Apple last week quietly published a workaround for a vulnerability in its M-series processors that attackers could exploit to steal cryptographic keys. More details have now come to light as a proof-of-concept attack demonstrates the ability to extract secret keys from OpenSSL Diffie-Hellman and Go RSA implementations, and even from purportedly quantum-resistant cryptographic schemes such as CRYSTALS-Dilithium and CRYSTALS-Kyber.
Intended for developers of cryptographic libraries, the workaround activates a feature in Apple silicon called data-independent timing (DIT), which protects against the timing attacks the vulnerability enables. A timing attack is a sophisticated type of side-channel attack in which a threat actor measures how long a processor takes to respond to different kinds of instructions in order to infer the data being processed. Researchers have previously used this tactic to show how attackers can extract sensitive information from cache memory through other microprocessor flaws such as Spectre and Meltdown.
However, only Apple’s M3 chips currently support DIT, and they are therefore the only ones where the risk can be mitigated with this approach.
In the meantime, cryptographic application developers will need to make other changes to address the vulnerability at the software level for devices using Apple’s M1 and M2 processors – there is no official fix. Apple noted that even with the mitigation in place on the M3, developers will still “need additional programming practices to prevent other changes to the microarchitectural state of the processor from providing signals about secret values to an adversary. For example, avoid conditional branches and memory access locations based on the value of secret data.”
Unfortunately, Apple itself cannot easily fix the flaw at the hardware level, according to academic researchers at the University of Illinois at Urbana-Champaign; University of Texas at Austin; Georgia Institute of Technology; University of Washington; Carnegie Mellon University; and University of California, Berkeley. In a technical paper they disclosed the details of their discovery and the PoC attack, which they call “GoFetch.”
End-to-end “GoFetch” timing attacks
The new vulnerability lies in a performance optimization feature called data memory-dependent prefetchers (DMPs) in Apple’s M1, M2, and M3 microprocessors. DMPs preemptively cache data: they let the chip anticipate the next information it will need to access, which speeds up processing.
A DMP “predicts the memory addresses that will be accessed in the near future and fetches the data from main memory into the cache accordingly,” according to the paper. Apple’s particular DMP design takes prefetching a step further by also considering the contents of memory when deciding what to fetch, the researchers noted, and therein lies the problem.
Many developers rely on a technique called constant-time programming, developed specifically for cryptographic code. The idea behind constant-time programming is to ensure that execution time stays the same regardless of the inputs, whether they are secret keys, plaintext, or any other data. The goal is that an attacker cannot derive useful information simply by observing execution times or by tracing the code’s control flow and memory accesses.
Simply put, the flaw in Apple’s DMP mechanism eliminates the protection afforded by constant-time programming. “Unfortunately, [DMP] behavior inherently mixes data and memory addresses at the hardware level, making the entire computing stack non-constant-time, enabling our attack,” the researchers explained.
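To make the constant-time discipline described above concrete, here is an added C example (not code from the GoFetch paper or from Apple) contrasting a secret-dependent early-exit comparison with branch-free equivalents of the kind Apple’s guidance asks for; the sample key bytes are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>

/* Early-exit comparison: the loop stops at the first mismatching byte, so
   the time taken depends on how much of the secret a guess got right.
   Included only as the "before" picture of a secret-dependent branch. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) return 0;   /* branch on secret data */
    }
    return 1;
}

/* Constant-time comparison: always touches all n bytes, accumulates any
   difference with OR, and reduces to 0/1 arithmetically, so neither the
   control flow nor the memory access pattern depends on the secret. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0  -> (0 - 1) >> 8 has bit 0 set -> 1; otherwise 0 */
    return (int)(1u & (((uint32_t)diff - 1u) >> 8));
}

/* Constant-time select: copies b when cond == 1, a when cond == 0, using a
   byte mask instead of an if, so both paths read and write the same bytes. */
void ct_select(uint8_t *out, const uint8_t *a, const uint8_t *b,
               size_t n, unsigned cond) {
    uint8_t mask = (uint8_t)(0u - (cond & 1u));     /* 0x00 or 0xFF */
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)(a[i] ^ (mask & (uint8_t)(a[i] ^ b[i])));
}

/* Constructed sample data (hypothetical, not from the paper). */
static const uint8_t SECRET[4]    = {0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t GUESS_OK[4]  = {0xDE, 0xAD, 0xBE, 0xEF};
static const uint8_t GUESS_BAD[4] = {0xDE, 0xAD, 0xBE, 0x00};

/* Returns the last byte chosen by ct_select for the given condition. */
int demo_select(unsigned cond) {
    uint8_t out[4];
    ct_select(out, SECRET, GUESS_BAD, 4, cond);
    return out[3];
}
```

Note that, as the article explains, these practices are necessary but on M1 and M2 not sufficient: the DMP can still act on secret-looking values held in memory, which is exactly what GoFetch exploits.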
The GoFetch attack succeeded in tricking the prefetcher into fetching data from memory that it should not have been retrieving (in this case, pieces of cryptographic keys) and placing it in a cache observable by a potential attacker.
The problem may affect multiple chips
The vulnerability certainly affects Apple’s M1, M2 and M3 silicon, but the problem could be more widespread.
“We launched end-to-end GoFetch attacks on Apple hardware equipped with M1 processors,” the researchers said in a separate FAQ and blog post about their findings. “We also tested DMP activation patterns on other Apple processors and found that the M2 and M3 CPUs also exhibit similar exploitable DMP behavior.” The researchers did not carry out further testing, but believe it is very likely that other Apple M-series processors are also vulnerable.
Additionally, the vulnerability also affects Intel Raptor Lake processors. But as with Apple’s M3 chips, the Intel chip gives developers the ability to disable the DMP and enable DIT during cryptographic processing. The researchers also found that Intel’s DMP implementation is generally more resistant to attack than Apple’s.
Hardware bugs continue to worry security teams
It’s unclear how easy it might be for an attacker to exploit the vulnerability in Apple’s M-series chips. In the past, similar microprocessor vulnerabilities – most notably Spectre and Meltdown – have sparked widespread concern, and researchers have consistently discovered new ways to exploit them in side-channel attacks. The most recent example is GhostRace, a speculative execution vulnerability that affects almost all Intel, AMD, ARM and IBM processors currently available.
But at least so far, there have been no publicly reported cases of threat actors exploiting these flaws on a mass scale, suggesting that these attacks present a high degree of difficulty. Nonetheless, the potential risks associated with these types of attacks have prompted extensive and ongoing review of microprocessor architectures — particularly performance optimization features such as prefetcher and speculative or out-of-order execution.