by Tim Hardwick
According to a recently published scientific study (via ArsTechnica), an unpatched vulnerability has been discovered in Apple's M series chips that allows attackers to extract private encryption keys from Mac computers under certain conditions.
The type of cyberattack described, dubbed GoFetch, involves data-memory-dependent prefetchers (DMPs), hardware that tries to predict what data the computer will need next and fetches it in advance. This is intended to speed up processing, but it may inadvertently reveal information about what the computer is doing.
The paper finds that DMPs, especially in Apple processors, pose a significant security threat to the constant-time programming model, which is used to write programs so that they take the same amount of time to execute regardless of the data they handle.
The constant-time programming model is designed to protect against side-channel attacks, or types of attacks in which someone can obtain sensitive information from a computer system without having direct access to it (for example, by observing certain patterns). The idea is that if all operations take the same amount of time, there will be less opportunity for an attacker to observe and exploit.
However, the paper finds that DMPs, especially in Apple processors, can leak information even when a program is designed not to reveal any pattern in how it accesses memory. The new research shows that a DMP can sometimes mistake the contents of memory for a memory address, treating loaded data as a pointer and fetching from that location, which contradicts the assumptions of the constant-time model.
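The constant-time discipline the article refers to, and the exact point at which a DMP undermines it, can be seen in a short example. The following C code is added here for illustration and is not from the article or from the GoFetch paper: it contrasts a variable-time byte comparison with a constant-time one and adds a branch-free select, the two building blocks most constant-time cryptographic code is written from. The function names and the sample key bytes are the example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Variable-time comparison: returns as soon as a byte differs, so the running
 * time (and the number of bytes loaded) depends on how many leading bytes of
 * the guess match the secret. This is the pattern constant-time code avoids. */
int compare_variable_time(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            return 0;
        }
    }
    return 1;
}

/* Constant-time comparison: always touches every byte and contains no branch
 * on the data. The OR-accumulated difference is reduced to 0 or 1 with
 * arithmetic only, so timing and memory-access pattern are the same for all
 * inputs. Note that the loop still loads secret *values* into registers; the
 * model assumes the hardware ignores what those values are, which is the
 * assumption a DMP breaks by inspecting them for pointer-like contents. */
int compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) {
        diff |= (uint8_t)(a[i] ^ b[i]);
    }
    /* (diff - 1) borrows into the top bit only when diff == 0. */
    return (int)((((uint32_t)diff - 1u) >> 31) & 1u);
}

/* Constant-time select: returns x when bit == 1 and y when bit == 0 without a
 * branch. mask is all ones or all zeros depending on the secret bit. */
uint64_t select_constant_time(uint64_t bit, uint64_t x, uint64_t y) {
    uint64_t mask = (uint64_t)0 - (bit & 1u);
    return (x & mask) | (y & ~mask);
}

int main(void) {
    /* Constructed sample inputs: a secret and a guess that differs in the last byte. */
    const uint8_t key[8]   = {1, 2, 3, 4, 5, 6, 7, 8};
    const uint8_t guess[8] = {1, 2, 3, 4, 5, 6, 7, 9};
    printf("variable-time: %d, constant-time: %d\n",
           compare_variable_time(key, guess, 8),
           compare_constant_time(key, guess, 8));
    printf("select(1): %llu, select(0): %llu\n",
           (unsigned long long)select_constant_time(1, 10, 20),
           (unsigned long long)select_constant_time(0, 10, 20));
    return 0;
}
```

Both comparison functions return the same answers; the difference the constant-time model cares about is only in how they get there, and GoFetch's observation is that even that is not enough when the prefetcher reads the loaded values.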
The authors present GoFetch as a new type of attack that exploits this vulnerability in the DMP to extract encryption keys from protected software. The attack works against several popular encryption algorithms that are considered resistant to side-channel attacks, including both traditional (e.g., OpenSSL Diffie-Hellman key exchange, Go RSA decryption) and post-quantum (e.g., CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.
In an email to ArsTechnica, the authors explained:
Prefetching typically looks at the addresses of the available data (ignoring the values of the available data) and tries to guess future addresses that might be useful. In this sense, DMP is different because in addition to addresses, it also uses data values for prediction (predicting addresses for branching and prefetching). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (even though it actually isn't!), and the data from that “address” will be moved to the cache. The entry of this address into the cache is visible by leaking through cache side channels.
Our attack exploits this fact. We cannot leak encryption keys directly, but we can manipulate the intermediate data within the encryption algorithm to appear as a pointer using a chosen input attack. The DMP then sees that the data value “looks like” an address and moves the data from that “address” into the cache, causing the “address” to leak. We don't care about prefetching the data value, but the fact that the intermediate data looked like an address is visible through the cache pipe and is sufficient to reveal the secret key over time.
Thus, the paper shows that the DMP feature in Apple silicon processors can be used to bypass protections in cryptographic software that were thought to prevent such leaks, potentially allowing attackers to recover sensitive information such as a 2048-bit RSA key, in some cases in less than an hour.
According to the authors, the flaw in Apple's chips cannot be patched directly. Instead, the attack can only be mitigated by building protections into third-party cryptographic software, which can result in dramatic performance degradation for cryptographic operations, especially on the earlier M1 and M2 chips. The DMP in the M3, Apple's latest chip, has a special bit that developers can use to disable it, but the researchers are not yet sure what performance penalty disabling this optimization will incur.
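One form the software-side protection mentioned above can take is masking: a secret-dependent intermediate value is never held in memory in the clear, but as two shares that are each random-looking on their own, so the bytes that actually land in memory are not the secret-dependent value the prefetcher would inspect. The following C code is an added illustration of that general idea, not the paper's or Apple's mitigation; the `masked_u64` type and the `mask_value`, `masked_xor`, `refresh_mask` and `unmask_value` functions are the example's own, and the xorshift generator is a stand-in for a real random source.

```c
#include <stdint.h>
#include <stdio.h>

/* Two shares of a 64-bit value: masked == value ^ mask. When mask is uniformly
 * random, each share on its own is uniformly distributed, so neither share
 * stored in memory equals the secret-dependent intermediate. */
typedef struct {
    uint64_t masked;
    uint64_t mask;
} masked_u64;

/* Stand-in mask source for the example (xorshift64). Real code must draw masks
 * from the platform's cryptographic random generator, never from a PRNG. */
static uint64_t example_random(uint64_t *state) {
    uint64_t x = *state;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    *state = x;
    return x;
}

/* Split a value into shares with a fresh mask. */
masked_u64 mask_value(uint64_t value, uint64_t *rng_state) {
    masked_u64 m;
    m.mask = example_random(rng_state);
    m.masked = value ^ m.mask;
    return m;
}

/* XOR with a public constant applies to the masked share alone; the relation
 * masked ^ mask == value ^ c holds without ever reconstructing the value. */
masked_u64 masked_xor(masked_u64 m, uint64_t c) {
    m.masked ^= c;
    return m;
}

/* Re-randomize both shares so the same secret is not kept in memory under a
 * single mask for long. The hidden value is unchanged. */
masked_u64 refresh_mask(masked_u64 m, uint64_t *rng_state) {
    uint64_t r = example_random(rng_state);
    m.masked ^= r;
    m.mask ^= r;
    return m;
}

/* Recombine the shares; done only at the point the clear value is required. */
uint64_t unmask_value(masked_u64 m) {
    return m.masked ^ m.mask;
}

int main(void) {
    uint64_t rng_state = 0x9E3779B97F4A7C15ULL;   /* constructed seed */
    uint64_t secret = 0x1122334455667788ULL;       /* constructed sample value */
    masked_u64 m = mask_value(secret, &rng_state);
    printf("in memory: masked=%016llx mask=%016llx\n",
           (unsigned long long)m.masked, (unsigned long long)m.mask);
    m = refresh_mask(masked_xor(m, 0xFFULL), &rng_state);
    printf("recombined: %016llx\n", (unsigned long long)unmask_value(m));
    return 0;
}
```

The cost of this approach is the extra work on every operation and the extra randomness it consumes, which is the kind of performance trade-off the article says such software protections carry.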
As ArsTechnica notes, this is not the first time researchers have found threats in Apple's DMP. Research documented in 2022 found such a threat in both the M1 and Apple's A14 Bionic chip for the iPhone, which led to the “Augury” attack. However, that attack was ultimately unable to extract sensitive data from software using constant-time techniques.
“GoFetch shows that DMP is significantly more aggressive than previously thought, and thus poses a much greater security risk,” the researchers state on their website. “Specifically, we found that any value loaded from memory is a candidate for dereference (literally!) This allows us to bypass many of Augury's limitations and demonstrate end-to-end constant-time attacks on real code.”
DMP-style attacks are not common, and the researchers informed Apple of the vulnerability in December 2023. Users concerned about this vulnerability are advised to check for GoFetch mitigation updates as they become available for macOS software that implements the encryption protocols known to be vulnerable. Apple representatives declined to comment on the record when ArsTechnica asked about the paper.