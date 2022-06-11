

Apple’s blazingly fast and remarkably efficient M1 chips have been the catalysts behind a recent resurgence of MacBooks, but security researchers at MIT have found a chink in their armor.

Scientists at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) revealed in a recent study a vulnerability in what they call the “last line of security” for the M1 chip. In theory, the flaw could give cybercriminals or hackers a doorway to full access to the operating system kernel.

Before going further: owners of M1 MacBooks do not need to worry about their sensitive data being stolen. While this is a serious vulnerability that Apple will need to address, certain unlikely conditions must be met for it to work. First of all, the system under attack must already contain a memory corruption bug. As such, the scientists say there is “no immediate cause for alarm.”

For its part, Apple thanked the researchers in a statement to TechCrunch, but stressed that the “issue” does not pose an immediate risk to MacBook owners.

“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques,” Apple said. “Based on our analysis, as well as details shared with us by researchers, we have concluded that this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

Getting into the technical details, Apple’s M1 chip uses something called “Pointer Authentication” to detect and protect against unexpected memory changes. MIT calls this the “last line of defense” and says it can neutralize bugs that would normally compromise a system and leak private information. It does this with Pointer Authentication Codes (PACs), which check for unexpected changes resulting from an attack. A PAC, a cryptographic hash used as a signature, is created when a program is considered to be secure.

As the researchers discovered, this line of defense can be breached. That’s where MIT’s PACMAN attack comes into play. It guesses the value of a PAC using a hardware side channel, which means a software patch will not fix the problem. There are many possible values of a PAC, but with a hardware mechanism that reveals whether a guess is right or wrong, you can try them all until you get the right one without leaving a trace. In this scenario, the ghosts win.
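To make the two preceding paragraphs concrete, here is a small Python model of what pointer authentication does and why its value space is finite. This is an added example, not code from Apple, ARM or the MIT researchers: it assumes a 48-bit virtual address with a 16-bit PAC in the unused top bits, and uses HMAC-SHA256 as a stand-in for the hardware’s keyed PAC function (real ARM implementations default to the QARMA cipher, and the field width depends on the configured address size). The key, context and pointer values are constructed for the demo. The point it shows is the defensive one from the article: a pointer whose address bits were altered by a memory corruption bug almost always fails authentication, and the number of PAC values an attacker would have to distinguish is `2**PAC_BITS`.

```python
import hashlib
import hmac
import random

# Constructed model (not Apple's or ARM's implementation): a 64-bit pointer whose
# low 48 bits are the virtual address and whose top 16 bits hold the PAC.
# Both widths are assumptions chosen for the demo.
ADDR_BITS = 48
PAC_BITS = 16
ADDR_MASK = (1 << ADDR_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


def pac_value_count() -> int:
    """Number of distinct PAC values the field can hold (2**PAC_BITS here)."""
    return 1 << PAC_BITS


def compute_pac(key: bytes, address: int, context: int) -> int:
    """Truncated keyed hash over (address, context).

    HMAC-SHA256 stands in for the hardware PAC function; the property the model
    needs is only that the result depends on key, address and context and is
    truncated to PAC_BITS bits."""
    msg = address.to_bytes(8, "little") + context.to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign_pointer(key: bytes, pointer: int, context: int) -> int:
    """Model of a PAC* instruction: embed the PAC in the unused top bits."""
    address = pointer & ADDR_MASK
    return address | (compute_pac(key, address, context) << ADDR_BITS)


def authenticate_pointer(key: bytes, signed: int, context: int) -> int:
    """Model of an AUT* instruction: return the plain address, or raise when the
    PAC does not match (a real CPU would fault or poison the pointer)."""
    address = signed & ADDR_MASK
    if (signed >> ADDR_BITS) & PAC_MASK != compute_pac(key, address, context):
        raise ValueError("pointer authentication failed")
    return address


def is_detected(key: bytes, signed: int, context: int) -> bool:
    """True when authentication rejects the pointer."""
    try:
        authenticate_pointer(key, signed, context)
    except ValueError:
        return True
    return False


def undetected_corruptions(key: bytes, signed: int, context: int,
                           trials: int, seed: int = 1) -> int:
    """Overwrite the address bits of a signed pointer with random values (a model
    of a memory corruption bug) and count how often the stale PAC still matches.
    The expected miss rate is about 1 / pac_value_count()."""
    rng = random.Random(seed)
    pac_field = signed & (PAC_MASK << ADDR_BITS)
    misses = 0
    for _ in range(trials):
        corrupted = pac_field | rng.getrandbits(ADDR_BITS)
        if corrupted != signed and not is_detected(key, corrupted, context):
            misses += 1
    return misses


if __name__ == "__main__":
    key = b"constructed-demo-key"      # per-process key; held by the CPU in practice
    ctx = 0x7FFF_0000_1000             # e.g. the stack pointer used as the modifier
    code_ptr = 0x0000_1000_0000_4EF0   # constructed return-address value
    signed = sign_pointer(key, code_ptr, ctx)
    print(f"PAC values possible: {pac_value_count()}")
    print(f"signed pointer:      {signed:#018x}")
    print("round trip ok:       ", authenticate_pointer(key, signed, ctx) == code_ptr)
    print("tampered PAC caught: ", is_detected(key, signed ^ (1 << ADDR_BITS), ctx))
    print("wrong context caught:", is_detected(key, signed, ctx + 16))
    print("misses / 2000 corruptions:", undetected_corruptions(key, signed, ctx, 2000))
```

Run it directly to see the round trip succeed and corrupted pointers be rejected. The miss count is the quantity the article is pointing at: with a 16-bit field a blind corruption slips through roughly once in 65,536 attempts, which is why pointer authentication is a strong defense only as long as nothing leaks whether an individual guess was right.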

“The idea behind pointer authentication is that if all else has failed, you can still rely on it to prevent attackers from gaining control of your system. We have shown that pointer authentication as a last line of defense is not as absolute as we once thought it was,” said Joseph Ravichandran, a PhD student at MIT CSAIL and co-senior author of the study.

“When pointer authentication was introduced, a whole category of bugs suddenly became much more difficult to use for attacks. With PACMAN making these bugs more serious, the overall attack surface could be much larger,” Ravichandran added.

Since pointer authentication is used to protect the operating system kernel, bypassing it could give attackers access to sensitive parts of a system. As the researchers point out: “An attacker who gains control of the kernel can do whatever he wants to a device.”

In this proof of concept, the researchers demonstrated that the PACMAN attack could be used against the kernel, which has “massive implications for future security work on all ARM systems with pointer authentication enabled. Future CPU designers should be careful to consider this attack when building tomorrow’s secure systems,” Ravichandran warned. “Developers should be careful not to rely solely on pointer authentication to protect their software.”

Apple uses pointer authentication on all of its ARM-based chips, including the M1, M1 Pro and M1 Max. MIT said it has not tested the attack on the newly revealed M2 processor that will power the new MacBook Air and 13-inch MacBook Pro. Qualcomm and Samsung have also announced their own processors that use this security feature.

The researchers outlined three methods to prevent such an attack in the future. One is to modify the software so that PAC verification results are never consumed under speculation, meaning an attacker could not hide their guesses behind speculative execution. Another potential solution is to defend against PACMAN in the same way that Spectre vulnerabilities are mitigated. And finally, patching memory corruption bugs would ensure that this last line of defense is never needed in the first place.

