New PACMAN Hardware Attack Targets Macs with Apple M1 CPU

A new hardware attack that bypasses Pointer Authentication on Apple's M1 CPU can be used to turn an existing memory-corruption bug into arbitrary code execution on Mac systems.

Website for the pacman attack

Pointer Authentication is a security feature that adds a cryptographic signature, called a Pointer Authentication Code (PAC), to a pointer, storing it in the pointer's unused upper bits. When the pointer is used, the CPU recomputes the PAC and faults on a mismatch, which lets the operating system detect and block unexpected changes to pointers that could otherwise lead to data leakage or system compromise.

Discovered by researchers at MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), the attack lets an attacker who can already run unprivileged code on a Mac with an Apple M1 CPU defeat PAC, including for pointers belonging to the operating system kernel.

To do so, the attacker must first find a memory-corruption bug (a read/write primitive) in the software on the targeted Mac; after using PACMAN to bypass the PAC defenses, they can proceed to more serious attacks.

PACMAN takes an existing software bug (a memory read/write primitive) and turns it into a more serious exploit (a pointer authentication bypass) that can lead to arbitrary code execution. To do this, the attacker needs to know the PAC value of a particular victim pointer.

PACMAN does this by building what the researchers call a PAC Oracle: a way to learn whether a guessed PAC matches a given pointer.

Crucially, the oracle must never crash when an incorrect guess is supplied, because a normal failed authentication faults the process or panics the kernel, which would end the attack after a single wrong guess. PACMAN gets a crash-free oracle from a speculative-execution side channel: the PAC check is performed on a mis-speculated path, so a wrong guess leaves no architectural trace, but the outcome still leaves a measurable footprint in the CPU's microarchitectural state. The oracle is then used to brute-force all possible PAC values until the correct one is found.
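The oracle-driven brute force described above, as an added example that is not the researchers' code or Apple's implementation. The PAC function here is a toy keyed mixer (not the CPU's PAC cipher), the PAC field position and width are assumptions, and the oracle is an ordinary function call standing in for PACMAN's speculative side channel; the point is to show why a crash-free oracle turns an impossible guess into a bounded search of 2^16 queries.

```c
/* Toy model of pointer authentication and the PAC-oracle brute force.
 * Added example, not the researchers' code: compute_pac() is a toy keyed
 * mixer standing in for the CPU's PAC cipher, and pac_oracle() is a plain
 * function call standing in for PACMAN's speculative side channel. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define PAC_SHIFT 48                      /* assumed: PAC lives in bits 48..63 */
#define PAC_BITS  16                      /* assumed: 16 spare address bits */
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define ADDR_MASK (((uint64_t)1 << PAC_SHIFT) - 1)

static const uint64_t pac_key = 0x9E3779B97F4A7C15ULL;   /* constructed secret key */

/* Toy PAC: keyed mix of the address bits and a context value (for example
 * the stack pointer). Only the low 48 address bits feed the computation, so
 * a pointer whose PAC field is wrong still hashes to the same expected PAC. */
static uint64_t compute_pac(uint64_t ptr, uint64_t ctx) {
    uint64_t x = (ptr & ADDR_MASK) ^ ctx ^ pac_key;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;
}

/* PACIA-style sign: embed the PAC in the unused upper bits of the pointer. */
static uint64_t sign_pointer(uint64_t ptr, uint64_t ctx) {
    return (ptr & ADDR_MASK) | (compute_pac(ptr, ctx) << PAC_SHIFT);
}

/* AUTIA-style check: does the embedded PAC match the pointer and context? */
static bool pac_valid(uint64_t signed_ptr, uint64_t ctx) {
    return ((signed_ptr >> PAC_SHIFT) & PAC_MASK) == compute_pac(signed_ptr, ctx);
}

/* Architectural authentication: a mismatch poisons the pointer so the next
 * use faults. Returns true on the "crash"; a naive guesser therefore dies on
 * its first wrong guess, which is why an oracle that never crashes is needed. */
static bool auth_or_crash(uint64_t signed_ptr, uint64_t ctx) {
    return !pac_valid(signed_ptr, ctx);
}

/* The PAC oracle: answers "does this PAC match?" without any crash. In the
 * real attack this answer is recovered from microarchitectural state after a
 * speculative check; here it is simply the comparison itself. */
static bool pac_oracle(uint64_t guess_ptr, uint64_t ctx) {
    return pac_valid(guess_ptr, ctx);
}

/* Brute force every PAC value for the victim pointer through the oracle.
 * Returns the correctly signed pointer and, via *queries, how many oracle
 * calls it took (at most 2^PAC_BITS). */
static uint64_t brute_force_pac(uint64_t victim_ptr, uint64_t ctx, unsigned *queries) {
    uint64_t base = victim_ptr & ADDR_MASK;
    *queries = 0;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        uint64_t candidate = base | (guess << PAC_SHIFT);
        (*queries)++;
        if (pac_oracle(candidate, ctx))
            return candidate;
    }
    return 0;   /* unreachable with a correct oracle */
}

int main(void) {
    /* Constructed scenario: a signed function pointer the attacker can
     * overwrite (the memory-write bug) but whose PAC they do not know. */
    uint64_t ctx = 0x000070000A1B2000ULL;          /* constructed context */
    uint64_t victim = sign_pointer(0x0000000100004A00ULL, ctx);
    uint64_t target = 0x0000000100007B30ULL;       /* where the attacker wants control flow to go */

    /* Overwriting the target while keeping the old PAC almost surely crashes on use. */
    printf("blind overwrite crashes: %s\n",
           auth_or_crash((victim & ~ADDR_MASK) | target, ctx) ? "yes" : "no");

    unsigned queries;
    uint64_t forged = brute_force_pac(target, ctx, &queries);
    printf("forged 0x%016llx after %u oracle queries (max %llu)\n",
           (unsigned long long)forged, queries, (unsigned long long)PAC_MASK + 1);
    printf("forged pointer authenticates: %s\n", pac_valid(forged, ctx) ? "yes" : "no");
    return 0;
}
```

The number of oracle queries is bounded by the width of the PAC field, which is why the attack is practical: with a crash-free oracle, a 16-bit PAC needs at most 65,536 queries, whereas a single wrong guess against the architectural check ends the attempt.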

Apple cannot patch the M1 hardware to block this exploit technique, but, as the researchers note, as long as end users keep their software up to date and there is no memory-corruption bug for PACMAN to build on, they have nothing to worry about.