PACMAN: Attacking ARM Pointer Authentication with Speculative Execution

Ravichandran, Na, Lang, Yan, [2022] “PACMAN: Attacking ARM Pointer Authentication with Speculative Execution”

https://pacmanattack.com/

presenter: Arpit

1. Introduction

attack on ARM Pointer Authentication (introduced in 2017 with the ARMv8.3-A ISA)

PAC = Pointer Authentication Code (a keyed MAC over the pointer value and a context modifier, stored in the otherwise unused upper bits of the 64-bit pointer)

=~ pointer provenance?

PACMAN attack: extends speculative-execution attacks to bypass Pointer Authentication by constructing a PAC oracle (a way to test whether a guessed PAC is correct without the wrong guesses crashing the victim)

2. Background

pacia / autia: pacia signs a pointer (computes the PAC and inserts it), autia authenticates it (checks the PAC and strips it; on mismatch the result is an invalid pointer that faults when used)

IA = instruction address, key A (ARMv8.3 has IA/IB keys for code pointers and DA/DB keys for data pointers)

uses the translation lookaside buffer (TLB) as the side channel
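To make the pacia/autia semantics concrete, here is a small C model of sign, strip and authenticate. It is an added illustration for these notes, not code from the PACMAN paper, from ARM, or from any real implementation: it assumes 48-bit virtual addresses, a 16-bit PAC field in bits 63:48, a poison bit 62 for failed authentication, and a non-cryptographic mixing function standing in for the QARMA cipher real CPUs use. The key and addresses in `demo()` are constructed values.

```c
/* Toy model of ARMv8.3 pointer authentication (pacia / autia / xpaci).
 * Added illustration, not code from the PACMAN paper or from ARM.
 * Assumptions (toy, not the real hardware): 48-bit virtual addresses,
 * a 16-bit PAC in bits 63:48, bit 62 as the poison bit, and a simple
 * mixing function in place of the QARMA block cipher. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define VA_BITS    48
#define PAC_BITS   16
#define PAC_SHIFT  VA_BITS
#define PAC_MASK   ((1ULL << PAC_BITS) - 1)
#define ADDR_MASK  ((1ULL << VA_BITS) - 1)
#define POISON_BIT (1ULL << 62)   /* makes the address non-canonical */

typedef struct { uint64_t lo, hi; } pac_key_t;   /* models APIAKey */

/* Toy keyed hash over (pointer, modifier, key), truncated to PAC_BITS.
 * Not cryptographic; a stand-in for the real cipher. */
static uint64_t toy_mac(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t x = (ptr & ADDR_MASK) ^ key.lo;
    x ^= modifier * 0x9E3779B97F4A7C15ULL;
    x ^= key.hi;
    x ^= x >> 33; x *= 0xFF51AFD7ED558CCDULL;
    x ^= x >> 33; x *= 0xC4CEB9FE1A85EC53ULL;
    x ^= x >> 33;
    return x & PAC_MASK;
}

/* pacia: sign a code pointer under the IA key with a context modifier. */
uint64_t pacia(uint64_t ptr, uint64_t modifier, pac_key_t key) {
    uint64_t pac = toy_mac(ptr, modifier, key);
    return (ptr & ADDR_MASK) | (pac << PAC_SHIFT);
}

/* xpaci: strip the PAC without checking it. */
uint64_t xpaci(uint64_t signed_ptr) { return signed_ptr & ADDR_MASK; }

/* autia: verify the PAC. On success return the plain pointer; on failure
 * return a poisoned, non-canonical pointer that faults when dereferenced
 * (the behaviour before FEAT_FPAC, which faults immediately instead). */
uint64_t autia(uint64_t signed_ptr, uint64_t modifier, pac_key_t key) {
    uint64_t plain    = xpaci(signed_ptr);
    uint64_t expected = toy_mac(plain, modifier, key);
    uint64_t given    = (signed_ptr >> PAC_SHIFT) & PAC_MASK;
    /* A wrong PAC passes with probability 2^-PAC_BITS: each wrong guess
     * normally costs a crash, which is what a PAC oracle removes. */
    return (given == expected) ? plain : (plain | POISON_BIT);
}

bool pac_is_poisoned(uint64_t p) { return (p & POISON_BIT) != 0; }

/* Scenario: a return address signed with the stack pointer as modifier
 * (as -mbranch-protection=pac-ret does), then overwritten by a bug that
 * does not know the key. Returns 1 if the model behaves as intended. */
int demo(void) {
    pac_key_t key = { 0x0123456789ABCDEFULL, 0xFEDCBA9876543210ULL }; /* constructed */
    uint64_t sp  = 0x00007FFEE000ULL;        /* constructed stack pointer   */
    uint64_t ret = 0x0000000100001234ULL;    /* constructed return address  */
    uint64_t signed_ret = pacia(ret, sp, key);

    int genuine_ok = (autia(signed_ret, sp, key) == ret);
    /* overwrite the target while keeping the old PAC bits */
    uint64_t forged = (signed_ret & ~ADDR_MASK) | 0x0000000100005678ULL;
    int forged_rejected = pac_is_poisoned(autia(forged, sp, key));
    /* reuse the genuine signed pointer from a different frame (wrong modifier) */
    int replay_rejected = pac_is_poisoned(autia(signed_ret, sp + 0x40, key));

    printf("genuine ok=%d forged rejected=%d replay rejected=%d\n",
           genuine_ok, forged_rejected, replay_rejected);
    return genuine_ok && forged_rejected && replay_rejected;
}

int main(void) { return demo() ? 0 : 1; }
```

The modifier is what binds a signed pointer to its context: the same return address signed under a different stack pointer fails authentication, so a signed value cannot simply be copied between frames. The toy PAC accepts a wrong guess with probability 2^-16, which is why the scheme relies on each wrong guess being fatal.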

3. Threat model

attack scenario across privilege levels: unprivileged attacker code targets a higher-privileged victim (the kernel)

4. The PACMAN attack

~55k potential PACMAN gadgets found in the XNU kernel

5. Attack platform

Apple M1 SoC

macOS itself is closed source, but it is built on the open-source Darwin operating system and XNU kernel

6. Reverse engineering tools

PacmanOS, a bare-metal hypervisor

no high-resolution timers available in userspace

so they build a custom timer from multi-threaded execution: a second thread continuously increments a shared counter, and the measuring thread reads that counter as its clock

7. Reverse engineering

reverse-engineered the TLB organisation of the M1 performance cores (p-cores)

8. Proof-of-concept attacks

jump-oriented programming (JOP) proof of concept

9. Countermeasures

  1. PAC-agnostic execution: make speculative execution independent of whether PAC verification passed or failed
  2. Spectre-style defenses (InvisiSpec, SafeSpec, Delay-on-Miss): impractical because of large performance overheads
  3. Removing memory-corruption vulnerabilities: the attack needs an existing software bug as its starting point

not many synergistic attacks in prior work (combining a microarchitectural side channel with a software memory-corruption bug)

11. Conclusion