By: Doug S (foo.delete@this.bar.bar), June 10, 2022 10:52 am
Room: Moderated Discussions
MIT's CSAIL lab is going to present a paper about a weakness in the ARM PAC implementation in the M1, which can be bypassed using (guess what) speculative execution.
Apparently the CPU doesn't fault when a speculatively executed instruction uses an address with incorrect PAC, only when committed. They found a way to brute force it via speculative execution and get feedback about which one is correct - perhaps timing related? With the M1 having 48 bits dedicated to address, that leaves a maximum of 16 bits for a PAC so it would be easily found. A15 added address bits so M2 will have even fewer bits for PAC. Not much "brute force" required, but if the tests are fast enough even 32 bits would not be sufficient.
This isn't a vulnerability by itself; it makes leveraging another vulnerability easier since the protection of PAC is nullified.
Perhaps the fix is to make the CPU fault when a speculatively executed instruction attempts to use an address with an incorrect PAC code? Not sure if doing that would cause other problems though.
https://www.theregister.com/2022/06/10/apple_m1_pacman_flaw/
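The post's arithmetic (48 address bits leaving at most 16 for the PAC, and why that is not much of a brute-force) as an added, constructed model of ARMv8.3 pointer authentication; this is not Apple's, Arm's or the paper's code. It follows the architectural bit layout (bit 55 is never part of the PAC, top-byte-ignore reserves bits 63:56) and substitutes HMAC-SHA256 for the real PAC cipher, which is an assumption made only to keep the example self-contained.

```python
import hmac
import hashlib

def pac_mask(va_bits: int, tbi: bool) -> int:
    """Bit mask of the PAC field for a given virtual-address width.
    Bit 55 selects the upper/lower VA half and is excluded; with TBI the
    top byte is reserved for tags, so the field shrinks further."""
    top = 54 if tbi else 63
    return sum(1 << b for b in range(va_bits, top + 1) if b != 55)

def pac_bits(va_bits: int, tbi: bool) -> int:
    """Usable PAC entropy in bits for this address layout."""
    return bin(pac_mask(va_bits, tbi)).count("1")

def _pac(ptr: int, ctx: int, key: bytes, mask: int) -> int:
    # Assumption: HMAC-SHA256 stands in for the architected PAC cipher.
    msg = (ptr & ~mask).to_bytes(8, "little") + ctx.to_bytes(8, "little")
    digest = int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest(), "little")
    out, i = 0, 0
    for bit in range(64):          # scatter the truncated digest over the field
        if mask >> bit & 1:
            out |= ((digest >> i) & 1) << bit
            i += 1
    return out

def sign(ptr: int, ctx: int, key: bytes, layout: tuple) -> int:
    """PAC* instruction model: a user-space pointer gets its PAC field filled."""
    mask = pac_mask(*layout)
    return (ptr & ~mask) | _pac(ptr, ctx, key, mask)

def authenticate(signed: int, ctx: int, key: bytes, layout: tuple) -> int:
    """AUT* instruction model: correct PAC yields the raw pointer, a wrong
    one faults. The post's concern is that the fault happens only at commit,
    not while the instruction executes speculatively."""
    mask = pac_mask(*layout)
    if signed & mask != _pac(signed, ctx, key, mask):
        raise PermissionError("PAC mismatch")
    return signed & ~mask

def expected_guesses(bits: int) -> int:
    """Average number of PAC values tried before the right one is hit."""
    return 2 ** (bits - 1)

def brute_force_seconds(bits: int, tests_per_second: float) -> float:
    """Time budget an attacker needs given an oracle rate; the post's point is
    that at high enough rates even 32 bits does not buy much."""
    return expected_guesses(bits) / tests_per_second
```

With a 48-bit VA the model yields 15 PAC bits without TBI and 7 with it, so the post's 16 is the ceiling, and `brute_force_seconds(32, 1e6)` is under forty minutes.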
Topic | Posted By | Date |
---|---|---|
Pointer authentication flaw in M1 | Doug S | 2022/06/10 10:52 AM |
Pointer authentication flaw in M1 | Adrian | 2022/06/10 11:11 AM |
Pointer authentication flaw in M1 | anon2 | 2022/06/11 03:40 AM |
Pointer authentication flaw in M1 | Anon4 | 2022/06/11 05:26 AM |
Pointer authentication flaw in M1 | anon2 | 2022/06/11 04:00 PM |
Pointer authentication flaw in M1 | --- | 2022/06/11 01:45 PM |
Pointer authentication flaw in M1 | anon2 | 2022/06/11 04:06 PM |
Pointer authentication flaw in M1 | Linus Torvalds | 2022/06/12 10:04 AM |
Pointer authentication flaw in M1 | Linus Torvalds | 2022/06/12 10:33 AM |
Pointer authentication flaw in M1 | quackslikeaduck@quack.duck.com | 2022/06/12 02:54 PM |
Pointer authentication flaw in M1 | Doug S | 2022/06/12 04:58 PM |
Pointer authentication flaw in M1 | anon2 | 2022/06/12 08:17 PM |
solution simple, but hard to accept | hobold | 2022/06/12 09:31 PM |
solution simple, but hard to accept | Michael S | 2022/06/12 11:19 PM |
solution simple, but hard to accept | hobold | 2022/06/13 12:20 AM |
solution simple, but hard to accept | Linus Torvalds | 2022/06/13 10:24 AM |
solution simple, but hard to accept | Doug S | 2022/06/13 11:12 AM |
solution simple, but hard to accept | hobold | 2022/06/13 11:15 AM |
solution simple, but hard to accept | Adrian | 2022/06/13 11:44 AM |
solution simple, but hard to accept | hobold | 2022/06/13 01:54 PM |
solution simple, but hard to accept | --- | 2022/06/13 08:23 PM |
solution simple, but hard to accept | anon2 | 2022/06/13 01:18 PM |
solution simple, but hard to accept | hobold | 2022/06/13 01:43 PM |
solution simple, but hard to accept | anon2 | 2022/06/13 02:11 PM |
solution simple, but hard to accept | hobold | 2022/06/13 10:42 PM |
solution simple, but hard to accept | Doug S | 2022/06/14 09:46 AM |
solution simple, but hard to accept | hobold | 2022/06/14 12:22 PM |
solution simple, but hard to accept | Linus Torvalds | 2022/06/14 01:44 PM |
CHERI? | Brendan | 2022/06/11 08:40 PM |
CHERI? | Simon Farnsworth | 2022/06/12 01:09 AM |
CHERI? | Brendan | 2022/06/12 08:55 AM |
CHERI? | Simon Farnsworth | 2022/06/13 12:14 AM |
CHERI? | Michael S | 2022/06/13 01:05 PM |
CHERI? | Brendan | 2022/06/13 01:23 PM |
CHERI? | dmcq | 2022/06/14 02:10 PM |
CHERI? | Brendan | 2022/06/14 02:46 PM |
CHERI? | dmcq | 2022/06/12 03:57 AM |
CHERI? | Anon4 | 2022/06/12 06:06 AM |
CHERI -> Implemented as Morello by Arm | none | 2022/06/13 12:45 AM |