William Shakespeare may have anticipated Apple’s recently released M1 chip with a line from “A Midsummer Night’s Dream”: “And though she be but little, she is fierce.”
Apple’s software runs on tiny squares of custom silicon that make up the company’s most powerful chip to date, with industry-leading power efficiency.
Despite the chip’s power, however, there is no shortage of concern about security holes, since a hole can mean sensitive data and personal information leaking out. Recently, the chip was found to have a security flaw that was quickly judged to be harmless.
The M1 chip uses a feature called pointer authentication, which acts as a last line of defense against typical software vulnerabilities. With pointer authentication enabled, common bugs that could otherwise compromise the system or leak personal information are stopped in their tracks.
Now, researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) have found a vulnerability: their new hardware attack, called PACMAN, shows that pointer authentication can be defeated without leaving a trace. Furthermore, PACMAN relies on a hardware mechanism, so no software patch can fix it.
A pointer authentication code, abbreviated PAC, is a signature that confirms that the program’s state has not been maliciously altered. Enter the PACMAN attack. The team showed that it is possible to guess a value for a PAC and learn whether the guess is correct through a hardware side channel. Since there are only so many possible PAC values, they found they could try all of them to find the correct one. Most importantly, because all the guessing happens under speculative execution, the attack leaves no trace.
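The two facts the paragraph above rests on, that a PAC is a keyed signature over the pointer and that there are only so many possible values, are easier to see in a small model. The following Python is an added illustration, not code from the MIT paper or from Apple: it stands in an HMAC-SHA256 truncated to 16 bits for the hardware cipher, assumes 48-bit virtual addresses with the PAC stored in the unused top 16 bits, and uses a constructed demo key. The last function counts the defender-visible signal that an architectural search for the right PAC would produce: every failed authentication is a fault the operating system sees, which is exactly what a speculative search avoids.

```python
import hashlib
import hmac

# Constructed model of pointer authentication. Real hardware computes the PAC
# with a block cipher (QARMA) and a key the kernel never exposes; here an
# HMAC-SHA256 tag truncated to PAC_BITS plays that role.
VA_BITS = 48                    # assumption: 48-bit virtual address space
PAC_BITS = 16                   # assumption: PAC lives in the unused top 16 bits
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1

DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key


def compute_pac(ptr: int, context: int, key: bytes) -> int:
    """PAC = MAC(key, pointer || context), truncated to PAC_BITS bits."""
    msg = (ptr & VA_MASK).to_bytes(8, "little") + (context & VA_MASK).to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def sign_pointer(ptr: int, context: int, key: bytes) -> int:
    """Embed the PAC in the high bits of the pointer (the PAC* instructions)."""
    return (ptr & VA_MASK) | (compute_pac(ptr, context, key) << VA_BITS)


class AuthFailure(Exception):
    """Architectural authentication failure: on real hardware this is a fault."""


def authenticate(signed: int, context: int, key: bytes) -> int:
    """Check the PAC and return the bare pointer (the AUT* instructions)."""
    ptr = signed & VA_MASK
    if (signed >> VA_BITS) & PAC_MASK != compute_pac(ptr, context, key):
        raise AuthFailure(hex(signed))
    return ptr


def verify_ok(signed: int, context: int, key: bytes) -> bool:
    """Boolean view of authenticate() for callers that only need pass/fail."""
    try:
        authenticate(signed, context, key)
        return True
    except AuthFailure:
        return False


def visible_failures_for_forgery(target_ptr: int, context: int, key: bytes) -> int:
    """Defender's view: how many faults would be raised if every PAC value for
    target_ptr were tried architecturally, in order, until one authenticates.
    Each failure is a crash the OS can log; the search is bounded by 2**PAC_BITS."""
    failures = 0
    for guess in range(1 << PAC_BITS):
        candidate = (target_ptr & VA_MASK) | (guess << VA_BITS)
        if verify_ok(candidate, context, key):
            return failures
        failures += 1
    raise RuntimeError("unreachable: one of the 2**PAC_BITS guesses must match")


if __name__ == "__main__":
    signed = sign_pointer(0x1000, 7, DEMO_KEY)
    print(f"signed pointer: {signed:#018x}, PAC = {signed >> VA_BITS:#06x}")
    print("round trip ok:", verify_ok(signed, 7, DEMO_KEY))
    print("flipped PAC bit rejected:", not verify_ok(signed ^ (1 << VA_BITS), 7, DEMO_KEY))
    print("faults before a forgery would succeed:",
          visible_failures_for_forgery(0x2000, 7, DEMO_KEY), "of at most", 1 << PAC_BITS)
```

The point of the counter is the detection story: with a 16-bit PAC, an architectural search produces on average tens of thousands of authentication faults, which is a loud signal for the kernel to act on, whereas the side channel the researchers describe answers the same question with no fault at all.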
“The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system. We have demonstrated that pointer authentication as a last line of defense is not as absolute as we once thought,” said Joseph Ravichandran, an MIT graduate student in electrical engineering and computer science, a CSAIL affiliate, and co-author of a new paper on PACMAN. “When pointer authentication was introduced, a bunch of bugs suddenly became a lot more unwieldy to use in attacks. With PACMAN making these bugs more severe, the overall attack surface could be a lot bigger.”
Traditionally, hardware and software attacks have lived somewhat separate lives; people see a software failure as a software bug and a hardware failure as a hardware bug. Architecturally visible software threats include things like phishing attempts, malware, denial of service, and the like. On the hardware side, security bugs like the much-discussed Spectre and Meltdown bugs of 2018 manipulate the microarchitecture to steal data from computers.
The MIT team wanted to see what combining the two could achieve: taking something from the world of software security and breaking a mitigation (a feature designed to protect software) by using a hardware attack. That is at the heart of what PACMAN stands for, a new way of thinking about how threat models converge in the Spectre era.
PACMAN is not a magic bypass for all security on the M1 chip. PACMAN can only take an existing bug that pointer authentication protects against and unleash that bug’s true potential for use in an attack by finding the correct PAC. The researchers say there is no reason for immediate alarm, because PACMAN cannot compromise a system without an existing software bug.
Pointer authentication is mainly used to protect the core operating system kernel, the most privileged part of the system. An attacker who gains control of the kernel can do whatever they want on a device. The team showed that the PACMAN attack even works against the kernel, which has “a major impact on future security work on all ARM systems with pointer authentication enabled,” Ravichandran said. “Future CPU designers should carefully consider this attack when building the secure systems of tomorrow. Developers should be careful not to rely solely on pointer authentication to protect their software.”
“Software vulnerabilities have been around for about 30 years now,” said Mengjia Yan, the Homer A. Burnell Career Development Professor, an assistant professor in the MIT Department of Electrical Engineering and Computer Science (EECS), a CSAIL affiliate, and senior author of the team’s paper. “Our work provides insight into how software vulnerabilities remain critical threats, because the mitigations for them can be bypassed through hardware attacks. It’s a new way of looking at this long-standing security threat model. Many other mitigation mechanisms exist that have not been well studied under this new dual threat model, so we consider the PACMAN attack a starting point. We hope PACMAN can inspire more work in this direction in the community.”
The researchers will present their work at the International Symposium on Computer Architecture on June 18. Ravichandran and Yan wrote the paper with co-first author Weon Taek Na, an EECS student at CSAIL, and Jay Lang, a student at MIT.
This work was funded in part by the National Science Foundation and the US Air Force Office of Scientific Research (AFOSR).