A new security hole discovered in Apple’s M-series chips could be exploited to extract secret keys used during cryptographic operations.
Nicknamed GoFetch, the vulnerability refers to a microarchitectural side-channel attack that leverages a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and acquire sensitive data from the CPU cache. Apple was informed of the results in December 2023.
Prefetchers are a hardware optimization technique that predicts which memory addresses a running program will access in the near future and fetches that data from main memory into the cache ahead of time. The goal of this approach is to reduce the program's memory access latency.
DMP is a type of prefetching that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it suitable for cache-based attacks that trick the prefetcher into revealing contents associated with the victim process that would otherwise be inaccessible.
GoFetch also builds on the foundations of another microarchitectural attack called Augury that uses DMP to speculatively leak data.
“DMP activates (and attempts to dereference) data loaded from memory that ‘looks’ like a pointer,” explained a team of seven academics from the University of Illinois Urbana-Champaign, the University of Texas, the Georgia Institute of Technology, the University of California, Berkeley, the University of Washington and Carnegie Mellon University.
“This explicitly violates a requirement of the constant-time programming paradigm, which prohibits mixing data and memory access patterns.”
Like other attacks of this type, the setup requires the victim and attacker to have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could trick a target into downloading a malicious app that takes advantage of GoFetch.
Furthermore, while the attacker and victim do not share memory, the attacker can monitor any microarchitectural side channel available to them, such as cache latency.
GoFetch, simply put, demonstrates that “even if a victim successfully separates data from addresses following the constant-time paradigm, the DMP will generate secret-dependent memory access on behalf of the victim,” making it susceptible to key extraction attacks.
In other words, an attacker could use the prefetcher as a weapon to influence the data being prefetched, thus opening the door to accessing sensitive data. The vulnerability has serious implications as it completely nullifies the security protections offered by constant-time programming against timing side-channel attacks.
“GoFetch shows that DMP is significantly more aggressive than previously thought and therefore poses a much greater security risk,” the researchers noted.
The fundamental nature of the flaw means it cannot be fixed in existing Apple CPUs, requiring cryptographic library developers to take steps to prevent conditions that allow GoFetch to succeed, which could also introduce a performance hit. Users, on the other hand, are advised to keep their systems up to date.
On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on the M1 and M2 processors.
“Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant period of time,” Apple notes in its documentation. “With DIT enabled, the processor uses the longest and worst-case time to complete the instruction, regardless of the input data.”
The iPhone maker also pointed out that while enabling DIT prevents time-based leaks, developers are still advised to “avoid conditional branches and memory access locations based on secret data value” in order to effectively stop an adversary from deducing the secret, by keeping the microarchitectural state of the processor under control.
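The constant-time rule Apple and the researchers refer to, shown as an added C example (not code from the GoFetch paper or from Apple): a table lookup whose address depends on a secret, next to a mask-based version that reads every entry in a fixed order so the secret selects only which value survives, plus a branch-free conditional select; the table contents are constructed sample values. As the article notes, even this address-independent style can still be exposed by DMP when secret-derived data happens to look like a pointer, and a compiler may re-introduce branches, so generated code should be inspected.

```c
#include <stddef.h>
#include <stdint.h>

/* Returns all-ones if a == b, else zero, with no branch on the inputs. */
static uint64_t ct_mask_eq(uint64_t a, uint64_t b) {
    uint64_t x = a ^ b;
    uint64_t nonzero = (x | (0 - x)) >> 63;  /* 1 if x != 0, else 0 */
    return nonzero - 1;                      /* 0 - 1 wraps to all ones */
}

/* Leaky: the address read depends directly on the secret index, so the
 * cache line touched reveals secret_idx to a co-resident observer. */
uint32_t lookup_leaky(const uint32_t *table, size_t n, size_t secret_idx) {
    (void)n;
    return table[secret_idx];
}

/* Constant-time: every entry is read in a fixed order; the secret only
 * selects which value survives the mask, never which address is loaded. */
uint32_t lookup_ct(const uint32_t *table, size_t n, size_t secret_idx) {
    uint32_t result = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t mask = (uint32_t)ct_mask_eq(i, secret_idx);
        result |= table[i] & mask;
    }
    return result;
}

/* Branch-free conditional: returns a if cond != 0, else b. */
uint32_t ct_select(uint32_t cond, uint32_t a, uint32_t b) {
    uint32_t mask = ~(uint32_t)ct_mask_eq(cond, 0); /* all ones iff cond != 0 */
    return (a & mask) | (b & ~mask);
}

/* Constructed sample table (first entries of the AES S-box, for illustration). */
static const uint32_t SBOX_SAMPLE[8] = {0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5};

/* Checks that the constant-time lookup agrees with the direct one for every index. */
int lookup_ct_matches(void) {
    for (size_t i = 0; i < 8; i++) {
        if (lookup_ct(SBOX_SAMPLE, 8, i) != lookup_leaky(SBOX_SAMPLE, 8, i)) return 0;
    }
    return 1;
}
```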
The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack that targets popular browsers and graphics cards and that exploits specially crafted JavaScript code in a website to infer sensitive information such as passwords.
The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.
“Since GPU computing can also offer benefits for computations within websites, browser vendors have decided to expose the GPU to JavaScript via APIs such as WebGL and the upcoming WebGPU standard,” the researchers said.
“Despite the inherent restrictions of the JavaScript and WebGPU environment, we build new attack primitives that enable side-channel cache attacks with comparable effectiveness to traditional CPU-based attacks.”
A threat actor could weaponize it via a drive-by attack, allowing AES key extraction or cryptocurrency mining while users browse the internet. It impacts all operating systems and browsers that implement the WebGPU standard, as well as a wide range of GPU devices.
As a countermeasure, the researchers propose to treat access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to ask users for permission (as in the case of the camera or microphone) before use.