Summary:
A new vulnerability dubbed GoFetch was discovered in Apple M-series chips, allowing attackers to extract secret keys used in cryptographic operations. This vulnerability exploits a feature called data memory-dependent prefetcher to target constant-time cryptographic implementations and access sensitive data from the CPU cache. A team of academics alerted Apple to this issue in December 2023. Prefetchers are hardware optimizations that predict memory addresses a program will access soon and retrieve data into the cache to reduce latency. DMP, a type of prefetcher, considers memory contents based on past access patterns, making it susceptible to cache-based attacks like GoFetch and a similar attack called Augury.

GoFetch violates the constant-time programming paradigm by activating and dereferencing data that appears like a pointer, potentially leaking sensitive data. This attack requires the victim and attacker to share the same machine and CPU cluster but not memory. It can be executed by enticing a target to download a malicious app.

This vulnerability undermines the security provided by constant-time programming against timing side-channel attacks, as it allows attackers to influence prefetched data, enabling access to sensitive information. While it can't be fixed in existing Apple CPUs, cryptographic library developers must take precautions. Enabling data-independent timing on Apple M3 chips mitigates DMP but isn't feasible on M1 and M2 processors.

Security Officer Comments:
Additionally, a GPU attack demonstrated by researchers affects browsers and graphics cards, using specially crafted JavaScript code to infer sensitive data like passwords. This attack, leveraging WebGL and WebGPU APIs, requires no user interaction and impacts various operating systems and browsers.

Suggested Corrections:
As countermeasures, the researchers propose treating access to the host system's graphics card via the browser as a sensitive resource, requiring websites to seek users permission (like in the case of camera or microphone) before use.

Link(s):
https://thehackernews.com/2024/03/new-gofetch-vulnerability-in-apple-m.html