Hardware-level Apple Silicon vulnerability can leak cryptographic keys

Apple is having its own Meltdown/Spectre moment with a new side-channel vulnerability found in the architecture of Apple Silicon processors that gives malicious apps the ability to extract cryptographic keys. 

Dubbed GoFetch by the team that discovered it, the issue stems from how processors equipped with data memory-dependent prefetchers (DMPs) – eg, Apple Silicon chips and 13th generation and newer Intel architectures – implement certain cryptographic operations, in some cases very common ones. 

DMPs are designed to improve prefetching of irregularly accessed data by also considering the content of system memory alongside memory addresses. This isn’t without its problems, though: By factoring system memory into its prefetching equations alongside addresses, DMPs mix data and addresses at the hardware level, the researchers noted. 

“We reverse-engineered DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that ‘looks like’ a pointer,” the team say in the paper. 

The study was undertaken by researchers from US institutions including the University of Illinois Urbana-Champaign, the University of Texas at Austin, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University.

A programming paradigm known as “constant time” is designed to harden CPUs against side-channel attacks by ensuring that all operations take the same amount of time regardless of their operands, thus masking what’s being done. Constant-time programming forbids mixing data and memory access patterns, but Apple’s implementation does just that, opening up a whole can of hardware-level vulnerability worms. 
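To make the constant-time rule concrete, the following C sketch contrasts a table lookup whose memory access depends on a secret with one that reads every entry and selects the result arithmetically. It is an added illustration, not code from the GoFetch paper or any library named in this article; the table contents and function names are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

#define TABLE_LEN 8u

/* Constructed sample table; the values are arbitrary, not from a real cipher. */
static const uint32_t TABLE[TABLE_LEN] = {
    0x1111u, 0x2222u, 0x3333u, 0x4444u, 0x5555u, 0x6666u, 0x7777u, 0x8888u
};

/* NOT constant time: the load address depends on the secret index, so the
 * cache line that gets touched reveals information about the secret. */
uint32_t lookup_leaky(const uint32_t *table, uint32_t secret_idx) {
    return table[secret_idx];
}

/* Returns 0xFFFFFFFF when a == b and 0 otherwise, with no branch. */
uint32_t ct_eq_mask(uint32_t a, uint32_t b) {
    uint32_t x = a ^ b;                      /* 0 only when a == b */
    uint32_t differ = (x | (0u - x)) >> 31;  /* 1 when x != 0, else 0 */
    return differ - 1u;
}

/* Constant-time pattern: every entry is read in the same order on every call;
 * the secret only feeds arithmetic that builds the selection mask.
 * An out-of-range index selects nothing and yields 0. */
uint32_t lookup_ct(const uint32_t *table, uint32_t len, uint32_t secret_idx) {
    uint32_t result = 0;
    for (uint32_t i = 0; i < len; i++) {
        result |= table[i] & ct_eq_mask(i, secret_idx);
    }
    return result;
}

/* Caveat from the article: a DMP reacts to the loaded values themselves, so
 * this access-pattern discipline alone does not hide data that looks like a
 * pointer on affected chips. */
int main(void) {
    for (uint32_t i = 0; i < TABLE_LEN; i++) {
        printf("%u: leaky=0x%x ct=0x%x\n", (unsigned)i,
               (unsigned)lookup_leaky(TABLE, i),
               (unsigned)lookup_ct(TABLE, TABLE_LEN, i));
    }
    return 0;
}
```
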

“The Apple DMP will activate on behalf of any victim program and attempt to ‘leak’ any cached data that resembles a pointer,” the researchers note in their paper. By crafting cryptographic inputs that only show pointer-like values if a few bits of a secret key have been guessed correctly, the researchers were able to verify guesses by using cache-timing analysis to observe the DMP performing a dereference.

“Once we make a correct guess, we proceed to guess the next batch of key bits,” the researchers say. “Using this approach, we show end-to-end key extraction attacks on popular constant-time implementations of classical (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum cryptography (CRYSTALS-Kyber and CRYSTALS-Dilithium).”

Any malicious app running in the same CPU cluster as the targeted cryptographic operation, and with nothing but user privileges, can trigger the exploit. Additional cryptographic implementations are also likely at risk, the team notes. 

Similar vulnerabilities were reported in Apple Silicon chips a few years back under the name “Augury,” but the GoFetch researchers note Augury’s analysis of DMP was “overly restrictive” and “missed several DMP activation scenarios.” 

“We find that the DMP activates on behalf of potentially any program, and attempts to dereference any data brought into cache that resembles a pointer,” the GoFetch team says. 

In short, “the security threat from DMPs is significantly worse than previously thought,” the team writes in their paper [PDF].

What chips are affected, and how can this be fixed?

The researchers were able to successfully mount end-to-end attacks on Apple hardware containing M1 processors, and found that base-model M2 and M3 Apple Silicon CPUs display similar exploitable behavior. Other Apple Silicon variants weren’t tested. 

Intel processors are at risk too, but less so, the team notes. “Intel’s 13th Gen Raptor Lake microarchitecture also features a DMP. However, its activation criteria are more restrictive, making it robust to our attacks.”

DMP can be disabled on M3 CPUs, but not M1 and M2 chips, the researchers note, adding that disabling DMP is likely to seriously degrade performance. The only alternative to fix GoFetch without reengineering chips (sound familiar?) is to rely on third-party cryptographic programs to improve their implementations to prevent attacks from succeeding. Similar fixes are available for Intel chips. 

What Apple plans to do isn’t immediately clear, with its response to our questions minimal. 

“We want to thank the researchers for their collaboration as this research advances our understanding of these types of threats,” an Apple spokesperson told The Register. Apple also pointed us to developer documentation on how to implement the mitigations highlighted by the researchers, which Apple admits will degrade CPU performance. ®