“PACMAN” Hack Can Break Apple M1’s Last Line of Defense
Apple's M1 processor made a big splash on its November 2020 release, noteworthy for its eye-popping performance and miserly power consumption. But the value of its security may not be as obvious at first blush. A lack of serious attacks since its launch nearly two years ago indicates that its security systems, among them a last line of defense called pointer authentication codes, are working well. But its honeymoon period could possibly be coming to an end.
At the International Symposium on Computer Architecture later this month, researchers led by MIT's Mengjia Yan will present a mode of attack that so weakens the pointer authentication code (PAC) defense that the core of a computer's operating system is made vulnerable. And because PACs may be incorporated in future processors built from the 64-bit Arm architecture, the vulnerability could become more widespread. It's possible that other processors are already using PACs, but the M1 was the only one available to Yan's lab.
"What we found is actually quite fundamental," says Yan. "It's a class of attack. Not one bug."
The vulnerability, called PACMAN, assumes that there is already a software bug in operation on the computer that can read and write to different memory addresses. It then exploits a detail of the M1 hardware architecture to give that bug the power to execute code and possibly take over the operating system. "We assume the bug is there and we make it into a more serious bug," says Joseph Ravichandran, a student of Yan's who worked on the exploit with fellow students Weon Taek Na and Jay Lang.
To understand how the attack works, you have to get a handle on what pointer authentication is and how a detail of processor architecture called speculative execution works. Pointer authentication is a way to guard against software attacks that try to corrupt data that holds memory addresses, or pointers. For example, malicious code might execute a buffer overflow attack, writing more data than expected into a part of memory, with the excess spilling over into a pointer and overwriting it. Instead of the computer's software executing code stored at the original address, it would then be diverted to malware stored at the new one.
Pointer authentication appends a cryptographic signature to the end of the pointer. If there is any malicious manipulation of the pointer, the signature will no longer match it. PACs are used to guard the core of the system's operating system, the kernel. If an attacker got so far as to manipulate a kernel pointer, the mismatch between the pointer and its authentication code would produce what's called an "exception," and the system would crash, ending the malware's attack. Malware would have to be extremely lucky to guess the right code: the odds are about 1 in 65,000.
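To make the mechanism concrete, here is a simplified model of pointer signing and authentication, written for this article rather than taken from Apple's implementation or the researchers' work. It assumes 48-bit virtual addresses, a 16-bit PAC stored in the pointer's unused upper bits, HMAC-SHA256 as a stand-in for the hardware cipher, and a constructed sample key.

```python
import hmac
import hashlib

# Simplified model of pointer authentication codes (PACs), constructed for this
# article; it is NOT Apple's M1 implementation (which uses a different cipher and
# key handling). Assumed: 48-bit addresses, 16-bit PAC in the top bits, secret key.

PAC_BITS = 16
ADDR_BITS = 64 - PAC_BITS
ADDR_MASK = (1 << ADDR_BITS) - 1
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key

class PointerAuthError(Exception):
    """Models the hardware exception raised on a PAC mismatch."""

def compute_pac(address: int, context: int, key: bytes = KEY) -> int:
    """MAC over the address and a context value (a 'modifier'), truncated to
    PAC_BITS. HMAC-SHA256 stands in for the hardware cipher."""
    msg = (address & ADDR_MASK).to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little")  # two bytes == 16 bits

def sign_pointer(address: int, context: int) -> int:
    """Embed the PAC in the unused upper bits of the pointer."""
    return (compute_pac(address, context) << ADDR_BITS) | (address & ADDR_MASK)

def authenticate_pointer(signed: int, context: int) -> int:
    """Return the raw address if the PAC matches; otherwise raise, which on the
    M1 means a crash (and, for a kernel pointer, a system crash)."""
    address = signed & ADDR_MASK
    if (signed >> ADDR_BITS) != compute_pac(address, context):
        raise PointerAuthError(f"PAC mismatch for pointer {signed:#018x}")
    return address

def survives_corruption(signed: int, context: int, new_address: int) -> bool:
    """Overwrite the address bits (as a buffer overflow would) but keep the old
    PAC, then report whether the corrupted pointer still authenticates."""
    corrupted = (signed & ~ADDR_MASK) | (new_address & ADDR_MASK)
    try:
        authenticate_pointer(corrupted, context)
        return True
    except PointerAuthError:
        return False

if __name__ == "__main__":
    ptr = sign_pointer(0x1000_0000_4000, context=0)
    print(f"{ptr:#018x} authenticates:", authenticate_pointer(ptr, 0) == 0x1000_0000_4000)
    print("overwritten pointer still authenticates:", survives_corruption(ptr, 0, 0x1000_0000_5000))
```

Without the key, an attacker who redirects the pointer can only keep the old PAC or guess a new one, and any wrong guess raises the exception; the 16-bit field is where the roughly 1-in-65,000 odds come from.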
PACMAN finds a way for malware to keep guessing over and over without any wrong guess triggering a crash. How it does this goes to the heart of modern computing. For decades now, computers have been speeding up processing using what's called speculative execution. In a typical program, which instruction comes next often depends on the outcome of the previous instruction (think if/then). Rather than wait around for the answer, modern CPUs will speculate (make an educated guess) about what comes next and start executing instructions along those lines. If the CPU guessed right, this speculative execution has saved a bunch of clock cycles. If it turns out to have guessed wrong, all the work is thrown out, and the processor begins along the correct sequence of instructions. Importantly, the mistakenly computed values are never visible to the software. There is no program you could write that would simply output the results of speculative execution.
However, over the past several years, researchers have discovered ways to exploit speculative execution to do things like sneak data out of CPUs. These are called side-channel attacks, because they acquire data by observing indirect signals, such as how much time it takes to access data. Spectre and Meltdown are perhaps the best known of these side-channel attacks.
Yan's group came up with a way to trick the CPU into guessing pointer authentication codes in speculation so that an exception never arises and the OS doesn't crash. Of course, the answer is still invisible to software. But a side-channel trick, involving stuffing a particular buffer with data and using timing to uncover which part of it the successful speculation replaces, provides the answer. [A similar concept is explained in more detail in "How the Spectre and Meltdown Hacks Really Worked," IEEE Spectrum, 28 February 2019.]
With regard to PACMAN, Apple's product team provided this response to Yan's group:
"We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques. Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own."
Other researchers familiar with PACMAN say that how dangerous it really is remains to be seen. "However, PACMAN increases the number of things we have to worry about when designing new security solutions," says Nael Abu-Ghazaleh, chair of computer engineering at University of California, Riverside, and an expert in architecture security, including speculative execution attacks. Processor makers have been adding new security solutions besides pointer authentication to their designs in recent years. He suspects that now that PACMAN has been revealed, other research will begin to find speculative attacks against these new solutions.
Yan's group explored some naive solutions to PACMAN, but they tended to increase the processor's overall vulnerability. "It's always an arms race," says Keith Rebello, the former program manager of DARPA's System Security Integrated Through Hardware and firmware (SSITH) program and currently a senior technical fellow at the Boeing Company. "PACs are there to make it much harder to exploit a system, and they have made it a lot harder. But is it the complete solution? No." He's hopeful that tools developed through SSITH, such as rapid re-encryption, could help.
Abu-Ghazaleh credits Yan's group with opening a door to a new aspect of processor security.
"People used to think software attacks were standalone and separate from hardware attacks," says Yan. "We are trying to look at the intersection between the two threat models. Many other mitigation mechanisms exist that are not well studied under this new compounding threat model, so we consider the PACMAN attack as a starting point."