current position:Home>Turn into a "poisonous" apple? The world's first MP vulnerability is unique to apple chips such as A14 and M1

Turn into a "poisonous" apple? The world's first MP vulnerability is unique to apple chips such as A14 and M1

2022-05-07 20:01:5436kr

Recent apples , It can be said that it is a good interpretation of a word : Tall trees catch much wind .

Before, major regulatory agencies investigated its monopoly 、 Order it to be open , Later, competitive companies continued to dig corners 、 Steal secrets , Even the other day , And researchers are Apple Silicon Found the world's first data memory dependent prefetcher (Data Memory-Dependent Prefetcher, Referred to as DMP) Security vulnerabilities —— This vulnerability is known as “Augury”( Meaning for “ Otsuge Uranainandesu ”), At present, it only exists in Apple Silicon.

1 Has been to DMP Have doubts

Find out Augury Our research team members come from different universities , These include the University of Illinois, Urbana - Champagne 、 Tel Aviv University and Huasheng Dayton University , And the team has always been interested in DMP Have doubts .

DMP, That is, the data memory depends on the prefetcher , By understanding the contents of the whole memory , Prefetch data to improve system performance . Generally speaking , To ensure system security , Memory access will be restricted and partitioned , And the famous technology evaluation website Anandtech Launched at Apple M1 after , Yes A14 The wording of a paragraph of the evaluation caught the attention of the research team :

In microarchitecture investigation , We see in Apple's chip design “ Memory magic ” Signs of , We speculate that apple is using some kind of pointer tracking prefetching mechanism .

Regarding this , The team guessed : Apple chip DMP Prefetching may exceed the memory pointer set , That is, you can access and try to prefetch irrelevant memory addresses , Even deep prefetching .

Out of this concern , The team began to study M1 and A14, I found my eyebrows and eyes :

  • “ We found that Apple processor has a DMP.”

  • “ We found this DMP Prefetched a pointer array dereference mode .”

  • “ We found that this prefetcher can be used to leak data that will not be read by any instruction ( The pointer ), Even if it's just speculative !”

Further explanation :Apple Silicon Of DMP There are loopholes in the function “Augury”, If the vulnerability is successfully exploited by an attacker , The system will be exposed to static data attacks , That is, the leaked data is static , It will not be read by the core in a speculative or non speculative way , So it's hard to find .

2 Apple Silicon Unique vulnerabilities

say concretely , The team found that Apple Silicon It did use DMP Prefetch pointer array (AoP):

The researchers explained :“ Once the code sees *arr[0]……arr[2] happen ( Even speculative !), It will start prefetching arr[3]. in other words , It prefetches first arr The content of , Then dereference . However, the traditional prefetcher will not perform the second step / Dereference .”

stay AoP in , System addressing 、 Read and cache memory that has not been accessed , And the data may never be accessed —— in other words , at present Apple Silicon Of DMP The function enables the system to over read and expose data , It's more vulnerable to attack .

Speaking of this , Maybe someone will be by this Augury, Think of the... That once caused a great sensation in the world Spectre and Meltdown Loophole ( These two vulnerabilities can enable an attacker to destroy the privileged memory of the processor by running processes in parallel , Stealing sensitive data ), But the team points out that ,Augury and Spectre/Meltdown Is not the same :

  • Augury Using only DMP function , Not transient execution ;

  • Spectre Can be completely disabled , and Augury There will still be ;

  • Apply to Augury The type of defense is also different from other microarchitecture attacks . Any defense that relies on tracking data accessed by the core cannot prevent Augury Leaking data , Because by Augury The leaked data will never be read by the core .

So we can also understand it as ,Spectre and Meltdown The vulnerability discloses the data being used , And using apple DMP,Augury May leak the entire memory content , Even if the data is not actively accessed .

3 Apple is known , But it hasn't been patched yet

According to the vulnerability data disclosed by the research team ,Augury At present, it only exists in Apple Silicon, The chips that have been confirmed to be affected include A14、M1 and M1 Max( All have DMP function ). They are also interested in the latest Intel and AMD The processor was tested , But none of them found Augury Signs of vulnerability .

Besides , The researchers added :“ We think some older A Series chips and the latest M1 series (M1 Pro etc. ) The chip will also be affected , But it's only in M1 Max It has been confirmed in .”

thankfully , The research team pointed out that , Even though it sounds Augury There are no small hidden dangers , But they haven't yet “ Show any help Augury End to end exploit ”, So at least at this stage ,“ Only the pointer will be leaked ”.

As for the patch of this vulnerability , The research team said it had discussed this issue with apple , Apple also knows all the details of the vulnerability , But as far as they know , Apple hasn't released a patch yet .

Reference link :



This article is from WeChat official account. “CSDN”(ID:CSDNnews), Arrangement : Zheng Liyuan ,36 Krypton authorized release .

copyright notice
author[36kr],Please bring the original link to reprint, thank you.

Random recommended