A new side-channel attack called "GoFetch" impacts Apple M1, M2, and M3 processors and can be used to steal secret cryptographic keys from data in the CPU's cache.
The attack targets constant-time cryptographic implementations using data memory-dependent prefetchers (DMPs) found in modern Apple CPUs. This allows it to recreate the private cryptographic keys for various algorithms, including OpenSSL Diffie-Hellman, Go RSA, CRYSTALS Kyber, and Dilithium from the CPU's cache.
GoFetch was developed by a team of seven researchers from various universities in the U.S., who reported their findings to Apple on December 5, 2023.
However, as this is a hardware-based vulnerability, there is no way to fix it in impacted CPUs. While it would be possible to mitigate the flaws using software fixes, this would cause a performance hit on these CPUs' cryptographic functions.
GoFetch details
The GoFetch attack targets data memory-dependent prefetchers, a CPU feature designed to improve computer performance when executing code.
A prefetcher is trained by previous accesses to memory when retrieving data, allowing it to predict what data the computer will need next. This data is then fetched in advance from slower parts of memory into faster memory regions, like the CPU cache.
If the prediction is accurate, the data is now quickly available, increasing the computer's performance. If the guess was wrong, the CPU simply requests the correct data as usual.
The GoFetch attack focuses on a newer prefetcher called a data memory-dependent prefetcher (DMP). Like a classic prefetcher, it is trained by previous memory accesses, but it can also examine the data values being loaded to decide what should be prefetched into the cache.
DMP is available in Apple silicon chips and Intel's 13th Gen Raptor Lake CPUs. However, the researchers say Intel's implementation is more restrictive and prevents the attack.
The attack focuses on cryptographic implementations that take the same amount of time to execute regardless of the input (constant time), which is a security measure to prevent sensitive data leaks.
Specifically, the researchers found a flaw in Apple's implementation of the DMP system that violates constant-time good practices.
"We reverse-engineered DMPs on Apple m-series CPUs and found that the DMP activates (and attempts to dereference) data loaded from memory that 'looks like' a pointer," reads the summary of the attack.
"This explicitly violates a requirement of the constant-time programming paradigm, which forbids mixing data and memory access patterns."
An attacker can craft inputs so that intermediate data handled by the cryptographic operation looks like a pointer only when certain bits of the secret key have been guessed correctly, causing the prefetcher to dereference it.
Next, they observe whether DMP activates or not, gradually inferring bits of the secret key. With enough repetitions of the process, the entire secret cryptographic key may be reconstructed.
The researchers confirmed the M1 processors are susceptible to this scheme, and considering that M2 and M3 have similar prefetching behavior, they're likely vulnerable too.
More details about the GoFetch attack can be found in the technical paper published by the researchers, with a proof-of-concept exploit being released at a later date.
What should Apple owners do?
Unfortunately, as the weakness is part of the implementation of the data memory-dependent prefetcher built directly into Apple CPUs, there is no way to mitigate the attack with a hardware fix.
The researchers say it's possible to disable DMP on some CPUs, like the M3, removing the prefetching behavior that GoFetch relies on. However, this is not possible on M1 and M2.
Other defense measures for developers include input blinding and DMP activation masking, which hide the effect of attacker-controlled input on the DMP's behavior.
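The pointer-shaped-data problem described above and the DMP activation masking defense mentioned here, as an added C model that is not code from the researchers, from Apple, or from the original article: `looks_like_pointer` is an assumed stand-in for the DMP's trigger heuristic (the real one is not given on this page), `NOPTR_TAG`, `ct_select` and the two `intermediate_*` functions are constructed for illustration, and the tagging shown is one illustrative form of masking, not the paper's exact scheme.

```c
#include <stdbool.h>
#include <stdint.h>
/* Hypothetical model of the DMP trigger. GoFetch reports that the DMP
 * dereferences loaded data that "looks like" a pointer; the hardware's exact
 * heuristic is not given here, so this stand-in treats a non-null, 8-byte
 * aligned value in the canonical low 48-bit range as pointer-shaped. */
static bool looks_like_pointer(uint64_t v) {
    return v != 0 && (v >> 48) == 0 && (v & 7) == 0;
}
/* Tag bit that a canonical user-space address never has set (constructed). */
#define NOPTR_TAG 0x8000000000000000ULL
/* Constant-time select: a if bit == 1, else b. No branch on the secret. */
static uint64_t ct_select(uint64_t bit, uint64_t a, uint64_t b) {
    uint64_t mask = 0 - (bit & 1);          /* all ones or all zeros */
    return (a & mask) | (b & ~mask);
}
/* Unmasked: when the guessed key bit is right, the word written to memory is
 * exactly the attacker-chosen input, so a pointer-shaped input reaches the DMP. */
uint64_t intermediate_unmasked(uint64_t key_bit, uint64_t input, uint64_t *scratch) {
    *scratch = ct_select(key_bit, input, 0x1234);
    return *scratch;
}
/* Masked: every secret-dependent word stored to memory carries NOPTR_TAG, so it
 * cannot be pointer-shaped whatever the input; the tag is stripped only when the
 * value is consumed. Assumes real values fit in 63 bits. */
uint64_t intermediate_masked(uint64_t key_bit, uint64_t input, uint64_t *scratch) {
    *scratch = ct_select(key_bit, input, 0x1234) | NOPTR_TAG;
    return *scratch & ~NOPTR_TAG;
}
/* Could the stored intermediate be pointer-shaped for either key-bit value?
 * A "true" here is the DMP activation signal the article describes. */
bool store_can_trigger(bool masked, uint64_t input) {
    uint64_t scratch;
    for (uint64_t bit = 0; bit < 2; bit++) {
        if (masked) intermediate_masked(bit, input, &scratch);
        else        intermediate_unmasked(bit, input, &scratch);
        if (looks_like_pointer(scratch)) return true;
    }
    return false;
}
/* The defense must be transparent to the consumer of the value. */
bool masked_preserves_value(uint64_t key_bit, uint64_t input) {
    uint64_t s1, s2;
    return intermediate_unmasked(key_bit, input, &s1) ==
           intermediate_masked(key_bit, input, &s2);
}
```

In the model, a pointer-shaped input makes the unmasked store DMP-triggerable for one key-bit value and not the other, while the tagged store is never pointer-shaped yet yields the same consumed value.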
While Apple could introduce mitigations into macOS as a software patch, it would cause performance hits, as we saw in previous software fixes for side-channel attacks.
As an Apple user, there is not much you can do other than practice safe computing habits. That means regularly updating your operating system and software and only installing software from official channels and reputable sources to prevent malware infections.
The GoFetch attack does not require physical access for exploitation, so if the attacker can run code on the target machine, for example, via malware infection, it can be executed remotely.
BleepingComputer has contacted Apple to request a comment on the GoFetch danger and whether it plans to roll out security updates, but a spokesperson was limited to sharing a developer page outlining a mitigation.
Comments
rtfmoz - 3 months ago
Much Ado About Nothing.... https://developer.apple.com/documentation/xcode/writing-arm64-code-for-apple-platforms#Enable-DIT-for-constant-time-cryptographic-operations
But I suppose being 250% faster instead of 300% faster in crypto operations would be game changer...... for some.
h_b_s - 3 months ago
If you'd bothered to read the article, it specifically addresses DIT in the presence of the flaw. The Data Memory Prefetcher CPU feature in the M1 and M2 series interferes with the constant time computation guarantees in DIT (Data Independent _Timing_) instructions. DMP can be disabled in M3 and Intel CPUs that have it so it won't interfere with constant timing guarantees, but not M1 & M2 based devices. There's no workaround available. Speculative execution. The gift that keeps on giving... and giving and giving...
The discoverers point out that doing constant time cryptography in the presence of hardware without a reliable constant time hardware guarantee will rightfully cause a performance hit, and requires a rewrite if anything is using DIT on a system that has a problematic DMP. Apple's guidance doesn't currently inform developers of this hardware flaw so any code using that guidance is going to be exploitable on M1 & M2 systems (and there's nothing end users can do about it).