If you have seen any digital media with advertising, or watched television, you will have noticed that Apple campaigns on privacy and security; in fact it runs small campaigns on the subject at several points during the year. Well, computer scientists at MIT CSAIL released a paper on Friday that identifies and details a way to bypass the pointer authentication of Cupertino's star chip to date, the M1. Are your iPhone and Mac safe? Why is Apple affected by this new vulnerability?
Not without humor, the researchers titled the paper PACMAN: Attacking ARM Pointer Authentication with Speculative Execution. Yes, speculative execution is back in the spotlight, only this time the target is not Intel or AMD but Apple. The underlying mechanism is part of the ARM architecture, so other vendors that implement it, such as Samsung and Qualcomm, are potentially exposed as well; nobody escapes it.
Apple and its latest vulnerability: M1 chip pointers
A pointer is a variable that stores an address in memory, and the thing at that address may itself be another variable. Two kinds of pointer matter here: code pointers (return addresses and function pointers, which decide what the processor executes next) and data pointers (which decide what it reads or writes).
Without going into more detail on architecture and programming, the point to understand is that anyone who can overwrite a pointer can redirect execution or access data that should stay confidential. Pointer authentication exists precisely to make such overwritten pointers unusable; PACMAN also leans on the cache and TLB side channels familiar from earlier speculative-execution attacks to learn whether a pointer passed the check.
Although the architecture provides instructions meant to "protect" pointers against this kind of tampering, each manufacturer implements them with its own modifications and customizations. Apple did so by adopting ARM pointer authentication in its chips, starting with its 2018 chip revision, and that implementation is where the discovered vulnerability lies.
The entire M1 family is affected: iPhone and Mac in the spotlight
The affected processors are the M1, M1 Pro and M1 Max, in addition to unnamed parts from Qualcomm and Samsung, so for now we can only generalize from them. The report targets pointer authentication, a mechanism that signs pointers with a short cryptographic tag called a Pointer Authentication Code (PAC); the interesting part is how Apple's implementation behaves.
On a current 64-bit architecture such as the one macOS runs on, only 48 of a pointer's 64 bits are used for the address, so the remaining bits are free to hold the PAC, which is between 11 and 31 bits long depending on the configuration. Here lies the problem: the researchers found a way to check a guessed PAC without the faulting instruction ever being committed, and through this "PAC oracle" (the developers have their sense of humor) they can tell correct guesses from incorrect ones. With that, brute force is enough to recover the valid PAC and reach the protected information.
It takes 2.94 minutes to brute-force a 16-bit PAC and divert control through a key pointer, to the point where they can take full or partial control of the operating system. As if that were not serious enough, the attacker runs the attack from an unprivileged process: no privilege level is needed to reach kernel information (the attack does assume a pre-existing memory-corruption bug to exploit, which is exactly what the PAC was supposed to render harmless). So, whether or not it can be fully or partially fixed, every Apple device with an M1 SoC is affected; the study itself was carried out on the M1.
Unless we are much mistaken, a fix could cost performance on Macs and other devices with this SoC, since the component under attack is speculative execution itself, and we already know from earlier mitigations, and from the TLB side channel involved here, what that costs. On the other hand, the researchers do not know whether Apple has already fixed it, because they have not received an answer, nor whether the M2 is affected, since it has not reached the market.
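To make the two previous paragraphs concrete, here is an added example (not code from the paper or from Apple) that models the PAC layout described above and the difference an oracle makes to a brute-force attack. It assumes a simplified layout with a 48-bit virtual address and a 16-bit PAC in the upper bits, a toy keyed mixing function standing in for the real MAC, a per-pointer "modifier" context as ARM pointer authentication uses, and a `pac_oracle()` function that stands in for the speculative side channel: it answers pass/fail without the fault that a real failed authentication would produce. The names, key and addresses are all made up.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 48 address bits, 16 PAC bits above them (bits 48..63).
 * Real ARM reserves a sign/tag bit inside that range; ignored here for clarity. */
#define VA_BITS   48
#define PAC_BITS  16
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_LOW   ((1ULL << PAC_BITS) - 1)
#define POISON    (1ULL << 63)   /* marks a failed authentication, as real HW does */

/* Toy keyed mixing function standing in for the real PAC MAC (QARMA on Apple).
 * NOT cryptographically secure; it only needs to be deterministic for the model. */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint64_t x = (ptr & VA_MASK) ^ modifier ^ key;
    for (int round = 0; round < 4; round++) {
        x ^= x >> 33;
        x *= 0xff51afd7ed558ccdULL;
        x ^= x >> 33;
        x *= 0xc4ceb9fe1a85ec53ULL;
        x ^= x >> 33;
        x += key ^ (uint64_t)round;
    }
    return x;
}

/* Sign: drop any existing PAC, compute the MAC over (address, modifier), keep
 * PAC_BITS of it and store them in the unused upper bits. */
uint64_t pac_sign(uint64_t ptr, uint64_t modifier, uint64_t key) {
    uint64_t pac = toy_mac(ptr, modifier, key) & PAC_LOW;
    return (ptr & VA_MASK) | (pac << VA_BITS);
}

/* Authenticate: on success return the bare address; on failure return a poisoned
 * pointer. Dereferencing a poisoned pointer on real hardware faults, which is why
 * a blind attacker crashes the victim on every wrong guess. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key) {
    uint64_t addr = signed_ptr & VA_MASK;
    if (pac_sign(addr, modifier, key) != signed_ptr)
        return signed_ptr | POISON;
    return addr;
}

/* Stand-in for the PACMAN oracle: reports whether a guess would authenticate,
 * without the fault. In the real attack this answer leaks through a TLB side
 * channel from an authentication executed only speculatively. */
bool pac_oracle(uint64_t guess, uint64_t modifier, uint64_t key) {
    return (pac_auth(guess, modifier, key) & POISON) == 0;
}

struct forge_result {
    uint64_t ptr;      /* forged pointer that passes authentication (0 if none) */
    unsigned guesses;  /* oracle queries used; blind attack would crash guesses-1 times */
};

/* Brute force every PAC value for a known address. With 16 PAC bits that is at
 * most 65536 oracle queries and zero crashes; the paper reports 2.94 minutes. */
struct forge_result forge_with_oracle(uint64_t target, uint64_t modifier, uint64_t key) {
    struct forge_result r = { 0, 0 };
    for (uint64_t pac = 0; pac <= PAC_LOW; pac++) {
        uint64_t guess = (target & VA_MASK) | (pac << VA_BITS);
        r.guesses++;
        if (pac_oracle(guess, modifier, key)) { r.ptr = guess; return r; }
    }
    return r;
}

int main(void) {
    /* Constructed values: a kernel-looking address, a context such as a stack
     * slot address, and a secret key the attacker never learns. */
    uint64_t target = 0xfffffe0012345678ULL & VA_MASK;
    uint64_t modifier = 0xffffffe0aabbcc00ULL;
    uint64_t key = 0x0123456789abcdefULL;

    uint64_t legit = pac_sign(target, modifier, key);
    struct forge_result r = forge_with_oracle(target, modifier, key);

    printf("legit  %016llx\n", (unsigned long long)legit);
    printf("forged %016llx after %u guesses (blind attacker: %u crashes)\n",
           (unsigned long long)r.ptr, r.guesses, r.guesses - 1);
    printf("forged pointer authenticates: %s\n",
           (pac_auth(r.ptr, modifier, key) & POISON) ? "no" : "yes");
    return 0;
}
```

The forged pointer is always found within 2^16 queries because the PAC is a deterministic function of (address, modifier, key): exactly one of the 65536 candidates matches. What changes between the blind and the oracle attacker is not the search space but the cost of each wrong answer, a crash versus a silent side-channel observation.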