Apparently attackers can exploit memory corruption vulnerabilities in software and weaknesses in microprocessor design to bypass pointer authentication codes. Memory corruption vulnerabilities are caused by bugs that allow a hacker to tamper with the contents of a memory location and hijack program execution.
Arm, which makes blueprints for chips, introduced Pointer Authentication, or PA, to protect pointer integrity. PA makes it more difficult for attackers to covertly modify memory pointers.
PA uses a cryptographic hash called a Pointer Authentication Code, or PAC, to ensure that a pointer has not been modified. To get around such a system, an attacker would have to guess a PAC value. The size of the PAC is sometimes small enough to be ‘brute-forced’, or cracked through trial and error. However, a simple brute-force approach will not be enough to break PA, as every time an incorrect PAC is entered, the program crashes.
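To make the sign-and-check mechanism concrete, here is a toy model of pointer authentication added for this article; it is not Arm's actual QARMA-based algorithm or any vendor code. It assumes a 48-bit address space with 16 spare high bits for the PAC and uses an HMAC over the pointer plus a context value in place of the real block cipher; the key, bit widths and sample addresses are constructed for illustration. It shows why a modified pointer or a wrong PAC is rejected, and why every wrong guess is costly: authentication failure traps, which is the crash the article describes.

```python
import hmac
import hashlib

# Illustrative assumptions (not real hardware parameters):
PTR_BITS = 48                   # bits used for the address
PAC_BITS = 16                   # spare high bits that hold the PAC
PTR_MASK = (1 << PTR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PointerAuthFault(Exception):
    """Authentication failed. On real hardware the result is an unusable
    pointer whose dereference faults, i.e. the program (or kernel) crashes."""


def compute_pac(key: bytes, ptr: int, context: int) -> int:
    """Keyed MAC over (pointer, context), truncated to PAC_BITS bits.
    HMAC-SHA256 stands in for the hardware cipher in this model."""
    msg = ptr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign(key: bytes, ptr: int, context: int) -> int:
    """Model of a PAC* instruction: embed the PAC in the pointer's high bits."""
    if ptr & ~PTR_MASK:
        raise ValueError("pointer already uses the reserved high bits")
    return ptr | (compute_pac(key, ptr, context) << PTR_BITS)


def authenticate(key: bytes, signed_ptr: int, context: int) -> int:
    """Model of an AUT* instruction: strip the PAC, recompute it and compare.
    Returns the plain pointer on success, raises PointerAuthFault otherwise."""
    ptr = signed_ptr & PTR_MASK
    presented = (signed_ptr >> PTR_BITS) & PAC_MASK
    if presented != compute_pac(key, ptr, context):
        raise PointerAuthFault(f"bad PAC for pointer {ptr:#x}")
    return ptr


def guesses_to_exhaust_pac() -> int:
    """Size of the PAC space: an attacker without an oracle would need up to
    this many tries, each failed try crashing the process."""
    return 1 << PAC_BITS


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed sample key
    return_addr = 0x0000_7FFF_DEAD_0000    # constructed sample address
    ctx = 0x1234                           # e.g. a stack-pointer-derived modifier

    signed = sign(key, return_addr, ctx)
    print(f"signed pointer: {signed:#018x}")
    print("authenticated:", hex(authenticate(key, signed, ctx)))

    # A memory-corruption bug that overwrites the address bits but keeps the
    # old PAC is caught: the PAC no longer matches the new address.
    tampered = (signed & ~PTR_MASK) | 0x0000_7FFF_0BAD_0000
    try:
        authenticate(key, tampered, ctx)
    except PointerAuthFault as e:
        print("tampered pointer rejected:", e)

    print("PAC values an attacker might have to try:", guesses_to_exhaust_pac())
```

The `context` argument is what Arm calls a modifier; signing with one context and authenticating with another fails just like a tampered address does, which is what stops a valid signed pointer from simply being reused somewhere else.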
That’s where the PACMAN attack comes in. It goes one step further by building a PAC oracle that can be used to distinguish between a correct PAC and an invalid one without causing crashes.
The researchers have shown that such a PAC oracle can be used to brute-force the correct value and access a program or operating system, in this case macOS.
The important thing to note here is that the operations required to perform the PACMAN attack leave no architecturally visible trace, which lets an attacker avoid the problem of incorrect guesses leading to a crash.
The problem with attacking PAC is that it is impossible to brute-force without causing crashes (in our case kernel panics). But what if there was a way to suppress crashes…?
— Joseph Ravichandran (@0xjprx) June 10, 2022
The team has also shown that the attack works at different privilege levels, meaning it can be used to attack the operating system kernel, the core of an operating system. The vulnerability is not only found in the M1, but also in the beefed-up versions, the M1 Pro and M1 Max.
Since this is a hardware attack, it cannot be addressed with a security patch. However, Mac users need not worry as this attack can only be performed if a memory corruption vulnerability also exists.
“We would like to thank the researchers for their collaboration as this proof of concept enhances our understanding of these techniques. Based on our analysis and the details the researchers have shared with us, we have concluded that this issue poses no direct risk to our users and is insufficient to circumvent operating system security measures alone.”
Still, this isn’t something that can be brushed off as insignificant. Many chipmakers, including Qualcomm and Samsung, have unveiled or are expected to introduce processors with Pointer Authentication.