Hardware-level Apple Silicon vulnerability can leak cryptographic keys

Short of redesigning CPUs, the fix will seriously degrade performance


A side-channel vulnerability has been found in the architecture of Apple Silicon processors that gives malicious apps the ability to extract cryptographic keys from memory that should be off limits. 

Dubbed GoFetch by the team that discovered it, the issue stems from how processors equipped with data memory-dependent prefetchers (DMPs) – eg, Arm-compatible Apple Silicon chips, and 13th generation and newer Intel architectures – can end up revealing sensitive information to malware running on a device.

For decades, processors have typically used some kind of prefetching to boost their performance: the hardware predicts what data the currently running program will need next and automatically brings that information from DRAM into a cache within the processor, so it's ready for near-immediate use. The location of the data to prefetch can be predicted by noticing that a CPU core is accessing memory in a certain pattern and then following that pattern ahead of execution.

DMPs try to be a bit smarter by predicting what will be fetched next from the contents of memory itself. For instance, if it looks like the processor is preparing to fetch some data from a location based on what looks like a memory address at another location – think linked lists and the like, in which one block of data holds a pointer to the next – the DMP may begin bringing that next block into the cache.

But that isn't without its problems: A vulnerable DMP can be manipulated into populating a cache preemptively in a way that discloses the contents of other memory. Malware or other rogue observers on a machine can exploit this to extract secret keys and other sensitive stuff from DRAM that should otherwise be inaccessible.

"We reverse-engineered DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that 'looks like' a pointer," as the team – a group hailing from the University of Illinois Urbana-Champaign; the University of Texas at Austin; the Georgia Institute of Technology; the University of California, Berkeley; the University of Washington; and Carnegie Mellon University, all in the US – put it.

And here's the magic: "To exploit the DMP, we craft chosen inputs to cryptographic operations, in a way where pointer-like values only appear if we have correctly guessed some bits of the secret key.

"We verify these guesses by monitoring whether the DMP performs a dereference through cache-timing analysis. Once we make a correct guess, we proceed to guess the next batch of key bits.

"Using this approach, we show end-to-end key extraction attacks on popular constant-time implementations of classical (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium)."

Thus, malicious code on a vulnerable Apple Silicon device hoping to obtain a secret key from memory can attempt cryptographic operations involving that secret key, and then piece together that key bit by bit by observing the DMP's activities. The DMP kicks in during those operations to speed up the processor's workings.

Any malicious app running in the same CPU cluster as the targeted cryptographic operation, and with nothing but user privileges, can pull off this kind of exploit, we're told. Note that this will take some time, and is most useful against keys that are not ephemeral – think long-term private server-side keys.

Similar vulnerabilities were reported in Apple Silicon chips a few years back under the name Augury, but the GoFetch crew note Augury's analysis of DMP was "overly restrictive" and "missed several DMP activation scenarios." 

"We find that the DMP activates on behalf of potentially any program, and attempts to dereference any data brought into cache that resembles a pointer," the GoFetch team says. 

In short, "the security threat from DMPs is significantly worse than previously thought," the team wrote in a paper [PDF]. All the technical details are inside that document.

What chips are affected, and how can this be fixed?

The researchers were able to successfully mount key recovery attacks on Apple hardware containing M1 processors, and found that base-model M2 and M3 Apple Silicon CPUs display similar exploitable behavior. Other Apple Silicon variants weren't tested. 

Intel processors are at risk too, but less so, the team notes. "Intel's 13th Gen Raptor Lake microarchitecture also features a DMP. However, its activation criteria are more restrictive, making it robust to our attacks."

The DMP can be disabled on M3 CPUs, but not on M1 and M2 chips, the researchers note, adding that disabling the DMP is likely to seriously degrade performance. The only way to mitigate GoFetch without re-engineering chips (sound familiar?) is to rely on third-party cryptographic software to change its implementations so that attacks can't succeed. Similar fixes are available for Intel chips.
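To make the implementation-level fix concrete, here is an added example (not code from the GoFetch paper or from any project named in this article) of one such change: multiplicative blinding of an RSA private-key operation. The attack described above depends on the attacker choosing the input to a secret-key computation; blinding multiplies that input by a fresh random factor before the secret-dependent step and strips it out afterwards, so the value the hardware actually processes is no longer under the attacker's control. The RSA key here is a constructed toy (two Mersenne primes) and `secret_dependent_step` is a stand-in for whatever exponentiation routine a real library uses; that blinding is among the mitigations the researchers refer to is an assumption of this example.

```python
"""Added example: blinding a private-key operation so that attacker-chosen
inputs never reach the secret-dependent computation unchanged.

The key below is a constructed toy. 2**61-1 and 2**31-1 are Mersenne primes,
far too small for real use, but the blinding arithmetic is identical to what
a production RSA implementation does with 2048-bit primes.
"""

import math
import secrets
from typing import Optional, Tuple

P = 2**61 - 1
Q = 2**31 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)


def secret_dependent_step(x: int) -> int:
    """Stand-in for the routine an attacker wants to observe: modular
    exponentiation with the private exponent D. Whatever value x is fed in
    here is what lands in memory (and in front of a prefetcher) while the
    secret is in use."""
    return pow(x, D, N)


def encrypt(m: int) -> int:
    return pow(m, E, N)


def decrypt_unblinded(c: int) -> Tuple[int, int]:
    """Decrypt without blinding. The attacker-chosen ciphertext c goes
    straight into the secret-dependent step, so the attacker fully controls
    the intermediate values it produces.
    Returns (plaintext, value_seen_by_secret_step)."""
    return secret_dependent_step(c), c


def decrypt_blinded(c: int, r: Optional[int] = None) -> Tuple[int, int]:
    """Decrypt with multiplicative blinding.

    A random r with gcd(r, N) == 1 is drawn per call (a fixed r may be
    supplied for deterministic tests). The secret-dependent step operates on
    c * r^E mod N, which the attacker cannot predict; because E*D == 1 mod
    phi(N), the result equals c^D * r mod N, and multiplying by r^-1 mod N
    recovers the plaintext.
    Returns (plaintext, value_seen_by_secret_step)."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 2) + 2
            if math.gcd(r, N) == 1:
                break
    c_blind = (c * pow(r, E, N)) % N
    m_blind = secret_dependent_step(c_blind)
    m = (m_blind * pow(r, -1, N)) % N
    return m, c_blind


if __name__ == "__main__":
    c = encrypt(123456789)
    m_plain, seen_plain = decrypt_unblinded(c)
    m_blind, seen_blind = decrypt_blinded(c)
    print("unblinded: plaintext", m_plain, "secret step saw", hex(seen_plain))
    print("blinded:   plaintext", m_blind, "secret step saw", hex(seen_blind))
    print("attacker-chosen input reached the secret step unchanged:",
          seen_plain == c, "/", seen_blind == c)
```

Run it twice and the "secret step saw" value in the blinded case changes on every call while the plaintext stays the same, which is the property that matters here: a side channel that leaks information about the value being processed now leaks information about a random number rather than about an attacker-chosen input. Blinding costs two extra modular exponentiations per operation, far cheaper than switching off the prefetcher.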

What Apple plans to do isn't immediately clear, with its response to our questions minimal. 

"We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats," an Apple spokesperson told The Register. Apple also pointed us to developer documentation on how to implement the mitigations highlighted by the researchers, which Apple admits will degrade CPU performance. ®
