A "poisoned" Apple? The world's first DMP vulnerability is unique to Apple chips such as the A14 and M1
Apple's recent situation is a good illustration of the saying: tall trees catch much wind.
First, major regulators investigated it for monopoly and ordered it to open up; then competitors kept poaching its staff and stealing its secrets; and just the other day, researchers found in Apple Silicon the world's first security vulnerability in a data memory-dependent prefetcher (Data Memory-Dependent Prefetcher, DMP for short). The vulnerability is named "Augury" (meaning "divination" or "omen"), and at present it exists only in Apple Silicon.
1 Long-standing suspicions about the DMP
The members of the research team that found Augury come from several universities, including the University of Illinois Urbana-Champaign, Tel Aviv University and the University of Washington, and the team had long had suspicions about DMPs.
A DMP, or data memory-dependent prefetcher, looks at the contents of memory and prefetches data to improve system performance. Generally, to keep a system secure, memory access is restricted and partitioned. After Apple launched the M1, the wording of one passage in the A14 review by the well-known technology review site AnandTech caught the research team's attention:
In our microarchitecture investigation, we have seen signs of "memory magic" in Apple's chip designs, and we speculate that Apple is using some kind of pointer-chasing prefetching mechanism.
From this, the team guessed that the DMP in Apple's chips may prefetch beyond the intended set of memory pointers; that is, it can access and try to prefetch unrelated memory addresses, possibly to some depth.
Out of this concern, the team began studying the M1 and A14 and found some leads:
"We found that Apple processors have a DMP."
"We found that this DMP prefetches an array-of-pointers dereference pattern."
"We found that this prefetcher can be used to leak data (pointers) that is never read by any instruction, even speculatively!"
To elaborate: the DMP feature in Apple Silicon has a flaw, "Augury". If an attacker successfully exploits it, the system is exposed to attacks on data at rest: the leaked data is at rest and is never read by the core, either speculatively or non-speculatively, which makes the leak hard to detect.
2 A vulnerability unique to Apple Silicon
Specifically, the team found that Apple Silicon does use a DMP that prefetches arrays of pointers (AoP):
The researchers explained: "Once the code sees *arr……arr happen (even speculatively!), it will start prefetching arr. In other words, it first prefetches the contents of arr and then dereferences them. A traditional prefetcher, however, will not perform the second step/dereference."
With AoP prefetching, the system addresses, reads and caches memory that has not been accessed, and that data may never be accessed. In other words, the current DMP feature in Apple Silicon lets the system over-read and expose data, which makes it more vulnerable to attack.
At this point, Augury may remind some readers of the Spectre and Meltdown vulnerabilities that once caused a worldwide sensation (these two vulnerabilities let an attacker compromise the processor's privileged memory by running processes in parallel and steal sensitive data), but the team points out that Augury is not the same as Spectre/Meltdown:
- Augury uses only the DMP feature, not transient execution;
- Spectre can be completely disabled, and Augury will still be there;
- The type of defense applicable to Augury also differs from that for other microarchitectural attacks. Any defense that relies on tracking the data accessed by the core cannot stop Augury from leaking data, because the data leaked by Augury is never read by the core.
So it can also be understood this way: Spectre and Meltdown leak data that is in use, whereas Augury, by using Apple's DMP, may leak the entire contents of memory, even data that is not actively accessed.
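The two-step prefetch the researchers describe, and the reason a defense that tracks core-accessed data misses it, can be seen in a toy model. This is an added example, not code from the original article or from the researchers; the flat word-addressed memory, the constants and the one-element lookahead are assumptions made for illustration and do not describe Apple's actual prefetcher.

```c
#include <stdio.h>
#include <string.h>

/* Toy model constructed for illustration, not Apple's design: a "pointer" is an index into mem[]. */
enum { MEM = 64, ARR_BASE = 8, ARR_LEN = 4, AHEAD = 1, SECRET_PTR = 50 };

struct outcome {
    int core_read_slot;   /* did any instruction read the word after arr? */
    int slot_cached;      /* was that word itself brought into the cache? */
    int target_cached;    /* was the address stored in that word cached?  */
};

static unsigned mem[MEM];
static int cached[MEM], core_read[MEM];
static unsigned core_load(unsigned addr) {      /* architectural load */
    core_read[addr] = cached[addr] = 1;
    return mem[addr];
}

static void prefetch(unsigned addr, int dmp) {
    if (addr >= MEM) return;
    cached[addr] = 1;                           /* step 1: fetch ahead in arr */
    if (dmp && mem[addr] < MEM)
        cached[mem[addr]] = 1;                  /* step 2: DMP only, dereference */
}

struct outcome simulate(int dmp) {
    memset(mem, 0, sizeof mem);
    memset(cached, 0, sizeof cached);
    memset(core_read, 0, sizeof core_read);
    for (unsigned i = 0; i < ARR_LEN; i++)
        mem[ARR_BASE + i] = 20 + i;             /* arr[i] points at words 20..23 */
    mem[ARR_BASE + ARR_LEN] = SECRET_PTR;       /* adjacent word, never read by code */
    for (unsigned i = 0; i < ARR_LEN; i++) {    /* program: in-bounds reads of *arr[i] */
        core_load(core_load(ARR_BASE + i));
        prefetch(ARR_BASE + i + AHEAD, dmp);
    }
    return (struct outcome){ core_read[ARR_BASE + ARR_LEN],
                             cached[ARR_BASE + ARR_LEN], cached[SECRET_PTR] };
}

int main(void) {
    for (int dmp = 0; dmp <= 1; dmp++) {
        struct outcome o = simulate(dmp);
        printf("%s core_read_slot=%d slot_cached=%d target_cached=%d\n",
               dmp ? "DMP:   " : "stride:", o.core_read_slot, o.slot_cached, o.target_cached);
    }
    return 0;
}
```

In both runs the core never reads the word after the array, yet in the DMP run the cache state depends on the value stored there, which is what a core-access-tracking defense cannot see.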
3 Apple has been informed, but has not patched it yet
According to the vulnerability details disclosed by the research team, Augury currently exists only in Apple Silicon. The chips confirmed to be affected include the A14, M1 and M1 Max (all of which have a DMP). The team also tested the latest Intel and AMD processors, but found no sign of the Augury vulnerability in any of them.
In addition, the researchers said: "We think some older A-series chips and the latest M1-series (M1 Pro, etc.) chips are also affected, but it has only been confirmed on the M1 Max."
Fortunately, the research team pointed out that although Augury sounds like a serious risk, they have not yet "shown any end-to-end exploit using Augury", so at least at this stage, "only pointers can be leaked".
As for a patch, the research team said it had discussed the issue with Apple and that Apple knows all the details of the vulnerability, but as far as they know, Apple has not released a patch yet.
This article is from the WeChat official account "CSDN" (ID: CSDNnews), compiled by Zheng Liyuan, and published by 36Kr with authorization.
Author: 36kr. Please include the original link when reprinting, thank you.