Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Chipsets. Show all posts

Security Bug Detected in Apple M1 Processor Chipsets

 

MIT researchers have unearthed an “unpatchable” hardware bug in Apple's M1 processor chipsets that could allow hackers to breach its last line of security defenses. 

The security loophole is rooted in a hardware-level security mechanism employed in Apple M1 chips called pointer authentication codes, or PAC. This mechanism restricts a hacker to inject malicious code into a device’s memory and it also shields against buffer overflow exploits, which is a form of assault that forces memory to leak into other locations of the chip and acts as the last line of defense.

Employing assault to identify vulnerability 

MIT researchers demonstrated a novel hardware assault dubbed PACMAN that combines memory corruption and speculative execution to bypass the security feature. The assault depicted that pointer authentication can be breached without leaving a trace, and as it employs a hardware mechanism that cannot be patched with software features. 

The attack works by “guessing” a pointer authentication code (PAC), a cryptographic signature that confirms that an app hasn’t been maliciously altered. This is done using speculative execution — a methodology employed by modern computer processors to enhance performance by speculatively guessing various lines of computation — to leak PAC verification results, while a hardware side-channel reveals whether or not the guess was correct.

According to the researchers, there are many possible values of a PAC, but with a device that reveals whether a guess is correct or false, one can try them all until they hit the right one. 

“The idea behind pointer authentication is that if all else has failed, you still can rely on it to prevent attackers from gaining control of your system. We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was,” explained MIT CSAIL Ph.D. student Joseph Ravichandran and co-lead author of the paper. 

“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be a lot larger”. 

Multiple chipsets are in danger 

Apple uses PAC on all its M1 chips, including the M1, M1 Pro, and M1 Max. In the coming months, other chip designers, including Samsung along with Qualcomm, are expected to launch new chips supporting PAC. 

If this exploit is not mitigated, it will impact the majority of mobile devices, and likely even desktop devices in the coming years, researchers warned. 

Prevention tips 

To mitigate the risks, modification of the software is required so PAC verification results are never done under speculation, meaning a hacker couldn’t go incognito while attempting to breach. 

The second technique is to guard against PACMAN in the same way Spectre vulnerabilities are being mitigated. And finally, patching memory corruption bugs would ensure this last line of defense isn’t required.