Apple M-series semiconductors contain a new security flaw that could be leveraged to extract secret keys needed for cryptographic operations.
The vulnerability, dubbed GoFetch, is related to a microarchitectural side-channel attack that targets constant-time cryptographic implementations and retrieves sensitive data from the CPU cache by utilizing a data memory-dependent prefetcher (DMP) feature. The results were communicated to Apple in December 2023.
Prefetchers are a hardware optimization technology that pulls data from the main memory into the cache following the memory addresses that an application executing at the moment is likely to access in the near future. This strategy aims to lower the program’s latency for memory access.
When choosing what to prefetch, DMP prefetchers consider the contents of memory based on previously observed access patterns. Because of this behavior, it is vulnerable to cache-based attacks, which fool the prefetcher into exposing data related to a victim process that ought to remain unreachable.
GoFetch also builds on the foundations of another microarchitectural attack called Augury that employs DMP to leak data speculatively.
“DMP activates (and attempts to dereference) data loaded from memory that ‘looks like’ a pointer,” a team of seven academics from the University of Illinois Urbana-Champaign, University of Texas, Georgia Institute of Technology, University of California, Berkeley, University of Washington, and Carnegie Mellon University said.
“This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns.”
Like other attacks of this kind, the setup requires that the victim and attacker have two different processes co-located on the same machine and on the same CPU cluster. Specifically, the threat actor could lure a target into downloading a malicious app that exploits GoFetch.
What’s more, while the attacker and the victim do not share memory, the attacker can monitor any microarchitectural side channels available to it, e.g., cache latency.
GoFetch, in a nutshell, demonstrates that “even if a victim correctly separates data from addresses by following the constant-time paradigm, the DMP will generate secret-dependent memory access on the victim’s behalf,” rendering it susceptible to key-extraction attacks.
In other words, an attacker could weaponize the prefetcher to influence the data being prefetched, thus opening the door to accessing sensitive data. The vulnerability has serious implications in completely nullifying the security protections offered by constant-time programming against timing side-channel attacks.
“GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk,” the researchers noted.
The fundamental nature of the flaw means that it cannot be fixed in existing Apple CPUs, requiring that developers of cryptographic libraries take steps to prevent conditions that allow GoFetch to succeed, something that could also introduce a performance hit. Users, on the other hand, are urged to keep their systems up-to-date.
On Apple M3 chips, however, enabling data-independent timing (DIT) has been found to disable DMP. This is not possible on M1 and M2 processors.
“Apple silicon provides data-independent timing (DIT), in which the processor completes certain instructions in a constant amount of time,” Apple notes in its documentation. “With DIT enabled, the processor uses the longer, worst-case amount of time to complete the instruction, regardless of the input data.”
The iPhone maker also emphasized that although turning on DIT prevents timing-based leakage, developers are recommended to adhere to “avoid conditional branches and memory access locations based on the value of the secret data” to effectively block an adversary from inferring secret by keeping tabs on the processor’s microarchitectural state.
The development comes as another group of researchers from the Graz University of Technology in Austria and the University of Rennes in France demonstrated a new graphics processing unit (GPU) attack affecting popular browsers and graphics cards that leverages specially crafted JavaScript code in a website to infer sensitive information such as passwords.
The technique, which requires no user interaction, has been described as the first GPU cache side-channel attack from within the browser.
“Since GPU computing can also offer advantages for computations within websites, browser vendors decided to expose the GPU to JavaScript through APIs like WebGL and the upcoming WebGPU standard,” the researchers said.
“Despite the inherent restrictions of the JavaScript and WebGPU environment, we construct new attack primitives enabling cache side-channel attacks with an effectiveness comparable to traditional CPU-based attacks.”
A threat actor could weaponize it by employing a drive-by attack, allowing for the extraction of AES keys or mining cryptocurrencies as users browse the internet. It impacts all operating systems and browsers implementing the WebGPU standard, as well as a broad range of GPU devices.
As countermeasures, the researchers propose treating access to the host system’s graphics card via the browser as a sensitive resource, requiring websites to seek the user’s permission (like in the case of a camera or microphone) before use.
