While Apple’s M1 processors have helped the Mac reach new heights of performance, some reports have exposed potential security vulnerabilities with the System on a Chip. The latest report comes from MIT CSAIL, whose research has found a way to defeat what has been called “the last line of security” on the M1 SoC.
MIT CSAIL found that the M1 implementation of Pointer Authentication can be overcome with a hardware attack that the researchers developed. Pointer authentication is a security feature that helps protect the CPU from an attacker who has gained memory access. hands store memory addresses, and pointer authentication code (PAC) checks for unexpected pointer changes caused by an attack. In its research, MIT created CSAIL ‘PACMAN’, an attack that can find the correct value to successfully pass the pointer verification, so that a hacker can gain access to the computer.
Joseph Ravichandran of MIT CSAIL, co-lead author of a paper explaining PACMAN, said in an MIT article, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. Now PACMAN fixes these bugs.” more serious, the total attack surface could be a lot bigger.”
According to MIT CSAIL, a software patch will not solve the problem, as the PACMAN attack involves a hardware device. The problem is a wider one with Arm processors that use Pointer Authentication, not just Apple’s M1. “Future CPU designers should consider this attack when building tomorrow’s secure systems,” Ravichandran said. “Developers need to make sure they don’t rely solely on pointer authentication to protect their software.”
Apple announced the M2 chip at its WWDC keynote last Monday, a new generation that succeeds the M1 series. An MIT representative confirmed to Macworld that the M2 has not been tested for this flaw.
Because PACMAN requires a hardware device, a hacker must have physical access to a Mac, which limits how a PACMAN can run. But as a technology demonstration, PACMAN shows that pointer authentication is not completely foolproof and that developers should not rely on it completely.
MIT CSAIL plans to present the report at the International Symposium on Computer Architecture on June 18. Apple has not made a public comment, but is aware of the MIT CSAIL findings (it is common for researchers to share their results with concerned companies before making them public).
PACMAN is the latest security breach discovered with the M1. In May, researchers from the University of Illinois at Urbana Champaign, the University of Washington and Tel Aviv University discovered the Augury error. Last year developer Hector Martin discovered the vulnerability of M1RACLES. However, these flaws were considered harmless or not a serious threat.