Apple Silicon vulnerability leaks encryption keys and cannot be easily fixed


A newly disclosed vulnerability in Apple Silicon chips could allow an unprivileged attacker to steal cryptographic keys and, with them, user data. The fix has to be made in software, and it can have a significant impact on encryption performance.

Researchers have discovered a flaw in Apple's M-series chips that leaks secrets from cryptographic operations, such as file encryption. Because the flaw is part of the chip's architectural design, it cannot be patched in the silicon and is very difficult to work around.

Detailed Thursday by a team of researchers and reported by Ars Technica, the problem involves the data memory-dependent prefetcher (DMP), which predicts the memory addresses that currently running programs are likely to access and loads them into the cache ahead of time. Those prefetched loads leave traces in the cache, and malicious code running on the same machine can observe them.

A conventional prefetcher uses previous access patterns to predict the next piece of data to fetch; the DMP goes further and examines the contents of loaded data for values that look like pointers. An attacker who can influence what the DMP prefetches can therefore learn about data they are not supposed to see.

GoFetch attack can steal encryption keys

The attack, dubbed "GoFetch" by the researchers, exploits a feature of Apple Silicon's DMP: the prefetcher can confuse ordinary memory contents with the values of pointers used to load further data, so the former is sometimes treated as the latter.

Describing the attack, the researchers confirm that it is possible to make data "look like" a pointer, which the DMP will treat as an address and dereference, pulling the memory at that address into the cache. That change in cache state is observable, meaning malicious code can detect it through timing measurements.

The attack uses chosen inputs to make intermediate data inside the encryption algorithm look like a pointer. The DMP, seeing a value that looks like an address, fetches the data at that address, and the fetch itself reveals the intermediate value, and with it information about the key.

The attack does not crack the key instantly. It can, however, be repeated many times, and each repetition reveals a little more of the key.
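The following is an added illustration of the mechanism just described; it is not code from the article or from the GoFetch researchers. It is a deliberately simplified simulation: the toy cache, the toy DMP, the victim "cipher", the 8-byte constructed key and the pointer-looking constant are all assumptions chosen so that a chosen-input, byte-at-a-time key recovery fits in a few dozen lines. The real attack targets real cryptographic code and measures cache timing rather than reading a set.

```python
# Added illustration (not code from the article or the GoFetch researchers):
# a toy simulation of a data memory-dependent prefetcher turning a
# secret-dependent intermediate value into an observable cache access.
# Every name, the victim "cipher" and the pointer value are assumptions.

WORD_MASK = (1 << 64) - 1
PTR = 0x0000_6000_0000_1000   # assumed: a value that looks like a heap pointer


class ToyCache:
    """Records which addresses a load has pulled into the cache."""

    def __init__(self):
        self.lines = set()

    def flush(self):
        self.lines.clear()

    def load(self, addr):
        self.lines.add(addr)

    def is_cached(self, addr):
        return addr in self.lines


def toy_dmp(written_words, cache, plausible_ptrs):
    """Model of a DMP: inspect data the victim just wrote and, if a word looks
    like a pointer, dereference it (bring that address into the cache) even
    though no instruction asked for it."""
    for word in written_words:
        if word in plausible_ptrs:
            cache.load(word)


def victim(key, x_words, cache, plausible_ptrs):
    """Toy 'cipher' (assumed): a running mix of key bytes with attacker-supplied
    64-bit words. Intermediate h_j depends only on key bytes 0..j, which is what
    lets a partial key guess steer a single intermediate value."""
    h = 0
    intermediates = []
    for j, key_byte in enumerate(key):
        h = ((h * 31 + key_byte) & WORD_MASK) ^ x_words[j]
        intermediates.append(h)
    toy_dmp(intermediates, cache, plausible_ptrs)  # DMP scans what was written
    return intermediates[-1]


def make_oracle(key, cache, plausible_ptrs):
    """Attacker's measurement: flush, let the victim run on chosen input, then
    probe whether PTR became cached. A real attack times the access instead."""
    calls = [0]

    def oracle(x_words):
        calls[0] += 1
        cache.flush()
        victim(key, x_words, cache, plausible_ptrs)
        return cache.is_cached(PTR)

    return oracle, calls


def recover_key(oracle, key_len):
    """Chosen-input attack: for byte j, pick x_j so that h_j == PTR exactly when
    the guess for key byte j is right, and let the DMP answer the question."""
    known = []
    for j in range(key_len):
        h_prev = 0
        for key_byte in known:               # replay h_{j-1} with x_i = 0 for i < j
            h_prev = (h_prev * 31 + key_byte) & WORD_MASK
        for guess in range(256):
            x = [0] * key_len
            x[j] = ((h_prev * 31 + guess) & WORD_MASK) ^ PTR
            if oracle(x):
                known.append(guess)
                break
        else:
            raise RuntimeError("no guess made intermediate %d look like a pointer" % j)
    return bytes(known)


def demo(key=bytes.fromhex("a1b2c3d4e5f60718")):
    """Constructed 8-byte secret; returns (recovered key, number of victim runs)."""
    oracle, calls = make_oracle(key, ToyCache(), {PTR})
    recovered = recover_key(oracle, len(key))
    return recovered, calls[0]


if __name__ == "__main__":
    recovered, runs = demo()
    print("recovered key:", recovered.hex(), "after", runs, "victim runs")
```

The point to take from the simulation is the shape of the oracle: the attacker never reads the key, only asks, once per guess, "did the prefetcher just touch my pointer?" and needs at most 256 victim runs per key byte. That is why the article describes the attack as slow but repeatable rather than instant.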

GoFetch runs with the same user privileges as any ordinary third-party macOS app; it does not need root access. That lowers the barrier to actually carrying out the attack, but there are constraints.

To work, the GoFetch process must run on the same chip cluster as the targeted cryptographic application, and both must be running on the same core type at the same time, either the efficiency cores or the performance cores. The requirement is per cluster, not per core: the attack still works if the two processes run on different cores within the same cluster.

The researchers claim the attack works against both classical encryption algorithms and newer post-quantum ones.

As for speed, the researchers' test application extracted a 2048-bit RSA key in under an hour and a 2048-bit Diffie-Hellman key in just over two hours. Extracting a Dilithium-2 key took ten hours of data collection, not counting offline processing time.

Difficult to prevent

The core problem is that the attack cannot be fixed in Apple Silicon itself, since the DMP is a central part of the design. Instead, developers of cryptographic software must add countermeasures.

The catch is that any such countermeasure adds work to every operation, which costs performance. Those costs should only affect applications that use the affected cryptographic code, not general-purpose applications.

For one mitigation, ciphertext blinding, the effectiveness and the cost vary by algorithm, and an operation may require up to twice the resources it normally would.
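As an added example of what ciphertext blinding means in practice (not code from the article or the researchers), here is RSA decryption with and without it. The key is a constructed toy built from two Mersenne primes so the arithmetic runs instantly; the message value is likewise constructed. A real key is 2048 bits or more and belongs inside a constant-time library, but the algebra is the same: multiply the ciphertext by a random factor before the secret-key operation, so the attacker no longer controls the values the exponentiation (and therefore the DMP) sees.

```python
# Added illustration (not from the article or the researchers' code): RSA
# decryption with and without ciphertext blinding. Constructed toy key.
import math
import secrets

P = (1 << 61) - 1          # constructed toy prime (2^61 - 1)
Q = (1 << 89) - 1          # constructed toy prime (2^89 - 1)
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; needs Python 3.8+


def decrypt_unblinded(c):
    """The exponentiation sees the attacker-chosen ciphertext directly, so an
    attacker can pick c to steer the intermediate values a DMP inspects."""
    return pow(c, D, N)


def decrypt_blinded(c, rng=secrets.randbelow):
    """Ciphertext blinding: multiply c by r^e for a fresh random r, decrypt the
    blinded value, then strip r from the result. Returns (plaintext, the value
    the secret-key exponentiation actually saw)."""
    while True:
        r = rng(N)
        if r > 1 and math.gcd(r, N) == 1:
            break
    c_blind = (c * pow(r, E, N)) % N       # what the secret-key operation sees
    m_blind = pow(c_blind, D, N)           # (c * r^e)^d = m * r  (mod N)
    m = (m_blind * pow(r, -1, N)) % N      # remove the blinding factor
    return m, c_blind


def demo(message=0x48656C6C6F):
    """Encrypt a constructed message and decrypt it both ways, twice for the
    blinded path, to show the result is stable while the intermediate is not."""
    c = pow(message, E, N)
    m1, seen1 = decrypt_blinded(c)
    m2, seen2 = decrypt_blinded(c)
    return {
        "unblinded_ok": decrypt_unblinded(c) == message,
        "blinded_ok": m1 == message and m2 == message,
        "intermediate_is_random": seen1 != seen2 and seen1 != c and seen2 != c,
    }


if __name__ == "__main__":
    print(demo())
```

For RSA the added cost is one short exponentiation (r to the public exponent) and one modular inverse per decryption, which is small next to the secret-key exponentiation; the overhead the article quotes varies by algorithm, and for some schemes the blinded operation is considerably more expensive than the plain one.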

It is also possible to run cryptographic code only on the efficiency cores, which do not have a DMP. Again, encryption performance suffers, because the code no longer runs on the faster performance cores.

The third option applies only to M3 chips: a special bit (the data-independent timing, or DIT, bit) can be set to disable the DMP. The researchers admit they do not know how much performance would be lost.

Apple declined to comment on the report. The researchers said they responsibly disclosed the issue to Apple before publication, notifying the company on December 5, 2023.

Some of the researchers had previously worked on a 2022 finding that also involved the Apple Silicon DMP. At the time, that flaw, called Augury, was judged not "that bad" and "probably just a sandbox threat model."

History repeating

Chip vulnerabilities can be a big problem for device manufacturers, especially when operating systems and software have to be changed to work around them.

In 2018, the Meltdown and Spectre chip flaws were disclosed, affecting all Mac and iOS devices as well as almost all x86 devices released since 1997.

These vulnerabilities relied on speculative execution, in which the chip speeds itself up by executing multiple instructions at once, or even out of order. As the name suggests, the CPU speculatively continues executing down a predicted path before it knows whether the branch will actually be taken.

Both Meltdown and Spectre used this mechanism to read privileged memory, which could include kernel memory.

Their discovery led to a spate of similar attacks, mostly targeting Intel chips, including Foreshadow and ZombieLoad.

This is not the first flaw found in the design of Apple Silicon chips. In 2022, MIT researchers disclosed an unpatchable vulnerability dubbed "PACMAN" that turned the chips' pointer authentication mechanism into a side channel.
