Apple Silicon chip vulnerability ‘Augury’ surfaces, but researchers aren’t worried yet

By: Michael Korgs | 02.05.2022, 21:25

After digging into Apple Silicon, researchers have discovered a new vulnerability that affects Apple's latest M1 and A14 chips. Although the Augury microarchitectural flaw was shown to leak data at rest, it doesn't appear to be that serious, at least for now.

Jose Rodrigo Sanchez Vicarte at the University of Illinois at Urbana-Champaign and Michael Flanders at the University of Washington led a group of researchers who published details on their discovery of the novel Augury microarchitectural Apple Silicon flaw (all details were shared with Apple prior to publishing).

The group discovered that Apple chips employ a Data-Memory Dependent Prefetcher (DMP), which examines the contents of memory it has already fetched in order to decide what to prefetch next.

How the Augury Apple Silicon vulnerability works

Specifically, Apple's M1, M1 Max, and A14 were tested and found to prefetch using an array-of-pointers dereferencing pattern. The researchers discovered that this process can leak data that is "never read by any instruction, even speculatively!" They also believe the M1 Pro and possibly older A-series chips are vulnerable to the same flaw.

Here's how the researchers say Apple's DMP differs from traditional ones:

Once *arr[0] through *arr[2] have been accessed (even speculatively!), it will start prefetching from *arr[3]. That is, it will first prefetch ahead the contents of arr and then dereference those contents. In contrast, a conventional prefetcher would not perform the second step/dereference operation.

As for why data-at-rest attacks like this are troublesome, the paper says most hardware or software defensive strategies against "microarchitectural attacks assume there is some instruction that accesses the secret." Data-at-rest vulnerabilities don't work that way. The research explains further:

Any defense that depends on tracking which data was accessed by the core (speculatively and non-speculatively) cannot protect against Augury. The core never has access to the leaked data!
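To make the two passages above concrete (the array-of-pointers pattern, and why access-tracking defenses miss the leak), here is a small simulation. It is an added example written for this page, not code from the researchers or from Apple: it models a toy 64-byte-line cache fed by demand loads plus one of two prefetchers, a conventional stride prefetcher that only fetches the next array slot, and a DMP that additionally dereferences whatever it finds in that slot if it looks like a valid address. The line size, the 4-byte pointer slots, the three-access trigger, the memory layout and the address-validity check are all assumptions of the model; the point it demonstrates is the one the page makes, that the line holding the secret ends up in the cache even though no instruction ever loaded from it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified model for illustration only: not Apple's DMP. The
 * line size, 4-byte pointer slots and the address-validity check are assumed. */
#define MEM_SIZE  4096u                 /* simulated address space 0..MEM_SIZE-1 */
#define LINE_SIZE 64u
#define NUM_LINES (MEM_SIZE / LINE_SIZE)

enum prefetcher { PF_NONE, PF_STRIDE, PF_DMP };

struct machine {
    uint8_t mem[MEM_SIZE];
    bool line_present[NUM_LINES];     /* lines in the cache, by demand load or prefetch */
    bool touched_by_core[NUM_LINES];  /* lines some instruction actually loaded from */
    uint32_t last_addr, last_val;     /* most recent demand load, to recognise a dereference */
    bool have_last;
    uint32_t slots[3];                /* last three array slots whose pointer got dereferenced */
    int nslots;
    enum prefetcher pf;
};

static uint32_t line_of(uint32_t addr) { return addr / LINE_SIZE; }
static bool valid_vaddr(uint32_t v) { return v < MEM_SIZE; }  /* "looks like a valid address" */
static void fetch_line(struct machine *m, uint32_t addr) { m->line_present[line_of(addr)] = true; }
static uint32_t read_word(const uint8_t *mem, uint32_t addr) {
    uint32_t v; memcpy(&v, mem + addr, sizeof v); return v;
}

/* Both prefetchers bring in the next array slot; only the DMP then dereferences it. */
static void prefetch_next(struct machine *m, uint32_t next_slot) {
    if (!valid_vaddr(next_slot)) return;
    fetch_line(m, next_slot);
    if (m->pf == PF_DMP) {
        uint32_t target = read_word(m->mem, next_slot);
        if (valid_vaddr(target)) fetch_line(m, target);   /* no instruction ever loads this */
    }
}

/* Every load an instruction performs goes through here. */
static uint32_t demand_load(struct machine *m, uint32_t addr) {
    uint32_t val = read_word(m->mem, addr);
    m->touched_by_core[line_of(addr)] = true;
    fetch_line(m, addr);
    if (m->have_last && addr == m->last_val) {   /* dereferencing the pointer read from last_addr */
        m->slots[0] = m->slots[1]; m->slots[1] = m->slots[2]; m->slots[2] = m->last_addr;
        if (m->nslots < 3) m->nslots++;
        if (m->nslots == 3 && m->pf != PF_NONE) {
            uint32_t stride = m->slots[1] - m->slots[0];
            if (stride == m->slots[2] - m->slots[1]) prefetch_next(m, m->slots[2] + stride);
        }
    }
    m->last_addr = addr; m->last_val = val; m->have_last = true;
    return val;
}

/* Victim (constructed layout): four pointers at 256; the code walks only the first
 * three. arr[3] holds slot3_value (the secret's address, or junk). Returns whether the
 * line at slot3_value ended up cached; *core_touched says if any instruction loaded it. */
static bool run_victim(enum prefetcher pf, uint32_t slot3_value, bool *core_touched) {
    struct machine m;
    memset(&m, 0, sizeof m);
    m.pf = pf;
    memset(m.mem, 0xA5, MEM_SIZE);   /* filler that never looks like an address */
    const uint32_t arr = 256;
    uint32_t targets[4] = { 1024, 1088, 1152, slot3_value };
    for (int i = 0; i < 4; i++) memcpy(m.mem + arr + 4u * i, &targets[i], sizeof targets[i]);
    for (int i = 0; i < 3; i++) {
        uint32_t p = demand_load(&m, arr + 4u * i);   /* load arr[i] ... */
        (void)demand_load(&m, p);                     /* ... and dereference it */
    }
    bool valid = valid_vaddr(slot3_value);
    if (core_touched) *core_touched = valid && m.touched_by_core[line_of(slot3_value)];
    return valid && m.line_present[line_of(slot3_value)];
}

/* What an access-tracking defence would see: did any instruction load the secret's line? */
static bool core_loaded(enum prefetcher pf, uint32_t slot3_value) {
    bool touched = false; (void)run_victim(pf, slot3_value, &touched); return touched;
}

int main(void) {
    const char *names[] = { "none", "stride", "dmp" };
    for (int pf = PF_NONE; pf <= PF_DMP; pf++) {
        bool touched, cached = run_victim((enum prefetcher)pf, 2048, &touched);
        printf("%-6s: secret line cached=%d, loaded by an instruction=%d\n", names[pf], cached, touched);
    }
    printf("dmp, arr[3] not an address: cached=%d\n", run_victim(PF_DMP, 0xFFFFFFFFu, NULL));
    return 0;
}
```

With the DMP enabled the line at 2048 is cached while `touched_by_core` for that line stays false, which is exactly the case a defense built on "which data did the core access" cannot see; with no prefetcher or a stride prefetcher it is never fetched. The last call shows the restriction Kohlbrenner mentions: when arr[3] does not hold something that passes the validity check, the DMP dereferences nothing.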

But David Kohlbrenner (Assistant Professor, University of Washington), one of the advisors to the research team, points out that this DMP is "about the weakest DMP an attacker can get."

The good news here is that this is about the weakest DMP an attacker can get. This DMP only works if the contents can be verified as valid virtual addresses. It also has some odd restrictions. This can be used as a pointer leaker and to break ASLR.

We believe there are better attacks possible.

— David Kohlbrenner (@dkohlbre) April 29, 2022

The researchers echo that sentiment in the paper, saying this vulnerability isn't "that bad" for now and that they haven't demonstrated any "end-to-end exploits with Augury techniques at this time." Only pointers can currently be leaked, and only in the sandbox threat model.

9to5Mac’s take

This is a fascinating discovery. Fortunately, there isn't much to be concerned about yet, as the researchers consider it the weakest DMP attackers can get. But the researchers have made important findings that should allow Apple to improve security and prevent malicious usage.

In the year and a half since Apple went all-in on making its own chips, we've only seen a few security concerns specifically around the M1 pop up. One saw apps exchange data covertly, but that wasn't a real issue, and another was custom-made Apple Silicon malware (a perennial problem on any hardware).

The researchers are not aware of Apple working on a patch for Augury, but we’ll be keeping an eye out for any developments around this flaw.