New “GoFetch” Vulnerability in Apple M-Series Chips Leaks Secret Encryption Keys
A new security shortcoming discovered in Apple M-series chips could be exploited to extract secret keys used during cryptographic operations.
Dubbed GoFetch, the vulnerability relates to a microarchitectural side-channel attack that takes advantage of a feature known as data memory-dependent prefetcher (DMP) to target constant-time cryptographic implementations and capture sensitive data from the CPU cache. Apple was made aware of the findings in December 2023.
Prefetchers are a hardware optimization technique that predicts what memory addresses a currently running program will access in the near future and retrieve the data into the cache accordingly from the main memory. The goal of this approach is to reduce the program’s memory access latency.
DMP is a type of prefetcher that takes into account the contents of memory based on previously observed access patterns when determining what to prefetch. This behavior makes it ripe for cache-based attacks that trick the prefetcher into revealing the contents associated with a victim process that should be otherwise inaccessible.
GoFetch also builds on the foundations of another microarchitectural attack called Augury that employs DMP to leak data speculatively.
“DMP activates (and attempts to dereference) data loaded from memory that ‘looks like’ a pointer,” a team of seven academics from the University of Illinois Urbana-Champaign, University of Texas, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University said.
“This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns.”
Like other attacks of this kind, the setup requires that the victim and attacker have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could lure a target into downloading a malicious app that exploits GoFetch.
What’s more, while the attacker and the victim do not share memory, the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.
GoFetch, in a nutshell, demonstrates that “even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim’s behalf,” rendering it susceptible to key-extraction attacks.
In other words, an attacker could weaponize the prefetcher to influence the data being prefetched, thus opening the door to accessing sensitive data. The vulnerability has serious implications in that it completely nullifies the security protections offered by constant-time programming against timing side-channel attacks.
“GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk,” the researchers noted.
The fundamental nature of the flaw means that it cannot be fixed in existing Apple CPUs, requiring that developers of cryptographic libraries take steps to prevent conditions that allow GoFetch to succeed, something that could also introduce a performance hit. Users, on the other hand, are urged to keep their systems up-to-date.
On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on M1 and M2 processors.
“Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time,” Apple notes in its documentation. “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”
The iPhone maker also emphasized that although turning on DIT prevents timing-based leakage, developers are recommended to adhere to “avoid conditional branches and memory access locations based on the value of the secret data” in order to effectively block an adversary from inferring secret by keeping tabs on the processor’s microarchitectural state.
The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.
The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.
“Since GPU computing can also offer advantages for computations within websites, browser vendors decided to expose the GPU to JavaScript through APIs like WebGL and the upcoming WebGPU standard,” the researchers said.
“Despite the inherent restrictions of the JavaScript and WebGPU environment, we construct new attack primitives enabling cache side-channel attacks with an effectiveness comparable to traditional CPU-based attacks.”
A threat actor could weaponize it by means of a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.
As countermeasures, the researchers propose treating access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to seek users permission (like in the case of camera or microphone) before use.