New PACMAN hardware attack targets Macs with Apple M1 CPUs

A new hardware attack targeting Pointer Authentication in Apple M1 CPUs with speculative execution enables attackers to gain arbitrary code execution on Mac systems.

Pointer Authentication is a security feature that adds a cryptographic signature, known as a pointer authentication code (PAC), to pointers, allowing the operating system to detect and block unexpected changes that would otherwise lead to data leaks or system compromise.

Discovered by researchers at MIT’s Computer Science & Artificial Intelligence Laboratory (CSAIL), this new class of attack would allow threat actors with physical access to Macs with Apple M1 CPUs to access the underlying filesystem.

To do that, the attackers first need to find a memory bug affecting software on the targeted Mac that would be blocked by PAC and that can be escalated into a more severe security issue after bypassing PAC defenses.

“PACMAN takes an existing software bug (memory read/write) and turns it into a more serious exploitation primitive (a pointer authentication bypass), which may lead to arbitrary code execution. In order to do this, we need to learn what the PAC value is for a particular victim pointer,” the researchers explained.

“PACMAN does this by creating what we call a PAC Oracle, which is the ability to tell if a given PAC matches a specified pointer. The PAC Oracle must never crash if an incorrect guess is supplied. We then brute force all possible PAC values using the PAC Oracle.”

While Apple can’t patch the hardware to block attacks using this exploitation technique, the good news is that end-users don’t need to be worried as long as they keep their software up to date and free of bugs that could be exploited to gain code execution using PACMAN.

“PACMAN is an exploitation technique - on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be,” the researchers added.

While this attack would typically lead to a kernel panic, crashing the entire system, PACMAN ensures that no system crashes occur and leaves no traces in logs.
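The following toy model is an added example, not code from the article or from the researchers. It shows why faulting on a bad PAC is what protects a short signature, and what a crash-free oracle takes away. The 48-bit address width, the 16-bit PAC, the HMAC-SHA256 stand-in for the hardware's keyed function, and all function names and addresses are assumptions made for illustration.

```python
import hashlib
import hmac

# Assumptions for this toy model (not taken from the article): 48 address bits,
# a 16-bit PAC in the unused upper bits, and HMAC-SHA256 standing in for the
# hardware's keyed function.
VA_BITS, PAC_BITS = 48, 16
VA_MASK = (1 << VA_BITS) - 1
KEY = b"constructed-demo-key"  # constructed; real keys live in CPU registers


class AuthFailure(Exception):
    """Stands in for the fault (kernel panic) raised on a bad PAC."""


def compute_pac(ptr: int, key: bytes = KEY) -> int:
    digest = hmac.new(key, (ptr & VA_MASK).to_bytes(8, "little"), hashlib.sha256).digest()
    return int.from_bytes(digest[:PAC_BITS // 8], "little")


def sign(ptr: int, key: bytes = KEY) -> int:
    """Return the pointer with its PAC stored in the upper bits."""
    return (compute_pac(ptr, key) << VA_BITS) | (ptr & VA_MASK)


def authenticate(signed: int, key: bytes = KEY) -> int:
    """Strip and check the PAC; a mismatch faults instead of returning."""
    ptr, pac = signed & VA_MASK, signed >> VA_BITS
    if pac != compute_pac(ptr, key):
        raise AuthFailure(hex(signed))
    return ptr


def overwrite_address(signed: int, new_ptr: int) -> int:
    """Model a memory-write bug: address bits replaced, stale PAC kept."""
    return (signed >> VA_BITS << VA_BITS) | (new_ptr & VA_MASK)


def oracle_queries(ptr: int, key: bytes = KEY) -> int:
    """Count yes/no answers a crash-free PAC oracle gives before a match."""
    for queries, guess in enumerate(range(1 << PAC_BITS), start=1):
        try:
            authenticate((guess << VA_BITS) | (ptr & VA_MASK), key)
            return queries
        except AuthFailure:
            continue  # with a real fault, the first miss would end the attempt
    raise RuntimeError("unreachable: some PAC value always matches")


if __name__ == "__main__":
    good = sign(0x0000_1000_2000)  # constructed sample address
    forged = overwrite_address(good, 0x0000_4141_4000)
    print(hex(authenticate(good)), oracle_queries(0x0000_4141_4000), hex(forged))
```

In this model the search space is bounded by `1 << PAC_BITS`, so the only thing stopping enumeration is that each wrong guess faults; this is why patching the underlying memory corruption bug remains the effective mitigation.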

Apple: No immediate risk to users

The MIT CSAIL researchers reported their findings and shared proof-of-concept attacks and code with Apple, exchanging info with the company since 2021.

Apple says this new side-channel attack doesn’t represent a danger to Mac users, given that it also requires other security vulnerabilities to be effective.

“We want to thank the researchers for their collaboration as this proof-of-concept advances our understanding of these techniques,” an Apple spokesperson told BleepingComputer.

“Based on our analysis, as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass device protections on its own.”

Security experts have argued that the attack doesn’t come with “real-world utility,” which was confirmed by Joseph Ravichandran, an MIT Ph.D. student and one of the four researchers behind PACMAN.

You can find more technical details about this novel hardware attack on the dedicated site and in the “PACMAN: Attacking ARM Pointer Authentication with Speculative Execution” paper [PDF] that will be presented at the International Symposium on Computer Architecture on June 18.


Source: https://www.bleepingcomputer.com/news/security/new-pacman-hardware-attack-targets-macs-with-apple-m1-cpus/
