We can't find the internet
Attempting to reconnect
Something went wrong!
Hang in there while we get back on track
Reverse Engineering the Customized Pointer Authentication Hardware Implementation on Apple M1
Investigate Apple M1's customized pointer authentication hardware implementation through binary analysis, exploring unique packaging of the pack key, pack instruction encoding, and undocumented encodings.
- Customized pointer authentication hardware implementation on Apple M1 must be investigated through binary analysis.
- Two pack modes exist on Apple M1, unpack mode and Apple pack mode, with the latter being a unique packaging of the pack key.
- The pack key protection is implemented to prevent key reading and switching.
- The Apple pack mode can trigger a key transformation, and the pack key is made up of two 64-bit system registers.
- Apple’s PAC key protection is designed to mitigate cross-domain attacks without software support.
- The pack instruction can be used to access different registers in different CPU states, and the encoding and register are not one-to-one mapping.
- Apple’s PAC allows access to EO1 and EO2 exception levels, making it difficult to bypass Apple’s PAC key protection.
- The pack key is made up of static values and hardcoded values, and there are still some encodings that remain undocumented.
- Apple implemented dark magic by customizing its PAC hardware to achieve cross-domain attack mitigation.
- Apple’s PAC allows for varying key transformation results for different keys and different CPU states.
- Pointers can be hijacked through side-channel attacks and modified to bypass Apple’s PAC key protection.
- Apple’s PAC works seamlessly across domains, and there is a need to bypass Apple’s PAC key protection for further research.
- Apple’s PAC implementation allows for cross-key attack mitigation through per-key sorting.
- A research gap exists in documenting Apple’s PAC implementation and exploring its limitations.
- Future work aims to improve pointer authentication and bypass Apple’s PAC key protection.
- There is a need for further research on Apple’s PAC implementation, including documentation, vulnerability identification, and mitigations.