An “irreparable” flaw in Apple MacBooks allows cryptocurrency theft


By TP

A report from security firm Ars Technica revealed a vulnerability in Apple's M-series chips, which are used in numerous MacBook devices. The flaw is considered “irreparable”, or unpatchable, and would allow potential attackers to access cryptographic data on affected devices.

A team of 8 researchers from several universities in the United States determined that the flaw in Apple's chips allows malicious attackers to carry out a side-channel exploit while the chips run commonly used cryptographic protocols. This opens the possibility for attackers to obtain end-to-end encryption keys. The vulnerability can be exploited when a potential victim's cryptographic operation and the malicious application, which uses common user system privileges, run on the same CPU cluster (or as a group of coordinated computers) without the victim's knowledge.

Because the vulnerability is found in the microarchitecture of the chips (that is, at the silicon level), researchers consider that security patches cannot be designed to solve the problem. According to the researchers, the flaw can only be mitigated through the use of third-party software, which could significantly affect the performance of MacBooks when using cryptographic programs.

Among the report's findings, it stands out that the chips that are most vulnerable are the M1 and M2, old generation components. Specifically, potential hackers could intercept and exploit computer memory access patterns to extract sensitive information, such as encryption keys used by cryptographic applications.

“In other words, the vulnerability uses “The advance of the new research is that it exposes a behavior of DMPs [data memory-dependent prefetchers] in Apple silicon that was previously overlooked: they sometimes confuse the contents of memory, such as key material, with the value of the pointer used to load other data,” the researchers explain. This is the first time researchers have found flaws in Apple's DMP.

As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers” – that is, reading data and leaking it through a side channel – is a blatant violation of the constant-time paradigm.

Ars Technica, security firm

The researchers continue with the explanation.

Prefetchers typically look at the addresses of the data being accessed (ignoring the values of the data being accessed) and try to guess future addresses that might be useful. The DMP is different in this sense, since in addition to addresses, it also uses data values to make predictions (predicting the addresses to go to and prefetching them). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in reality it is not!) and the data at this “address” will be brought into the cache. The arrival of this address into the cache is visible and leaks through the cache side channels.

Ars Technica, security firm

The team of researchers also points out the following: “Our attack exploits this fact. We can't leak encryption keys directly, but what we can do is manipulate intermediate data within the encryption algorithm to make it look like a pointer through a chosen input attack.” As the researchers claim, the DMP sees that the data value “looks like” an address and brings the data from this “address” to the cache, which leaks the “address.” “The fact that the intermediate data looks like an address is visible through a cache channel and is enough to reveal the secret key over time,” they say.

The type of attack that can be perpetrated through this vulnerability was called GoFetch. The hack works in the user's environment without difficulty and requires only standard user privileges, similar to those needed by normal applications.

The GoFetch application requires less than an hour to extract a 2048-bit RSA key and a little over two hours to extract a 2048-bit Diffie-Hellman key. The attack takes 54 minutes to extract the material needed to assemble a Kyber-512 key and about 10 hours for a Dilithium-2 key, not counting the offline time needed to process the raw data.

Ars Technica, security firm

The researchers offered some advice on how to defend against these types of attacks. Ciphertext blinding is a good example of these techniques. “Blinding works by adding/removing masks to sensitive values before/after being stored/loaded from memory,” they point out. This randomizes the encryption algorithms, preventing the GoFetch attack from being effective. However, this defense is algorithm-specific and costly.

Another way to protect affected devices is to run cryptographic processes on the efficiency cores, also known as Icestorm cores, which do not have DMP. One way to do this is to run all the cryptographic code on these cores. However, this defense is not ideal, because additional cryptographic processes will likely increase the time needed to complete computer operations. Researchers mention several defenses, but they are equally problematic.
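The ciphertext blinding described above, shown for textbook RSA as an added example (not code from the researchers or from the original article). The key is a constructed toy key and the function names are assumptions; the point is that the private-key operation only ever processes a freshly masked value, so a chosen input no longer determines the intermediate data.

```python
import secrets
from math import gcd

# Constructed toy key built from two Mersenne primes; far too small for real use.
# Python integers are not constant-time: this shows the arithmetic only.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent

def decrypt_unblinded(c):
    """Private-key operation applied directly to the caller-supplied value."""
    return pow(c, D, N)

def decrypt_blinded(c, seen=None):
    """Same result, but the private-key operation only sees a masked value."""
    while True:
        r = secrets.randbelow(N - 2) + 2       # fresh random mask per call
        if gcd(r, N) == 1:
            break
    masked = (c * pow(r, E, N)) % N            # add the mask: c * r^e mod N
    if seen is not None:
        seen.append(masked)                    # record what the core operation processes
    m_masked = pow(masked, D, N)               # equals m * r mod N
    return (m_masked * pow(r, -1, N)) % N      # remove the mask

def masked_inputs(c, runs=4):
    """Collect the values the exponentiation saw across several decryptions."""
    seen = []
    for _ in range(runs):
        decrypt_blinded(c, seen)
    return seen

if __name__ == "__main__":
    message = 123456789                        # constructed sample plaintext
    ciphertext = pow(message, E, N)
    print(decrypt_unblinded(ciphertext) == decrypt_blinded(ciphertext))
    print(len(set(masked_inputs(ciphertext))), "distinct masked inputs")
```

The extra exponentiation and modular inverse on every call are the cost the researchers refer to when they call this defense expensive.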

“In the long term, we believe that the correct solution would be to extend the hardware and software contract to take DMP into account,” the researchers wrote. “At a minimum, hardware should expose to software a way to selectively disable DMP when running security-critical applications,” they recommend.

As reported by BitcoinDynamic, in April of last year a vulnerability was detected in Apple equipment that also granted access to key data, such as that which gives way to the storage of cryptocurrencies. This suggests that Apple would be working on a solution to the problem.