DSpace@MIT

Discovering Novel Microarchitectural Security Vulnerabilities in Modern Processors

Author(s)
Ravichandran, Joseph
Advisor
Yan, Mengjia
Terms of use
In Copyright - Educational Use Permitted. Copyright retained by author(s). https://rightsstatements.org/page/InC-EDU/1.0/
Abstract
For decades, computer security issues such as viruses, worms, and Trojans have caused significant damage to computer systems across the world. Many of these security issues are caused by vulnerabilities in software allowing for memory corruption, a kind of attack where the contents of a computer’s memory are corrupted by an attacker to change a program’s behavior. While much research has been done on how to improve software security, vendors are increasingly turning to hardware defenses to compensate for software vulnerabilities. One such example is ARM Pointer Authentication, a security feature that enforces pointer integrity through the use of cryptographic hashes. I will introduce the PACMAN attack, a novel attack methodology that defeats Pointer Authentication by leveraging the behavior of the CPU’s microarchitecture. I will present multiple proof-of-concept attacks showing PACMAN defeating Pointer Authentication on the Apple M1 SoC, the world’s first desktop processor that supports Pointer Authentication. I will also document the tools I have created to perform detailed reverse engineering of the microarchitecture on Apple Silicon platforms, enabling both this work and future research. I will also present two memory corruption vulnerabilities I have discovered and reported in modern operating systems as case studies of the kind of software vulnerability Pointer Authentication tries to mitigate. The first is an uninitialized memory issue in Linux, and the second is a race condition leading to a type confusion in XNU. Finally, I will present a series of classroom exercises I have created to teach students about CPU vulnerabilities like PACMAN.
Date issued
2023-09
URI
https://hdl.handle.net/1721.1/152860
Department
Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science
Publisher
Massachusetts Institute of Technology