MIT discovers new hardware vulnerability in Apple M1
MIT discovers new hardware vulnerability in Apple M1: it can break through a security mechanism without leaving a trace.
Scientists at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have released a study describing a new type of hardware attack, known as PACMAN, that can bypass the pointer authentication mechanism on the Apple M1 CPU.
According to the researchers, the M1 chip uses pointer authentication, which serves as the last line of defense against typical software vulnerabilities.
With pointer authentication enabled, vulnerabilities that typically compromise systems or leak private information are blocked in their tracks.
Currently, Apple has implemented pointer authentication on all of its custom ARM-based chips.
And this new vulnerability discovered by MIT can break through this last line of defense without leaving a trace.
Also, because PACMAN exploits a hardware mechanism, no software patch can fix it.
MIT said that Apple’s M2 chip also supports pointer authentication, but they have not tested it for related attacks.
The study pointed out that an attacker can carry out a PACMAN attack by guessing the value of the Pointer Authentication Code (PAC) and thereby defeating the check.
PAC is a cryptographic signature that can be used to confirm that an application has not been maliciously tampered with.
It is not difficult to guess the correct value, and the attacker can check the correctness of the guess through the hardware side channel.
“Given that there are only so many possible values for PAC, they found that they could try all the values to find the right one.”
Crucially, since the guessing happens under speculative execution, the attack leaves no trace.
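To make the mechanism the article describes concrete, here is an added toy model of pointer authentication (example code written for this page, not Apple's, ARM's or MIT's code). It assumes 48-bit virtual addresses with a 16-bit PAC stored in the unused top bits, a constructed secret key, and a simple 64-bit mixing function standing in for the real cipher; `pac_sign`, `pac_auth`, `pac_candidate_count`, `DEMO_KEY` and the addresses are illustrative names and values. It shows what the "last line of defense" actually checks: a pointer that a software bug has corrupted no longer carries a matching tag, and the tag space is only 2^PAC_BITS values, which is what "only so many possible values for PAC" refers to.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of ARM pointer authentication (added illustration, not Apple's or
 * ARM's implementation). Assumptions: 48-bit virtual addresses, so the upper
 * 16 bits of a pointer are free to hold the PAC; a 128-bit secret key held by
 * the "kernel"; and a simple 64-bit mixing function standing in for the real
 * block cipher. The PAC width and the mixer are illustrative choices. */

#define VA_BITS  48
#define PAC_BITS (64 - VA_BITS)
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK ((1ULL << PAC_BITS) - 1)

typedef struct { uint64_t k0, k1; } pac_key;

/* Constructed secret; on real hardware the key lives in system registers
 * that user space cannot read. */
static const pac_key DEMO_KEY = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

static uint64_t mix64(uint64_t x) {
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Keyed tag over (address, modifier), truncated to PAC_BITS. The modifier
 * binds the signature to a context (for example a stack frame or object
 * address) so a valid signed pointer cannot simply be replayed elsewhere. */
static uint64_t compute_pac(const pac_key *k, uint64_t addr, uint64_t modifier) {
    uint64_t h = mix64(addr ^ k->k0);
    h = mix64(h ^ modifier ^ k->k1);
    return h & PAC_MASK;
}

/* Analogue of a PAC sign instruction: embed the tag in the top bits. */
uint64_t pac_sign(const pac_key *k, uint64_t addr, uint64_t modifier) {
    uint64_t plain = addr & VA_MASK;
    return plain | (compute_pac(k, plain, modifier) << VA_BITS);
}

/* Analogue of an authenticate instruction: recompute and compare. Returns
 * true and the stripped address on success. Real hardware returns no flag;
 * it poisons the pointer so a later dereference faults, or traps directly. */
bool pac_auth(const pac_key *k, uint64_t signed_ptr, uint64_t modifier, uint64_t *out) {
    uint64_t plain = signed_ptr & VA_MASK;
    uint64_t expected = compute_pac(k, plain, modifier);
    uint64_t presented = signed_ptr >> VA_BITS;
    if (expected != presented) {
        *out = 0;
        return false;
    }
    *out = plain;
    return true;
}

/* Size of the tag space under these assumptions: the number of values that
 * have to be distinguished without knowledge of the key. */
uint64_t pac_candidate_count(void) {
    return 1ULL << PAC_BITS;
}

int main(void) {
    uint64_t target = 0x0000000100004000ULL;   /* constructed code address */
    uint64_t frame  = 0x00007ffeefbff000ULL;   /* constructed modifier */
    uint64_t signed_ptr = pac_sign(&DEMO_KEY, target, frame);
    uint64_t out;

    printf("signed pointer: 0x%016llx\n", (unsigned long long)signed_ptr);
    printf("legit auth:     %s\n",
           pac_auth(&DEMO_KEY, signed_ptr, frame, &out) ? "ok" : "fail");

    /* A memory-corruption bug that overwrites the address bits (redirecting
     * the pointer elsewhere) leaves the stored tag mismatched. */
    uint64_t corrupted = (signed_ptr & ~VA_MASK) | ((target + 0x100) & VA_MASK);
    printf("corrupted auth: %s\n",
           pac_auth(&DEMO_KEY, corrupted, frame, &out) ? "ok" : "fail");
    printf("PAC candidates: %llu\n", (unsigned long long)pac_candidate_count());
    return 0;
}
```

Compile with any C99 compiler and run. The design point is the one the article makes: the check adds a tag that an existing bug cannot forge without the key, so it raises the bar for a corrupted pointer rather than removing the bug, and its strength is bounded by the small tag space, which is why it should not be the only mitigation a system relies on.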
“The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from taking control of your system.
We’ve shown that pointer authentication as a last line of defense is not as absolute as we once thought.
When pointer authentication was introduced, a large class of bugs suddenly became harder to attack.
As PACMAN increases the severity of these bugs, the overall attack surface is likely to be larger.”
However, PACMAN does not completely bypass all the security facilities on the M1 chip; it can only exploit the existing vulnerability that pointer authentication prevents, and by finding the right PAC, unlock the vulnerability’s true potential in an attack.
Because PACMAN can’t break a system without existing software bugs, the researchers think there’s no need to panic. “So far, no one has used PACMAN to create an end-to-end attack.”
It is worth noting that pointer authentication is mainly used to protect the core operating system kernel.
The study notes that the PACMAN attack is effective even against the kernel, which “has significant implications for future security efforts on all ARM systems with pointer authentication enabled. Future CPU designers should take care to consider this attack when building future secure systems, and developers should take care not to rely solely on pointer authentication to protect their software.”
MIT CSAIL plans to formally present the research at the June 18 International Symposium on Computer Architecture.
Apple issued a statement after learning of the discovery, saying, “We would like to thank the researchers for their collaboration as this proof of concept advances our understanding of these technologies. Based on our analysis and the details the researchers shared with us, we have concluded that this issue does not pose an immediate risk to our users and is not sufficient to bypass the security protections of the operating system on its own.”