Hardware-level Apple Silicon vulnerability can leak cryptographic keys

Short of redesigning CPUs, the fix will seriously degrade performance


A side-channel vulnerability has been found in the architecture of Apple Silicon processors that gives malicious apps the ability to extract cryptographic keys from memory that should be off limits. 

Dubbed GoFetch by the team that discovered it, the issue stems from how processors equipped with data memory-dependent prefetchers (DMPs), e.g. Arm-compatible Apple Silicon chips, and 13th generation and newer Intel architectures, can end up revealing sensitive information to malware running on a device.

For decades, processors have used some form of prefetching to boost performance: the hardware predicts which data the currently running program will need next from, say, system memory, and pulls that information from DRAM into a cache within the processor ahead of time so it's ready for near-immediate use. Which addresses to prefetch can be predicted by noticing that a CPU core is accessing memory in a regular pattern and then following that pattern ahead of execution.

DMPs try to be a bit smarter by predicting what will be fetched next from the contents of memory itself. For instance, if it looks like the processor is preparing to fetch some data from a location based on what looks like a memory address stored at another location – think linked lists and the like, in which one block of data holds a pointer to another – the DMP may start bringing that next block into the cache.

But that isn't without its problems: A vulnerable DMP can be manipulated into populating a cache preemptively in a way that discloses the contents of other memory. Malware or other rogue observers on a machine can exploit this to extract secret keys and other sensitive stuff from DRAM that should otherwise be inaccessible.

"We reverse-engineered DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that 'looks like' a pointer," as the team – a group hailing from the University of Illinois Urbana-Champaign; the University of Texas at Austin; the Georgia Institute of Technology; the University of California, Berkeley; the University of Washington; and Carnegie Mellon University, all in the US – put it.

And here's the magic: "To exploit the DMP, we craft chosen inputs to cryptographic operations, in a way where pointer-like values only appear if we have correctly guessed some bits of the secret key.

"We verify these guesses by monitoring whether the DMP performs a dereference through cache-timing analysis. Once we make a correct guess, we proceed to guess the next batch of key bits.

"Using this approach, we show end-to-end key extraction attacks on popular constant-time implementations of classical (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium)."

Thus, malicious code on a vulnerable Apple Silicon device hoping to obtain a secret key from memory can trigger cryptographic operations that use that key, feeding them chosen inputs, and then piece the key together bit by bit by observing the DMP, which kicks in during those operations to speed up the processor's workings.

Any malicious app running in the same CPU cluster as the targeted cryptographic operation, and with nothing but user privileges, can pull off this kind of exploit, we're told. Note that this will take some time, and is most useful against keys that are not ephemeral – think long-term private server-side keys.

Similar vulnerabilities were reported in Apple Silicon chips a few years back under the name Augury, but the GoFetch crew note Augury's analysis of DMP was "overly restrictive" and "missed several DMP activation scenarios." 

"We find that the DMP activates on behalf of potentially any program, and attempts to dereference any data brought into cache that resembles a pointer," the GoFetch team says. 

In short, "the security threat from DMPs is significantly worse than previously thought," the team wrote in a paper [PDF]. All the technical details are inside that document.

What chips are affected, and how can this be fixed?

The researchers successfully mounted key recovery attacks on Apple hardware containing M1 processors, and found that base-model M2 and M3 Apple Silicon CPUs display similar exploitable behavior. Other Apple Silicon variants weren't tested.

Intel processors are at risk too, but less so, the team notes. "Intel's 13th Gen Raptor Lake microarchitecture also features a DMP. However, its activation criteria are more restrictive, making it robust to our attacks."

The DMP can be disabled on M3 CPUs but not on M1 and M2 chips, the researchers note, adding that disabling it is likely to seriously degrade performance. The only way to address GoFetch without re-engineering the chips (sound familiar?) is to rely on the authors of cryptographic software to change their implementations so the attacks cannot succeed. Similar fixes are available for Intel chips.
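To make concrete why "constant-time" code is not enough in the presence of a DMP, and what an implementation-side fix has to achieve, here is an added toy model in Python. It is not the researchers' code, not Apple's mitigation, and not a real microarchitecture: the pointer window, the 64-byte cache line, the XOR "crypto step" and the secrets are all constructed for illustration. It models a prefetcher that dereferences any loaded word inside a plausible address range, a step whose loaded intermediate depends on both the secret and the caller's input, and a defender-side leakage check that runs the same inputs under two different secrets and compares how often the prefetcher would fire. Input blinding is shown as one generic countermeasure; whether blinding alone is sufficient for a particular library is a question for the paper, not this snippet.

```python
import random

# Constructed toy model (not the researchers' code, not a real microarchitecture).
MASK64 = (1 << 64) - 1
# Assumed "plausible heap pointer" window the toy DMP is willing to dereference.
PTR_LO = 0x0000_7F00_0000_0000
PTR_HI = 0x0000_7FFF_FFFF_FFFF
LINE = 64  # cache-line size in bytes (assumption)


class ToyDMP:
    """Records which cache lines the prefetcher would pull in after seeing a
    loaded 64-bit value that falls inside the pointer window."""

    def __init__(self):
        self.prefetched = set()

    def observe_load(self, value):
        """Return True if the value 'looks like a pointer' and the DMP fires."""
        if PTR_LO <= value <= PTR_HI:
            self.prefetched.add(value & ~(LINE - 1))
            return True
        return False


def toy_step(secret, data, dmp):
    """A 'constant-time' step: no branch and no memory index depends on the
    secret, yet the intermediate value it loads does. XOR stands in for a real
    arithmetic step whose output the caller can steer via its input."""
    intermediate = (secret ^ data) & MASK64
    return dmp.observe_load(intermediate)


def toy_step_blinded(secret, data, dmp, rng):
    """Same step with a fresh random blinding word folded into the input, so the
    loaded intermediate is uniformly random regardless of what the caller chose.
    (Unblinding the result afterwards is omitted; in a real scheme that path
    must not leak either.)"""
    blind = rng.getrandbits(64)
    intermediate = (secret ^ (data ^ blind)) & MASK64
    return dmp.observe_load(intermediate)


def leakage_check(step, secret_a, secret_b, inputs, rng=None):
    """Defender-side test: run identical inputs under two secrets and count how
    often the toy DMP fires for each. A gap means prefetcher activity depends
    on the secret, i.e. a side channel exists despite constant-time code."""
    fires = [0, 0]
    for i, secret in enumerate((secret_a, secret_b)):
        dmp = ToyDMP()
        for d in inputs:
            fired = step(secret, d, dmp) if rng is None else step(secret, d, dmp, rng)
            fires[i] += int(fired)
    return tuple(fires)


# Constructed secrets that differ in their top bit.
SECRET_A = 0x0123_4567_89AB_CDEF
SECRET_B = SECRET_A ^ (1 << 63)
# A caller-chosen input that makes SECRET_A's intermediate land in the pointer
# window; under SECRET_B the same input lands outside it.
CRAFTED = [SECRET_A ^ 0x0000_7F12_3456_7800]

if __name__ == "__main__":
    print("unblinded:", leakage_check(toy_step, SECRET_A, SECRET_B, CRAFTED))
    rng = random.Random(1234)
    print("blinded:  ", leakage_check(toy_step_blinded, SECRET_A, SECRET_B,
                                      CRAFTED * 1000, rng))
```

Running it shows the unblinded step firing for one secret and not the other on the same input, which is exactly the distinguishing signal the page describes; with blinding the caller can no longer aim the intermediate at the pointer window, and the firing counts for both secrets collapse to the same (here zero) value. The point of the `leakage_check` shape is that it tests the property a DMP-aware implementation must have, namely that prefetcher-visible values are independent of the secret for caller-controlled inputs, rather than only checking for secret-dependent branches and indices.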

What Apple plans to do isn't immediately clear, with its response to our questions minimal. 

"We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats," an Apple spokesperson told The Register. Apple also pointed us to developer documentation on how to implement the mitigations highlighted by the researchers, which Apple admits will degrade CPU performance. ®
