• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Apple M1 Chips Affected by Unpatchable "PACMAN" Exploit

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,646 (0.99/day)
Apple M1 chips are a part of the Apple Silicon family that represents a new transition to Arm-based cores with new power and performance targets for Apple devices. A portion of building a processor is designing its security enclave, and today we have evidence that M1 processors got a new vulnerability. The PACMAN is a hardware attack that can bypass Pointer Authentication (PAC) on M1 processors. Security researchers took an existing concept of Spectre and its application in the x86 realm and now applied it to the Arm-based Apple silicon. PACMAN exploits a current software bug to perform pointer authentication bypass, which may lead to arbitrary code execution.

The vulnerability is a hardware/software co-design that exploits microarchitectural construction to execute arbitrary codes. PACMAN creates a PAC Oracle to check if a specific pointer matches its authentication. It must never crash if an incorrect guess is supplied and the attack brute-forces all the possible PAC values using the PAC Oracle. To suppress crashes, PAC Oracles are delivered speculatively. And to learn if the PAC value was correct, researchers used uArch side channeling. In the CPU resides translation lookaside buffers (TLBs), where PACMAN tries to load the pointer speculatively and verify success using the prime+probe technique. TLBs are filled with minimal addresses required to supply a particular TLB section. If any address is evicted from the TLB, it is likely a load success, and the bug can take over with a falsely authenticated memory address.



On the PACMAN website, you can see the attack in much greater detail and learn about it in-depth. It is important to note that Apple is aware of the issue, and researchers have been in talks with the company ever since 2021. Keeping the software up to date is mandatory, as these kinds of memory corruption bugs are patchable. The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function.

View at TechPowerUp Main Site | Source
 
Joined
Feb 11, 2009
Messages
5,569 (0.96/day)
System Name Cyberline
Processor Intel Core i7 2600k -> 12600k
Motherboard Asus P8P67 LE Rev 3.0 -> Gigabyte Z690 Auros Elite DDR4
Cooling Tuniq Tower 120 -> Custom Watercoolingloop
Memory Corsair (4x2) 8gb 1600mhz -> Crucial (8x2) 16gb 3600mhz
Video Card(s) AMD RX480 -> RX7800XT
Storage Samsung 750 Evo 250gb SSD + WD 1tb x 2 + WD 2tb -> 2tb MVMe SSD
Display(s) Philips 32inch LPF5605H (television) -> Dell S3220DGF
Case antec 600 -> Thermaltake Tenor HTCP case
Audio Device(s) Focusrite 2i4 (USB)
Power Supply Seasonic 620watt 80+ Platinum
Mouse Elecom EX-G
Keyboard Rapoo V700
Software Windows 10 Pro 64bit
"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.
 
Joined
Sep 6, 2013
Messages
3,391 (0.82/day)
Location
Athens, Greece
System Name 3 desktop systems: Gaming / Internet / HTPC
Processor Ryzen 5 7600 / Ryzen 5 4600G / Ryzen 5 5500
Motherboard X670E Gaming Plus WiFi / MSI X470 Gaming Plus Max (1) / MSI X470 Gaming Plus Max (2)
Cooling Aigo ICE 400SE / Segotep T4 / Νoctua U12S
Memory Kingston FURY Beast 32GB DDR5 6000 / 16GB JUHOR / 32GB G.Skill RIPJAWS 3600 + Aegis 3200
Video Card(s) ASRock RX 6600 + GT 710 (PhysX) / Vega 7 integrated / Radeon RX 580
Storage NVMes, ONLY NVMes / NVMes, SATA Storage / NVMe, SATA, external storage
Display(s) Philips 43PUS8857/12 UHD TV (120Hz, HDR, FreeSync Premium) / 19'' HP monitor + BlitzWolf BW-V5
Case Sharkoon Rebel 12 / CoolerMaster Elite 361 / Xigmatek Midguard
Audio Device(s) onboard
Power Supply Chieftec 850W / Silver Power 400W / Sharkoon 650W
Mouse CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Keyboard CoolerMaster Devastator III Plus / CoolerMaster Devastator / Logitech
Software Windows 10 / Windows 10&Windows 11 / Windows 10
1655106255080.png
 
Joined
Jul 16, 2014
Messages
8,217 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.
"Please click on our adds to support us"

:banghead:
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,940 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
"The hardware part of this exploit is not patchable; however, users shouldn't be worried as it requires both software and hardware exploits to function."

So we start with some pathetic clickbait and end a bit more rational, good, now if we could just lay off the clickbait crap, youtube has (to my ever increasing disappointment) enough of it for the rest of the internet.

You did check their paper? "Hardware" doesn't mean "physical access"

Does this attack require physical access?
Nope! We actually did all our experiments over the network on a machine in another room. PACMAN works just fine remotely if you have unprivileged code execution.
 
Joined
Jul 16, 2014
Messages
8,217 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
You did check their paper? "Hardware" doesn't mean "physical access"
that little telltale section...
PACMAN works just fine remotely if you have unprivileged code execution.

always chokes me up. :nutkick:
 
Joined
Nov 4, 2005
Messages
12,007 (1.72/day)
System Name Compy 386
Processor 7800X3D
Motherboard Asus
Cooling Air for now.....
Memory 64 GB DDR5 6400Mhz
Video Card(s) 7900XTX 310 Merc
Storage Samsung 990 2TB, 2 SP 2TB SSDs, 24TB Enterprise drives
Display(s) 55" Samsung 4K HDR
Audio Device(s) ATI HDMI
Mouse Logitech MX518
Keyboard Razer
Software A lot.
Benchmark Scores Its fast. Enough.
The speedup of speculative branching prediction/fetching and preprocessing is negated with thread and data security checks.


While I enjoy how soon after the **AMAZING, AWESOME, FAR SUPERIOR** M1 was released they have released a newer faster chip that will presumably have the same types of security issues. The fact is all CPU's could gain a decent IPC performance uplift if they were allowed to run code without security checks, and I would be down for trying or being able to buy a insecure piece of hardware, or if the big three would let us turn the security features on and off.
 
Joined
Dec 5, 2017
Messages
157 (0.06/day)
You did check their paper? "Hardware" doesn't mean "physical access"
While "pathetic clickbait" is definitely not accurate, there is something to be said for the fact that if you already have unprivileged code execution these kinds of vulns are among the most inefficient possible ways to escalate privilege.
 
Joined
Dec 26, 2006
Messages
3,861 (0.59/day)
Location
Northern Ontario Canada
Processor Ryzen 5700x
Motherboard Gigabyte X570S Aero G R1.1 BiosF5g
Cooling Noctua NH-C12P SE14 w/ NF-A15 HS-PWM Fan 1500rpm
Memory Micron DDR4-3200 2x32GB D.S. D.R. (CT2K32G4DFD832A)
Video Card(s) AMD RX 6800 - Asus Tuf
Storage Kingston KC3000 1TB & 2TB & 4TB Corsair MP600 Pro LPX
Display(s) LG 27UL550-W (27" 4k)
Case Be Quiet Pure Base 600 (no window)
Audio Device(s) Realtek ALC1220-VB
Power Supply SuperFlower Leadex V Gold Pro 850W ATX Ver2.52
Mouse Mionix Naos Pro
Keyboard Corsair Strafe with browns
Software W10 22H2 Pro x64
Well at least the bug has a cool name.

watch out apple. I think ‘Pac-Man’ is
Trademarked by someone other than you. ;)
 
Top