New GoFetch Vulnerability in Apple’s M Chips Allows Secret Keys Leak on Compromised Computers

The newly exposed GoFetch vulnerability affecting Apple’s M1, M2 and M3 chips lets an attacker exfiltrate secret keys from cryptographic applications on a targeted system. The exploit works by running a fraudulent process on the same CPU cluster as the targeted process on the targeted machine. No easy mitigation currently exists for this vulnerability, as it resides in the hardware.

What is the GoFetch vulnerability?

GoFetch is a cache side-channel vulnerability. This type of vulnerability targets a particular cache from the system by analyzing side data.

M1, M2 and M3 Apple silicon chips possess a Data Memory-dependent Prefetcher, which is a hardware part of the chip responsible for predicting memory addresses of data that code run on the computer is likely to access in the near future and storing it in a cache. Yet, DMPs — in contrast to classical prefetchers that only store the memory access pattern — “also take into account the contents of data memory directly to determine what to prefetch,” as written in the publication from Boru Chen, Yingchen Wang, Pradyumna Shome, Christopher W. Fletcher, David Kohlbrenner, Riccardo Paccagnella and Daniel Genkin that reveals all of the details about the GoFetch vulnerability.

The DMP has a behavior that makes the GoFetch vulnerability possible: it sometimes confuses memory content with the pointer value that is used to load other data. As explained by the researchers, the GoFetch vulnerability can be exploited by crafting “chosen inputs to cryptographic operations, in a way where pointer-like values only appear if we have correctly guessed some bits of the secret key.” Therefore, by repeating those operations on different bits, it becomes possible to guess all bits of a secret key.

The tests done by the researchers showed it was possible to extract keys from popular encryption products (OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) but also from post-quantum cryptography such as CRYSTALS-Kyber and CRYSTALS-Dilithium. Yet the researchers wrote that “while we demonstrate end-to-end attacks on four different cryptographic implementations, more programs are likely at risk given similar attack strategies.”

What is a cache side-channel vulnerability?

Imagine you have a locked safe for which you don’t know the code, but you know that the sound the dial makes when you turn it changes depending on which number you’re on. So, you listen carefully to the sound the dial makes as you turn it, and you’re able to figure out the combination that way, even though you don’t know the actual numbers.

A side-channel attack works in a similar way. Instead of trying to break the encryption directly, an attacker looks for other clues that can reveal the secret information. For example, they might use a device to measure the amount of power being used by a computer as it performs encryption operations. By analyzing the patterns in the power usage, they can figure out the key that was used to encrypt the data, even though they don’t know the algorithm. This can be a very effective way to bypass security measures and gain access to sensitive information.

What are the mandatory conditions for successful exploitation of the GoFetch vulnerability?

To successfully exploit the GoFetch vulnerability, an attacker first needs to be able to run code with the logged-in user privileges, meaning the targeted computer has already been compromised. Then, the exploiting code used by the attacker must be executed as a process running on the same CPU cluster from the targeted machine.

“These conditions are not that impossible, malware proves it every day unfortunately. No special privileges are needed,” said Fred Raynal, chief executive officer of Quarkslab, a French offensive and defensive security company, in a written interview given to TechRepublic.

Raynal added: “On OS X, a process can not access (debug) the memory of another process for the same user. It can, but it gets a pop-up window. With this attack, no pop-up. It is totally invisible without any additional privileges needed to access data between 2 processes.”

What systems are vulnerable to GoFetch?

Apple computers possessing the M1, M2 or M3 chip are vulnerable to GoFetch. There is a difference on the M3 because disabling the Data Independent Timing bit disables the DMP, which is not possible on the M1 and M2.

The researchers noted similar DMP exists on Intel’s latest 13th generation (Raptor Lake) architecture, yet with more restrictive activation criteria, making it robust to the GoFetch vulnerability. In addition, similar to the M3 chip, the Raptor Lake processors can disable DMP by using the Data Operand Independent Timing bit.

GoFetch threat mitigation

Disabling the DMP would incur heavy performance penalties and is likely not possible on M1 and M2 CPUs, according to the researchers.

Cryptographic blinding-like techniques might be applied. “For example, by instrumenting the code to add/remove masks to sensitive values before/after being stored/loaded from memory,” explains the researchers. Yet a major downside of this approach is that it requires potentially DMP-bespoke code changes to every cryptographic implementation, as well as heavy performance penalties for some cryptographic schemes.

It is also possible to only run all cryptographic code on Icestorm cores, as the DMP does not activate on those. This solution would greatly reduce performance, though, and there is a risk that in the future the DMP might silently be enabled on those cores as well.

DOWNLOAD: Cybersecurity Countermeasures Quick Glossary from TechRepublic Premium

Hardware support therefore seem to be the long-term solution, as written by the researchers:

“Longer term, we view the right solution to be to broaden the hardware-software contract to account for the DMP. At a minimum, hardware should expose to software a way to selectively disable the DMP when running security-critical applications. This already has nascent industry precedent. For example, Intel’s DOIT extensions specifically mention disabling their DMP through an ISA extension. Longer term, one would ideally like finer-grain control, e.g., to constrain the DMP to only prefetch from specific buffers or designated non-sensitive memory regions.”

The best protection for now is still to forbid any remote code execution on the vulnerable computer so that an attacker cannot exploit GoFetch, as with any other kind of malicious code. Therefore, it’s strongly advised to always keep hardware, systems and software up to date and patched in order to avoid being compromised by any malware or attacker who could then execute a GoFetch exploit.

In addition, users should not be allowed to install any software originating from untrusted third parties; they should also be cautious about phishing emails that could contain malicious code or links to malicious code.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

William Murphy

Related post