Researchers from the University of Illinois Urbana-Champaign, University of Washington, and Tel Aviv University have described an attack, dubbed Augury, that leaks data at rest on recent Apple processors, notably the A14 and the M1 family.
Augury could be the first of a new type of attack that leaks data at rest in memory, that is, before it even reaches the processor core. This opens up a completely different scenario from the one we experienced with side-channel vulnerabilities, which can leak data in use, i.e. data that is accessed and passed through an insecure operation.
According to the researchers, the possibility of data leakage at rest is caused by special microarchitectural optimizations such as silent stores, cache compression, and data memory-dependent prefetchers (DMPs). Until now, however, they say, data-at-rest attacks were only a theoretical possibility. Augury appears to demonstrate for the first time that these kinds of exploits are possible in the wild, especially using DMP.
In fact, the Apple M1, M1 Max, M1 Pro and A14 processors all offer an array-of-pointers (AoP) prefetcher, used to prefetch the result of dereferencing these pointers in advance of their actual use. This mechanism is able to dereference memory locations across array boundaries.
This act of dereferencing the out-of-bounds pointer (which may not even be an actual pointer) creates a memory side channel that an attacker can use to learn the pointer.
While in theory it has been shown that DMPs can have disastrous security implications, this does not appear to be the case for Apple’s CPUs. First of all, given the lack of documentation on Apple M1 AoP, it is not trivial for an attacker to find the activation pattern. As David Kohlbrenner, one of the researchers who discovered Augury, explains, the type of DMP enabled by Apple processors is “about the weakest DMP and attacker”:
It only prefetches when the content is a valid virtual address and has a number of odd limitations. We show that this can be used to leak pointers and break ASLR. We believe there are better attacks possible.
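To make the mechanism concrete, here is a toy software model of an array-of-pointers prefetcher, added for this article and not taken from the Augury researchers' code. The addresses, the training threshold, the prefetch depth and the 64-byte line size are constructed assumptions; the model only shows why a word sitting next to the array changes cache state when it happens to be a valid virtual address, and leaves no trace when it is not.

```python
LINE = 64  # assumed cache-line size in bytes

class ToyAoP:
    """Toy model: a cache plus a prefetcher that follows pointers in an array."""

    def __init__(self, memory, mapped, train=3, ahead=1):
        self.memory = memory  # address -> 64-bit word stored there
        self.mapped = mapped  # (start, end) ranges of mapped virtual addresses
        self.train = train    # assumed: dereferences seen before it activates
        self.ahead = ahead    # assumed: slots fetched past the last one read
        self.cache = set()    # numbers of the cache lines currently present

    def is_valid_va(self, value):
        return any(lo <= value < hi for lo, hi in self.mapped)

    def touch(self, addr):
        self.cache.add(addr // LINE)

    def is_cached(self, addr):
        return addr // LINE in self.cache

    def walk(self, base, count):
        """The program reads base[i] and dereferences it, for i < count only."""
        for i in range(count):
            slot = base + 8 * i
            self.touch(slot)
            self.touch(self.memory[slot])  # architectural access *base[i]
            if i + 1 < self.train:
                continue
            for k in range(1, self.ahead + 1):
                # The prefetcher has no notion of where the array ends.
                word = self.memory.get(slot + 8 * k)
                if word is not None and self.is_valid_va(word):
                    self.touch(word)  # speculative dereference


def adjacent_word_target_cached(word):
    """True if the line `word` points at is cached after an in-bounds walk."""
    base, n = 0x1000, 4  # constructed layout: 4 pointers, then unrelated data
    memory = {base + 8 * i: 0x8000 + LINE * i for i in range(n)}
    memory[base + 8 * n] = word  # data at rest; the program never reads it
    model = ToyAoP(memory, mapped=[(0x1000, 0x2000), (0x8000, 0xA000)])
    model.walk(base, n)
    return model.is_cached(word)


if __name__ == "__main__":
    print(adjacent_word_target_cached(0x9000))      # maps to a valid address
    print(adjacent_word_target_cached(0xDEADBEEF))  # not a mapped address
```

In the model the program itself never reads past the fourth slot; the only thing that distinguishes the two runs is whether the neighbouring word passes the valid-address check, which is the limitation Kohlbrenner describes.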
Additionally, the researchers note, sandboxing is a well-known technique that already assumes that an attacker could leak any value in the virtual address space. For this reason, sandboxed systems seem to be immune to the M1 DMP. That doesn’t mean the attack shouldn’t be taken seriously, as existing unsandboxed programs and kernels could be affected and leak data in their address spaces.
The scenario opened by Augury is completely new for both attackers and defenders. The relative newness of DMP vulnerabilities means little information is available to understand how they might be exploited, but it will trigger further efforts to design new exploitation scenarios, researchers say. For defenders, the existence of DMPs will require new approaches to protect data that is not being used.