Researchers have discovered a massive security vulnerability inside Apple M1, M2, and M3 silicon. The vulnerability, dubbed 'GoFetch,' steals cryptographic information from the CPU cache enabling an attacking program to build a cryptographic key from stolen data, allowing the application to access sensitive encrypted data. Ars Technica first reported on the security flaw.
GoFetch takes advantage of an overlooked security exploit in Apple silicon surrounding its state-of-the-art data memory-dependent prefetcher (DMP). A next-generation prefetcher only found in Apple silicon and Intel's Raptor Lake CPU architectures that loads memory contents into cache before they are needed. The vulnerability surrounds an overlooked behavior in the prefetcher where it will load key material into the CPU cache featuring a pointer value that is used to load other data. DMP will sometimes confuse memory content and load inappropriate data into the CPU cache.
Article continues below
The only exception is Apple's M3 silicon which purportedly features a special "switch" that developers can turn on to disable the chip's data memory-dependent prefetcher. However, nobody knows yet how much performance will be lost if this special optimization is turned off. For all we know, it could hinder performance just as much as software mitigation.
The interesting tidbit is that Intel's Raptor Lake CPU architecture (which includes both 13th and 14th Gen CPUs) doesn't have this vulnerability despite sharing the same prefetcher as Apple's M series chips. We don't know why this is the case, but it demonstrates that this vulnerability can be patched in silicon. However, this will only occur in future Apple M series architectures (i.e. M4) when Apple's engineers have time to re-design its CPU architecture to account for the recently discovered vulnerabilities.