THIS MEMORY-DEPENDENT PREFETCHER HAS TEETH — Unpatchable vulnerability in Apple chip leaks secret encryption keys Fixing newly discovered side channel will likely take a major toll on performance.
Dan Goodin – Mar 21, 2024 2:40 pm UTC EnlargeAurich Lawson | Apple reader comments 162
A newly discovered vulnerability baked into Apples M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday.
The flawa side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocolscant be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster. Beware of hardware optimizations
The threat resides in the chips data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before its actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.
Security experts have long known that classical prefetchers open a side channel that malicious processes can probe to obtain secret key material from cryptographic operations. This vulnerability is the result of the prefetchers making predictions based on previous access patterns, which can create changes in state that attackers can exploit to leak information. In response, cryptographic engineers have devised constant-time programming, an approach that ensures that all operations take the same amount of time to complete, regardless of their operands. It does this by keeping code free of secret-dependent memory accesses or structures.
The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This dereferencing of pointersmeaning the reading of data and leaking it through a side channelis a flagrant violation of the constant-time paradigm. Advertisement
The team of researchers consists of: Boru Chen, University of Illinois Urbana-Champaign Yingchen Wang, University of Texas at Austin Pradyumna Shome, Georgia Institute of Technology Christopher W. Fletcher, University of California, Berkeley David Kohlbrenner, University of Washington Riccardo Paccagnella, Carnegie Mellon University Daniel Genkin, Georgia Institute of Technology
In an email, they explained: Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value looks like a pointer, it will be treated as an address (where in fact it’s actually not!) and the data from this address will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.
Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value looks like an address, and brings the data from this address into the cache, which leaks the address. We dont care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.
In Thursdays paper, the team explained it slightly differently:
Our key insight is that while the DMP only dereferences pointers, an attacker can craft program inputs so that when those inputs mix with cryptographic secrets, the resulting intermediate state can be engineered to look like a pointer if and only if the secret satisfies an attacker-chosen predicate. For example, imagine that a program has secret s, takes x as input, and computes and then stores y = s ? x to its program memory. The attacker can craft different x and infer partial (or even complete) information about s by observing whether the DMP is able to dereference y. We first use this observation to break the guarantees of a standard constant-time swap primitive recommended for use in cryptographic implementations. We then show how to break complete cryptographic implementations designed to be secure against chosen-input attacks. Page: 1 2 3 Next → reader comments 162 Dan Goodin Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Advertisement Promoted Comments AusPeter Requires running a malicious application locally.
Reminder to avoid running applications youve downloaded from anywhere but trusted sources.And when the hackers attack your trusted sources?
Which reminded me of Reflections on Trusting Trust by Ken Thompson. March 21, 2024 at 3:28 pm Rene Gollent An exploit like this needs local access. If the bad baby eating hackers crawling on every corner of the internets already have local access you’re screwed anyway.I’d be careful making assumptions like this ; the same was true of exploits like Spectre until people managed to get it efficiently running in Javascript in a browser (which did not take very long after the spectre paper was released). Don’t assume that because the initial PoC is time consuming and requires a bunch of access that it won’t be refined into something much less demanding in short order. March 21, 2024 at 3:38 pm purecarot Its a very difficult exploit thats unlikely to affect you.It will affect him if Apple deploys a fix that affects CPU performance. March 21, 2024 at 4:47 pm Channel Ars Technica ← Previous story Next story → Related Stories Today on Ars
