Exploiting Undefined Behavior in C/C++ Programs: The Performance Impact [pdf]
https://web.ist.utl.pt/nuno.lopes/pubs/ub-pldi25.pdf
#HackerNews #ExploitingUndefinedBehavior #C #C++ #PerformanceImpact #ProgrammingSecurity #SoftwareDevelopment
Unpatchable Vulnerability in Apple Chip Leaks Secret Encryption Keys
Date: 03/21/2024
CVE: Not provided in the source
Sources: Ars Technica
Issue Summary
A vulnerability found in Apple’s M-series chips allows attackers to extract secret encryption keys during common cryptographic operations. This flaw, rooted in the chips' microarchitecture, is deemed unpatchable and can only be mitigated by adjustments in third-party cryptographic software, potentially impacting performance. The vulnerability exposes keys through a side channel when a targeted operation and a malicious app with normal privileges run on the same CPU cluster.
Key technical findings
The vulnerability lies in the chips' data memory-dependent prefetcher (DMP), which anticipates future memory accesses to reduce latency. The DMP can misinterpret encryption key material as pointers and attempt to access the memory they appear to reference, which leaks the data. Attackers cannot read keys directly, but they can manipulate input data so that intermediate values in the encryption algorithm resemble pointers, exposing the key through cache side channels.
Vulnerable products
Impact assessment
Successful exploitation allows attackers to extract sensitive cryptographic keys, undermining the confidentiality and integrity of encrypted data. The broad application of cryptographic operations on vulnerable devices elevates the risk.
Patches or workaround
Direct patching of the hardware flaw is impossible due to its microarchitectural nature. Mitigation requires implementing defenses in cryptographic software, which may significantly affect the performance of cryptographic operations.
Tags
#Apple #M-series #EncryptionKeys #SideChannel #Vulnerability #CryptographicSoftware #PerformanceImpact