PACMAN is what you get when you mix a hardware mitigation for software attacks with microarchitectural side channels. We believe the core idea of PACMAN will be applicable to much more than just PAC.

As part of our DEF CON 30 talk about PACMAN, we are releasing our proof-of-concept attack, as well as some in-house tools we built for researching Apple Silicon devices. PACMAN lies in the intersection of software and hardware attacks. From the beginning, PACMAN has been built with extensibility in mind. We hope these tools will help the community perform next-generation microarchitectural research. For support questions, contact us at pacman-attack@mit.edu.

We've shown PACMAN to work on the Apple M1 CPU. ARM has discovered many of its cores are also vulnerable to PACMAN. PACMAN also affects Neoverse V1, Neoverse N2, Cortex-A78C, Cortex-A78AE, Cortex-A710, Cortex-A715, Cortex-X1C, Cortex-X2, and Cortex-X3.

PACMAN was discovered by researchers at MIT CSAIL.

The kernel is the most privileged part of your computer's operating system. Compromising the kernel means that an attacker can do anything you can do (e.g. ...). PACMAN works across privilege levels, so it works on the kernel from user mode.

Does this attack require physical access?
Nope! We actually did all our experiments over the network on a machine in another room. PACMAN works just fine remotely if you have unprivileged code execution.

Should I be worried?
As long as you keep your software up to date, no. PACMAN is an exploitation technique: on its own it cannot compromise your system. While the hardware mechanisms used by PACMAN cannot be patched with software features, memory corruption bugs can be.

Can I tell if someone is using PACMAN against me?
Much like the Spectre attack our work is based on, PACMAN executes entirely in the speculative regime and leaves no logs. So, "probably not."

Why are you loading a kext?
You may be wondering why our attack begins by loading a custom kernel extension (kext). This kext does two things: 1) it adds an artificial software bug to the kernel for us to attack, and 2) it adds a PACMAN gadget. Neither of those things requires a kext: an attacker can find both in the vanilla kernel. An attacker with a software bug doesn't need a kext.

Why do you need a software bug to do the PACMAN attack?
PACMAN takes an existing software bug (a memory read/write) and turns it into a more powerful primitive (a pointer authentication bypass). For our demo, we add our own bug to the kernel using a kext. In a real-world attack, you would just find an existing kernel bug. Our demo only uses the kext for adding a software bug. So, an attacker with an existing bug could do the same attack without the kext.
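The last two answers (why a memory-corruption bug is the starting point, and why a check that fails only in the speculative regime leaves no trace) can be made concrete with a small model. The C program below is an added example written for this page; it is not the MIT proof of concept and it executes no ARMv8.3 PAC instructions. It models a 16-bit PAC in the top bits of a 48-bit pointer with a toy keyed hash (a stand-in for QARMA, not a cipher), a kernel slot holding a signed function pointer that an arbitrary-write bug can overwrite, and a PACMAN-style gadget that authenticates and then uses the pointer. The cache signal that the real attack extracts with timing is returned by `gadget_spec` as a boolean. The key, the addresses (`SLOT_CTX`, `TARGET`, the benign handler) and all function names are assumptions made for the model.

```c
/* pacman_model.c: an added user-space model of the PACMAN idea, not the MIT proof of
 * concept; it executes no ARMv8.3 PAC instructions. The pointer layout (48-bit VA, 16-bit
 * PAC on top; TBI and bit 55 ignored), toy hash, kernel slot, addresses and signal are constructed. */
#include <stdint.h>
#include <stdio.h>

#define VA_BITS  48
#define VA_MASK  ((1ULL << VA_BITS) - 1)
#define PAC_MASK ((1ULL << 16) - 1)
#define SLOT_CTX 0x0000ffff80010008ULL  /* constructed: slot address, used as PAC context */
#define TARGET   0x0000ffff80042000ULL  /* constructed: the address the attacker wants signed */

/* Stand-in for the secret APIA key; the attacker-side code below never reads it. */
static const uint64_t g_key[2] = { 0x0123456789abcdefULL, 0xfedcba9876543210ULL };

/* Toy keyed mixer in place of QARMA: deterministic, not cryptographic. */
static uint64_t toy_mac(uint64_t ptr, uint64_t ctx)
{
    uint64_t h = (ptr ^ g_key[0]) + (ctx ^ g_key[1]) * 0x9e3779b97f4a7c15ULL;
    h ^= h >> 31; h *= 0xbf58476d1ce4e5b9ULL; h ^= h >> 27; h *= 0x94d049bb133111ebULL;
    return h ^ (h >> 31);
}

/* PACIA-like: place the 16-bit PAC of (ptr, ctx) in the top bits of the pointer. */
uint64_t pac_sign(uint64_t ptr, uint64_t ctx)
{
    return (ptr & VA_MASK) | ((toy_mac(ptr & VA_MASK, ctx) & PAC_MASK) << VA_BITS);
}

/* AUTIA-like: 1 and the stripped pointer in *out if the PAC verifies, else 0
 * (architecturally a failed check poisons the pointer so that its first use faults). */
int pac_auth(uint64_t signed_ptr, uint64_t ctx, uint64_t *out)
{
    if ((signed_ptr >> VA_BITS) != (toy_mac(signed_ptr & VA_MASK, ctx) & PAC_MASK))
        return 0;
    *out = signed_ptr & VA_MASK;
    return 1;
}

static uint64_t g_slot;   /* kernel state reachable via the bug: a signed function pointer at SLOT_CTX */
static int g_panics;      /* architectural PAC failures; each one would be a kernel panic */
void bug_write(uint64_t value) { g_slot = value; }   /* the existing memory-write bug */
int  panic_count(void)        { return g_panics; }

/* The PACMAN gadget: authenticate, then use the pointer. Run architecturally,
 * a wrong PAC faults (counted here as a panic). */
int gadget_arch(void)
{
    uint64_t fn;
    if (!pac_auth(g_slot, SLOT_CTX, &fn)) { g_panics++; return 0; }
    return 1;   /* control transfers to fn */
}

/* The same gadget reached only under branch misprediction: the failed check never retires, so
 * no fault and no log. What survives is whether the use of fn touched the cache (timing in PACMAN). */
int gadget_spec(void)
{
    uint64_t fn;
    return pac_auth(g_slot, SLOT_CTX, &fn);
}

/* Naive architectural brute force, for contrast: only the first guess ever runs, because
 * a wrong PAC panics the kernel and the reboot discards the corrupted slot. */
long brute_force_arch(uint64_t target)
{
    uint64_t saved = g_slot, guess = 0;
    bug_write((target & VA_MASK) | (guess << VA_BITS));
    long result = gadget_arch() ? (long)guess : -1;   /* -1: the machine is gone */
    g_slot = saved;
    return result;
}

/* PACMAN: brute-force the PAC of an attacker-chosen target through the speculative
 * oracle. At most 2^16 tries, none of which can fault. */
long recover_pac(uint64_t target)
{
    uint64_t saved = g_slot; long result = -1;
    for (uint64_t guess = 0; guess <= PAC_MASK; guess++) {
        bug_write((target & VA_MASK) | (guess << VA_BITS));
        if (gadget_spec()) { result = (long)guess; break; }
    }
    g_slot = saved;   /* put the original pointer back: no architectural trace */
    return result;
}

/* Full chain: recover the PAC for TARGET, forge the signed pointer without the key,
 * plant it with the bug, and let the kernel use it architecturally. */
int demo(void)
{
    g_slot = pac_sign(0x0000ffff80001000ULL, SLOT_CTX);  /* constructed: the benign handler */
    g_panics = 0;
    long pac = recover_pac(TARGET);
    if (pac < 0 || g_panics != 0) return 0;
    bug_write((TARGET & VA_MASK) | ((uint64_t)pac << VA_BITS));
    return gadget_arch() && g_panics == 0;   /* the kernel now jumps to TARGET */
}

int main(void)
{
    long a = brute_force_arch(TARGET);   /* call before reading g_panics: argument order is unspecified */
    printf("architectural brute force: %ld, panics=%d\n", a, g_panics);
    g_panics = 0;
    long s = recover_pac(TARGET);
    printf("speculative oracle: pac=0x%04lx, panics=%d\n", (unsigned long)s, g_panics);
    printf("full chain: %s\n", demo() ? "forged pointer accepted by the kernel" : "failed");
    return 0;
}
```

Build with `cc -std=c99 -o pacman_model pacman_model.c`. The contrast is the whole point: the architectural loop can never make a second guess, because a wrong PAC panics the kernel, while the speculative loop walks all 65536 candidates without a single fault and then hands back a pointer the kernel accepts. That is the "more powerful primitive" the FAQ describes, and it is why the software-side fix is to remove the memory-corruption bug rather than to patch PAC.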