University researchers have found an unpatchable security flaw in Apple Silicon Macs, which would allow an attacker to break encryption and get access to cryptographic keys.
The flaw is present in M1, M2, and M3 chips, and because the failing is part of the architecture of the chips, there’s no way for Apple to fix it in current devices …
The flaw is in a process known as DMP
Before we explain the flaw, we need to understand a process used in the most advanced of today’s chips, known as Data Memory-dependent Prefetchers (DMP). Here’s how ArsTechnica explains the concept:
The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.
The problem arises from a bug in the DMP.
The unpatchable security flaw
Seven researchers from six different universities worked together to identify the vulnerability and create an app which was able to successfully exploit it: GoFetch.
The details are pretty technical, but the short version is that data stored in the chip is sometimes mistaken for a memory address, and cached. If a malicious app forces this error to occur repeatedly, then over time it can decrypt the key.
Here’s how the researchers describe it in more detail:
Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it’s actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.
Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.
It’s not the first time that a DMP vulnerability has been found in Apple Silicon. Back in 2022, a different research team found one they named Augury.
A workaround is possible, but would hit performance
The researchers say that because the problem can’t be patched, the best Apple could do is to implement workarounds – but these would badly hurt performance.
One of the most effective mitigations, known as ciphertext blinding, is a good example. Blinding works by adding/removing masks to sensitive values before/after being stored to/loaded from memory. This effectively randomizes the internal state of the cryptographic algorithm, preventing the attacker from controlling it and thus neutralizing GoFetch attacks. Unfortunately, the researchers said, this defense is both algorithm-specific and often costly, potentially even doubling the computing resources needed in some cases, such as for Diffie-Hellman key exchanges.
One other defense is to run cryptographic processes on the previously mentioned efficiency cores, also known as Icestorm cores, which don’t have DMP. One approach is to run all cryptographic code on these cores. This defense, too, is hardly ideal. Not only is it possible for unannounced changes to add DMP functionality to efficiency cores, running cryptographic processes here will also likely increase the time required to complete operations by a nontrivial margin.
But real-world risks are low
To exploit the vulnerability, an attacker would have to fool a user into installing a malicious app, and unsigned Mac apps are blocked by default.
Additionally, the time taken to carry out an attack is quite significant, ranging from 54 minutes to 10 hours in tests carried out by researchers, so the app would need to be running for a considerable time.
Apple has so far chosen not to implement protection against the Augury DMP exploit, likely because the performance hit wouldn’t be justified by the very low real of a real-world attack. The researchers here shared their findings with Apple back in December, and so far no workaround has been implemented, doubtless for the same reason. The company has not publicly commented.
The long-term solution will be for Apple to address the vulnerability in the DMP implementation in the design of future chips.
Photo by Ali Mahmoudi on Unsplash
FTC: We use income earning auto affiliate links. More.
