Recent developments have shed light on the GoFetch vulnerability, a security exploit that affects both Apple M-series and Intel Raptor Lake CPUs. This exploit leverages data memory-dependent prefetchers (DMPs), a feature similar to speculative execution vulnerabilities like Spectre, to potentially leak sensitive data.
Understanding the GoFetch Exploit
GoFetch operates by exploiting DMPs, which are present in all Apple M-series CPUs and Intel’s Raptor Lake processors. When DMP is enabled, data can be siphoned off a core’s cache, thereby providing a potential entry point for cyber attackers.
Researchers have demonstrated the exploit on a dedicated website for GoFetch, showing how within a matter of minutes, 560 bits of data were leaked from an RSA-protected server.
Comparing GoFetch to Other Known Vulnerabilities
While GoFetch may not be groundbreaking, it shares similarities with other known vulnerabilities such as Spectre and Meltdown. These exploits also take advantage of a CPU’s performance-enhancing prediction features. Typically, software-based patches are used to address hardware-level exploits, often by disabling the speculative feature, which in turn reduces performance. However, this solution is not viable for M1 and M2 CPUs.
FAQ: Can DMP be disabled?
Yes, but only on certain processors. Researchers have found that setting the DIT bit on M3 CPUs effectively disables the DMP. Unfortunately, this is not the case for the M1 and M2 CPUs. Therefore, while a software patch can resolve GoFetch for M3 and Raptor Lake CPUs, it cannot be used for M1 and M2 chips as DMP will run regardless.
The Implications of the GoFetch Exploit
It’s always a concern when a performance-enhancing feature needs to be disabled due to potential data leaks. The situation is even more dire when the feature cannot be disabled at all. One proposed workaround is to blind the DMP to sensitive data whenever it’s being stored or loaded from memory. However, this solution would necessitate extensive code rewrites and could result in performance penalties.
A Potential Workaround
Interestingly, there is a workaround that doesn’t require any code rewrites. Like many modern CPUs, Apple’s M-series has two types of cores: the larger Firestorm cores and the smaller Icestorm cores. The DMP-based GoFetch exploit only works on Firestorm cores, including for M1 and M2 CPUs. Therefore, the researchers suggest running all cryptographic work solely on the Icestorm cores for now. While this may result in slower performance, it should ensure security.
Even this approach may not be foolproof. If Apple releases a future M processor with DMP enabled in its efficiency cores, there would be no safe place to run code without potentially exposing sensitive data. Given that DMP is not entirely secure, it is hoped that Apple will either fix it, remove it, or find an alternative feature before making its next-generation CPUs even more vulnerable.
