Puces Apple M1 affectées par Unpatchable “PAC-MAN” Exploiter

Apple M1 chips are a part of the Apple Silicon family that represents a new transition to Arm-based cores with new power and performance targets for Apple devices. A portion of building a processor is designing its security enclave, and today we have evidence that M1 processors got a new vulnerability. The PACMAN is a hardware attack that can bypass Pointer Authentication (CAP) on M1 processors. Security researchers took an existing concept of Spectre and its application in the x86 realm and now applied it to the Arm-based Apple silicon. PACMAN exploits a current software bug to perform pointer authentication bypass, which may lead to arbitrary code execution.

The vulnerability is a hardware/software co-design that exploits microarchitectural construction to execute arbitrary codes. PACMAN creates a PAC Oracle to check if a specific pointer matches its authentication. It must never crash if an incorrect guess is supplied and the attack brute-forces all the possible PAC values using the PAC Oracle. To suppress crashes, PAC Oracles are delivered speculatively. And to learn if the PAC value was correct, researchers used uArch side channeling. In the CPU resides translation lookaside buffers (TLBs), where PACMAN tries to load the pointer speculatively and verify success using the prime+probe technique. TLBs are filled with minimal addresses required to supply a particular TLB section. If any address is evicted from the TLB, it is likely a load success, and the bug can take over with a falsely authenticated memory address.

On the PACMAN website, vous pouvez voir l'attaque de manière beaucoup plus détaillée et en apprendre davantage à son sujet. Il est important de noter qu'Apple est conscient du problème, et les chercheurs sont en pourparlers avec l'entreprise depuis 2021. La mise à jour du logiciel est obligatoire, car ces types de bogues de corruption de mémoire peuvent être corrigés. La partie matérielle de cet exploit n'est pas patchable; cependant, les utilisateurs ne devraient pas s'inquiéter car cela nécessite à la fois des exploits logiciels et matériels pour fonctionner.