archy13 - stock.adobe.com
'GoFetch' attack spells trouble for Apple M-series chips
Academic researchers discovered a hardware optimization feature called 'data memory-dependent prefetcher' could be abused to extract secret encryption keys from vulnerable systems.
Academic researchers disclosed a side-channel attack in Apple's M-series chips that could allow threat actors to obtain secret encryption keys from devices in a way that poses significant mitigation challenges.
In a paper published Thursday, the research team explained that the attack, dubbed "GoFetch," is based on a microarchitectural vulnerability in M-series chips. It involves the chips' data memory-dependent prefetcher (DMP), which is a new hardware optimization feature that predicts the memory addresses a user will access in the near future and places the data into the CPU cache. By reverse engineering the M-series DMP, the research team found that it sometimes confuses pointer values with data in memory, including cryptographic key material.
"This paper shows that the security threat from DMPs is significantly worse than previously thought and demonstrates the first end-to-end attacks on security-critical software using the Apple M-series DMP," the research paper states. "Undergirding our attacks is a new understanding of how DMPs behave which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to 'leak' any cached data that resembles a pointer."
In 2022, a different collection of academic researchers first discovered that Apple chips had DMPs and developed a side-channel attack called "Augury," which could leak some data at rest on systems using Apple M1 and A14 processors. However, GoFetch researchers discovered DMPs in other M-series chips and found they could exploit the feature even further and extract keys from several cryptographic implementations, including OpenSSL Diffie-Hellman, Go RSA, CRYSTALS Kyber and Dilithium.
According to the research team's GoFetch website, Apple M1, M2 and M3 chips are vulnerable to the side-channel attack. While they did not test additional M-series chips like M2 Pro, the team said it expects they will have the same exploitable DMPs. In addition, the researchers discovered a DMP in Intel's 13th Gen Raptor Lake microarchitecture. "However, its activation criteria are more restrictive, making it robust to our attacks," the researchers wrote on the website.
Patching challenges
The researchers noted that there are no easy fixes for GoFetch because it involves a microarchitectural flaw. The research team said a "drastic solution" would be to disable DMPs in Apple M-series chips but noted there are two problems with that approach: First, it would create "heavy performance penalties" on vulnerable devices. Second, the researchers said disabling DMPs on M1 and M2 CPUs is "likely not possible."
Therefore, developers of cryptographic libraries may have to update their software in order to either disable DMPs or avoid key-dependent DMP activation, according to the website.
Possible fixes include running all cryptographic code on M-series' efficiency or "Icestorm" cores, which do not have DMPs. However, the researchers said such a move would "incur a significant performance penalty" and warned that future updates or changes from Apple could silently enable DMPs on those efficiency cores as well.
Another potential mitigation is using a cryptographic blinding technique to protect secret keys from GoFetch leaking. But researchers noted major challenges for that mitigation as well. "The major downside of this approach is that it requires potentially DMP-bespoke code changes to every cryptographic implementation, as well as heavy performance penalties for some cryptographic schemes," they wrote.
The GoFetch research team reported the vulnerability to Apple on Dec. 5 and also notified OpenSSL, GoCrypto and the CRYSTALS development team. According to the research paper, Apple is currently investigating the team's proof-of-concept exploit, which has yet to be published.
An Apple spokesperson shared a potential mitigation with TechTarget Editorial, which involves enabling the data-independent timing (DIT) feature in affected chips. The documentation recommended running DIT "in specialized situations, such as cryptographic routines."
The spokesperson thanked the GoFetch researchers for advancing understanding of this type of threat.
It's unclear if cryptographic software developers will take action to provide further mitigations for GoFetch. According to the research paper, OpenSSL said that local side-channel attacks fall outside its threat model, and the Go Crypto team considers the attack to be low-severity. "The CRYSTALS team agreed that pinning to the Icestorm cores without DMP could be the short-term solution, and hardware fixes are needed in the long term," the paper stated.
The research team ultimately concluded that significant changes are needed in microarchitecture designs to better control how DMPs are applied to avoid any leaking of sensitive data such as cryptographic secrets. "Longer term, we view the right solution to be to broaden the hardware-software contract to account for the DMP. At a minimum, hardware should expose to software a way to selectively disable the DMP when running security-critical applications."
But researchers warned the issue posed by DMPs may extend well beyond just the Apple M-series chips and four cryptographic libraries that were tested. "While we demonstrate end-to-end attacks on four cryptographic implementations, more programs are likely at risk, given similar attack strategies," they wrote. "Given our findings that DMPs also exist on the Apple M2/M3 and Intel 13th-Generation CPUs, the problem seemingly transcends specific processors and hardware vendors and thus requires dedicated hardware countermeasures."
The GoFetch research team includes Boru Chen at University of Illinois Urbana-Champaign; Yingchen Wang at University of Texas at Austin; Pradyumna Shome at the Georgia Institute of Technology; Christopher W. Fletcher at the University of California, Berkeley; David Kohlbrenner at the University of Washington; Riccardo Paccagnella at Carnegie Mellon University; and Daniel Genkin at the Georgia Institute of Technology.
GoFetch marks the second side-channel attack affecting Apple chips in less than a year. In October, academic researchers unveiled iLeakage, a transient execution side-channel attack that could allow threat actors to obtain sensitive data from users' Safari browsers.
Rob Wright is a longtime reporter and senior news director for TechTarget Editorial's security team. He drives breaking infosec news and trends coverage. Have a tip? Email him.