
PACMAN, the unpatched security problem of the Apple M1

So far the Apple M1 chip has done nothing but provide joy in Cupertino. Since its launch about a year and a half ago, both the first Apple Silicon chip and its "big brothers", the Pro, Max and Ultra variants, have garnered rave reviews, proving that Apple's engineering work in designing its own chips is most remarkable.

However, it had to be in the week in which the long-awaited Apple M2 was presented, and precisely on the day that leaks about the future M2 Max arrived, that it was revealed that the Apple M1 has a security problem. Although, and this is very important, it does not by itself put users of devices with this chip at risk, it is a serious wake-up call to Apple, but also to other chip designers, about the risks of neglecting security at the chip design stage.

Researchers from the Computer Science & Artificial Intelligence Laboratory (CSAIL) of the Massachusetts Institute of Technology have built a proof of concept called PACMAN, a combined hardware/software attack that exploits a weakness in the Pointer Authentication Code (PAC) mechanism of the Apple M1, which under normal conditions protects the device from the exploitation of memory corruption bugs.

PAC, in its normal operation, attaches a cryptographic signature to each protected memory pointer: the signature is computed with a secret key from the pointer and a context value, stored in the unused upper bits of the 64-bit pointer, and checked by the processor before the pointer is used. Without stretching the comparison too far, the PAC plays the same role as the hash or, more precisely, the keyed MAC that lets us trust the data it is attached to: if an attacker overwrites the pointer, the signature no longer matches and the corrupted pointer is rejected. Thus, the Apple M1 should, in theory, be protected from attacks that modify pointers for malicious purposes.


The problem found by the MIT researchers is that the PAC is short: it has to fit in the spare upper bits of a pointer, so there is only a limited number of possible values for the signature. Ordinarily that is acceptable, because a wrong guess is fatal: a failed authentication crashes the process, and the attacker cannot simply keep trying. PACMAN removes that penalty. By having the guess checked under speculative execution (where a mispredicted path is never committed and therefore never faults) and observing whether it succeeded through a microarchitectural side channel, an attacker on the Apple M1 can test candidates without ever crashing. The protection then collapses into a search: try all the options until the correct one is found.
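As an added illustration (this is neither the MIT researchers' code nor Apple's implementation), the following C program models the mechanism the two paragraphs above describe: a keyed, truncated signature stored in the unused top bits of a pointer, an authentication step that rejects a corrupted pointer, and what changes once an attacker can test PAC guesses without faulting. The toy mixing function, the 48-bit address / 16-bit PAC layout and the `spec_oracle` stub (which stands in for the speculative side channel and is simply a call into the victim's own check) are assumptions of the model, not details of the real hardware.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a PAC-protected pointer (assumption for this example): the low
 * VA_BITS hold the virtual address, the PAC occupies the bits above it.
 * Real ARMv8.3/Apple layouts also involve TBI and sign-extension rules. */
#define VA_BITS  48
#define PAC_BITS 16
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK ((1ULL << PAC_BITS) - 1)

/* Toy keyed mixing function standing in for the hardware MAC. It is NOT
 * QARMA or any cipher Apple uses; only its shape (key, address, modifier
 * -> PAC_BITS bits of output) matters for the model. */
static uint64_t toy_mac(uint64_t key, uint64_t addr, uint64_t modifier)
{
    uint64_t x = key ^ addr ^ (modifier * 0x9E3779B97F4A7C15ULL);
    for (int i = 0; i < 4; i++) {
        x ^= x >> 29;
        x *= 0xBF58476D1CE4E5B9ULL;
        x ^= x >> 32;
    }
    return x;
}

/* PAC* instruction: sign a pointer under (key, modifier), e.g. a return
 * address signed with the stack pointer as the modifier. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t modifier)
{
    uint64_t addr = ptr & VA_MASK;
    uint64_t pac  = toy_mac(key, addr, modifier) & PAC_MASK;
    return addr | (pac << VA_BITS);
}

/* AUT* instruction: verify and strip. Returns true with the raw address on
 * success. On a mismatch real hardware hands back a poisoned pointer that
 * faults when used, which is what makes naive guessing crash the process. */
bool pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, uint64_t *out)
{
    uint64_t addr   = signed_ptr & VA_MASK;
    uint64_t expect = toy_mac(key, addr, modifier) & PAC_MASK;
    uint64_t got    = (signed_ptr >> VA_BITS) & PAC_MASK;
    if (expect != got)
        return false;
    *out = addr;
    return true;
}

/* The attacker's missing piece: a way to learn whether a guessed PAC is
 * right WITHOUT architecturally executing the faulting AUT*. PACMAN gets
 * this from a speculative side channel; here it is stubbed (assumption) as
 * a direct call into the victim's own check. */
static bool spec_oracle(uint64_t key, uint64_t candidate, uint64_t modifier)
{
    uint64_t unused;
    return pac_auth(key, candidate, modifier, &unused);
}

/* Brute force over the PAC_BITS-bit space using the non-faulting oracle.
 * Writes the forged signed pointer and returns the number of guesses used.
 * The attacker never needs the key: the search is bounded by 2^PAC_BITS
 * no matter how strong the key or the MAC is. */
uint64_t forge_pointer(uint64_t key, uint64_t target, uint64_t modifier, uint64_t *forged)
{
    uint64_t addr = target & VA_MASK;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t candidate = addr | (guess << VA_BITS);
        if (spec_oracle(key, candidate, modifier)) {
            *forged = candidate;
            return guess + 1;
        }
    }
    *forged = 0;
    return 0; /* unreachable in this model: one guess must match */
}

int main(void)
{
    /* Constructed sample values: the key is secret to the attacker. */
    uint64_t key      = 0x0123456789ABCDEFULL;
    uint64_t modifier = 0x00007FFEEFBFF000ULL;  /* e.g. the victim's stack pointer */
    uint64_t retaddr  = 0x0000000100003F80ULL;  /* legitimate return address */
    uint64_t gadget   = 0x0000000100004A10ULL;  /* where the attacker wants control */
    uint64_t out, forged;

    uint64_t signed_ret = pac_sign(key, retaddr, modifier);
    printf("legit   %016llx auth=%d\n", (unsigned long long)signed_ret,
           pac_auth(key, signed_ret, modifier, &out));

    /* Plain memory corruption: swap the address, keep the old PAC -> rejected
     * (unless the two PACs happen to collide, probability 2^-PAC_BITS). */
    uint64_t tampered = (signed_ret & ~VA_MASK) | (gadget & VA_MASK);
    printf("tamper  %016llx auth=%d\n", (unsigned long long)tampered,
           pac_auth(key, tampered, modifier, &out));

    /* With a non-faulting oracle, at most 2^PAC_BITS guesses give a valid PAC. */
    uint64_t tries = forge_pointer(key, gadget, modifier, &forged);
    printf("forged  %016llx after %llu guesses auth=%d\n",
           (unsigned long long)forged, (unsigned long long)tries,
           pac_auth(key, forged, modifier, &out));
    return 0;
}
```

Build and run with `cc -o pac pac.c && ./pac`. What the model makes explicit is that the forged pointer is always found within 2^PAC_BITS guesses, independent of the key: the security of PAC rests on a wrong guess being fatal, and anything that makes guesses free, as PACMAN does through speculation, reduces the defence to that short search.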

PACMAN, on its own, is not enough to mount an attack against a system based on an Apple M1: an attacker would first need an existing memory corruption bug in the target software, since PACMAN only defeats the mechanism that would otherwise stop that bug from being exploited. However, as noted above, it shows that the signature validation offered by PAC may not be sufficient by itself, and CSAIL therefore urges engineering teams to take this weakness into account in their future designs.

Apple has acknowledged the finding and thanked the MIT researchers for their work. It has not said, however, whether the problem also affects the Apple M2 (which likewise relies on PAC for pointer validation), which is unfortunate but understandable. The key, of course, will be to check whether this Apple M1 weakness is mitigated in future Cupertino SoCs, something we will have to wait to see.
