back to article Apple M1 chip contains hardware vulnerability that bypasses memory defense

Apple's M1 chip has been found to contain a hardware vulnerability that can be abused to disable one of its defense mechanisms against memory corruption exploits, giving such attacks a greater chance of success. MIT CSAIL computer scientists on Friday said they have identified a way to bypass the M1 chip's pointer …

  1. DrBobK

    ARM or Apple?

    Is it an Apple issue or an ARM issue? Are there lots of ARM implementations out there based on ARM8.3 that have this pointer authentication issue or is it just the M1? BTW it sounds as if you are worse off with no pointer authentication than with pointer authentication that takes minutes to crack. I'm not an expert in such matters - just interested to know the answers.

    1. John Robson Silver badge

      Re: ARM or Apple?

      "We investigated the M1 chip as it is the first desktop CPU that shipped with pointer authentication,"

      1. big_D Silver badge

        Re: ARM or Apple?

        Yes, but there are hundreds of IoT, mobile and server chips out there with ARM, so it is a valid question.

        The single desktop CPU to use it is vulnerable, but are there other chips in other areas (E.g. Apple A-series chips for iPhone, iPad, Watch, Apple TV etc.) that also have this and just haven't been tested?

        1. doublelayer Silver badge

          Re: ARM or Apple?

          My guess is that IoT SoCs won't be affected by this as they're almost always using older ISA versions and with limited focus on CPU speed, instead focusing either on power consumption or acceleration for specific tasks like network comms or video encoding. Server chips probably aren't seeing this for now because a lot of the ARM designs are older and many companies trying them have given up on getting users over to them, but if they come back with new designs, it should be tested. I wouldn't be surprised to hear that some modern smartphone chips have this vulnerability as well, but likely the researchers would have to redesign their test binary to run it on Android (and running on IOS would likely be a bit more painful) so they've started here. Investigating those might be step 2 of the project, or they might go and look for new exploits and let a different research team test more hardware with their code.

          1. andygrace

            Re: ARM or Apple?

            AWS Graviton 3 instances also implement pointer authentication.

          2. big_D Silver badge

            Re: ARM or Apple?

            The other thing is, the ARMs (and other types of CPU) that don't have this protection are already vulnerable to such attacks (the point of this technology is to protect the pointers from manipulations), so this attack just brings the extra protection that ARM chips with pointer protection back to a level playing field with "normal" chips.

            With a "normal" CPU chip, you can manipulate the pointers directly. With these ARM chips with pointer protection, you have to additionally crack the encryption of the pointer protection in order to manipulate it. This means it is harder to get started and it takes more time than a traditional CPU without pointer protection, but once you have spent time breaking the encryption, you can manipulate the pointers, just like any other CPU.

    2. Charlie Clark Silver badge

      Re: ARM or Apple?

      As the article says, this is the first PC using the feature. It's certainly possible that other chips will have the feature and other OSes may or not have protection.

      It would be good for Apple to provide a response to the study authors before the conference.

  2. AlanSh
    Happy

    Accuracy is everything

    "About 2.94 minutes" - just a rough gude then :)

  3. amanfromMars 1 Silver badge

    You say Black, they say White ..... Is All Settled and Everything Happy with Grey?*

    Apple M1 chip contains hardware vulnerability that bypasses memory defense

    Apple M1 chip entertains accelerated hardware facilities and abilities that bypass defense memory thus speeding up speculative execution of novel processed data ..... virgin info .... disruptive intel is another interpretation and short summary of the paper titled "PACMAN: Attacking Arm Pointer Authentication with Speculative Execution," by Joseph Ravichandran, ​​Weon Taek Na, Jay Lang, and Mengjia Yan and one which realises the supposed virtual vulnerability is in fact a live practical feature for further beta testing development and in-house future trialling and trailing.

    In such a case one can safely assume M2 will be similarly blessed and equipped.

    * Then of course would the discourse dispute the shade of grey to be decided on there ..... light steel or dark battleship.

    The bottom line is .... It is what it is and what great or pathetic use you make of it.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like