A novel hardware attack dubbed PACMAN has been demonstrated against Apple's M1 processor chipset, potentially arming a malicious actor with the ability to gain arbitrary code execution on the macOS system.
It "exploits speculative execution attacks to bypass an important memory protection mechanism, ARM pointer authentication, a security feature used to enforce pointer integrity," MIT researchers Joseph Ravichandran, Weon Taek Na, Jay Lang and Mengjia Yan said in a new paper.
More worryingly, "while the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be," the researchers added.
The weakness lies in pointer authentication codes (PACs), a line of defense introduced in the arm64e architecture that aims to detect and protect against unexpected changes to pointers (objects that store a memory address) in memory.
PACs target a common problem with software security, such as memory corruption vulnerabilities, which often overwrite control data in memory (i.e., pointers) by redirecting code execution to an arbitrary location controlled by the attacker.
Like strategies such as address space layout randomization (ASLR), which were built to increase the difficulty of buffer overflow attacks, PAC aims to ensure "the legitimacy of pointers with minimal size and performance impact," effectively preventing adversaries from creating valid pointers for use in an exploit.
This is achieved by securing a pointer with a cryptographic hash, called a pointer authentication code (PAC), to ensure its integrity. Apple explains PACs as follows:
Pointer authentication works with a special CPU instruction to add a cryptographic signature – or PAC – to a pointer’s unused high-order bits before saving the pointer. Another instruction removes the signature after reading the pointer from memory and validates it. Any change in the stored value between reading and writing invalidates the signature. The CPU interprets authentication failure as memory corruption and sets a high-order bit on the pointer, invalidating the pointer and crashing the app.
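To make the mechanism Apple describes concrete, the following C program is an added example written for this page; it is not Apple's or the MIT researchers' code, and it simulates the scheme in software rather than using real CPU instructions. Everything in it is an assumption for illustration: a 48-bit address with a 16-bit PAC in the unused high bits, a deliberately simple (non-cryptographic) keyed tag function standing in for the CPU's real PAC algorithm, and a "poison" bit set on the pointer when verification fails, which mirrors the crash-on-use behaviour the quote describes.

```c
// Added illustration of the sign / authenticate / poison-on-failure flow that the
// article quotes. Not Apple's or MIT's code. All layout and tag details are assumed.
#include <stdint.h>
#include <stdio.h>

#define ADDR_BITS  48                              // assumed virtual-address width
#define ADDR_MASK  ((1ULL << ADDR_BITS) - 1)       // the "real" pointer bits
#define PAC_MASK   (~ADDR_MASK)                    // unused high bits that hold the PAC
#define POISON_BIT (1ULL << 62)                    // assumed bit set on authentication failure

// Toy keyed tag: mixes the pointer, a secret key and a context value ("modifier")
// into 16 bits. Deliberately simple so the example is easy to follow; a real PAC
// uses a keyed block cipher, so do not treat this as a security primitive.
static uint64_t toy_tag(uint64_t plain, uint64_t key, uint64_t modifier) {
    uint64_t x = plain ^ key ^ (modifier << 20);
    x ^= x >> 32;
    x ^= x >> 16;
    return x & 0xFFFF;
}

// Sign: compute the tag and store it in the high-order bits before the pointer
// is saved to memory (the "special CPU instruction" in Apple's description).
uint64_t pac_sign(uint64_t ptr, uint64_t key, uint64_t modifier) {
    uint64_t plain = ptr & ADDR_MASK;
    return plain | (toy_tag(plain, key, modifier) << ADDR_BITS);
}

// Authenticate: recompute the tag over the address bits and compare it with the
// stored one. On a match the plain pointer is returned; on a mismatch the pointer is
// returned with the poison bit set, so any later dereference faults instead of
// silently jumping to attacker-chosen memory.
uint64_t pac_auth(uint64_t signed_ptr, uint64_t key, uint64_t modifier) {
    uint64_t plain = signed_ptr & ADDR_MASK;
    uint64_t expected = toy_tag(plain, key, modifier) << ADDR_BITS;
    if ((signed_ptr & PAC_MASK) == expected)
        return plain;
    return plain | POISON_BIT;
}

// Helper for callers (and tests): has this pointer been marked invalid?
int pac_is_poisoned(uint64_t ptr) {
    return (ptr & POISON_BIT) != 0;
}

int main(void) {
    const uint64_t key = 0x0123456789ABCDEFULL;   // constructed secret key
    const uint64_t ctx = 7;                       // constructed modifier (e.g. stack slot)
    uint64_t target = 0x00007FFF12345678ULL;      // constructed code address

    uint64_t signed_ptr = pac_sign(target, key, ctx);
    printf("signed   : 0x%016llx\n", (unsigned long long)signed_ptr);
    printf("auth ok  : 0x%016llx\n", (unsigned long long)pac_auth(signed_ptr, key, ctx));

    // Simulate a memory-corruption bug flipping one address bit of the stored pointer.
    uint64_t corrupted = signed_ptr ^ 0x10;
    uint64_t result = pac_auth(corrupted, key, ctx);
    printf("corrupted: 0x%016llx poisoned=%d\n",
           (unsigned long long)result, pac_is_poisoned(result));
    return 0;
}
```

The point the simulation makes is the one the rest of the article turns on: the only observable outcome of a failed check is a poisoned pointer and, on use, a crash. PACMAN's contribution is to learn the result of that comparison through a microarchitectural side channel instead, which is why the defence cannot simply rely on the crash as its signal and why the memory-corruption bug that feeds the pointer is the part a software fix can still remove.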
But PACMAN "removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using pointer authentication." It combines memory corruption and speculative execution to bypass the security feature, "leaking PAC verification results via microarchitectural side channels without causing any crashes."
The attack method, in short, makes it possible to distinguish between a correct PAC and an incorrect one, allowing a bad actor to "brute-force the correct PAC value while suppressing crashes and construct a control-flow hijacking attack on a PA-enabled victim program or operating system."
Crash suppression, in part, succeeds because each PAC guess is evaluated through a timing-based side channel via the translation lookaside buffer (TLB), using a Prime+Probe attack.
The speculative execution weakness, as in the case of Spectre and Meltdown, weaponizes out-of-order execution, a technique used to improve the performance of modern microprocessors by predicting the most probable path a program will take.
However, it is worth noting that the threat model assumes that the victim program (the kernel) already contains an exploitable memory corruption vulnerability, which in turn allows the unprivileged attacker (a malicious app) to inject malicious code into specific memory locations in the victim process.
"This attack has important implications for designers looking to implement future processors featuring pointer authentication, and has broad implications for the security of future control-flow integrity primitives," the researchers concluded.