A team of academic researchers has uncovered a concerning vulnerability affecting Apple's M-series chips that could allow attackers to extract encryption keys and other sensitive data. The findings were published in a paper released on Thursday.
The vulnerability relates to a side-channel attack vector introduced by a performance optimization feature called the Data Memory-Dependent Prefetcher (DMP). DMPs are designed to reduce latency by predicting which memory addresses code will need to access and pre-loading that data into the CPU cache.
However, the researchers discovered that the DMP implementation in Apple's M1 and M2 chips has an overlooked behavior that violates the security principle of constant-time programming.
In constant-time code, execution time should not depend on secret data, preventing timing side-channel attacks. But the M-series DMPs sometimes treat secret key material as a pointer value, effectively "dereferencing" the secrets into memory where they can be leaked through side channels.
The implications are severe - the research team demonstrated the ability to extract full encryption keys for widely-used ciphers like RSA, Diffie-Hellman, and post-quantum cryptography schemes like Kyber and Dilithium. All of the targeted cryptographic implementations employed constant-time programming defenses, but proved ineffective against this new attack vector named GoFetch.
For example, GoFetch could extract a 2048-bit RSA key in under an hour, and a 2048-bit Diffie-Hellman key in just over two hours, even from constant-time implementations. Leaking keys for post-quantum ciphers took longer but was still achievable, like 10 hours for Dilithium-2.
Video Demonstration
The vulnerability represents a fundamental threat, as it stems from the Silicon design itself rather than software implementation bugs. As such, it cannot be patched directly - only mitigated through changes to cryptographic libraries to build defenses around the hardware behavior.
However, effective mitigations like "ciphertext blinding" which masks sensitive data could impose significant performance penalties, potentially even doubling resource usage in some cases according to the researchers. Running crypto operations on the M-series efficiency cores is another possible workaround, but also with performance trade-offs.
On the newly-released M3 chip, Apple has introduced an option to disable the DMP functionality entirely, though the performance impact remains unknown. The researchers suggest in the long term, hardware-software contracts need to evolve to allow more control and transparency around DMP behavior for security purposes.
The impact is potentially far-reaching, as Apple's ARM-based M-series chips now power the entire Mac desktop and laptop lineup, with future chip generations like the M3 expected to expand into higher-performance pro devices. IoT devices and other ARM-based systems could theoretically be impacted as well if they adopt similar DMP designs.
From a security perspective, GoFetch underscores the risks of hardware optimization features defeating constant-time protections relied upon by modern cryptography. While caches and speculative execution have been widely studied for side-channel leakage, data prefetchers have received less scrutiny in the past.
"GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk," the researchers stated.
Apple has declined to comment on the record about the GoFetch findings so far. However, users and software developers will likely need to keep a close eye on future Apple updates and mitigations related to this vulnerability across macOS and other operating systems.
For end-users, updating software promptly when fixes become available will be critical, especially for apps that handle cryptographic operations. Major vendors like Apple's own software, web browsers, VPNs, secure communications apps and anywhere else encryption is implemented could potentially be impacted and require mitigation updates.
As the researchers cautioned, "Unfortunately, to assess if an implementation is vulnerable, cryptanalysis and code inspection are required to understand when and how intermediate values can be made to look like pointers in a way that leaks secrets. This process is manual and slow and does not rule out other attack approaches."
While not an easy vulnerability to exploit, the GoFetch attack has significant implications as another example of performance optimizations in modern hardware clashing with critical security assumptions in a challenging way for software developers. Securing systems against these new side channel attack vectors will likely require innovative hardware-software co-design going forward.
The full technical paper titled "GoFetch: Extracting Secrets from Apple Silicon Using the Data Memory-Dependent Prefetcher" is available [PDF] online for review by security researchers and others. Impacted vendors will now have to assess exposure and mitigation options - likely setting up an ongoing cat-and-mouse game between attackers and defenders in the world of chip architecture security.