Critical security flaw of Apple M1 discovered

Apple thanked the researchers in a statement to TechCrunch but stressed that the "issue" does not pose an immediate risk to MacBook owners.


Scientists from the MIT Computer Science & Artificial Intelligence Laboratory (CSAIL) revealed in a recent paper a vulnerability in what they call the "last line of security" for the M1 chip. In theory, this vulnerability could allow bad actors to gain full access to the core operating system kernel.

Before I continue, Mac M1 owners don't need to worry about their sensitive data being stolen. While this is a critical vulnerability that needs to be addressed, certain preconditions must be met for it to work. First of all, the system under attack must already contain a memory corruption bug. As a result, the scientists say there is "no reason for immediate alarm."

For its part, Apple thanked the researchers in a statement to TechCrunch but stressed that the "issue" does not pose an immediate risk to MacBook owners.

"We would like to thank the researchers for their cooperation on the proof of concept, which enhances our understanding of these techniques," Apple said. "Based on our analysis as well as the details shared by the researchers, we have concluded that this issue does not pose an immediate risk to users and is not sufficient on its own to circumvent operating system security measures."

Going into the technical details, Apple's M1 chip uses a feature called pointer authentication to detect and guard against unexpected changes to pointers in memory. MIT calls this "the last line of defense" and says it can stop bugs that would otherwise compromise a system and leak personal information. It does this with a pointer authentication code (PAC), a short cryptographic hash used as a signature on a pointer: the PAC is checked before the pointer is used, and a mismatch indicates the pointer was altered by an attack.
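To make the mechanism concrete, here is a toy model of pointer authentication. It is an added example, not code from the MIT paper, Apple, or ARM: it assumes a 48-bit virtual address space (so the upper 16 bits of a user pointer are free to hold the PAC), a per-process secret key, and a context "modifier" mixed into the signature, and it uses a splitmix-style mixer as a stand-in for the real QARMA cipher.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model of pointer authentication (constructed for illustration; not
 * Apple's or ARM's implementation). Assumptions: a 48-bit virtual address
 * space, so the upper 16 bits of a 64-bit user pointer are free to hold the
 * PAC; a per-process secret key; and a "modifier" (context value) mixed in so
 * that a pointer signed for one use is not valid for another.
 */
#define VA_BITS   48
#define PAC_BITS  (64 - VA_BITS)
#define VA_MASK   ((1ULL << VA_BITS) - 1)
#define PAC_MASK  ((1ULL << PAC_BITS) - 1)

typedef struct {
    uint64_t k0, k1;   /* secret key; real hardware keeps it in system registers */
} pac_key_t;

/* Stand-in keyed mixer (splitmix64 finalizer). Real PACs use the QARMA
 * block cipher; this toy only models "unpredictable without the key". */
static uint64_t toy_mix(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Compute the PAC_BITS-wide tag for (pointer, modifier) under key. */
uint64_t pac_compute(pac_key_t key, uint64_t ptr, uint64_t modifier)
{
    uint64_t h = toy_mix((ptr & VA_MASK) ^ key.k0);
    h = toy_mix(h ^ modifier ^ key.k1);
    return h & PAC_MASK;
}

/* Sign: place the tag in the unused upper bits (like ARM's PACIA/PACDA). */
uint64_t pac_sign(pac_key_t key, uint64_t ptr, uint64_t modifier)
{
    uint64_t tag = pac_compute(key, ptr, modifier);
    return (ptr & VA_MASK) | (tag << VA_BITS);
}

/* Authenticate: recompute the tag and compare (like AUTIA/AUTDA). On a
 * mismatch the real hardware yields a poisoned, non-dereferenceable pointer;
 * here we report failure and leave *out untouched. The protection rests on
 * this check being architecturally visible, which is exactly what a
 * speculative check that leaks its result undermines. */
bool pac_auth(pac_key_t key, uint64_t signed_ptr, uint64_t modifier, uint64_t *out)
{
    uint64_t raw = signed_ptr & VA_MASK;
    uint64_t tag = (signed_ptr >> VA_BITS) & PAC_MASK;
    if (tag != pac_compute(key, raw, modifier))
        return false;
    *out = raw;
    return true;
}

int main(void)
{
    pac_key_t key = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL }; /* constructed */
    uint64_t fnptr = 0x00007fff1234abc0ULL;  /* constructed code address */
    uint64_t ctx = 0x42;                      /* e.g. a stack-frame address */
    uint64_t out = 0;

    uint64_t signed_ptr = pac_sign(key, fnptr, ctx);
    printf("signed   : %016llx ok=%d\n", (unsigned long long)signed_ptr,
           pac_auth(key, signed_ptr, ctx, &out));

    /* A memory-corruption bug overwrites part of the pointer body: the tag
     * no longer matches and the pointer is rejected before it is used.
     * With PAC_BITS == 16 there are only 65536 possible tags per pointer,
     * which is why a check that silently reveals "right/wrong" is dangerous. */
    uint64_t corrupted = signed_ptr ^ 0x100;
    printf("corrupted: %016llx ok=%d\n", (unsigned long long)corrupted,
           pac_auth(key, corrupted, ctx, &out));
    return 0;
}
```

The point the model makes is that the signature lives inside the pointer itself and is bound to both a secret key and a context value, so a corrupted or replayed pointer fails the check before it can be dereferenced; the defense is only as strong as the visibility of that failure.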

As the researchers discovered, this line of defense can be broken. That's where MIT's PACMAN attack comes in. It guesses the value of the PAC using a hardware side channel, meaning a software patch won't fix the problem. There are many possible PAC values, but with a hardware channel that reveals whether a guess is right or wrong, an attacker can try them all until the right one is found, without leaving a trace.

"The idea behind pointer authentication is that if all else fails, you can still rely on it to prevent attackers from gaining control of your system. We have demonstrated that pointer authentication as a last line of defense is not as absolute as we once thought," said MIT CSAIL PhD student Joseph Ravichandran, co-author of the paper. "When pointer authentication was introduced, a whole bunch of bugs suddenly became a lot more unwieldy to use in attacks. With PACMAN making these bugs more severe, the overall attack surface could be a lot larger," Ravichandran added.

Since pointer authentication is used to protect the core OS kernel, bypassing it could give bad actors access to sensitive parts of the system. As the researchers note, "An attacker who gains control of the kernel can do whatever they want on a device."

In this proof of concept, the researchers showed that the PACMAN attack can be used to attack the kernel, which has "major implications for future security work on all ARM systems with pointer authentication enabled. Future CPU designers should carefully consider this attack when building the secure systems of tomorrow," warns Ravichandran. "Developers should be careful not to rely solely on pointer authentication to protect their software."

Apple uses pointer authentication on all of its ARM-based chips, including the M1, M1 Pro, and M1 Max. MIT says it has not tested the attack against the recently announced M2 processors that power the new MacBook Air and 13-inch MacBook Pro. Qualcomm and Samsung have announced, or are expected to ship, processors that use the same security feature.

The researchers outlined three ways to prevent such an attack in the future. One is to modify the software so that PAC verification results are never consumed speculatively, so that an attacker's guesses can no longer be made invisibly while attempting to break in. Another potential solution is to defend against PACMAN in the same way the Spectre vulnerabilities are being mitigated. And finally, fixing memory corruption bugs means this last line of defense is never needed.

Apple wins lawsuit over Spectre and Meltdown security flaws

In related news, a judge has dismissed a class-action lawsuit against Apple for allegedly selling customers iPhones and iPads with processors vulnerable to the Spectre and Meltdown vulnerabilities. U.S. District Judge Edward Davila in San Jose, Calif., said customers could not prove they had paid too much for the devices because Apple intentionally concealed defects, as Reuters reported. They also did not provide enough evidence that the security patches rolled out to those devices made them significantly slower.
