A new paper revealed the presence of a microarchitectural flaw in Apple Silicon chips. Although the issue may not be too serious, it could still lead to data leakage if abused by attackers.
Augury Flaw in Apple Silicon Chips
Jose Rodrigo Sanchez Vicarte from the University of Illinois at Urbana Champaign and Michael Flanders of the University of Washington led the research team. The research team discovered (PDF) an “augury flaw” in both Apple’s M1 and A14 chips.
The report mentioned that the augury flow existed in the Data-Memory Dependent Prefetcher (DMP) in Apple Silicon chips. DMPs determine what memory content to prefetch, or download in the background.
Research Demonstrates Possibility of Leaking Data at Rest
The research is quite complicated and technical. Essentially, the research team wanted to demonstrate the existence of a pointer-chasing DMP on Apple’s processors. To do this, the team reverse-engineered the details of the DMP. They were able to determine the opportunities for and restrictions the DMP places on attackers.. The team also demonstrated several basic attacks that can leak pointer values using the DMP.
To put it simply, the presence of DMP in Apple Silicon chips could leak data that isn’t read by any instructions.
The Need for Compiler and Program Transformation Tools
The researchers concluded that exotic microarchitectural optimizations that leak data never accessed by the core have arrived in mainstream processors such as the M1 and A14. It is unlikely that it will disappear anytime soon. While it’s not easy to read DMPs, adversaries could still abuse the flaw.
It can read and transmit some types of memory values outside of sandboxes or test the validity of pointers controlled by an attacker. This is despite a single-level pointer-chasing DMP being nearly the worst-case DMP for an attacker, leaking only pointers and only under restricted situations.
Finally, the paper also emphasized the need for compiler and program transformation tools. These tools will help mitigate data at rest leakage. Knowing how to mitigate this potential data leak could prevent similar incidents in the next generation of microarchitectural attacks.