
With great power comes great responsibility - new attack type on Apple silicon

porina

Quote

We present a new type of microarchitectural attack that leaks data at rest: data that is never read into the core architecturally. This attack technique, Augury, leverages a novel microarchitectural optimization present in Apple Silicon: a Data Memory-Dependent Prefetcher (DMP).

Summary

Apple have been making waves with the performance of their recent CPU designs. One of the techniques they used has opened the door to a new type of attack. For now, this has not been exploited as an attack but it can be used to leak pointers. In short, a data pre-fetcher looks at memory access patterns to predict what might be needed. The advancement here is that the data doesn't have to reach the execution units before triggering the pre-fetcher.

 

My thoughts

We know Apple silicon performs well, and it seems this new feature makes available a possible new attack direction. AMD and Intel are not currently affected since they have not implemented such a feature. Also, many existing speculative execution mitigations are not applicable here since this happens before execution. It will be interesting to see where this goes in future. There are other mitigations in place which may make it difficult to exploit this, but still it is a new tool available for an attacker. As a user I wouldn't be concerned about this right now.

 

Sources

https://www.prefetchers.info/

 

Doesn't seem to have hit mainstream news yet.

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


3 hours ago, emosun said:

But i was told apple doesn't get viruses.

Everything should be treated as potentially hackable. It’s simply a matter of weighing potential payoff against the time & resources required to find and exploit a vulnerability.

 

These folk who’ve found this are doing excellent research 👍🏻


In the case of Mac the real reason for fewer in the wild viruses is simply a lower user base and thus less reward for effort.

 

macOS isn’t the closed/walled garden people on LTT seem determined to believe it is. It’s like any other full-fat OS; there will be vulnerabilities. Patrick Wardle’s blog is an excellent resource for info on this.


1 hour ago, Paul Thexton said:

In the case of Mac the real reason for fewer in the wild viruses is simply a lower user base and thus less reward for effort.

 

macOS isn’t the closed/walled garden people on LTT seem determined to believe it is. It’s like any other full-fat OS; there will be vulnerabilities. Patrick Wardle’s blog is an excellent resource for info on this.

Though it might be smaller user base, the targets are often higher value.


1 hour ago, Paul Thexton said:

Everything should be treated as potentially hackable.

The correct way to put it: it isn't a question of whether something is hackable, but how, and how much time it takes....


48 minutes ago, jagdtigger said:

The correct way to put it: it isn't a question of whether something is hackable, but how, and how much time it takes....

I'm not sure if my Abacus is hackable... /s

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


7 hours ago, porina said:

Data Memory-Dependent Prefetcher

Isn't that pretty much what Spectre/Meltdown does...? (prefetch sounds an awful lot like prediction)

 

Spoiler

Modern processors use branch prediction and speculative execution to maximize performance. For example, if the destination of a branch depends on a memory value that is in the process of being read, CPUs will try to guess the destination and attempt to execute ahead. When the memory value finally arrives, the CPU either discards or commits the speculative computation. Speculative logic is unfaithful in how it executes, can access the victim's memory and registers, and can perform operations with measurable side effects. Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim's confidential information via a side channel to the adversary.

^boy, as if they couldn't say this easier lol 

 

edit: well I guess, yes.

 

18 minutes ago, Arika S said:

huh, it's almost like designing CPUs is hard there will always be vulnerabilities that the manufacturer doesn't even consider.

Except in this case it wasn't something unknown 

 

Quote

In short, a data pre-fetcher looks at memory access patterns to predict what might be needed

Meltdown and Spectre say hello!

 

Been talked about a lot, this "branch prediction stuff" is inherently insecure, and new exploits keep coming up (so the only way to not be affected is not to use it?)

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


3 hours ago, RejZoR said:

Though it might be smaller user base, the targets are often higher value.

Windows has enterprise though, they might be a very profitable target if you are creating malware.


3 hours ago, RejZoR said:

Though it might be smaller user base, the targets are often higher value.

In what way is a Mac user higher value? How many accountants in large organizations run Mac OS? I'm not sure what this basis of evaluation is being done on but I cannot think of anything that would make either widely more valuable than the other.

 

Actual higher value targets get, well... specifically targeted. Everyone else is just hoped to be caught in wide cast nets.


1 hour ago, leadeater said:

In what way is a Mac user higher value?

In before only rich people buy Royal Cheese TS Macs... 

 


2 hours ago, leadeater said:

In what way is a Mac user higher value? How many accountants in large organizations run Mac OS? I'm not sure what this basis of evaluation is being done on but I cannot think of anything that would make either widely more valuable than the other.

 

Actual higher value targets get, well... specifically targeted. Everyone else is just hoped to be caught in wide cast nets.

The average Mac user could in fact be less knowledgeable and careful about attacks on his machine because he was told for many years that "there is no malware on Mac OS". This could make a Mac user a more valuable target because the success rate is much higher.


4 hours ago, leadeater said:

In what way is a Mac user higher value? How many accountants in large organizations run Mac OS? I'm not sure what this basis of evaluation is being done on but I cannot think of anything that would make either widely more valuable than the other.

 

Actual higher value targets get, well... specifically targeted. Everyone else is just hoped to be caught in wide cast nets.

You really have to ask? It's not like ransomware is one of the most popular methods these days. Are you going to extort someone running a $500 laptop running pirated Windows or someone flexing a $3000 Macbook Pro? Because surely, a person having one a) probably has valuable stuff on the device and b) very likely doesn't live from paycheck to paycheck. I just gave a hypothetical example here, so you get the picture.

 

@HenrySalayne

That claim has nothing to do with any of it. People also claim they use "their own head" on Windows and they need no damn antivirus, even though that shit meant exactly dick for I don't know how many frigging years now.


6 minutes ago, RejZoR said:

You really have to ask? It's not like ransomware is one of the most popular methods these days. Are you going to extort someone running a $500 laptop running pirated Windows or someone flexing a $3000 Macbook Pro? Because surely, a person having one a) probably has valuable stuff on the device and b) very likely doesn't live from paycheck to paycheck. I just gave a hypothetical example here, so you get the picture.

Or someone could've used their student loan or a credit card on a $3000 Macbook, so that comparison doesn't really make sense. How much someone spends on something doesn't always mean they're s%&*#ing gold bricks.

8 minutes ago, RejZoR said:

That claim has nothing to do with any of it. People also claim they use "their own head" on Windows and they need no damn antivirus, even though that shit meant exactly dick for I don't know how many frigging years now.

An antivirus is a bit outdated nowadays, especially if a person uses an ad blocker and isn't clicking on every random link they see.

I think it's more likely a Mac could be a higher value target because Apple has been telling people their computers don't get viruses.


* thread cleaned *

 

Please keep the rules in mind.

If you need help with your forum account, please use the Forum Support form!


27 minutes ago, RejZoR said:

That claim has nothing to do with any of it. People also claim they use "their own head" on Windows and they need no damn antivirus, even though that shit meant exactly dick for I don't know how many frigging years now.

Educating users is the most effective and first line of defence against attacks. Almost any major hack/leak/attack in the past few years was caused by an individual being careless.

It's the same story with airbags in cars. Better to have them and not need them, but the best thing is just to drive carefully.


I imagine a big part of looking for new attack types with Apple Silicon, from the perspective of anyone who isn't a malicious entity, is because it's a new toy to play with. For x86, while there are still a lot of undocumented instructions, isn't it somewhat well-trodden ground, whereas there's a lot more to explore with Apple Silicon and other devices that utilize alternatives to the old x86/x64?


3 hours ago, RejZoR said:

You really have to ask? It's not like ransomware is one of the most popular methods these days. Are you going to extort someone running a $500 laptop running pirated Windows or someone flexing a $3000 Macbook Pro?

That doesn't make them a higher value target; not only that, Windows laptops of the same prices also exist. You'd make a rather terrible fisherman, only going after super rare large marlins while everyone else is long-lining and trawling, pulling in large quantities of fish every time.

 

Also plenty of people with sufficiently large income and savings don't feel the need to splash out on expensive laptops they don't need.


8 hours ago, Blademaster91 said:

Or someone could've used their student loan or a credit card on a $3000 Macbook, so that comparison doesn't really make sense. How much someone spends on something doesn't always mean they're s%&*#ing gold bricks.

An antivirus is a bit outdated nowadays, especially if a person uses an ad blocker and isn't clicking on every random link they see.

I think it's more likely a Mac could be a higher value target because Apple has been telling people their computers don't get viruses.

It's 2022 and yet people still have this fixated idea that antiviruses only catch viruses aka actual parasitic file infectors and that their only scope is on-demand scan using clumsy CLI. No wonder all sorts of dumb idiotic myths around antiviruses are still circulating around to this very day...


15 hours ago, Mark Kaine said:

Isn't that pretty much what Spectre/Meltdown does...? (prefetch sounds an awful lot like prediction)

It is kinda similar but different in how it works. Speculative execution is doing future work that might be needed, to save time. DMP here is looking at past memory access patterns to predict which chunk of data will be needed next. I believe there are software prefetch commands available for a programmer to use, but DMP would seem to be a generic hardware implementation, so it works on any software to try and seek performance improvements. It'll be interesting to see if AMD/Intel will implement similar in future.

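An added example to make the distinction in the post above (and in the opening summary's "a data pre-fetcher looks at memory access patterns") concrete. This is not code from the thread, from the Augury authors or from Apple; it is a pointer-table traversal in C, written once plain and once with an explicit software prefetch hint through the GCC/Clang `__builtin_prefetch` builtin. The program itself reads the pointer a few entries ahead and hands its target to the cache, which is the "software prefetch command" mentioned in the post; a DMP, as the thread describes it, infers such targets in hardware from the pointer values it finds in fetched cache lines, which is why those pointer values can become observable even when the program never loads them architecturally. The table size, the scatter constant and the prefetch distance are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define N 4096                 /* constructed table size */
#define PREFETCH_DISTANCE 8    /* constructed: how far ahead the hint runs */

/* Constructed sample data: a backing buffer of values and a table of
 * pointers into it. The pointer table is the kind of "data at rest" the
 * thread talks about: the core only sees a pointer *value* when the program
 * loads it, whereas a DMP can inspect the fetched cache line on its own. */
static uint64_t values[N];
static const uint64_t *table[N];

/* Fill values[i] = i and scatter the pointers so that successive table
 * entries do not point at neighbouring cache lines. A stride-based
 * prefetcher cannot guess the next target here; only the stored pointer
 * value says where the next load goes. 1031 is prime and odd, so
 * (i * 1031) mod 4096 is a permutation of 0..N-1. */
void build_table(void)
{
    for (size_t i = 0; i < N; i++)
        values[i] = (uint64_t)i;
    for (size_t i = 0; i < N; i++)
        table[i] = &values[(i * 1031u) % N];
}

/* Plain pointer chasing: each iteration loads table[i], then *table[i].
 * Every target load waits on the pointer load before it. */
uint64_t sum_direct(void)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < N; i++)
        acc += *table[i];
    return acc;
}

/* Same sum with a software prefetch hint: the program reads the pointer
 * PREFETCH_DISTANCE entries ahead and asks the cache hierarchy to start
 * fetching its target (read access, low temporal locality). The result is
 * identical; only the timing of the cache fills changes. A DMP performs
 * this step in hardware for pointer-like values it sees in cache lines,
 * without the program issuing any hint or load for them. */
uint64_t sum_with_prefetch(void)
{
    uint64_t acc = 0;
    for (size_t i = 0; i < N; i++) {
        if (i + PREFETCH_DISTANCE < N)
            __builtin_prefetch(table[i + PREFETCH_DISTANCE], 0, 1);
        acc += *table[i];
    }
    return acc;
}

/* Reference value: the sum of 0..N-1, independent of the scatter order. */
uint64_t expected_sum(void)
{
    return (uint64_t)N * (N - 1) / 2;
}

int main(void)
{
    build_table();
    printf("direct=%llu prefetch=%llu expected=%llu\n",
           (unsigned long long)sum_direct(),
           (unsigned long long)sum_with_prefetch(),
           (unsigned long long)expected_sum());
    return 0;
}
```

Both sums return the same value; the hint changes when the cache is filled, not what the program computes. That is also the defender's takeaway from the thread: the observable side effect lives in cache state, not in architectural results, so a prefetcher that acts on pointer values the program never loaded is outside the reach of mitigations that gate on execution.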

5 hours ago, RejZoR said:

It's 2022 and yet people still have this fixated idea that antiviruses only catch viruses aka actual parasitic file infectors and that their only scope is on-demand scan using clumsy CLI. No wonder all sorts of dumb idiotic myths around antiviruses are still circulating around to this very day...

Viruses reached their peak in 1994:

 

 

"On Saturday, the 33rd anniversary of the building of the Berlin Wall, a likeness of the late East German leader popped up on thousands of computer screens in eastern and western Germany.

 

After the playing of the East German national anthem, computer programs were destroyed ″by order of the GDR (East German) Council of Ministers.″

 

″Honni’s last revenge - I’ll be back,″ was then displayed on screens."

 

More info:

https://groups.google.com/g/fido.ger.virus/c/mZtK_imKOuI

 

Also I swear I got that on my ATARI ST, not Windows 95... so a sophisticated multi attack vector trojan!!!

 

 

It's also not true that you had to delete any files; you only needed the right password to remove it (which I sadly forgot), but otherwise, yeah, your computer remained locked... (I think the Atari one was nastier)

 

Sadly I can't find a picture... it was absolutely hilarious (and annoying lol)

 

4 hours ago, porina said:

It is kinda similar but different in how it works. Speculative execution is doing future work that might be needed, to save time. DMP here is looking at past memory access patterns to predict which chunk of data will be needed next. I believe there are software prefetch commands available for a programmer to use, but DMP would seem to be a generic hardware implementation, so it works on any software to try and seek performance improvements. It'll be interesting to see if AMD/Intel will implement similar in future.

Well, it seems similar, they also do that to save time obviously... I don’t know, I just think these things need to be rethought with security in mind primarily - I think the TPM chips are a thought in the right direction - not sure? But then TPM has also already been compromised long ago, so yeah, it's weird these vulnerabilities remain so persistent. I really think we need to rethink how programs, and by and large computers, work to actually prevent these things (see the example above, stuff like trojans etc. are ancient and hint at fundamental design flaws)

 

 


1 hour ago, Mark Kaine said:

think the TPM chips are a thought in the right direction

I wouldn't call a black box the right direction. The right direction would be to obliterate the "security through obscurity" mentality and the obsession with closed-source sw.


1 hour ago, Mark Kaine said:

I don’t know I just think these things need to be rethought with security in mind primarily

 

On 4/30/2022 at 1:26 PM, Paul Thexton said:

Everything should be treated as potentially hackable.

 

