PACMAN hack could break Apple M1’s last line of defense

The Apple M1 processor made a splash on its November 2020 release, notable for its impressive performance and low power consumption. Less obvious at first glance is how much its security matters. The absence of major attacks in the almost two years since its launch suggests that its security mechanisms, including a last line of defense called pointer authentication codes, are working well. But that honeymoon may be coming to an end.

At the International Symposium on Computer Architecture later this month, researchers led by Mengjia Yan of the Massachusetts Institute of Technology will present an attack that weakens pointer authentication code (PAC) security enough that the kernel of the computer’s operating system becomes vulnerable. And since PACs may be included in future processors based on the 64-bit Arm architecture, the vulnerability could become more widespread. Other processors may already use PACs, but the M1 was the only one available to Yan’s lab.

“What we found is actually quite fundamental,” Yan says. “This is an attack class. Not a single mistake.”

The way PACMAN breaks the lock is at the heart of modern computing.

The vulnerability, called PACMAN, assumes that the computer is already running software with a bug that lets an attacker read and write arbitrary memory addresses. It then uses a feature of the M1’s hardware architecture to give that bug a chance to execute code and potentially take over the operating system. “We assume the bug exists and turn it into a bigger bug,” says Joseph Ravichandran, a student of Yan’s who worked on the exploit with fellow students Weon Taek Na and Jay Lang.

To understand how the attack works, you need to understand what pointer authentication is and how a processor feature called speculative execution works. Pointer authentication is a defense against software attacks that corrupt data containing memory addresses, or pointers. For example, malicious code can mount a buffer overflow attack by writing more data than expected into a region of memory, so that the excess spills into an adjacent pointer and overwrites it. Instead of executing the code stored at the original address, the software is then redirected to the malware stored at the new address.

Pointer authentication adds a cryptographic signature to the end of the pointer. If the pointer is tampered with, the signature will no longer match it. PACs are used to protect the core of the operating system, the kernel. If an attacker goes so far as to manipulate a kernel pointer, the mismatch between the pointer and its authentication code triggers what is called an “exception” and the system crashes, halting the malware attack. Malware would have to be extremely lucky to guess the correct code: the odds are about 1 in 65,000.
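As an added illustration of the scheme just described (this is not code from the article or from the MIT group), the model below signs a pointer with a keyed MAC truncated to 16 bits and stores the tag in the unused high bits of a 48-bit address. The choice of HMAC-SHA256, the 48/16-bit split, the modifier value and the sample addresses are constructed assumptions standing in for Arm's block-cipher-based implementation. It shows that an overwritten address no longer authenticates, that signing under a different context value also fails, and that exactly one of the 65,536 possible tags is accepted, which is the "1 in 65,000" odds the article cites and why every wrong guess ends in an exception rather than a retry.

```python
"""Toy model of pointer authentication codes (PACs); constructed example, not Arm's real design."""
import hashlib
import hmac
import secrets

VA_BITS = 48               # address bits actually in use (assumption)
PAC_BITS = 16              # tag bits: 2**16 = 65,536 possibilities, the article's "1 in 65,000"
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = (1 << PAC_BITS) - 1


class PointerAuthenticationError(Exception):
    """Models the processor exception raised when a PAC check fails."""


def compute_pac(ptr: int, key: bytes, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to PAC_BITS.

    Real hardware uses a dedicated lightweight block cipher; HMAC-SHA256 is a
    stand-in chosen so the example runs anywhere (assumption).
    """
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def sign_pointer(ptr: int, key: bytes, modifier: int) -> int:
    """Place the PAC in the otherwise-unused high bits of the pointer."""
    if ptr >> VA_BITS:
        raise ValueError("pointer must fit in VA_BITS")
    return ptr | (compute_pac(ptr, key, modifier) << VA_BITS)


def authenticate(signed: int, key: bytes, modifier: int) -> int:
    """Strip and verify the PAC; raise (the 'crash') on any mismatch."""
    ptr = signed & VA_MASK
    pac = (signed >> VA_BITS) & PAC_MASK
    if pac != compute_pac(ptr, key, modifier):
        raise PointerAuthenticationError(f"PAC mismatch for {ptr:#x}")
    return ptr


def overwrite_survives(signed: int, new_target: int, key: bytes, modifier: int) -> bool:
    """Model an overflow that replaces the address bits but cannot recompute the tag.

    Returns True only if the corrupted pointer still authenticates.
    """
    corrupted = (signed & ~VA_MASK) | (new_target & VA_MASK)
    try:
        authenticate(corrupted, key, modifier)
        return True
    except PointerAuthenticationError:
        return False


def count_accepting_pacs(ptr: int, key: bytes, modifier: int) -> int:
    """How many of the 2**PAC_BITS tags authenticate a given pointer?

    Exactly one, so a blind guess succeeds with probability 1/65,536 and each
    of the other 65,535 guesses raises the exception.
    """
    accepted = 0
    for guess in range(1 << PAC_BITS):
        candidate = (ptr & VA_MASK) | (guess << VA_BITS)
        try:
            authenticate(candidate, key, modifier)
            accepted += 1
        except PointerAuthenticationError:
            pass
    return accepted


if __name__ == "__main__":
    key = secrets.token_bytes(16)          # per-boot secret key (constructed here)
    ret_addr = 0x00007FFFDEADBEE0          # constructed sample return address
    ctx = 0x1000                           # constructed modifier, e.g. a stack-pointer value
    signed = sign_pointer(ret_addr, key, ctx)
    print(f"signed pointer:           {signed:#018x}")
    print(f"authenticates to origin:  {authenticate(signed, key, ctx) == ret_addr}")
    print(f"overwrite survives:       {overwrite_survives(signed, 0x0000414141414140, key, ctx)}")
    print(f"tags accepted of 65,536:  {count_accepting_pacs(ret_addr, key, ctx)}")
```

The modifier argument is what ties a signed pointer to one context: the same address signed for one stack frame does not verify in another, which is why simply copying a validly signed pointer from elsewhere in memory is not enough to pass the check.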

PACMAN finds a way for malware to make those guesses over and over without any wrong guess causing a crash. How it does so touches the heart of modern computing. For decades, computers have sped up processing using what is known as speculative execution. In a typical program, which instruction comes next often depends on the result of the previous one (think if/then). Instead of waiting for that result, modern processors speculate, making educated guesses about what comes next, and start executing instructions down that path. If the CPU guessed right, the speculative execution has saved a lot of clock cycles. If it guessed wrong, all that work is thrown away and the processor starts executing the correct sequence of instructions. Importantly, the results of mis-speculated work are never supposed to be visible to software. You cannot write a program that simply prints the results of a speculative execution.

Naive fixes for PACMAN only increased the overall vulnerability of the processor.

However, over the past few years, researchers have found ways to use speculative execution to, for example, steal data from the CPU. These are called side-channel attacks because they obtain data by observing indirect signals, such as how long it takes to access memory. Spectre and Meltdown are perhaps the most famous of these side-channel attacks.

Yan’s group came up with a way to make the CPU check guessed pointer authentication codes speculatively, so that exceptions never occur and the OS doesn’t crash. Of course, the result is still invisible to software. But a side-channel trick, which involves filling a certain buffer with data and timing accesses to determine which part of it a successful speculation replaced, reveals the answer. [A similar concept is explained in more detail in “How the Spectre and Meltdown Hacks Really Worked.”]

As for PACMAN, Apple’s development team provided the following response to Yan’s group:

“We want to thank the researchers for their collaboration as this proof of concept expands our understanding of these methods. Based on our analysis, as well as the details shared with us by the researchers, we have concluded that this issue does not pose an immediate risk to our users and is not sufficient by itself to bypass device security.”

Other researchers familiar with PACMAN say that how dangerous it really is remains to be seen. However, PACMAN “increases the number of things we have to worry about when developing new security solutions,” says Nael Abu-Ghazaleh, chair of the computer engineering department at the University of California, Riverside, and an expert in architectural security, including speculative execution attacks. In recent years, processor manufacturers have added new security features to their designs beyond pointer authentication. He suspects that now that PACMAN has been revealed, other researchers will begin to look for speculative attacks on these new features.

Yan’s group explored some naive fixes for PACMAN, but they tended to increase the overall vulnerability of the processor. “It’s always an arms race,” says Keith Rebello, a former program manager for DARPA’s System Security Integration Through Hardware and Firmware (SSITH) program and now a senior technical officer at Boeing. PACs exist to “make the system harder to use, and they made it that much harder. But is this a complete solution? No.” He hopes tools developed under SSITH, such as fast re-encryption, can help.

Abu-Ghazaleh believes Yan’s group has opened the door to a new area of processor security.

“People used to think that software attacks were standalone and separate from hardware attacks,” Yan says. “We are trying to find the intersection point of the two threat models. There are many other mitigation mechanisms that are not well understood within this new sophisticated threat model, so we consider the PACMAN attack as a starting point.”
