Reverse Engineering the Customized Pointer Authentication Hardware Implementation on Apple M1

Investigate Apple M1's customized pointer authentication (PAC) hardware implementation through binary analysis, exploring Apple's unique packaging of the PAC key, PAC instruction encodings, and encodings that remain undocumented.

Key takeaways
  • Apple M1's customized pointer authentication (PAC) hardware is undocumented, so its implementation must be investigated through binary analysis.
  • Two PAC modes exist on Apple M1, "unpack" mode and Apple PAC mode; the latter is Apple's own packaging of the PAC key.
  • PAC key protection is implemented to prevent the keys from being read or switched.
  • Apple PAC mode can trigger a key transformation, and each PAC key is made up of two 64-bit system registers.
  • Apple's PAC key protection is designed to mitigate cross-domain attacks without software support.
  • The PAC instructions can access different registers in different CPU states, and encodings and registers are not a one-to-one mapping.
  • Apple's PAC allows access at the EL1 and EL2 exception levels, making it difficult to bypass Apple's PAC key protection.
  • The PAC key is made up of static values and hardcoded values, and some encodings remain undocumented.
  • Apple implemented "dark magic" by customizing its PAC hardware to achieve cross-domain attack mitigation.
  • Apple's PAC produces different key transformation results for different keys and for different CPU states.
  • Pointers can be hijacked through side-channel attacks and modified to bypass Apple's PAC key protection.
  • Apple's PAC works seamlessly across domains, and bypassing Apple's PAC key protection is needed for further research.
  • Apple's PAC implementation mitigates cross-key attacks through per-key sorting.
  • A research gap exists in documenting Apple's PAC implementation and exploring its limitations.
  • Future work aims to improve pointer authentication and to bypass Apple's PAC key protection.
  • Further research on Apple's PAC implementation is needed, including documentation, vulnerability identification, and mitigations.
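To make the takeaways above concrete, here is an added software model of pointer authentication; it is an educational example written for this page, not Apple's hardware algorithm or code from the talk. It models three of the points listed: a PAC is a keyed function of the pointer and a modifier stored in otherwise-unused upper address bits; a key is a pair of 64-bit values (standing in for the two system registers); and, in the modelled "Apple mode", the raw key is transformed together with the CPU state before use, so a pointer signed in one domain does not authenticate in another. HMAC-SHA256 stands in for the real PAC function, the 47-bit address width, the PAC bit positions, the error bit, and the sample key, pointer and modifier are all assumptions of this model.

```python
"""Software model of pointer authentication (added example, not Apple's hardware
algorithm).  HMAC-SHA256 is a stand-in for the PAC function; the address width,
PAC bit positions, error bit and sample values below are assumptions."""
import hashlib
import hmac

VA_BITS = 47                                           # assumed virtual-address width
VA_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << 63) - 1) & ~VA_MASK                  # bits 47..62 carry the PAC (assumed)
ERROR_BIT = 1 << 62                                    # assumed: set when authentication fails


def _key_bytes(key):
    """Serialise the (hi, lo) pair of 64-bit key halves."""
    key_hi, key_lo = key
    return key_hi.to_bytes(8, "little") + key_lo.to_bytes(8, "little")


def transform_key(key, cpu_state, apple_mode):
    """Model of the per-state key transformation.

    In standard mode the raw key is used as-is.  In the modelled Apple mode the
    raw key is mixed with the CPU state, so the effective key used to sign in
    'user' differs from the one used in 'kernel' even though the raw key is the
    same.  The mixing function is an assumption of this model.
    """
    if not apple_mode:
        return key
    mixed = hashlib.sha256(_key_bytes(key) + cpu_state.encode()).digest()
    return (int.from_bytes(mixed[:8], "little"),
            int.from_bytes(mixed[8:16], "little"))


def pac_compute(ptr, modifier, key):
    """Keyed MAC of (pointer, modifier), truncated to the PAC bit field."""
    msg = ptr.to_bytes(8, "little") + modifier.to_bytes(8, "little")
    digest = hmac.new(_key_bytes(key), msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "little") & PAC_MASK


def sign(ptr, modifier, key, cpu_state="user", apple_mode=True):
    """Return the pointer with a PAC inserted into its upper bits (like PACIA)."""
    canonical = ptr & VA_MASK
    effective = transform_key(key, cpu_state, apple_mode)
    return canonical | pac_compute(canonical, modifier, effective)


def authenticate(signed, modifier, key, cpu_state="user", apple_mode=True):
    """Strip the PAC if it verifies; otherwise return a poisoned pointer (like AUTIA).

    A poisoned pointer is non-canonical, so dereferencing it faults instead of
    silently using an attacker-controlled address.
    """
    canonical = signed & VA_MASK
    effective = transform_key(key, cpu_state, apple_mode)
    if (signed & PAC_MASK) == pac_compute(canonical, modifier, effective):
        return canonical
    return canonical | ERROR_BIT


def demo():
    """Run the model over constructed sample values and return the outcomes."""
    key = (0x0123456789ABCDEF, 0xFEDCBA9876543210)    # constructed sample key halves
    ptr = 0x0000_0001_0000_4000                         # constructed sample code pointer
    modifier = 0x1234                                   # constructed sample context

    signed_user = sign(ptr, modifier, key, "user")
    same_domain = authenticate(signed_user, modifier, key, "user")
    cross_domain = authenticate(signed_user, modifier, key, "kernel")
    tampered = authenticate(signed_user ^ 0x10, modifier, key, "user")

    # Without the key transformation (standard mode) the same raw key
    # verifies in either CPU state, which is what the cross-domain
    # mitigation described above is meant to prevent.
    signed_plain = sign(ptr, modifier, key, "user", apple_mode=False)
    plain_cross = authenticate(signed_plain, modifier, key, "kernel", apple_mode=False)

    return {
        "same_domain_ok": same_domain == ptr,
        "cross_domain_poisoned": bool(cross_domain & ERROR_BIT),
        "tampered_poisoned": bool(tampered & ERROR_BIT),
        "standard_mode_cross_domain_ok": plain_cross == ptr,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model is deliberately simple: what matters is that the effective key depends on both the raw key and the CPU state in Apple mode, so a PAC forged or leaked in one domain is useless in another, while in standard mode the same raw key verifies everywhere.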