While Apple’s M1 processors have helped the Mac reach new performance heights, a few reports have exposed potential security issues with the system on a chip. The latest such report comes from MIT CSAIL, where researchers have found a way to defeat what is called “the last line of security” on the M1 SoC.
MIT CSAIL found that the M1 implementation of pointer authentication can be overcome with a hardware attack that the researchers developed. Pointer authentication is a security feature that helps protect the CPU against an attacker that has gained memory access. pointers store memory addresses, and pointer authentication code (PAC) checks for unexpected pointer changes caused by an attack. In its research, MIT CSAIL created “PACMAN,” an attack that can find the correct value to successfully pass pointer authentication, so a hacker can continue with access to the computer.
MIT CSAIL’s Joseph Ravichandran, who is the co-lead author of a paper explaining PACMAN, said in an MIT article, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger.”
According to MIT CSAIL, since its PACMAN attack involves a hardware device, a software patch won’t fix the problem. The issue is a wider problem with Arm processors that use Pointer Authentication, not just Apple’s M1. “Future CPU designers should take care to consider this attack when building the secure systems of tomorrow,” Ravichandran wrote. “Developers should take care to not solely rely on pointer authentication to protect their software.”
Apple announced the M2 chip at its WWDC keynote last Monday, which is a new generation that succeeds the M1 series. An MIT representative confirmed with Macworld that the M2 has not been tested for this flaw.
Because PACMAN requires a hardware device, a hacker has to have physical access to a Mac, which limits how a PACMAN can be executed. But as a technological demonstration, PACMAN shows that pointer authentication isn’t completely foolproof and developers shouldn’t completely rely on it.
MIT CSAIL plans to present the report at the International Symposium on Computer Architecture on June 18. Apple has not made a public comment, but it is aware of MIT CSAIL’s findings. (It is customary for researchers to share their results with involved firms before public disclosure).
PACMAN is the latest security breach discovered with the M1. In May, researchers at the University of Illinois at Urbana Champaign, the University of Washington, and Tel Aviv University discovered the Augury flaw. Last year, developer Hector Martin discovered the M1RACLES vulnerability. However, these flaws have been deemed harmless or not a serious threat.