Apple last week quietly posted a workaround for a vulnerability in its M-series processors that attackers could exploit to steal cryptographic keys. More details have now come to light as a proof-of-concept attack demonstrates the ability to steal secret keys from the OpenSSL Diffie-Hellman and Go RSA encryption protocols, and even from supposedly quantum-resistant cryptographic protocols such as CRYSTALS Dilithium and CRYSTALS Kyber.
Intended for developers of cryptographic libraries, the workaround activates a feature in Apple silicon called data-independent timing (DIT) that protects against the timing attacks that the vulnerability seeks to exploit. A timing attack is a sophisticated type of side-channel attack where a threat actor studies the time it takes for a processor to respond to different types of instructions to guess the data that is being processed. Researchers have previously used the tactic to show how attackers can extract sensitive information from cache memory via other microprocessor flaws such as Spectre and Meltdown.
However, only Apple's M3 chips currently support DIT and thus are the only ones where the risk can be mitigated with the approach.
Meanwhile, developers of cryptographic applications will need to make other changes to address the vulnerability at the software level for devices running Apple's M1 and M2 processors, for which there is no official workaround. Apple noted that even with the mitigation in place for the M3, developers will "need additional programming practices to prevent other changes to the processor's microarchitectural state from providing an adversary with signals about secret values." The company added: "For example, avoid conditional branches and memory access locations based on the value of the secret data."
Sadly, Apple itself cannot easily patch the flaw at the hardware level, according to academic researchers from the University of Illinois at Urbana-Champaign; University of Texas at Austin; Georgia Institute of Technology; University of Washington; Carnegie Mellon University; and University of California, Berkeley. In a technical paper, they have disclosed details of their discovery and the PoC attack, which they have named "GoFetch."
End-to-End "GoFetch" Timing Attacks
The new vulnerability is associated with a performance optimization feature called data memory-dependent prefetchers (DMP) in Apple's M1, M2, and M3 microprocessors, which are used to preemptively cache data; they allow the chip to anticipate the next bit of information that it will need to access, which speeds up processing times.
DMP "predicts memory addresses to be accessed in the near future and fetches the data into the cache accordingly from the main memory," according to the paper. Apple's specific take on DMP takes prefetching a step further by also considering the content of memory to determine what to fetch, the researchers noted — and therein lies the problem.
Many developers use a coding practice or technique called constant-time programming, especially developed for cryptographic protocols. The idea behind constant-time programming is to ensure that a processor's execution time remains the same, regardless of whether the inputs are secret keys, plaintext, or any other data. The goal is to ensure that an attacker cannot derive any useful information by simply observing execution times or by tracing the code's control flow and memory accesses.
Put simply, the bug in Apple's DMP mechanism obviates the security offered by constant-time programming. "Unfortunately, [DMP] behavior inherently mixes data and memory addresses at the hardware level, making the entire compute stack non-constant-time, enabling our attack," the researchers explained.
The GoFetch attack was able to get the prefetcher to grab data from memory — in this case, small pieces of cryptographic keys that it is not supposed to fetch — and place it in an accessible cache open to a would-be attacker.
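As an added illustration (not code from the GoFetch paper or from Apple), the C below shows the two practices Apple's guidance names, a secret-dependent branch and a secret-indexed memory access, beside the branch-free, address-independent forms that constant-time programming substitutes for them; the sample key bytes and lookup table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample inputs (not from the paper): a 4-byte "secret" and two candidates. */
const uint8_t SECRET[4]        = {0x13, 0x37, 0xC0, 0xDE};
const uint8_t CANDIDATE_OK[4]  = {0x13, 0x37, 0xC0, 0xDE};
const uint8_t CANDIDATE_BAD[4] = {0x13, 0x37, 0xC0, 0xDF}; /* differs only in the last byte */
const uint8_t SBOX[8] = {10, 20, 30, 40, 50, 60, 70, 80};  /* stand-in for a secret-indexed table */

/* Variable-time comparison: returns at the first mismatching byte, so the
   elapsed time tells an observer how many leading bytes matched. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i])
            return 0;
    }
    return 1;
}

/* Constant-time comparison: always touches every byte, accumulates the
   differences with OR, and derives the result arithmetically rather than
   with a secret-dependent branch. Returns 1 if equal, 0 otherwise. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n) {
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)((diff - 1) >> 31) & 1;   /* diff == 0 maps to 1, anything else to 0 */
}

/* Constant-time table lookup: reads every entry and keeps the wanted one via
   a mask, so the set of addresses touched does not depend on the secret index.
   A plain table[secret_idx] would reveal the index through which line gets cached. */
uint8_t ct_lookup(const uint8_t *table, size_t n, size_t secret_idx) {
    uint8_t result = 0;
    for (size_t i = 0; i < n; i++) {
        size_t x = i ^ secret_idx;                                    /* 0 only when i == secret_idx */
        uint8_t eq = (uint8_t)((x - 1) >> (sizeof(size_t) * 8 - 1)); /* 1 when x == 0, else 0 */
        uint8_t mask = (uint8_t)(0 - eq);                             /* 0xFF or 0x00 */
        result |= table[i] & mask;
    }
    return result;
}

/* Caveat from the article: GoFetch shows that on Apple M-series chips the DMP can
   still leak from code written this way, because the hardware itself mixes data and
   addresses. On M3 the DIT feature is the published workaround; for M1 and M2 the
   article notes that no official workaround exists. */
```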
Issue Could Affect More Chips
The vulnerability definitely affects Apple's M1, M2, and M3 silicon, but the problem could be more widespread.
"We have mounted end-to-end GoFetch attacks on Apple hardware equipped with M1 processors," the researchers said in a separate FAQ and blog post on their exploit. "We also tested DMP activation patterns on other Apple processors, and found that M2 and M3 CPUs also exhibit similar exploitable DMP behavior." The researchers did not test further, but they said they believe it's very likely that other Apple M-series processors are vulnerable as well.
To boot, the vulnerability also affects Intel's Raptor Lake processors. But as with Apple's M3 chips, the Intel chip supports the ability for developers to disable DMP and enable DIT when doing cryptographic processing. The researchers also found Intel's DMP implementation generally more resilient to attacks than Apple's.
Hardware Bugs Continue to Concern Security Teams
It's unclear just how easy it might be for an attacker to exploit the vulnerability in Apple M-series chips. In the past, similar microprocessor vulnerabilities — most notably Spectre and Meltdown — have evoked widespread concern. Researchers have consistently uncovered new ways to exploit these vulnerabilities in side-channel attacks. The most recent example is GhostRace, a speculative execution vulnerability that affects almost all currently available Intel, AMD, ARM, and IBM processors.
But so far at least, there are no publicly reported instances of threat actors exploiting these flaws on a mass scale, suggesting these attacks come with a high degree of difficulty. Even so, the potential risks associated with these types of attacks have prompted a broad and ongoing review of microprocessor architectures — especially performance optimizing features such as prefetchers and speculative or out-of-order execution.