Compiled by | Su Mi
Produced by | CSDN (ID: CSDNnews)
For a long time, the security of Apple products, whether operating systems or hardware such as chips, has given people a sense of reassurance. Of course, that is only relative.
Recently, the MIT Computer Science and Artificial Intelligence Laboratory (MIT CSAIL) released a new research report in which researchers say they have found a way to defeat the so-called "last line of defense" on Apple's M1 SoC.


The vulnerability cannot be fixed
In fact, the Apple M1 has been widely praised by the industry since its release in 2020. It not only lifted the Mac to a new level of performance, but also opened a new chapter in Apple's control over its own hardware and software ecosystem.
However, as news of a new vulnerability built into the M1 chip spread, it quickly drew the attention of many security experts.
According to IEEE Spectrum, the vulnerability lies in the M1 chip's hardware-level security mechanism PAC (pointer authentication codes), and it cannot be repaired.
MIT CSAIL plans to present the attack at the International Symposium on Computer Architecture on June 18. The work was led by Mengjia Yan, who earned her bachelor's degree at Zhejiang University and is now an assistant professor in MIT's Department of Electrical Engineering and Computer Science and a member of the Computer Science and Artificial Intelligence Laboratory.

The new attack, called PACMAN, bypasses pointer authentication (PAC) on the Apple M1 CPU, ultimately leaving the core of the computer's operating system exposed. Pointer authentication is a security feature that attaches cryptographic signatures to pointers, helping protect the CPU against attackers who have already gained memory access.
IEEE Spectrum notes that the vulnerability may become more widespread, since PACs may be integrated into future processors built on the 64-bit Arm architecture.

How the attack works
Specifically, the MIT CSAIL researchers found that PACMAN allows an attacker with physical access to a Mac with an Apple M1 CPU to reach the underlying file system.

Source: https://pacmanattack.com/
Of course, there are prerequisites for carrying out an attack with PACMAN.
First, the attacker needs a memory bug in software on the Mac that allows reading and writing at different memory addresses. PACMAN then exploits details of the M1 hardware architecture to turn that bug into code execution, potentially even taking over the operating system.
As the researchers put it during their verification: "We first assume that the vulnerability is there, but we turn it into a more serious vulnerability."
PACMAN was born from combining a hardware mitigation against software attacks with microarchitectural side channels. Its core method uses speculation to leak the result of PAC verification without causing any crash in the system.

As for how this is done, the researchers say it touches the core of modern computing. "For decades, computers have used so-called speculative execution to speed up processing. In a traditional program, which instruction comes next usually depends on the result of the previous instruction (think if/then). Modern CPUs do not wait for the answer; they make an educated guess and start executing instructions down that path. If the CPU guesses correctly, speculative execution saves many clock cycles. If the guess is wrong, everything is rolled back and the processor starts again with the correct sequence of instructions. Importantly, the misspeculated values are never visible to the software. No program can simply output the results of speculative execution."
However, over the past few years, researchers have discovered ways to abuse speculative execution, for example to secretly pull data out of the CPU. These are called side-channel attacks because they obtain data by observing indirect signals, such as the time it takes to access data. Spectre and Meltdown, which once swept the world, are representative side-channel attacks.
The MIT researchers came up with a way to trick the CPU into guessing the pointer authentication code so that no exception is raised and the operating system does not crash. The answer is still invisible to the software, so the technique involves filling a specific buffer with data and using timing to reveal which guess the CPU speculated successfully.
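To make the mechanism PACMAN targets concrete, here is a small Python model of pointer authentication. It is added here and is not code from MIT CSAIL or Apple; its 48/16-bit address split, HMAC-based PAC, demo key and poisoned-pointer failure are constructed simplifications of the Armv8.3 design. It shows why a failed authentication normally ends in a crash, which is the behaviour the attack's speculative check sidesteps.

```python
import hmac
import hashlib

VA_BITS = 48                          # address bits in this model; the rest hold the PAC
PAC_BITS = 64 - VA_BITS               # 16-bit PAC, so only 2**16 possible values
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS
POISON = 1 << 63                      # marks a pointer that failed authentication

# Constructed demo key; on real hardware the key sits in privileged system registers.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def compute_pac(address: int, modifier: int) -> int:
    """Truncated MAC over (address, modifier); stands in for the hardware PAC cipher."""
    msg = address.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << PAC_BITS) - 1)


def pac_sign(pointer: int, modifier: int) -> int:
    """Like Arm PACIA/PACDA: store the PAC in the unused upper bits of the pointer."""
    address = pointer & VA_MASK
    return address | (compute_pac(address, modifier) << VA_BITS)


def pac_auth(signed: int, modifier: int) -> tuple[bool, int]:
    """Like Arm AUTIA/AUTDA: verify and strip the PAC.
    Success returns the clean address. Failure returns a poisoned pointer whose
    dereference faults, which is why guessing PACs normally crashes the process."""
    address = signed & VA_MASK
    given = (signed & PAC_MASK) >> VA_BITS
    if given == compute_pac(address, modifier):
        return True, address
    return False, address | POISON


def demo() -> dict:
    """Sign a return address, then try the two things an attacker with a memory
    write bug might do: retarget the pointer, or replay it in another context."""
    target = 0x00007FFF12345678          # constructed: a legitimate return address
    ctx = 0x00007FFFFFEE0000             # constructed: modifier, e.g. the stack pointer
    signed = pac_sign(target, ctx)
    ok, addr = pac_auth(signed, ctx)
    # Overwrite the address bits but keep the old PAC (the attacker lacks the key).
    hijacked = (signed & PAC_MASK) | (0x00007FFFDEADBEEF & VA_MASK)
    ok_hijack, addr_hijack = pac_auth(hijacked, ctx)
    # Reuse the validly signed pointer under a different modifier.
    ok_replay, _ = pac_auth(signed, ctx ^ 0x1000)
    return {"valid": ok and addr == target,
            "hijack_rejected": not ok_hijack and bool(addr_hijack & POISON),
            "replay_rejected": not ok_replay,
            "pac_space": 1 << PAC_BITS}
```

The small `pac_space` is why leaking the verification result through a side channel matters: without the crash on each wrong guess, the tag can be enumerated.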

Apple: There is no direct risk to users
So far, MIT CSAIL says it has demonstrated PACMAN only on the Apple M1 CPU; the situation on other platforms or versions is not yet known. Note, however, that PACMAN, like Spectre, leaves no logs, so users cannot tell whether their devices have been attacked.
So, will this have any impact on ordinary users?
MIT CSAIL says: "As long as you keep your software up to date, you should be fine. PACMAN is an exploitation technique; by itself it cannot harm users' systems. Although the hardware mechanism that PACMAN relies on cannot be patched through software features, memory corruption bugs can be."
The MIT researchers also shared the proof-of-concept attack and code with Apple as soon as they reported their findings. Apple's product team responded to Yan's team:
"We want to thank the researchers for their cooperation, as this proof of concept advances our understanding of these techniques. Based on our analysis and the details shared with us by the researchers, we have concluded that this issue poses no direct risk to our users and is not sufficient on its own to bypass device protections."
Some netizens also commented, "Accordingly, M2 was announced at WWDC22 a while ago. If M1 is unsafe, it is time to switch to M2." In reality, however, it is still unknown whether the M2 chip fixes this newly disclosed vulnerability.
References:
https://pacmanattack.com/
https://spectrum.ieee.org/pacman-hack-can-break-apple-m1s-last-line-of-defense
http://pacmanattack.com/paper.pdf