Pointer authentication flaw in M1

By: Doug S (foo.delete@this.bar.bar), June 10, 2022 10:52 am
Room: Moderated Discussions
MIT's CSAIL lab is going to present a paper about a weakness in the ARM PAC implementation in the M1, which can be bypassed using (guess what) speculative execution.

Apparently the CPU doesn't fault when a speculatively executed instruction uses an address with incorrect PAC, only when committed. They found a way to brute force it via speculative execution and get feedback about which one is correct - perhaps timing related? With the M1 having 48 bits dedicated to address, that leaves a maximum of 16 bits for a PAC so it would be easily found. A15 added address bits so M2 will have even fewer bits for PAC. Not much "brute force" required, but if the tests are fast enough even 32 bits would not be sufficient.

This isn't a vulnerability by itself; it makes leveraging another vulnerability easier since the protection of PAC is nullified.

Perhaps the fix is to make the CPU fault when a speculatively executed instruction attempts to use an address with an incorrect PAC code? Not sure if doing that would cause other problems though.

https://www.theregister.com/2022/06/10/apple_m1_pacman_flaw/
 Next Post in Thread >
TopicPosted ByDate
Pointer authentication flaw in M1Doug S2022/06/10 10:52 AM
  Pointer authentication flaw in M1Adrian2022/06/10 11:11 AM
    Pointer authentication flaw in M1anon22022/06/11 03:40 AM
      Pointer authentication flaw in M1Anon42022/06/11 05:26 AM
        Pointer authentication flaw in M1anon22022/06/11 04:00 PM
      Pointer authentication flaw in M1---2022/06/11 01:45 PM
        Pointer authentication flaw in M1anon22022/06/11 04:06 PM
          Pointer authentication flaw in M1Linus Torvalds2022/06/12 10:04 AM
            Pointer authentication flaw in M1Linus Torvalds2022/06/12 10:33 AM
              Pointer authentication flaw in M1quackslikeaduck@quack.duck.com2022/06/12 02:54 PM
                Pointer authentication flaw in M1Doug S2022/06/12 04:58 PM
            Pointer authentication flaw in M1anon22022/06/12 08:17 PM
              solution simple, but hard to accepthobold2022/06/12 09:31 PM
                solution simple, but hard to acceptMichael S2022/06/12 11:19 PM
                  solution simple, but hard to accepthobold2022/06/13 12:20 AM
                solution simple, but hard to acceptLinus Torvalds2022/06/13 10:24 AM
                  solution simple, but hard to acceptDoug S2022/06/13 11:12 AM
                  solution simple, but hard to accepthobold2022/06/13 11:15 AM
                    solution simple, but hard to acceptAdrian2022/06/13 11:44 AM
                      solution simple, but hard to accepthobold2022/06/13 01:54 PM
                  solution simple, but hard to accept---2022/06/13 08:23 PM
                solution simple, but hard to acceptanon22022/06/13 01:18 PM
                  solution simple, but hard to accepthobold2022/06/13 01:43 PM
                    solution simple, but hard to acceptanon22022/06/13 02:11 PM
                      solution simple, but hard to accepthobold2022/06/13 10:42 PM
                        solution simple, but hard to acceptDoug S2022/06/14 09:46 AM
                          solution simple, but hard to accepthobold2022/06/14 12:22 PM
                          solution simple, but hard to acceptLinus Torvalds2022/06/14 01:44 PM
        CHERI?Brendan2022/06/11 08:40 PM
          CHERI?Simon Farnsworth2022/06/12 01:09 AM
            CHERI?Brendan2022/06/12 08:55 AM
              CHERI?Simon Farnsworth2022/06/13 12:14 AM
                CHERI?Michael S2022/06/13 01:05 PM
                CHERI?Brendan2022/06/13 01:23 PM
                  CHERI?dmcq2022/06/14 02:10 PM
                    CHERI?Brendan2022/06/14 02:46 PM
          CHERI?dmcq2022/06/12 03:57 AM
            CHERI?Anon42022/06/12 06:06 AM
          CHERI -> Implemented as Morello by Armnone2022/06/13 12:45 AM
Reply to this Topic
Name:
Email:
Topic:
Body: No Text
How do you spell tangerine? 🍊