Key Points

  1. A vulnerability in Apple's M-series chips allows attackers to extract secret keys from Mac devices during cryptographic operations, posing a serious threat to security.
  2. Unlike other vulnerabilities, this issue cannot be directly patched and requires integrating defenses into third-party cryptographic software, potentially leading to performance degradation.
  3. The vulnerability exploits a side channel in the chips' prefetcher, which can confuse memory content with pointer values, leaking sensitive information over time.
  4. The attack, known as GoFetch, can extract secret keys from both classical and newer encryption algorithms and requires minimal privileges, making it accessible to most third-party applications on macOS systems.
  5. Mitigating the effects of this vulnerability requires implementing additional defenses in cryptographic software, but there is currently no straightforward solution. Users are advised to remain vigilant and update their software regularly.

A recently discovered vulnerability embedded within Apple's M-series of chips has raised significant concerns among security experts. This flaw, unveiled by academic researchers in a paper released on Thursday, allows attackers to extract secret keys from Mac devices during commonly used cryptographic operations.

The Vulnerability

Unlike many vulnerabilities that can be addressed through software patches, this particular issue cannot be directly patched due to its origin in the microarchitectural design of the silicon itself. Instead, mitigation efforts must focus on integrating defenses into third-party cryptographic software. However, these defenses may come at a considerable cost, potentially leading to a significant degradation in performance, particularly for earlier generations of M-series chips like the M1 and M2.

The vulnerability exploits a side channel within the chips' data memory-dependent prefetcher, a hardware optimization designed to predict the memory addresses of data that running code is likely to access in the near future. This prefetcher, known as the DMP, reduces latency between the main memory and the CPU by loading contents into the CPU cache before they are needed. However, it also creates a side channel that malicious processes can exploit to obtain secret key material from cryptographic operations.

What sets this vulnerability apart is its exploitation of a previously overlooked behavior of DMPs in Apple silicon. These prefetchers sometimes confuse memory content, such as key material, with the pointer value used to load other data. As a result, the DMP may read the data and attempt to treat it as an address for memory access, leading to the leakage of sensitive information through a side channel.


The Discovery

The researchers behind the discovery, a team comprising experts from various academic institutions, detailed their findings in their paper. They explained how they manipulated intermediate data inside encryption algorithms to resemble pointers, thereby tricking the DMP into leaking sensitive information over time.

This attack, dubbed GoFetch by the researchers, poses a serious threat to the security of Mac devices. It can extract secret keys from both classical encryption algorithms and newer, more secure encryption methods. Moreover, the attack requires minimal privileges, making it accessible to most third-party applications installed on macOS systems.

To mitigate the effects of this vulnerability, developers of cryptographic software running on M1 and M2 processors will need to implement additional defenses. However, many of these defenses come with significant performance penalties, complicating the situation further. For instance, one effective mitigation strategy, known as ciphertext blinding, applies a mask to sensitive values before they are stored to memory and removes it again after they are loaded, so that what sits in memory no longer resembles the secret itself.
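To make the blinding idea concrete, here is an added toy example; it is not code from the GoFetch paper, from Apple, or from any cryptographic library. The "looks like a pointer" check is a constructed stand-in for the DMP's real heuristic, which this page does not describe, and the heap range, key words and mask are constructed demo values.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for a process's mapped heap range. */
#define FAKE_HEAP_BASE 0x0000000100000000ULL
#define FAKE_HEAP_SIZE 0x0000000010000000ULL

/* Toy pointer heuristic (an assumption, not the real DMP rule): a word "looks
 * like a pointer" if it falls inside the mapped range.  A prefetcher that
 * dereferences such words reveals, through the cache, which secret words pass. */
int looks_like_pointer(uint64_t v) {
    return v >= FAKE_HEAP_BASE && v < FAKE_HEAP_BASE + FAKE_HEAP_SIZE;
}

/* Ciphertext blinding: what reaches memory is secret XOR mask, so whether a
 * stored word looks like a pointer no longer depends on the secret. */
void blind_store(const uint64_t *secret, const uint64_t *mask, uint64_t *mem, size_t n) {
    for (size_t i = 0; i < n; i++) mem[i] = secret[i] ^ mask[i];
}
void unblind_load(const uint64_t *mem, const uint64_t *mask, uint64_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = mem[i] ^ mask[i];
}

/* How many words in a buffer would trigger the toy heuristic. */
size_t count_pointer_like(const uint64_t *buf, size_t n) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (size_t)looks_like_pointer(buf[i]);
    return c;
}

/* Constructed demo data: two key words that happen to fall inside the fake heap
 * range, and a fixed mask (a real implementation draws a fresh random mask). */
static const uint64_t DEMO_SECRET[2] = {0x0000000100001000ULL, 0x000000010ABCDEF0ULL};
static const uint64_t DEMO_MASK[2]   = {0xDEADBEEF00000000ULL, 0xCAFEBABE00000000ULL};

size_t demo_pointer_like_plain(void) { return count_pointer_like(DEMO_SECRET, 2); }

size_t demo_pointer_like_blinded(void) {
    uint64_t mem[2];
    blind_store(DEMO_SECRET, DEMO_MASK, mem, 2);
    return count_pointer_like(mem, 2);
}

int demo_roundtrip_ok(void) {
    uint64_t mem[2], back[2];
    blind_store(DEMO_SECRET, DEMO_MASK, mem, 2);
    unblind_load(mem, DEMO_MASK, back, 2);
    return back[0] == DEMO_SECRET[0] && back[1] == DEMO_SECRET[1];
}
```

The unblinded key words both pass the toy heuristic, the blinded copies that actually reach memory do not, and the round trip through blind_store and unblind_load restores the original values.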

Given the challenges posed by this vulnerability, there is currently no straightforward solution. Apple representatives have declined to comment on the research findings, leaving end users concerned about the security of their devices. While developers work to address these issues, users are advised to remain vigilant and update their software regularly to mitigate potential risks. It is also prudent to assume that other cryptographic protocols may be susceptible to similar vulnerabilities, which calls for ongoing monitoring and assessment.