MIT researchers have discovered a vulnerability in Apple's M1 chips that cannot be patched and allows attackers to defeat the chip's last line of security defense.
The vulnerability lies in a hardware-level security mechanism used in Apple's M1 chips called pointer authentication codes or PACs.
This feature makes it much more difficult for an attacker to inject malicious code into a device's memory and provides an additional layer of defense against buffer overflow exploits, a type of attack in which data written past the end of a buffer spills into other memory locations on the chip.
Researchers from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL) have devised an attack that combines memory corruption with speculative execution to bypass this protection. The attack shows that PAC can be defeated without leaving a trace, and because it exploits a hardware mechanism, no software update can fix it.
The attack, called "Pacman", works by "guessing" a pointer authentication code (PAC), a cryptographic signature that confirms that an application has not been maliciously modified.
This is done using a speculative execution attack. Speculative execution is a technique modern processors use to speed up performance by guessing which computations will be needed next; the attack abuses it to leak PAC verification results, while a hardware side channel reveals whether the guessed value was correct or not.
https://pacmanattack.com/paper.pdf
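To make the defense being discussed concrete, here is a toy model of pointer authentication as an added example (not Apple's, Arm's or the MIT researchers' code): a keyed code is placed in the unused upper bits of a pointer, a legitimate round trip succeeds, an overwritten pointer fails authentication, and the number of code values an attacker would have to try blindly is derived from the code width. The key, the 16-bit code width, the mixing function and the sample addresses are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>
/* Toy model of pointer authentication codes (added example, not Apple's or Arm's
 * implementation). Real PAC uses a block cipher under a secret key; a small keyed mix stands in. */
#define PAC_BITS  16                                /* code width: assumption */
#define PAC_SHIFT (64 - PAC_BITS)                   /* code sits in the top bits */
#define PAC_MASK  (((uint64_t)1 << PAC_BITS) - 1)
#define PTR_MASK  (((uint64_t)1 << PAC_SHIFT) - 1)  /* usable address bits */
static const uint64_t PAC_KEY = 0x0123456789abcdefULL; /* constructed secret */
/* Stand-in keyed MAC over the address bits and a context (e.g. the stack
 * pointer), truncated to PAC_BITS. */
static uint64_t pac_compute(uint64_t ptr, uint64_t context) {
    uint64_t x = (ptr & PTR_MASK) ^ context ^ PAC_KEY;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    return (x ^ (x >> 33)) & PAC_MASK;
}
/* Sign: embed the code in the otherwise unused upper bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t context) {
    return (ptr & PTR_MASK) | (pac_compute(ptr, context) << PAC_SHIFT);
}
/* Authenticate: recompute and compare. Returns 1 and the stripped pointer on
 * success, 0 on mismatch (where real hardware raises a fault instead). */
int pac_auth(uint64_t signed_ptr, uint64_t context, uint64_t *out) {
    uint64_t found = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    if (found != pac_compute(signed_ptr, context)) return 0;
    *out = signed_ptr & PTR_MASK;
    return 1;
}
/* A legitimate sign/auth round trip yields the original pointer. */
int pac_roundtrip_ok(uint64_t ptr, uint64_t context) {
    uint64_t out = 0;
    return pac_auth(pac_sign(ptr, context), context, &out) && out == ptr;
}
/* Overflow scenario: only the address bits of a signed pointer are rewritten,
 * so the stale code no longer matches and authentication fails. */
int pac_tamper_detected(uint64_t ptr, uint64_t context, uint64_t new_target) {
    uint64_t s = pac_sign(ptr, context), out = 0;
    uint64_t corrupted = (s & ~PTR_MASK) | (new_target & PTR_MASK);
    return !pac_auth(corrupted, context, &out);
}
/* Worst-case number of codes to try without the key; on hardware each wrong
 * guess faults, the crash that the article's speculative side channel avoids. */
uint64_t pac_guess_space(void) { return (uint64_t)1 << PAC_BITS; }
int main(void) {
    uint64_t ret = 0x10000abcdULL, sp = 0x16fdff000ULL;   /* constructed values */
    printf("valid pointer accepted: %d\n", pac_roundtrip_ok(ret, sp));
    printf("overwritten pointer rejected: %d\n", pac_tamper_detected(ret, sp, 0x10000beefULL));
    return 0;
}
```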
Yes, what he says is good, but… the MIT participants were finally able to do something; practically, what did they achieve?