I am not sure how serious this is, but it looks like Apple did not catch this mistake. More such mistakes and the nimbus of Apple may suffer.
"[The] novel hardware attack, called PACMAN, shows that pointer authentication can be defeated without even leaving a trace. Moreover, PACMAN utilizes a hardware mechanism, so no software patch can ever fix it. ..."
From the abstract:
"... We leverage speculative execution attacks to bypass an important memory protection mechanism, ARM Pointer Authentication... We present PACMAN, a novel attack methodology that speculatively leaks PAC verification results via micro-architectural side channels without causing any crashes. Our attack removes the primary barrier to conducting control-flow hijacking attacks on a platform protected using Pointer Authentication. We demonstrate multiple proof-of-concept attacks of PACMAN on the Apple M1 SoC, the first desktop processor that supports ARM Pointer Authentication. We reverse engineer the TLB hierarchy on the Apple M1 SoC and expand micro-architectural side-channel attacks to Apple processors. Moreover, we show that the PACMAN attack works across privilege levels, meaning that we can attack the operating system kernel as an unprivileged user in userspace."
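To make the "primary barrier" the abstract refers to concrete, here is an added Python model of what Pointer Authentication does; it is not code from the paper or from Apple. It assumes a 48-bit virtual address space with the PAC folded into the 16 unused upper bits and uses truncated HMAC-SHA256 in place of the hardware's QARMA cipher; the pointer and context values are constructed samples. The point it shows is that a signed pointer can only be forged by guessing the PAC, and that in the normal (non-speculative) path every wrong guess is a fault rather than a silent "no": that fault is exactly what PACMAN avoids by reading the verification result through a side channel.

```python
import hashlib
import hmac
import secrets

# Constructed model of ARM Pointer Authentication (PAC). Real hardware uses the
# QARMA block cipher and a PAC width that depends on the configured VA size;
# this model fixes both (assumption) so it runs anywhere.
VA_BITS = 48                      # assumed virtual-address width
PAC_BITS = 16                     # assumed spare upper bits holding the PAC
PAC_SHIFT = VA_BITS               # PAC occupies bits [48, 64)
PAC_MASK = (1 << PAC_BITS) - 1
PTR_MASK = (1 << VA_BITS) - 1


class PointerAuthFault(Exception):
    """Models the trap (crash) taken when an authenticated pointer fails the check."""


def compute_pac(ptr: int, context: int, key: bytes) -> int:
    """Keyed MAC over (pointer, context), truncated to PAC_BITS."""
    msg = (ptr & PTR_MASK).to_bytes(8, "little") + (context & PTR_MASK).to_bytes(8, "little")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "little") & PAC_MASK


def sign(ptr: int, context: int, key: bytes) -> int:
    """PAC* instruction model: embed the PAC in the pointer's unused upper bits."""
    return (ptr & PTR_MASK) | (compute_pac(ptr, context, key) << PAC_SHIFT)


def authenticate(signed_ptr: int, context: int, key: bytes) -> int:
    """AUT* instruction model: strip and verify the PAC.

    A mismatch does not return a value the caller can inspect; it traps. That
    trap is what turns each wrong guess at a 2**PAC_BITS keyspace into a crash.
    """
    ptr = signed_ptr & PTR_MASK
    expected = compute_pac(ptr, context, key).to_bytes(2, "little")
    got = ((signed_ptr >> PAC_SHIFT) & PAC_MASK).to_bytes(2, "little")
    if not hmac.compare_digest(expected, got):
        raise PointerAuthFault(hex(signed_ptr))
    return ptr


def verifies(signed_ptr: int, context: int, key: bytes) -> bool:
    """Helper for tests and demos: True if authentication succeeds, False if it would trap."""
    try:
        authenticate(signed_ptr, context, key)
        return True
    except PointerAuthFault:
        return False


def demo() -> dict:
    """Signs a return address bound to a stack frame (constructed values) and
    exercises the cases a defender cares about."""
    key = secrets.token_bytes(32)            # per-process key; never visible to userspace
    return_addr = 0x7FFF_DEAD_BEEF           # constructed sample return address
    frame = 0x7FFF_FFE0_0000                 # constructed sample SP used as context
    other_frame = 0x7FFF_FFD0_0000           # a different frame (replay target)

    signed = sign(return_addr, frame, key)
    return {
        "valid_roundtrip": authenticate(signed, frame, key) == return_addr,
        # Overwriting the low pointer bits (a classic corruption) leaves a stale PAC.
        "tampered_pointer_traps": not verifies(signed ^ 0x10, frame, key),
        # Reusing a validly signed pointer under another context (replay) also traps.
        "replay_traps": not verifies(signed, other_frame, key),
        # Without the key an attacker is left guessing the PAC field itself.
        "guesses_needed": 1 << PAC_BITS,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two of the demo's checks (`tampered_pointer_traps`, `replay_traps`) depend on a MAC collision not occurring, so they fail with probability 2**-16 for a random key; that residual chance is the same thing an attacker is betting on, and the reason the trap matters.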