Monday, June 13th 2022

Apple M1 Chips Affected by Unpatchable "PACMAN" Exploit

Apple M1 chips are a part of the Apple Silicon family that represents a new transition to Arm-based cores with new power and performance targets for Apple devices. A portion of building a processor is designing its security enclave, and today we have evidence that M1 processors got a new vulnerability. The PACMAN is a hardware attack that can bypass Pointer Authentication (PAC) on M1 processors. Security researchers took an existing concept of Spectre and its application in the x86 realm and now applied it to the Arm-based Apple silicon. PACMAN exploits a current software bug to perform pointer authentication bypass, which may lead to arbitrary code execution.

The vulnerability is a hardware/software co-design that exploits microarchitectural construction to execute arbitrary codes. PACMAN creates a PAC Oracle to check if a specific pointer matches its authentication. It must never crash if an incorrect guess is supplied and the attack brute-forces all the possible PAC values using the PAC Oracle. To suppress crashes, PAC Oracles are delivered speculatively. And to learn if the PAC value was correct, researchers used uArch side channeling. In the CPU resides translation lookaside buffers (TLBs), where PACMAN tries to load the pointer speculatively and verify success using the prime+probe technique. TLBs are filled with minimal addresses required to supply a particular TLB section. If any address is evicted from the TLB, it is likely a load success, and the bug can take over with a falsely authenticated memory address.
Apple M1 PACMAN Attack
On the PACMAN website, you can see the attack in much greater detail and learn about it in-depth. It is important to note that Apple is aware of the issue, and researchers have been in talks with the company ever since 2021. Keeping the software up to date is mandatory, as these kinds of memory corruption bugs are patchable. The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function.
Source: PACMAN
Add your own comment

9 Comments on Apple M1 Chips Affected by Unpatchable "PACMAN" Exploit

#1
ZoneDymo
"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.
Posted on Reply
#2
zlobby
Wakawakawakawakawaka.
Posted on Reply
#4
DeathtoGnomes
ZoneDymo"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.
"Please click on our adds to support us"

:banghead:
Posted on Reply
#5
W1zzard
ZoneDymo"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.
You did check their paper? "Hardware" doesn't mean "physical access"
Does this attack require physical access?
Nope! We actually did all our experiments over the network on a machine in another room. PACMAN works just fine remotely if you have unprivileged code execution.
Posted on Reply
#6
DeathtoGnomes
W1zzardYou did check their paper? "Hardware" doesn't mean "physical access"
that little telltale section...
PACMAN works just fine remotely if you have unprivileged code execution.
always chokes me up. :nutkick:
Posted on Reply
#7
Steevo
The speedup of speculative branching prediction/fetching and preprocessing is negated with thread and data security checks.


While I enjoy how soon after the **AMAZING, AWESOME, FAR SUPERIOR** M1 was released they have released a newer faster chip that will presumably have the same types of security issues. The fact is all CPU's could gain a decent IPC performance uplift if they were allowed to run code without security checks, and I would be down for trying or being able to buy a insecure piece of hardware, or if the big three would let us turn the security features on and off.
Posted on Reply
#8
ghazi
W1zzardYou did check their paper? "Hardware" doesn't mean "physical access"
While "pathetic clickbait" is definitely not accurate, there is something to be said for the fact that if you already have unprivileged code execution these kinds of vulns are among the most inefficient possible ways to escalate privilege.
Posted on Reply
#9
mechtech
Well at least the bug has a cool name.

watch out apple. I think ‘Pac-Man’ is
Trademarked by someone other than you. ;)
Posted on Reply
Nov 18th, 2024 20:37 EST change timezone

New Forum Posts

Popular Reviews

Controversial News Posts