DEF CON 30 - Joseph Ravichandran - The PACMAN Attack: Breaking PAC on Apple M1 with Hardware Attacks




What do you get when you cross pointer authentication with microarchitectural side channels?

The PACMAN attack is a new attack technique that uses microarchitectural side channels to brute-force the pointer authentication code (PAC) for an arbitrary kernel pointer without causing any crashes. We demonstrate the PACMAN attack against the Apple M1 CPU.
