There is an unfixable vulnerability in Apple Silicon Macs: here is GoFetch

We have often discussed side-channel attacks against processors. Vulnerabilities like Spectre and Meltdown opened Pandora's box in early 2018, and the cyber landscape has never been the same since. Researchers began to look more closely at the internal workings of modern processors and discovered a number of other security vulnerabilities, many of them related to speculative execution and other performance optimization mechanisms.

The GoFetch vulnerability, discovered in Apple Silicon SoCs, is a side-channel attack that exploits a weakness in the prefetcher (Data Memory-Dependent Prefetcher, DMP). This security gap allows an attacker to extract sensitive data such as cryptographic keys, taking advantage of the fact that the Apple M-series SoC confuses memory contents with data addresses.

In practice, this is a serious problem because GoFetch allows a private key to be extracted directly from the vulnerable Mac while it performs cryptographic operations.

What is the GoFetch vulnerability in the Apple Silicon SoCs that equip modern Macs

The discovery of the GoFetch vulnerability is the result of work by a team of academic researchers. The technical basis of the problem is illustrated on the gofetch.fail site, created specifically to inform all interested parties.

The prefetcher is a hardware optimization that predicts which memory addresses the executing code is likely to access next. The main problem is that the prefetcher implemented in Apple Silicon SoCs, unlike more traditional components of the same kind, uses data values to make its predictions rather than limiting itself to addresses.

This makes it possible to "mix up" memory contents, for example secret keys, with pointer values used to load other data. That confusion is the crux of the problem: it opens the door to side-channel attacks and allows confidential information to be extracted.

The secret key exposure vulnerability can be exploited by a malicious application without root privileges, using only the rights of a normal user.

The problem is that, since the flaw is closely tied to the microarchitectural design of the chip itself, there is no way for Apple engineers to devise and apply a corrective patch. In other words, GoFetch cannot be fixed through a software or firmware update, since the DMP is a feature implemented in hardware.

One countermeasure that could be adopted is a switch (which ARM-derived Apple Silicon SoCs appear to be equipped with) that allows the DMP to be disabled, at least on the newer M3 chips.

To mitigate the problem, corrective approaches could be integrated into cryptographic software, including third-party software, but this could drastically reduce the performance of M-series chips during cryptographic operations.
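The following is an added example, not code from the article or from the GoFetch researchers. It models the behaviour described above (a prefetcher that dereferences memory contents that look like pointers) with a toy predicate, and shows one of the software-side corrective approaches the article alludes to: storing key material XOR-masked with a random value so that whether a stored word "looks like a pointer" is independent of the secret. The heap range, the secret words and the mask are constructed values; the model is not Apple's microarchitecture.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy model of a data-memory-dependent prefetcher (DMP). Added here to
 * illustrate the mechanism the article describes; it is NOT Apple's
 * hardware. The model scans the 8-byte words of a loaded cache line and
 * treats any aligned word inside the mapped heap range as a pointer it
 * would dereference. Activation therefore depends on memory *contents*. */
#define LINE_WORDS 8
typedef struct { uint64_t base, size; } mapped_range;

/* 1 if this word would trigger a data-dependent prefetch in the model. */
static int dmp_would_prefetch(uint64_t word, const mapped_range *r) {
    return (word & 7) == 0 && word >= r->base && word < r->base + r->size;
}

/* Number of words in a cache line the model would dereference. */
static int dmp_line_activations(const uint64_t line[LINE_WORDS],
                                const mapped_range *r) {
    int n = 0;
    for (size_t i = 0; i < LINE_WORDS; i++)
        n += dmp_would_prefetch(line[i], r);
    return n;
}

/* Masked storage of secret words. Memory only ever holds secret ^ mask,
 * so whether a stored word "looks like a pointer" is independent of the
 * secret and the prefetcher's behaviour no longer encodes key bits.
 * The caller supplies the mask; real code must draw it from a CSPRNG
 * per allocation (a demo may use a constructed constant). */
typedef struct {
    uint64_t masked[LINE_WORDS];
    uint64_t mask[LINE_WORDS];
} masked_line;

static void masked_store(masked_line *m, const uint64_t secret[LINE_WORDS],
                         const uint64_t mask[LINE_WORDS]) {
    for (size_t i = 0; i < LINE_WORDS; i++) {
        m->mask[i] = mask[i];
        m->masked[i] = secret[i] ^ mask[i];
    }
}

/* Unmask one word at the point of use; the result is meant to live in a
 * register, never to be written back to memory in the clear. */
static uint64_t masked_load(const masked_line *m, size_t i) {
    return m->masked[i] ^ m->mask[i];
}
```

Masking the stored key is only part of the job: intermediate values computed from the unmasked word can still be spilled to memory by the compiler, which is why the researchers' other recommended approach is cryptographic blinding of the inputs themselves.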
