<italic xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">Memory corruption vulnerabilities have resulted in numerous exploits and significant damage to computer systems. ARM Pointer Authentication is a memory corruption mitigation that addresses these issues by cryptographically signing pointers at runtime. We present PACMAN, a novel attack methodology that uses microarchitectural side channels to forge correct pointer signatures and bypass the protection of Pointer Authentication without causing any crashes. PACMAN removes the primary barrier to conducting control-flow hijacking attacks on a platform protected with Pointer Authentication. We built two proof-of-concept attacks showing that PACMAN works across privilege levels on the Apple M1 CPU. We have also released a suite of open-source tools to enable the community to perform future research on Apple Silicon devices.</italic>