By Shannon Morse, ThreatWire

Researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have found a way to attack pointer authentication in Apple’s M1 chip and gain arbitrary code execution on Macs. The attack requires physical access and an existing memory bug: PAC would normally block that bug, but the technique bypasses the PAC defenses and escalates it into a severe issue.

Pointer authentication attaches a cryptographic signature, the pointer authentication code or PAC, to pointers so that unexpected changes that could lead to data leaks or a compromised Mac are detected and blocked. In this case the pointer authentication check is triggered and then bypassed, leading to arbitrary code execution. The trigger creates what the researchers call a PAC oracle, which reveals whether a given authentication code matches a given pointer. Because the oracle does not crash when a guess is wrong, the researchers can brute-force every possible value through it. In a tweet, the researchers described this as a way to defeat pointer authentication and forge kernel pointers from userspace.
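To make the mechanism above concrete, here is an added software model of pointer authentication (not Apple's implementation or the researchers' code): a keyed MAC truncated to an assumed 16-bit PAC is stored in the unused top bits of a 64-bit pointer, a check recomputes it, and the last function shows why a checker that merely reports match or no-match without crashing bounds a brute-force forgery at 2**PAC_BITS queries. The key, the PAC width and the sample address are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Software model of pointer authentication, added to illustrate the text above.
# Apple's hardware computes the PAC with a CPU-held key and stores it in the
# unused upper bits of a 64-bit pointer; HMAC-SHA256 truncated to PAC_BITS
# stands in for that here, and PAC_BITS = 16 is an assumed width for the model.
PAC_BITS = 16
PAC_SHIFT = 64 - PAC_BITS
ADDR_MASK = (1 << PAC_SHIFT) - 1
PAC_MASK = (1 << PAC_BITS) - 1

def compute_pac(key: bytes, addr: int, context: int) -> int:
    """Keyed MAC over (address, context), truncated to the PAC width."""
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & PAC_MASK

def sign_pointer(key: bytes, addr: int, context: int) -> int:
    """Embed the PAC in the top bits, as a PAC* instruction does."""
    if addr & ~ADDR_MASK:
        raise ValueError("address already occupies the PAC bits")
    return addr | (compute_pac(key, addr, context) << PAC_SHIFT)

def authenticate(key: bytes, signed: int, context: int) -> Optional[int]:
    """Recompute the PAC; return the plain address, or None on a mismatch.
    On real hardware a mismatch is not a quiet None: the pointer is left
    unusable so that dereferencing it faults, which is what normally makes
    guessing a PAC costly (one crash per wrong guess)."""
    addr = signed & ADDR_MASK
    return addr if (signed >> PAC_SHIFT) == compute_pac(key, addr, context) else None

def oracle_queries_to_forge(key: bytes, addr: int, context: int) -> int:
    """Model of the PAC-oracle problem: a check that only reports match or
    no-match, without crashing, lets every PAC value be tried in turn.
    Returns the number of oracle queries used, never more than 2**PAC_BITS."""
    for queries, guess in enumerate(range(1 << PAC_BITS), start=1):
        if authenticate(key, addr | (guess << PAC_SHIFT), context) is not None:
            return queries
    raise AssertionError("unreachable: one of the 2**PAC_BITS guesses matches")

if __name__ == "__main__":
    key, ctx = secrets.token_bytes(16), 0  # constructed: fresh key, zero modifier
    ptr = sign_pointer(key, 0x7FFF_1234_5670, ctx)   # constructed sample address
    print("valid:", authenticate(key, ptr, ctx) is not None)
    print("PAC bit flipped:", authenticate(key, ptr ^ (1 << PAC_SHIFT), ctx))  # None
    print("oracle queries needed:", oracle_queries_to_forge(key, 0x7FFF_1234_5670, ctx))
```

The point for defenders is the last line: the strength of PAC rests on a wrong guess costing a crash, so any side channel that answers "does this PAC match" silently reduces forgery to a bounded enumeration.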

Apple won’t be able to patch this issue. According to the company, it does not present a danger on its own, since it depends on other vulnerabilities to work. Keeping a device updated with patches still helps protect against it, because the attack, dubbed PACMAN, relies on bugs that could be exploited to trigger the pointer authentication check. So on its own PACMAN can’t compromise your machine, but it builds on other bugs to cause further damage.

The MIT researchers will be presenting their findings at the International Symposium on Computer Architecture on June 18.