GoFetch Rips Secret Keys From Apple's M-Series Processors Through a New Side-Channel Attack

A team of security researchers from the Universities of Illinois Urbana-Champaign, Texas at Austin, California at Berkeley, Washington, Carnegie Mellon University, and the Georgia Institute of Technology have warned of a side-channel attack against Apple's M-series processors that can reveal secret keys for a range of cryptography implementations: GoFetch.

"GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs)," the researchers explain. "We show that DMPs are present in many Apple CPUs and pose a real threat to multiple cryptographic implementations, allowing us to extract keys from OpenSSL Diffie-Hellman, Go RSA, as well as CRYSTALS Kyber and Dilithium."

The team's focus was on Apple's M-series processors, developed in-house using the Arm architecture to deliver high-performance yet energy-efficient computing. These, the researchers explain, include Apple's implementation of a performance-improving DMP — which can be exploited to reveal private information, including secret keys used for cryptography running on the device.

"Undergirding our attacks is a new understanding of how DMPs behave," the team writes of its discovery, "which shows, among other things, that the Apple DMP will activate on behalf of any victim program and attempt to 'leak' any cached data that resembles a pointer. The Apple m-series DMP was first discovered by Augury, which suggested that DMPs might mix data and addresses under some conditions. GoFetch shows that the DMP is significantly more aggressive than previously thought, and thus poses a much greater security risk."

The team's attack successfully leaked secret key information for a range of real-world cryptographic implementations, though the researchers say the attack can be mitigated at a performance cost on Apple's latest M3 chips by setting the "DIT bit" to disable DMP — a feature not available on earlier M2 and M1 processors. Intel's 13th generation "Raptor Lake" chips, which feature a similar DMP, is also theoretically vulnerable — but with more restrictive activation criteria making it "robust to our attacks," the researchers note.

"For users, we recommend using the latest versions of software, as well as performing updates regularly," the team writes of potential mitigations — the core flaw being in the hardware itself and, thus, not easily patched. "Developers of cryptographic libraries can either set the DOIT bit and DIT bit bits, which disable the DMP on some CPUs. Additionally, input blinding can help some cryptographic schemes avoid having attacker-controlled intermediate values, avoiding key-dependent DMP activation. Finally, preventing attackers from measuring DMP activation in the first place, for example by avoiding hardware sharing, can further enhance the security of cryptographic protocols."

More details, with a link to the team's paper, is available on the GoFetch website; the team has promised to release proof-of-concept code in the near future, but it was not available at the time of publication.