MIT found a new hardware vulnerability in Apple M1: it can break the security mechanism without leaving a trace
2022-06-13 12:23:00 【Open source China Information】
Scientists at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have released a study saying they have found a new hardware attack, called PACMAN, that can bypass the pointer authentication mechanism on the Apple M1 CPU.
According to the study, the M1 chip uses pointer authentication, a feature that serves as the last line of defense against typical software vulnerabilities. With pointer authentication enabled, vulnerabilities that would normally compromise the system or leak private information are stopped in their tracks. Apple has already implemented pointer authentication on all of its custom ARM-based chips.
The vulnerability MIT has newly discovered can break through this last line of defense without leaving a trace. Moreover, because PACMAN exploits a hardware mechanism, no software patch can fix it. MIT says the Apple M2 chip also supports pointer authentication, but they have not tested it yet.

The study points out that an attacker can carry out the PACMAN attack by guessing the Pointer Authentication Code (PAC) and disabling it. A PAC is a cryptographic signature that can be used to confirm that an application has not been maliciously tampered with. Guessing the correct value is not difficult, because attackers can use a hardware side channel to test whether a guess is correct. "Given that there are only so many possible values for the PAC, they found that they could try all of them to find the correct one." Most importantly, because the guesses all happen under speculative execution, the attack leaves no trace.
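A toy model of the argument above, added here as an example and not taken from the study or from Apple's implementation: a pointer is tagged with a truncated keyed MAC, and a search over every tag value is run once with failed checks faulting and once with failures silenced, as a side channel would make them. The 16-bit PAC width, the 48-bit address split, HMAC-SHA256 as the MAC, and all names and sample values are assumptions of the example.

```python
import hashlib
import hmac

PAC_BITS = 16                      # assumed PAC width (not stated in the article)
ADDR_BITS = 48                     # assumed split: address in low bits, PAC above
ADDR_MASK = (1 << ADDR_BITS) - 1

class AuthFault(Exception):
    """Stands for the fault raised when a pointer fails authentication."""

def compute_pac(key: bytes, addr: int, context: int) -> int:
    # HMAC-SHA256 is a stand-in for the hardware MAC; only PAC_BITS survive.
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "little") & ((1 << PAC_BITS) - 1)

def sign(key: bytes, addr: int, context: int) -> int:
    return (compute_pac(key, addr, context) << ADDR_BITS) | (addr & ADDR_MASK)

def authenticate(key: bytes, signed_ptr: int, context: int) -> int:
    addr = signed_ptr & ADDR_MASK
    if signed_ptr >> ADDR_BITS != compute_pac(key, addr, context):
        raise AuthFault(hex(signed_ptr))
    return addr

def exhaustive_search(key, addr, context, silent_oracle):
    """Try every PAC value; report guesses made, faults a defender sees, success."""
    for guess in range(1 << PAC_BITS):
        try:
            authenticate(key, (guess << ADDR_BITS) | addr, context)
            return {"guesses": guess + 1, "visible_faults": 0, "forged": True}
        except AuthFault:
            if not silent_oracle:
                # Architectural failure: the process dies on the first bad guess.
                return {"guesses": guess + 1, "visible_faults": 1, "forged": False}
    return {"guesses": 1 << PAC_BITS, "visible_faults": 0, "forged": False}

if __name__ == "__main__":
    key = b"constructed-demo-key"          # constructed sample key
    addr, ctx = 0x7FFFDEADB000, 0x1234     # constructed sample pointer and context
    print("faulting checks:", exhaustive_search(key, addr, ctx, silent_oracle=False))
    print("silent oracle:  ", exhaustive_search(key, addr, ctx, silent_oracle=True))
```

With faulting checks the search normally ends after a single visible fault; with failures silenced it always finds the tag within 2^16 guesses and produces no fault for a defender to observe.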
"The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system. We have shown that pointer authentication as a last line of defense is not as absolute as we once thought. When pointer authentication was introduced, a whole category of bugs suddenly became much harder to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be larger."
However, PACMAN does not completely bypass all the security mechanisms on the M1 chip. It can only take existing vulnerabilities that pointer authentication protects against and, by finding the correct PAC, unlock their true potential in an attack. Because PACMAN cannot compromise a system without an existing software bug, the researchers believe there is no need to panic. "So far, no one has used PACMAN to create an end-to-end attack."
It is worth noting that pointer authentication is mainly used to protect the core operating system kernel. The study points out that the PACMAN attack works even against the kernel, which "has significant implications for future security work on all ARM systems with pointer authentication enabled. Future CPU designers should take this attack into account when building future secure systems, and developers should be careful not to rely solely on pointer authentication to protect their software."
MIT CSAIL plans to formally present the research at the International Symposium on Computer Architecture on June 18. After learning of the discovery, Apple issued a statement saying: "We would like to thank the researchers for their cooperation, because this proof of concept advances our understanding of these technologies. Based on our analysis and the details shared with us, we have concluded that this issue does not pose a direct risk to our users and is not sufficient to bypass the security protections of the operating system."