Apple’s blazing fast and remarkably efficient M1 chips have been the catalysts behind a recent MacBook revival, but MIT security researchers have discovered a crack in their armor.
Scientists at the MIT Computer Science & Artificial Intelligence Laboratory (CSAIL) revealed in a recent paper a vulnerability in what they call the “last line of security” for the M1 chip. The flaw could theoretically give bad actors a door to gain full access to the core operating system.
Before I go any further, M1 MacBook owners don’t have to worry about their sensitive data being stolen. While this is a serious vulnerability that needs to be addressed, there must be certain unlikely conditions for it to work. The system under attack must have an existing memory corruption bug in the first place. As such, the scientists say there is “no cause for immediate alarm.”
For its part, Apple thanked the researchers in a statement to TechCrunch but stressed that the “problem” poses no immediate risk to MacBook owners.
“We would like to thank the researchers for their collaboration as this proof of concept enhances our understanding of these techniques,” Apple said. “Based on our analysis and the details the researchers have shared with us, we have concluded that this issue poses no direct risk to our users and is insufficient to circumvent operating system security on its own.”
Getting into the technical bits, Apple’s M1 chip uses something called Pointer Authentication to detect and protect against unexpected changes to pointers in memory. MIT calls this the “last line of defense” and says it can catch bugs that would normally compromise a system and leak private information. It does this using pointer authentication codes (PACs), which reveal whether a pointer has been tampered with as a result of an attack. A PAC is a short cryptographic signature attached to a pointer; it is computed when the pointer is created and verified before the pointer is used.
As the researchers found, this line of defense can be broken. That’s where MIT’s PACMAN attack comes in. It guesses the value of a PAC using a hardware side channel, meaning a software patch will not fix the underlying problem. There are many possible values of a PAC, but with a side channel that reveals whether a guess is right or wrong, you can try them all until you hit the correct one without leaving any trace. In this scenario, the ghosts win.
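To make the mechanism concrete, here is an added Python simulation of pointer authentication, written for this article and not taken from the MIT paper or from Apple: an HMAC stands in for the hardware's QARMA cipher, and the 48-bit address / 16-bit PAC layout and the key are assumed values. It shows why a corrupted pointer fails the check, and how small the space of PAC values is.

```python
import hashlib
import hmac

# Assumed layout: 48 address bits, 16-bit PAC in the unused upper bits.
# Hardware keys a QARMA cipher from registers only the kernel can write;
# HMAC-SHA256 stands in for it in this simulation.
ADDR_BITS, PAC_BITS = 48, 16
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1
# Constructed stand-in key (deterministic); real keys never leave the CPU.
PAC_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


class PacFailure(Exception):
    """Hardware instead poisons the pointer so a later dereference faults."""


def compute_pac(addr: int, modifier: int) -> int:
    # The modifier binds the PAC to a context (e.g. the stack pointer for a
    # return address), so a valid PAC cannot be replayed elsewhere.
    msg = addr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(PAC_KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK

def sign(ptr: int, modifier: int) -> int:
    """PAC* instruction analogue: store the PAC in the top bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(addr, modifier) << ADDR_BITS)

def authenticate(signed_ptr: int, modifier: int) -> int:
    """AUT* instruction analogue: verify, then return the plain address."""
    addr = signed_ptr & ADDR_MASK
    if (signed_ptr >> ADDR_BITS) & PAC_MASK != compute_pac(addr, modifier):
        raise PacFailure(f"bad PAC on {signed_ptr:#018x}")
    return addr

def is_valid(signed_ptr: int, modifier: int) -> bool:
    try:
        authenticate(signed_ptr, modifier)
        return True
    except PacFailure:
        return False

def detects_overwrite(signed_ptr: int, modifier: int, new_addr: int) -> bool:
    """A memory-corruption bug rewrites the address bits but cannot compute
    the PAC; authentication should reject the forged pointer."""
    forged = (signed_ptr & (PAC_MASK << ADDR_BITS)) | (new_addr & ADDR_MASK)
    return not is_valid(forged, modifier)

def pac_guess_space() -> int:
    """Distinct PAC values: few enough that a crash-free right/wrong oracle
    per guess makes exhaustive guessing practical."""
    return 1 << PAC_BITS
```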
“The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from taking control of your system. We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was,” said MIT CSAIL Ph.D. student Joseph Ravichandran, co-lead author of the paper.
“When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks. Now that PACMAN makes these bugs more severe, the total attack surface could be a lot bigger,” Ravichandran added.
Since pointer authentication is used to protect the core of the operating system, bypassing it can give attackers access to sensitive parts of a system. As the researchers note, “An attacker who gains control of the kernel can do whatever they want on a device.”
In this proof of concept, the researchers showed that the PACMAN attack can be used to attack the kernel, which has “huge implications for future security work on all ARM systems with pointer authentication enabled. Future CPU designers should consider this attack when building tomorrow’s secure systems,” Ravichandran warned. “Developers need to make sure they don’t rely solely on pointer authentication to protect their software.”
Apple uses pointer authentication on all of its ARM-based chips, including the M1, M1 Pro, and M1 Max. MIT said it has not tested this attack on the recently unveiled M2 processor set to power the new MacBook Air and 13-inch MacBook Pro. Qualcomm and Samsung have announced, or are about to ship, processors that use the security feature.
The researchers outlined three methods to prevent such an attack in the future. One is tweaking the software so that PAC verification is never performed under speculation, meaning an attacker cannot go incognito while trying to infiltrate. Another possible solution is to defend against PACMAN in the same way that Spectre vulnerabilities are mitigated. And finally, patching memory corruption bugs would eliminate the need for this last line of defense.
Apple Wins Lawsuit Over Spectre and Meltdown Security Flaws
In related news, a judge dismissed a class action lawsuit against Apple for allegedly selling iPhones and iPads to customers with processors vulnerable to the devastating Spectre and Meltdown flaws. U.S. District Judge Edward Davila in San Jose, California ruled that customers failed to prove that they were overpaying for devices because Apple deliberately concealed flaws, as reported by Reuters. They also didn’t provide enough evidence that a security patch pushed to those devices made them significantly slower.