Hertzbleed is based on the idea that it’s possible to detect the difference between a CPU running at base frequency, and that CPU running at a boost frequency. The other side-channel technique is a new take on an old idea. Once a foothold is established in uprivileged userspace, Pacman would be used as part of an exploit against the kernel. The attack chain would likely start with a remote execution bug in an application missing PAC support. The platform that has made wide use of PAC is MacOS, as it’s a feature baked in to their M1 processor. One more important note is that an application has to have PAC support compiled in, in order to benefit from this protection. Pacman is not a Remote Code Execution flaw, nor is it useful in gaining RCE. What you may notice is that this requires an attack to already be running code on the target system, in order to run the PAC oracle technique. The key is to attempt a protected pointer dereference speculatively, and to then observe the change in system state as a result. In this case, the oracle works via speculation attacks, very similar to Meltdown and Spectre. What Pacman introduces is an oracle, which is a method to gain insight on data the attacker shouldn’t be able to see. 11 bits may not seem like enough to make this secure, but keep in mind that every failed attempt crashes the program, and every application restart regenerate the keys. Keep in mind that the application doesn’t hold the keys and doesn’t calculate this value.
The AArch64 architecture uses 64-bit values for addressing, but the address space is much less than 64-bit, usually 53 bits or less. The PAC is actually indicated in the unused bits of the pointer itself. The idea is that most exploits use pointer manipulation to achieve code execution, and correctly setting the PAC requires an explicit instruction call. If the hash is not set correctly, the program simply crashes. PAC is a protection built into certain ARM Processors, where a cryptographic hash value must be set correctly when pointers are updated. Up first is Pacman, a bypass for ARM’s Pointer Authentication Code.
There’s not one, but two side-channel attacks to talk about this week.
0 kommentar(er)
