Apple's M1 chips, like some other Arm chips, implement something called PAC, which stands for pointer authentication code. PAC checks protect code and data pointers against attackers who have already gained the ability to corrupt memory.
PAC was introduced in Armv8.3-A. It stores a cryptographic signature (a keyed MAC computed over the pointer and a context value) in the otherwise-unused upper bits of the pointer, and that signature is verified before the pointer is used. If an attacker replaces the pointer, perhaps with a buffer overflow, the replacement will not carry a valid signature for the new value, so the check rejects it and the attack fails.
It's a last line of defense. Even if an attack has found a memory-corruption bug in the operating system and is overwriting pointers to hijack execution, PAC can still stop it. Unless, that is, the attacker uses the new method that researchers at MIT have discovered.
Researchers at MIT's CSAIL have developed what they call the PACMAN attack on Apple's M1 SoC, which can find the PAC value a forged pointer needs in order to pass the check.
First there has to be an exploitable software vulnerability, a memory-corruption bug that PAC would otherwise stop. Then the attack uses speculative execution. Speculative-execution attacks are well known by now; the most famous are Spectre and Meltdown against x86 processors. Speculative execution runs instructions before the processor knows whether they are actually needed, in order to speed up processing. The results of mispredicted instructions are discarded, but the traces they leave in microarchitectural state such as caches and TLBs remain, and those traces can be read through a side channel. The MIT researchers use this to test a guessed PAC value: the victim authenticates the guess only on a speculative path, so a wrong guess never triggers the crash that a real failed check would cause, while the side channel still reveals whether the check passed. Because the PAC occupies only a small number of pointer bits, there are only so many possible values, and the attack simply guesses until the side channel confirms the right one.
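To make the mechanism concrete, here is a small Python model of pointer signing and authentication, a naive overwrite that fails the check, and a PACMAN-style brute force against a speculative oracle. This is an added illustration, not code from the MIT team or from Apple. The 48-bit address width, the 16-bit PAC field, the fixed key and the HMAC-SHA256 stand-in for the hardware's block-cipher MAC (QARMA in Arm's reference design) are all assumptions of the model; the oracle class stands in for the speculative-execution side channel and is not a real exploit primitive.

```python
"""Toy model of Armv8.3 pointer authentication and a PACMAN-style brute
force of the PAC field. Added example; not the MIT researchers' code."""
import hashlib
import hmac

VA_BITS = 48                    # assumption: 48-bit virtual addresses
PAC_BITS = 16                   # assumption: PAC lives in 16 spare upper bits
PAC_MASK = (1 << PAC_BITS) - 1
ADDR_MASK = (1 << VA_BITS) - 1

# Constructed key. On real hardware the key sits in system registers and is
# never readable from the code that has the memory-corruption bug.
KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def compute_pac(key: bytes, ptr: int, modifier: int) -> int:
    """Keyed MAC over (address, modifier), truncated to the PAC field.
    HMAC-SHA256 stands in for the hardware's block-cipher MAC here."""
    msg = (ptr & ADDR_MASK).to_bytes(8, "little") + modifier.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:2], "little") & PAC_MASK


def pac_sign(key: bytes, ptr: int, modifier: int) -> int:
    """PACIA-like: embed the PAC in the upper bits of a canonical pointer."""
    assert ptr & ~ADDR_MASK == 0, "pointer must be canonical (upper bits clear)"
    return ptr | (compute_pac(key, ptr, modifier) << VA_BITS)


class PacFault(Exception):
    """Models the crash a program takes when a pointer fails authentication."""


def pac_auth(key: bytes, signed_ptr: int, modifier: int) -> int:
    """AUTIA-like: recompute the PAC, strip it, and fault on mismatch."""
    ptr = signed_ptr & ADDR_MASK
    if (signed_ptr >> VA_BITS) & PAC_MASK != compute_pac(key, ptr, modifier):
        raise PacFault(f"bad PAC on {signed_ptr:#x}")
    return ptr


def naive_overwrite_passes(key: bytes, signed_ptr: int, target: int, modifier: int) -> bool:
    """Classic overflow: the attacker swaps in a gadget address but keeps the
    old PAC, because they cannot compute a fresh one without the key."""
    forged = (signed_ptr & ~ADDR_MASK) | (target & ADDR_MASK)
    try:
        pac_auth(key, forged, modifier)
        return True
    except PacFault:
        return False


class SpeculativeOracle:
    """Stand-in for the PACMAN primitive: the victim authenticates the guess
    only on a mispredicted path, so a wrong guess never faults, while a side
    channel leaks whether the check passed. The key never leaves the oracle."""

    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def guess_passes(self, candidate: int, modifier: int) -> bool:
        self.queries += 1
        try:
            pac_auth(self._key, candidate, modifier)
            return True
        except PacFault:
            return False


def pacman_forge(oracle: SpeculativeOracle, target: int, modifier: int) -> int:
    """Try every PAC value in turn until the oracle confirms one. The result
    is a signed pointer to `target` that passes a real authentication."""
    for pac in range(1 << PAC_BITS):
        candidate = (target & ADDR_MASK) | (pac << VA_BITS)
        if oracle.guess_passes(candidate, modifier):
            return candidate
    raise RuntimeError("no PAC value passed; the model is inconsistent")


def demo():
    modifier = 0xCAFE                 # e.g. a stack pointer or type hash
    legit = 0x0000_1000_2000          # constructed: the real return target
    gadget = 0x0000_1000_3000         # constructed: the attacker's gadget
    signed = pac_sign(KEY, legit, modifier)
    assert pac_auth(KEY, signed, modifier) == legit
    overwrite_ok = naive_overwrite_passes(KEY, signed, gadget, modifier)
    oracle = SpeculativeOracle(KEY)
    forged = pacman_forge(oracle, gadget, modifier)
    return overwrite_ok, forged, oracle.queries


if __name__ == "__main__":
    ok, forged, n = demo()
    print(f"naive overwrite passed the check: {ok}")
    print(f"PACMAN forged {forged:#x} after {n} speculative guesses")
```

The point the model makes is that PAC's strength is not the key's secrecy alone but the fact that a wrong guess normally crashes the process; once guesses can be tested without a crash, a 16-bit field falls in at most 65,536 tries.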
The speculative-execution part of PACMAN exploits the behaviour of the processor itself, so the flaw it relies on lives in hardware. That's good news and bad news. On the one hand the attacker still needs a separate, exploitable software bug to combine it with, which makes the attack harder to pull off. On the other hand the hardware side channel cannot be patched; only the software bugs it is paired with can be fixed.
In principle the attack applies to any Arm chip that implements PAC, which includes designs from Qualcomm and Samsung, although the researchers demonstrated it on the M1. Chips without PAC don't need it: they have no PAC check for PACMAN to bypass, so the underlying software bug would be exploitable on its own.
PACMAN also does not bypass all security on the M1; it only helps exploit bugs that would otherwise be stopped by PAC checks. Because of that, Apple told TechCrunch that it had "concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own."
The forthcoming M2 has not been tested for the flaw.
The researchers who discovered the attack will present their findings on June 18th at the International Symposium on Computer Architecture.