{"id":48712,"date":"2022-06-13T14:16:49","date_gmt":"2022-06-13T14:16:49","guid":{"rendered":"https:\/\/harchi90.com\/newly-identified-pacman-flaw-in-apple-m1-cpu-cant-be-patched\/"},"modified":"2022-06-13T14:16:49","modified_gmt":"2022-06-13T14:16:49","slug":"newly-identified-pacman-flaw-in-apple-m1-cpu-cant-be-patched","status":"publish","type":"post","link":"https:\/\/harchi90.com\/newly-identified-pacman-flaw-in-apple-m1-cpu-cant-be-patched\/","title":{"rendered":"Newly identified PACMAN flaw in Apple M1 CPU can’t be patched"},"content":{"rendered":"\n
\n
<p><strong>What just happened?<\/strong> Researchers have revealed a newly discovered attack vector allowing malicious actors to overcome the M1’s security features. The exploit allows the CPU’s Pointer Authentication Codes (PAC), designed to defend against malicious code injection, to be sidestepped entirely. It also leaves no trace of an attack and cannot be proactively patched due to the exploit’s hardware-based nature.<\/p>\n
<p>Led by MIT’s Mengjia Yan, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) created the novel attack using a combination of memory corruption and speculative execution to bypass the M1’s security. The research team’s proof of concept also demonstrated the attack’s effectiveness against the CPU kernel, which could have far-reaching impacts on any PAC-enabled ARM system.<\/p>\n
<p>A PAC typically guards the OS kernel by causing any mismatch between a PAC pointer and its authentication code to result in a crash. The PACMAN attack’s reliance on speculative execution and repeated guesses is critical to its success. Due to the finite number of PAC values, the team determined that it would be possible for a malicious actor to find the correct PAC value by simply trying them all. However, this requires the ability to make multiple guesses without triggering an exception any time the values are incorrectly guessed. The researchers figured out a way to do just that.<\/p>\n