Endpoint Security

Academics Devise New Speculative Execution Attack Against Apple M1 Chips

A group of academic researchers has devised a new hardware attack that bypasses pointer authentication protections on Apple’s M1 processor.

Pointer authentication (PA) is a mechanism for detecting the modification of pointers in memory. A pointer authentication code (PAC), a short keyed cryptographic tag computed over the pointer value and a context-specific modifier, is stored in the otherwise-unused upper bits of the pointer. Before the pointer is used, the PAC is recomputed and compared against the stored one; on a mismatch the hardware yields an invalid pointer, and the subsequent dereference or branch crashes the program.

First introduced by ARM in 2017 and adopted by Apple in 2018, pointer authentication in effect forces an attacker who has modified a pointer in memory to also supply the correct PAC for the new value; otherwise the program crashes as soon as the pointer is authenticated. This is what makes PA a defense against the exploitation of memory-corruption bugs.

Dubbed PACMAN, a new attack technique devised by a group of researchers at the Massachusetts Institute of Technology’s (MIT) Computer Science and Artificial Intelligence Laboratory (CSAIL) uses micro-architectural side-channels to leak PAC verification results and bypass PA without triggering a crash.

“[W]e propose the PACMAN attack, which extends speculative execution attacks to bypass Pointer Authentication by constructing a PAC oracle. Given a pointer in a victim execution context, a PAC oracle can be used to precisely distinguish between a correct PAC and an incorrect one without causing any crashes,” the researchers note in a paper.

Essentially, PACMAN guesses the PAC by trying candidate values, using a pointer-verification operation to test each guess and a micro-architectural side channel to transmit the verification result. Because the PAC occupies only the upper bits of a 64-bit pointer that the address space does not use, it is short, typically on the order of 16 bits, so a brute-force search over all candidates is feasible once each guess can be tested without crashing the victim.

“If a correct PAC is guessed, the transmission operation will speculatively access a valid pointer, resulting in observable micro-architectural side effects. Otherwise, the transmission step will cause a speculative exception due to accessing an invalid pointer,” the researchers say.

Because both operations are executed on a mis-speculated path, the operations won’t trigger “architecture-visible events,” such as crashes.
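To make the mechanism concrete, the following is an added C model of pointer signing and authentication, first without and then with a PAC oracle; it is not code from the PACMAN paper, from Apple or from Arm. It assumes a 48-bit address space with a 16-bit PAC in the top bits, a toy keyed mix in place of the real QARMA cipher, an assumed error bit for failed authentication, and hypothetical names (pac_sign, pac_auth, forge_blind, speculative_pac_oracle, forge_with_oracle); the key, pointer and modifier values are constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout: 48-bit virtual addresses, so the PAC lives in the 16
 * otherwise-unused top bits.  Real PA uses a keyed cipher (QARMA); the
 * toy keyed mix below is NOT secure and only stands in so the model runs. */
#define VA_BITS  48
#define PAC_BITS (64 - VA_BITS)
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK ((1ULL << PAC_BITS) - 1)

static uint64_t toy_mac(uint64_t plain, uint64_t modifier, uint64_t key) {
    uint64_t x = (plain & VA_MASK) ^ modifier ^ key;
    x ^= x >> 33; x *= 0xff51afd7ed558ccdULL;
    x ^= x >> 33; x *= 0xc4ceb9fe1a85ec53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;
}

/* PAC* (sign): embed the MAC of (pointer, modifier) under the key. */
uint64_t pac_sign(uint64_t plain, uint64_t modifier, uint64_t key) {
    return (plain & VA_MASK) | (toy_mac(plain, modifier, key) << VA_BITS);
}

/* AUT* (authenticate): strip the PAC on success.  On mismatch return a
 * poisoned, non-canonical pointer (assumed error bit 62) so that the
 * victim's next load or branch through it faults; that fault is the
 * "crash" PA relies on. */
uint64_t pac_auth(uint64_t signed_ptr, uint64_t modifier, uint64_t key, bool *ok) {
    uint64_t plain = signed_ptr & VA_MASK;
    *ok = ((signed_ptr >> VA_BITS) & PAC_MASK) == toy_mac(plain, modifier, key);
    return *ok ? plain : (plain | (1ULL << 62));
}

typedef struct { unsigned guesses; bool crashed; uint64_t forged; } forge_result;

/* Attacker with a memory-write bug but no key and no oracle: a single wrong
 * PAC guess makes the victim fault when it uses the pointer. */
forge_result forge_blind(uint64_t target, uint64_t pac_guess,
                         uint64_t modifier, uint64_t key) {
    forge_result r = {1, false, 0};
    uint64_t guess = (target & VA_MASK) | ((pac_guess & PAC_MASK) << VA_BITS);
    bool ok;
    (void)pac_auth(guess, modifier, key, &ok);
    if (ok) r.forged = guess; else r.crashed = true;
    return r;
}

/* Stand-in for the PACMAN PAC oracle: the AUT result is observed through a
 * micro-architectural side channel on a mis-speculated path, so the attacker
 * learns "correct / incorrect" while nothing architectural happens. */
static bool speculative_pac_oracle(uint64_t guess, uint64_t modifier, uint64_t key) {
    bool ok;
    (void)pac_auth(guess, modifier, key, &ok);   /* squashed: no fault delivered */
    return ok;
}

/* With the oracle, forging is a brute force over PAC_BITS bits: at most
 * 2^16 = 65536 queries, none of which can crash the victim. */
forge_result forge_with_oracle(uint64_t target, uint64_t modifier, uint64_t key) {
    forge_result r = {0, false, 0};
    for (uint64_t pac = 0; pac <= PAC_MASK; pac++) {
        uint64_t guess = (target & VA_MASK) | (pac << VA_BITS);
        r.guesses++;
        if (speculative_pac_oracle(guess, modifier, key)) { r.forged = guess; break; }
    }
    return r;
}

int main(void) {
    /* Constructed values: a key unknown to the attacker, the victim's pointer, a modifier. */
    uint64_t key = 0x0123456789abcdefULL, target = 0x0000000100401000ULL, mod = 0x42;
    uint64_t legit = pac_sign(target, mod, key);
    bool ok;
    (void)pac_auth(legit ^ (1ULL << VA_BITS), mod, key, &ok);
    printf("tampered PAC accepted: %s\n", ok ? "yes" : "no");
    forge_result r = forge_with_oracle(target, mod, key);
    printf("oracle forgery %s after %u guesses (max %llu)\n",
           r.forged == legit ? "succeeded" : "failed", r.guesses,
           (unsigned long long)(PAC_MASK + 1));
    return 0;
}
```

The model shows the two points the paper turns on: the secret key never leaks, yet the PAC field is small enough that a yes/no verification oracle alone recovers a valid signed pointer in at most 65536 tries, and the only thing separating the blind attacker (who dies on the first wrong guess) from the oracle attacker is whether a failed authentication is architecturally visible.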

The attack was demonstrated on Apple’s M1 processor, but the researchers believe it may apply to future Arm processors as well. More broadly, they note that any processor relying on PA, a feature that numerous chip makers are now adopting, is within the attack’s scope.

“Since our attack breaks Pointer Authentication, our work calls for re-evaluating the security properties of those extended designs under a broader threat model involving speculative execution attacks,” the academics note.

The researchers also provide multiple proof-of-concept (PoC) demonstrations, including one that targets the operating system’s kernel and which could essentially compromise the entire system. Furthermore, the academics explain that they performed all of their experiments over the network.

The exploited weaknesses are at the hardware level, and the researchers note that they cannot be fixed with a software patch. However, they also stress that PACMAN by itself cannot compromise a system: it only defeats PA, so an attacker still needs an existing software bug, such as a memory-corruption flaw that provides a read/write primitive, whose exploitation PA would otherwise have blocked.

Apple was informed of the new attack technique last year. SecurityWeek has emailed the tech giant for a comment on PACMAN but has yet to receive a reply.

UPDATE: Apple has provided the following statement:

“We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

Related: Academics Devise Side-Channel Attack Targeting Multi-GPU Systems

Related: Researchers Disclose New Side-Channel Attacks Affecting All AMD CPUs

Related: Researchers Show First Side-Channel Attack Against Apple M1 Chips

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
