Friday, October 4, 2024
HomeAppleGoFetch Side-Channel Attack Impact Apple CPUs: Attackers Steal Secret Keys

GoFetch Side-Channel Attack Impact Apple CPUs: Attackers Steal Secret Keys

Published on

Researchers have unveiled a new class of microarchitectural side-channel attacks that pose a severe threat to the security of Apple CPUs.

The attack, GoFetch, exploits the Data Memory-dependent Prefetchers (DMPs) in modern processors to extract secret cryptographic keys from constant-time cryptographic implementations.

Understanding the GoFetch Attack

The GoFetch attack is based on a new understanding of how DMPs behave.

- Advertisement - EHA

Researchers have found that DMPs can be activated by any program and attempt to dereference any data brought into the cache that resembles a pointer.

This behavior places a significant amount of program data at risk and challenges the previously believed restrictions reported by prior work.

Document

Free Webinar : Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.:

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

AcuRisQ, which helps you to quantify risk accurately:

The cornerstone defense against side-channel attacks has been to ensure that security-critical programs do not use secret-dependent data as addresses.

However, the GoFetch attack demonstrates that attackers can bypass these defenses by exploiting the DMP to perform end-to-end key extraction on popular constant-time implementations of classical and post-quantum cryptography.

Reverse Engineering Apple and Intel DMPs

Researchers have reverse-engineered the DMP found on Apple CPUs and discovered new activation criteria.

They have also confirmed the existence of a similar DMP on Intel’s latest 13th generation (Raptor Lake) architecture, albeit with more restrictive activation criteria.

The researchers developed a new type of victim-agnostic chosen-input attack and associated attack primitives that do not require the attacker and victim to share memory.

They used these techniques to mount a proof-of-concept attack on constant-time swap operations.

Binni Shah recently tweeted about a new side-channel attack that exploits data memory-dependent prefetchers.

This attack leverages the timing behavior of memory access patterns to leak sensitive information from a victim process.

Disclosure and Industry Response

The findings were disclosed to Apple, OpenSSL, Go Crypto, and the CRYSTALS team.

Apple is investigating the proof of concept, while OpenSSL reported that local side-channel attacks fall outside their threat model.

The Go Crypto team considers the attack low severity, and the CRYSTALS team suggested pinning to the Icestorm cores without DMP as a short-term solution, with hardware fixes needed in the long term.

Implications for Processor Design

The GoFetch attack has shaken the foundations of modern processor design, calling into question the security of data memory-dependent prefetchers.

The discovery highlights the need to reevaluate current defenses and develop new strategies to protect against such microarchitectural side-channel attacks.

Memory access patterns and subsequent prefetches
Memory access patterns and subsequent prefetches

The above figure compares memory access patterns and subsequent prefetches, illustrating the activation pattern reported by Augury and the new findings that show DMP activations even when the training array contains non-pointer values.

The GoFetch attack is a stark reminder of the evolving landscape of cybersecurity threats and the continuous arms race between attackers and defenders.

As processors become more complex, the potential for such vulnerabilities increases, necessitating vigilant research and proactive defense mechanisms to secure our digital infrastructure.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Cloud Penetration Testing Checklist – 2024

Cloud Penetration Testing is a method of actively checking and examining the Cloud system...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Doppler Launches ‘Change Requests’ to Strengthen Secrets Management Security with Audited Approvals

Doppler, the leading platform in secrets management, today announces the launch of Change Requests,...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Linux Malware perfctl Attacking Millions of Linux Servers

Researchers have uncovered a sophisticated Linux malware, dubbed "perfctl," actively targeting millions of Linux...

Northern Ireland Police to Pay £750,000 Fine Following Data Breach

The Police Service of Northern Ireland (PSNI) has been ordered to pay a £750,000...