Design Weakness Discovered in Apple M1 Kernel Protections

Security researchers today released details about a new attack they designed against Apple’s M1 processor chip that can undermine a key security feature that protects the operating system (OS) kernel from memory corruption attacks. Dubbed PACMAN, the proof-of-concept attack targets ARM Pointer Authentication, a processor hardware feature that’s used as a last line of defense against software bugs that can be leveraged to corrupt the content of a memory location, hijack the execution flow of a running program, and ultimately gain complete control of the system.

“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system,” says MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of a new paper about PACMAN. “We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was.”

Lauded as the most powerful chips Apple has ever built, the M1 Pro and M1 Max were rolled out last fall to accolades not only for their power efficiency and performance, but also for the security afforded by the M1 system-on-chip (SoC) architecture.

Among those defenses is pointer authentication, an ARM feature that protects the integrity of pointers in memory by tagging each one with a cryptographic hash that verifies it hasn’t been modified. That hash is called a Pointer Authentication Code (PAC), and the system checks it before a program is allowed to use the protected pointer. When the PAC doesn’t match, the program crashes. PACs are relatively small, but guessing one by straight brute force would cause enough crashes to reveal the malicious behavior — not to mention that a program restart causes the PAC to be refreshed.
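To make the sign-and-check cycle described above concrete, here is a small C model of pointer authentication. It is an added illustration, not code from the paper, Apple or ARM: the keyed mixing function (real hardware uses the QARMA cipher), the 15-bit PAC width and the error-bit layout are simplifying assumptions, but the behaviour it shows is the one the article relies on: a PAC is derived from the address, a secret key and a modifier, stored in the unused upper bits of the pointer, and a failed check yields a pointer that faults when used.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of ARM Pointer Authentication: added example, not code from the
 * paper, Apple or ARM. Real hardware computes the PAC with the QARMA cipher
 * under per-process keys in system registers; a splitmix-style keyed mixer
 * stands in (assumption). Addresses use the low 48 bits, so the PAC must
 * fit in the unused upper bits and is only a few bits wide. */
#define VA_BITS  48
#define PAC_BITS 15                      /* assumed width for this model */
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK (((1ULL << PAC_BITS) - 1) << VA_BITS)
#define ERR_BIT  (1ULL << 63)            /* models "authentication failed" */
static uint64_t mix(uint64_t x) {        /* toy one-way mixing step */
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    return x ^ (x >> 31);
}

/* Tag over the address bits, the secret key and a modifier (e.g. the stack
 * pointer or a type discriminator), truncated to PAC_BITS. */
static uint64_t pac(uint64_t ptr, uint64_t key, uint64_t modifier) {
    uint64_t tag = mix((ptr & VA_MASK) ^ mix(key ^ (modifier * 0x9e3779b97f4a7c15ULL)));
    return (tag << VA_BITS) & PAC_MASK;
}

/* PAC* instruction: sign a pointer by storing its PAC in the upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t key, uint64_t modifier) {
    return (ptr & VA_MASK) | pac(ptr, key, modifier);
}

/* AUT* instruction: recompute and strip the PAC. On a mismatch the CPU hands
 * back a pointer with error bits set rather than a usable address, so the
 * next use faults: that is the crash the article refers to. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t key, uint64_t modifier) {
    uint64_t addr = signed_ptr & VA_MASK;
    if ((signed_ptr & PAC_MASK) != pac(addr, key, modifier))
        return addr | ERR_BIT;
    return addr;
}

int pac_is_valid(uint64_t p) { return (p & ERR_BIT) == 0; }
int main(void) {
    uint64_t key = 0x5eed5eed5eed5eedULL, sp = 0x7f00, s = pac_sign(0x100004000ULL, key, sp);
    printf("signed   %016llx valid=%d\n", (unsigned long long)s, pac_is_valid(pac_auth(s, key, sp)));
    /* Corrupted address bits without the key cannot carry a matching PAC. */
    printf("tampered %016llx valid=%d\n", (unsigned long long)(s ^ 0x1000), pac_is_valid(pac_auth(s ^ 0x1000, key, sp)));
    return 0;
}
```

With only 2^PAC_BITS possible tags, every wrong guess in this model comes back with ERR_BIT set, which is why the article notes that naive brute force produces a conspicuous stream of crashes.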

The MIT CSAIL team shows that it is possible to use a hardware side-channel attack to brute-force a PAC value and suppress crashes, kicking off a chained attack to ultimately build out a control-flow hijacking attack.

“The key insight of the PACMAN attack is to use speculative execution attacks to leak PAC verification results stealthily via micro-architectural side channels without causing crashes,” the paper explains.

Since the attack uses the speculative execution space, it doesn’t leave behind traces — and being a hardware attack, it also can’t be patched. The work offers a tangible example of how the one-two punch of hardware vulnerabilities and low-level software flaws can provide ample opportunities for attackers to run rampant in the kernel.

New Tools for Vulnerability Research

According to MIT professor and paper co-author Mengjia Yan, her team’s work offers insight into why software vulnerabilities at the kernel level should still be of concern to developers.

“It’s a new way to look at this very long-lasting security threat model. Many other mitigation mechanisms exist that are not well studied under this new compounding threat model, so we consider the PACMAN attack as a starting point,” she says. “We hope PACMAN can inspire more work in this research direction in the community.”

To encourage researchers to build off of their work, the MIT CSAIL team is releasing two sets of tools that are a product of their work analyzing Apple chips, which are closed source and undocumented.

“We expect these tools to unblock the community from conducting research on existing and future Apple Silicon devices,” the paper states, announcing availability of the tools at pacmanattack.com.

https://www.darkreading.com/dr-tech/design-weakness-discovered-in-apple-m1-kernel-protections