PACMAN Can Bypass The M1’s Pointer Authentication
You’ve seen the commercials and heard it from any Apple fans you might know: Apple is for security and not vulnerable to the viruses that take out PCs. While not entirely untrue, the success of those PR campaigns has led people to overestimate just how invulnerable the Apple product they purchase actually is. The latest example is the hardware vulnerability PACMAN, which targets Apple’s M1 chip and bypasses pointer authentication, one of the security features the chip is sold on.
The M1 implements Arm’s pointer authentication (PAC): when a pointer is signed, a keyed cryptographic tag is stored in its otherwise unused upper bits, and any change to the pointer should be detected when it is authenticated before use, with the failed check producing an invalid pointer that crashes the process rather than letting the hijacked code run. That crash is what normally makes guessing a PAC impractical. PACMAN gets around it: by testing guesses under speculative execution and observing the result through a microarchitectural side channel, the attack can learn whether a guessed PAC value for a forged pointer is correct without ever triggering the crash. It is also rather effective, with the researchers needing 2.94 minutes to recover the correct value for a 16-bit PAC and construct a control-flow hijacking attack. Worth keeping in mind: PACMAN does not create a memory-corruption bug on its own, it removes the mitigation that stands between an existing bug and control-flow hijacking, and since the leak comes from the hardware it is not something a software update can simply remove. You can dive deeper into the details with this story at The Register.
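To make the mechanism concrete, here is an added C model of how a 16-bit PAC is signed and authenticated and why the crash on a failed check normally frustrates guessing. This is illustration code written for this article, not code from the PACMAN researchers, Apple or Arm. It assumes a 48-bit user address space (so the top 16 bits of a pointer are free for the PAC), uses the splitmix64 mixer as a stand-in for the QARMA cipher the real hardware uses, and the key, pointer and modifier values are made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of Arm pointer authentication (PAC). Assumptions for illustration:
 * a 48-bit user address space, so the top 16 bits of a pointer can hold the
 * PAC, and a small keyed mixer standing in for the real QARMA cipher. */
#define VA_BITS   48
#define PAC_BITS  16
#define ADDR_MASK ((1ULL << VA_BITS) - 1)
#define PAC_MASK  (((1ULL << PAC_BITS) - 1) << VA_BITS)

/* splitmix64 finaliser: a decent mixer, NOT a cryptographic MAC (stand-in). */
static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Keyed tag over (address, modifier), truncated to PAC_BITS and placed in the
 * pointer's unused top bits. The modifier (e.g. stack pointer or a type
 * discriminator) binds the signature to a context. */
static uint64_t compute_pac(uint64_t key, uint64_t addr, uint64_t modifier) {
    uint64_t t = mix64(key ^ mix64(addr ^ mix64(modifier)));
    return (t << VA_BITS) & PAC_MASK;
}

/* PACIA-style sign: replace the pointer's top bits with its PAC. */
uint64_t pac_sign(uint64_t key, uint64_t ptr, uint64_t modifier) {
    uint64_t addr = ptr & ADDR_MASK;
    return addr | compute_pac(key, addr, modifier);
}

/* AUTIA-style authenticate: on success return the plain address; on failure
 * return a poisoned, non-canonical pointer (bit 62 set in this model) so a
 * later dereference faults. That fault is the "crash" PACMAN avoids. */
uint64_t pac_auth(uint64_t key, uint64_t signed_ptr, uint64_t modifier, bool *ok) {
    uint64_t addr = signed_ptr & ADDR_MASK;
    bool good = (signed_ptr & PAC_MASK) == compute_pac(key, addr, modifier);
    if (ok) *ok = good;
    return good ? addr : (addr | (1ULL << 62));
}

/* Forging a pointer to attacker-chosen `target` without the key means guessing
 * its PAC. This tries every value until one authenticates and returns how
 * many were tried; *crashes is the number of wrong guesses, i.e. how many
 * faults the architectural check would have produced along the way.
 * PACMAN's speculative oracle answers the same yes/no question silently. */
unsigned brute_force_pac(uint64_t key, uint64_t target, uint64_t modifier,
                         uint64_t *forged, unsigned *crashes) {
    uint64_t addr = target & ADDR_MASK;
    unsigned tried = 0;
    for (uint64_t g = 0; g < (1ULL << PAC_BITS); g++) {
        uint64_t candidate = addr | (g << VA_BITS);
        bool ok;
        tried++;
        pac_auth(key, candidate, modifier, &ok);
        if (ok) {
            *forged = candidate;
            if (crashes) *crashes = tried - 1;
            return tried;
        }
    }
    return tried; /* not reached: exactly one of the 2^16 values matches */
}

int main(void) {
    const uint64_t key = 0x0123456789abcdefULL;  /* assumed secret PAC key */
    const uint64_t fn  = 0x00007fff00401000ULL;  /* assumed code address */
    uint64_t signed_fn = pac_sign(key, fn, 0);
    bool ok;
    printf("signed   : 0x%016llx\n", (unsigned long long)signed_fn);
    pac_auth(key, signed_fn, 0, &ok);
    printf("auth ok  : %d\n", ok);
    pac_auth(key, signed_fn ^ 0x10, 0, &ok);    /* attacker flips an address bit */
    printf("tampered : %d\n", ok);
    uint64_t forged; unsigned crashes;
    unsigned tried = brute_force_pac(key, fn, 0, &forged, &crashes);
    printf("forged in %u guesses (%u of them would have crashed)\n", tried, crashes);
    return 0;
}
```

The point of the last function is the economics: with only the architectural check as an oracle, every wrong guess is a process crash, so an attacker expects tens of thousands of crashes before landing the right 16-bit value, which is both slow and very loud. Give the attacker a way to ask "would this authenticate?" without the crash, which is what PACMAN's speculative side channel provides, and the same loop becomes a quiet 65,536-trial search.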
We can hope that the Apple M2 chip includes mitigations for this, though nothing of the sort was mentioned during Apple’s WWDC 2022 keynote. What Apple did claim is that the new eight-core M2 CPU delivers 87% of the peak performance of Intel’s 12-core Core i7-1260P while drawing a mere quarter of that Alder Lake chip’s power, and that it offers almost twice the processing power of the Core i7-1255U at the same power consumption as the Intel chip.