It turns out that it is possible to steal private keys with the ``GoFetch'' attack that exploits the vulnerability of Apple silicon that cannot be patched



Researched the side-channel attack `` GoFetch '' that exploits the vulnerability of the ``Data Memory Dependent Prefetcher (DMP)'' in Apple Silicon's M series to steal data by exploiting the confusion between memory contents and data addresses. The team discovered. Through this attack, it is possible to extract the private key from the Mac during encryption operations. There seems to be no way to apply a patch because the vulnerability stems from the chip's microarchitectural design itself.

GoFetch

https://gofetch.fail/



Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/



New chip flaw hits Apple Silicon and steals cryptographic keys from system cache — 'GoFetch' vulnerability attacks Apple M1, M2, M3 processors, can't be fixed in hardware | Tom's Hardware

https://www.tomshardware.com/pc-components/cpus/new-chip-flaw-hits-apple-silicon-and-steals-cryptographic-keys-from-system-cache-gofetch-vulnerability-attacks-apple- m1-m2-m3-processors-cant-be-fixed-in-hardware

In 2022, it was pointed out that DMP has a vulnerability called ` `Augury '' that allows data to be read as a prefetch target when it should not be read.

Augury – Using Data Memory-Dependent Prefetchers to Leak Data at Rest
https://www.prefetchers.info/



``Augury'' was not considered to pose a significant threat due to the severe conditions under which it occurs, but ``GoFetch'' shows that this vulnerability is more dangerous than previously thought. , it has been pointed out that there is a major security risk. News site Tom's Hardware describes it as a 'serious vulnerability that affects all types of cryptographic algorithms.'

In addition, since the DMP vulnerability originates from the microarchitecture design, it cannot be patched, and the only countermeasure is to install DMP The aim is to avoid using it.

It is said that the M3 chip has a special switch that disables DMP, but it is not known how much the performance will be affected when disabling it.

By the way, DMP is a relatively new prefetcher, and in addition to Apple Silicon's M series, it is only installed in Intel's 13th generation Core processor 'Raptor Lake' , but there are no reports of vulnerabilities in Raptor Lake, so Tom's Hardware has expressed the opinion that it may be possible to apply a patch in some way.

Related Posts:

in Hardware,   Security, Posted by logc_nt