Mike Peterson
Researchers have discovered a microarchitectural flaw present in Apple Silicon chips that could lead to data leakage, though they said there is currently little cause for concern.
The so-called Augury flaw was discovered by a team of researchers led by Jose Rodrigo Sanchez Vicarte of the University of Illinois at Urbana Champaign and Michael Flanders of the University of Washington. Vicarte, Flanders, and other members of the team recently published details of the flaw in a new paper.
According to the researchers, the flaw exists in the Data-Memory Dependent Prefetcher (DMP) in Apple Silicon chips. DMPs, which decide what memory content to prefetch, are well-known in academic circles but have yet to be deployed in a commercial product.
We found a way to leak data on Apple Silicon processors that is "at rest": that is, data the core never reads speculatively or non-speculatively.
— David Kohlbrenner (@dkohlbre) April 29, 2022
This will be an odd one, so stick around for the and see https://t.co/KCnw9PAlSS
"Classical prefetchers look only at the stream of previous addresses accessed. DMPs also consider on the content of the previously prefetched memory," said David Kohlbrenner, another member of the team. "Inherently, the DMP's choice thus reveals something about the content of memory."
Apple's M1 and A14 family of chips use a prefetcher that targets an array-of-pointers access pattern. Thought the exact details are complicated, this essentially means that the chips can leak data that isn't read by any instruction.
Kohlbrenner noted, however, that this is "about the weakest DMP an attacker can get."
"It only prefetches when content is a valid virtual address, and has a number of odd limitations," he wrote on Twitter. "We show this can be used to leak pointers and break ASLR. We believe there are better attacks available."
The flaw isn't "that bad" currently, since it can only leak data pointers and "likely only in the sandbox threat model."
However, similar flaws centered around data at rest can be tricky to protect against. That's because leaked data is never read by the core, speculatively or non-speculatively.
AppleInsider Staff
Chip Loder
Christine McKee
Malcolm Owen
William Gallagher
Andrew Orr
11 Comments
Except the government and law enforcement can exploit it. Probably. Apple should consider fixing this for the long haul.
Don't panic, these CPU level exploits are extremely difficult to exploit and are basically never seen in the wild. Remember Meltdown and Spectre a few years back? Not a single documented exploit in the wild. It's worthwhile to look for and fix these issues, however, as Flava Flave says "Dont believe the hype!"
Just like software, no CPU is "perfect". That doesn't mean I'm giving Intel a free-pass for all the huge CPU errata problems, it's just something to know and to work with.