GoFetch
GoFetch (PDF, Hacker News):
GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs).
We show that DMPs are present in many Apple CPUs and pose a real threat to multiple cryptographic implementations, allowing us to extract keys from OpenSSL Diffie-Hellman, Go RSA, as well as CRYSTALS Kyber and Dilithium.
Dan Goodin (via Kim Zetter, Hacker News, MacRumors):
The flaw—a side channel allowing end-to-end key extractions when Apple chips run implementations of widely used cryptographic protocols—can’t be patched directly because it stems from the microarchitectural design of the silicon itself. Instead, it can only be mitigated by building defenses into third-party cryptographic software that could drastically degrade M-series performance when executing cryptographic operations, particularly on the earlier M1 and M2 generations. The vulnerability can be exploited when the targeted cryptographic operation and the malicious application with normal user system privileges run on the same CPU cluster.
[…]
The threat resides in the chips’ data memory-dependent prefetcher, a hardware optimization that predicts the memory addresses of data that running code is likely to access in the near future. By loading the contents into the CPU cache before it’s actually needed, the DMP, as the feature is abbreviated, reduces latency between the main memory and the CPU, a common bottleneck in modern computing. DMPs are a relatively new phenomenon found only in M-series chips and Intel’s 13th-generation Raptor Lake microarchitecture, although older forms of prefetchers have been common for years.
[…]
The breakthrough of the new research is that it exposes a previously overlooked behavior of DMPs in Apple silicon: Sometimes they confuse memory content, such as key material, with the pointer value that is used to load other data. As a result, the DMP often reads the data and attempts to treat it as an address to perform memory access. This “dereferencing” of “pointers”—meaning the reading of data and leaking it through a side channel—is a flagrant violation of the constant-time paradigm.
Note that exploiting the vulnerability requires running a malicious app on the target computer. So it could be worse. On the other hand, like many of these hardware side-channel attacks, it’s not possible to patch.
I recorded this video where I walk through what a “DMP” is, what the researchers figured out about Apple M-Series DMP behavior via microbenchmarking, and how a “GoFetch” DMP-enabled attack works in practice.
If you are already familiar with microarchitecture analysis, and would like some deeper reading on the subject, I would suggest reading the original GoFetch paper and three of its references in particular[…]
Intel, perhaps confusingly, gives the setting that turns this feature off the name DOIT, short for data operand independent timing, which actually tells the CPU, “Don’t do data memory-dependent prefetching.”
[…]
Very simply put, the researchers figured out how to feed in decryption keys that they knew wouldn’t work, but that might trigger DMP if they had guessed one of the bits in the key correctly, because they would have tricked the CPU into thinking it was looking at a pointer of interest.
By testing how quickly they could access the ‘memory address of interest’ immediately afterwards, they could determine whether it had been prefetched by the CPU (fast access) or not (slightly slower access), and therefore decide whether they had guessed correctly at one of the bits in the key.
With enough trials, they could gradually recover more and more bits of the key, to the point that they could then use other, existing attacks, albeit involving additional work based on data collected during the GoFetch stage, to figure out the entire key.
Previously:
- New FileVault Recovery Keys and GoFetch
- iLeakage: Browser-Based Timerless Speculative Execution Attacks on Apple Devices
- PACMAN Attack on M1 Processor
- Apple Silicon “Augury” DMP Vulnerability
- M1racles: M1ssing Register Access Controls Leak EL0 State
Update (2024-04-08): Damien Petrilli:
Still not a word from Apple since this issue was disclosed publicly.