Apple M-Series Processors Vulnerable to Microarchitectural Side-Channel Attacks, Exposing Confidential Encryption Algorithm Keys

Apple M-Series Processors Vulnerable

Researchers have discovered that Apple M-series processors are susceptible to GoFetch, a microarchitectural side-channel attack that allows attackers to extract confidential encryption algorithm keys by leveraging the Data Memory-dependent Prefetcher (DMP).

The researchers have successfully extracted confidential keys from OpenSSL’s Diffie-Hellman, Go RSA, and the Kyber and Dilithium encryption algorithms of the CRYSTALS project using the M-series processors. Affected Apple chips include the M1, M2, and M3 models. It is worth noting that although Intel’s 13th generation Raptor Lake microarchitecture also features DMP, it has stricter activation standards and is more resilient against GoFetch attacks.

The GoFetch attack exploits the concept of constant-time programming, a paradigm that ensures all operations take the same amount of time to strengthen the code’s resistance against side-channel attacks. In non-constant-time algorithms, the execution speed of the encryption process may vary due to different inputs or keys, allowing attackers to measure these timing differences and obtain information about the encryption process or keys.

To comply with constant-time programming, the code must not contain branches, loops, or control structures that depend on sensitive information. Additionally, constant-time algorithms should not mix data and locations in any way, as attackers can observe the latency of different memory locations in the CPU cache to infer information stored in memory. Furthermore, accessing or indexing arrays dependent on confidential data in constant-time algorithms is strictly prohibited.

The key to the success of the GoFetch attack lies in the fact that even if the encryption algorithm follows constant-time programming principles by separating data from memory addresses, the presence of DMP can still result in memory access behavior dependent on confidential data. This mechanism leads to inconsistent execution times for constant-time algorithms, which can be observed and exploited by attackers to extract keys and break the encryption.

DMP, which causes the failure of constant-time encryption, is a CPU feature present in Apple’s M-series CPUs. Through reverse engineering of the M-series CPUs, the researchers discovered that DMP is activated and attempts to dereference data from memory-like locations. The researchers noted that such a DMP mechanism clearly violates the requirement of constant-time programming to avoid mixing data and memory access patterns.

Attackers can exploit this vulnerability by carefully designing encryption operations to guess the keys. The researchers arranged the input of encryption operations to produce pointer-like values only when a partial bit of the key is guessed correctly. By analyzing cache timing and monitoring the execution of DMP dereferences, the researchers can verify their guesses and gradually determine the key bits. According to the researchers’ published paper, they have successfully compromised four popular constant-time encryption implementations, including OpenSSL Diffie-Hellman key exchange, Go RSA decryption, and post-quantum encryption algorithms CRYSTALS-Kyber and CRYSTALS-Dilithium.

It is worth noting that prior to GoFetch, a security research team developed the Augury attack method, which discovered the issue of abusing the mixing of data and memory positions in Apple’s M-series chips’ DMP. However, Augury did not identify the activation standard for M-series chips’ DMP as strictly as GoFetch. The GoFetch researchers mentioned that any value loaded from memory, regardless of its actual content and expected use, is treated as a memory address by the M-series chips’ DMP and attempted to be dereferenced. This finding makes GoFetch more dangerous, as DMP can be used to attack real-world constant-time encryption algorithms.

The researchers attempted end-to-end GoFetch attacks on the M1 processor and discovered similar exploitable behavior in the M2 and M3 processors. Although the researchers did not test other variants of the M-series, such as the M2 Pro, they speculated that these variants have the same microarchitecture and may suffer from the same issues.

Currently, disabling DMP is possible for the M3 chip by setting the Data Independent Timing (DIT) bit, but it is not feasible for the M1 and M2 chips. On the other hand, Intel’s Raptor Lake processor allows disabling DMP by setting the Data Operand Independent Timing (DOIT) bit. Encryption library developers can mitigate GoFetch attacks on specific CPUs by setting the DIT and DOIT bits to disable DMP.

Adopting input blinding techniques can also assist certain encryption schemes in avoiding DMP activation controlled by attackers. Furthermore, the researchers suggested that preventing the measurement of DMP activation can further enhance the security of encryption protocols. As of now, Apple has not responded to this issue. The researchers disclosed the vulnerability to Apple on December 5, 2023, and are now responsibly disclosing the attack technique publicly. They also plan to release conceptual verification code in the future.