The new PACMAN hardware threat is aimed at Macs with Apple M1 processors
An attacker can gain arbitrary code execution on Mac systems via a novel hardware attack that targets Pointer Authentication in Apple M1 CPUs by abusing speculative execution.
Pointer Authentication is a security feature that adds a cryptographic signature to pointers, known as a pointer authentication code, allowing the operating system to identify and prohibit unexpected modifications that could otherwise result in data leaks or system penetration.
This new form of attack, discovered by researchers at MIT’s Computer Science and Artificial Intelligence Laboratory, allows threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem.
To do so, an attacker must first find a memory-corruption bug in software on the targeted Mac, one that PAC would normally stop from being exploited, and then defeat PAC’s protection so that the bug can be escalated into a more serious security compromise.
“PACMAN combines an existing software flaw (memory read/write) into a more serious exploitation primitive, which could lead to arbitrary code execution. To do so, we need to figure out what the PAC value for a certain victim pointer is,” the researchers noted. “PACMAN accomplishes this by constructing a PAC Oracle, which is the capacity to determine whether a given PAC matches a particular pointer. If an inaccurate estimate is made, the PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”
While Apple won’t be able to patch the hardware to prevent attacks using this exploitation technique, the good news is that end users shouldn’t be concerned as long as their software is up to date and free of defects that could be exploited to gain code execution using PACMAN.
“PACMAN is an exploitation method; it cannot breach your system on its own. Although the PACMAN hardware techniques cannot be patched with software features, memory corruption issues can,” according to the researchers.
While a kernel panic would normally cause the entire system to crash, PACMAN ensures that no system crashes occur and that no traces of the attack are left in the logs.
Apple has said there will be no harm to users. Since 2021, the MIT CSAIL researchers have been reporting their results and sharing proof-of-concept attacks and code with Apple.
Apple claims that this new side-channel attack poses no threat to Mac users because it relies on previous security flaws to be effective.