
Unpatchable Bug in Apple M1, M2 and M3 silicon

bizzehdee

Summary

There is a silicon design level bug in the Apple M1, M2 and M3 SoCs, and the only way to get rid of it is to release the M4 and throw all M1/2/3 systems away.

 

Quotes

Quote

This is unpatchable, but requires direct device access

 

My thoughts

This would have been hard to find; it would have taken a lot of people a lot of time, specifically looking for this sort of thing, to find it. To dedicate that time to finding this means that it is worth the time to find this, showing that the Apple Silicon chips are now popular enough in the general public to warrant somebody looking for this.

 

Sources

 

https://gofetch.fail/

https://gofetch.fail/files/gofetch.pdf

 


Ars Technica source:

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

It appears it can be mitigated, but only by third-party cryptographic software.

It seems that it doesn't need root access to be performed, and takes advantage of DMPs and predictive memory access.

Both the attack and the target need to be run on the same cluster.

Quote

The attack, which the researchers have named GoFetch, uses an application that doesn’t require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster—even when on separate cores within that cluster—GoFetch can mine enough secrets to leak a secret key.

 

Also interesting to note that DMPs are also found in 13th gen Intel.

"A high ideal missed by a little, is far better than low ideal that is achievable, yet far less effective"

 

If you think I'm wrong, correct me. If I've offended you in some way tell me what it is and how I can correct it. I want to learn, and along the way one can make mistakes; Being wrong helps you learn what's right.


For those who care about more than pointing and laughing at Apple, here's some detail:

Quote

GoFetch is a microarchitectural side-channel attack that can extract secret keys from constant-time cryptographic implementations via data memory-dependent prefetchers (DMPs).

We show that DMPs are present in many Apple CPUs and pose a real threat to multiple cryptographic implementations, allowing us to extract keys from OpenSSL Diffie-Hellman, Go RSA, as well as CRYSTALS Kyber and Dilithium.

 


38 minutes ago, Lightwreather said:

Also interesting to note that DMPs are also found in 13th gen intel

Still reading through this, but the link in OP also says:

Quote

Finally, we found that Intel's 13th Gen Raptor Lake microarchitecture also features a DMP. However, its activation criteria are more restrictive, making it robust to our attacks.

 

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


Reading more, it looks like M3 and Raptor Lake support a feature where software can request that the CPU disable the feature enabling the vulnerability. As it will hit performance, it looks like it is up to the cryptographic software to only turn it on when required. It is ambiguous whether M1/M2 don't support it at all, or it is not effective in some way.

 

I'm more concerned that this feature may be used by malware to make your system go slower. I don't know how it is communicated e.g. if the OS can override it.

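As an added illustration of what "software can request the CPU to disable the feature" looks like in practice (example code written for this thread, not from the GoFetch authors or any of the posters): on arm64 the request is the PSTATE.DIT bit, and the wrapper below sets it around a constant-time routine, restores it afterwards, and on chips or platforms without FEAT_DIT reports that the routine ran unguarded. The detection names (hw.optional.arm.FEAT_DIT on macOS, HWCAP_DIT on Linux) and the reading that DIT is the feature the post means are assumptions, stated again in the comments.

```c
/* dit_guard.c: run a constant-time routine with PSTATE.DIT set on arm64.
 * Added example for this thread; not code from the posters or the GoFetch
 * authors. Assumptions: the opt-in the post describes is the ARMv8.4 DIT bit
 * (the GoFetch site says setting it on M3 disables the DMP); FEAT_DIT is
 * detected via hw.optional.arm.FEAT_DIT (macOS) or HWCAP_DIT (Linux). */
#include <stddef.h>
#include <stdint.h>
#if defined(__aarch64__) && defined(__APPLE__)
#  include <sys/sysctl.h>
#elif defined(__aarch64__) && defined(__linux__)
#  include <sys/auxv.h>
#  include <asm/hwcap.h>
#endif

/* 1 if this CPU and OS expose FEAT_DIT, else 0 (always 0 off arm64). */
int dit_supported(void)
{
#if defined(__aarch64__) && defined(__APPLE__)
    int v = 0; size_t len = sizeof v;
    return sysctlbyname("hw.optional.arm.FEAT_DIT", &v, &len, NULL, 0) == 0 && v;
#elif defined(__aarch64__) && defined(__linux__)
    return (getauxval(AT_HWCAP) & HWCAP_DIT) != 0;
#else
    return 0;
#endif
}
#if defined(__aarch64__)
/* PSTATE.DIT is bit 24 of the DIT system register (encoding S3_3_C4_C2_5). */
#define DIT_BIT (1ULL << 24)
static uint64_t dit_read(void) { uint64_t v; __asm__ volatile("mrs %0, S3_3_C4_C2_5" : "=r"(v)); return v; }
static void dit_write(uint64_t v) { __asm__ volatile("msr S3_3_C4_C2_5, %0" : : "r"(v) : "memory"); }
#endif
/* Run op(ctx) with DIT set and restore the previous DIT state afterwards.
 * Returns 1 if op ran under DIT, 0 if DIT was unavailable and op ran bare. */
int run_with_dit(void (*op)(void *), void *ctx)
{
#if defined(__aarch64__)
    if (dit_supported()) {
        uint64_t saved = dit_read();
        dit_write(saved | DIT_BIT);
        op(ctx);
        dit_write(saved);   /* restore: leaving DIT on costs performance */
        return 1;
    }
#endif
    op(ctx);
    return 0;
}

/* Constant-time tag comparison: the kind of routine GoFetch targets, since
 * its timing must not depend on the secret bytes it touches. 1 iff equal. */
int ct_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint32_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint32_t)(a[i] ^ b[i]);
    return (int)((diff - 1u) >> 31);
}

struct cmp_job { const uint8_t *a, *b; size_t n; int equal; };
static void cmp_op(void *p) { struct cmp_job *j = p; j->equal = ct_equal(j->a, j->b, j->n); }

/* Compare two 16-byte MAC tags under DIT; *guarded reports whether DIT was on. */
int compare_tags(const uint8_t tag_a[16], const uint8_t tag_b[16], int *guarded)
{
    struct cmp_job j = { tag_a, tag_b, 16, 0 };
    *guarded = run_with_dit(cmp_op, &j);
    return j.equal;
}
```

A caller that gets `guarded == 0` back knows the comparison ran without the hardware opt-in and can decide whether that is acceptable for the key in question.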

Just like the rest of the CPU vulnerabilities that have popped up recently, if something requires physical access to the device, then the exploit doesn't even matter.


1 hour ago, Lunar River said:

Just like the rest of the CPU vulnerabilities that have popped up recently, if something requires physical access to the device, then the exploit doesn't even matter.

The end-user has physical access. So it's a moot point when they open up a malicious link or app coded to exploit and exfiltrate sensitive information.


2 hours ago, antonymagnus said:

Yeah, good thing for me to find this out 'cause I was gonna buy me a shiny new Maccie laptop soon. The funny thing is, didn't they axe Intel for the same thing? The vulnerabilities

No, Apple ditched Motorola/IBM and later Intel largely over the lack of innovation in the CPU to keep the TDP down. Ever notice how you can get 8 hours of life out of iPhones, iPads, and MacBooks, and you have to try really hard to get less? Now try that with any Intel laptop, and you might get 2 hours out of most laptops if you try to use it like a desktop. Only some of the crappiest laptops (e.g. the Y and U parts) get long run times, but they have the most miserable performance and are on the level of tenths of the performance of a desktop.

 


On 3/24/2024 at 9:46 PM, Kisai said:

No, Apple ditched Motorola/IBM and later Intel largely over the lack of innovation in the CPU to keep the TDP down. Ever notice how you can get 8 hours of life out of iPhones, iPads, and MacBooks, and you have to try really hard to get less? Now try that with any Intel laptop, and you might get 2 hours out of most laptops if you try to use it like a desktop. Only some of the crappiest laptops (e.g. the Y and U parts) get long run times, but they have the most miserable performance and are on the level of tenths of the performance of a desktop.

 

I agree to some extent. The battery life is usually better on MacBooks but Ryzen and even Intel CPUs have caught up a lot over the past few years. I'm getting 8 hours of use at work on my 16" 13th gen Intel laptop and I could get much more with less intensive use cases, and the results are better on the 14th gen. Still not Apple-level but pretty close and I would take that over the Apple tax and still enjoy the extra flexibility on the Windows side. The performance also exceeds what I would get on the M2 MBA that I was considering getting.

 

In any case, as my colleague pointed out this morning, for us it just means that we can ask our employer to upgrade our work MacBook Pros as soon as the M4 chips become available if they don't want their "highly" confidential data to be compromised.


On 3/24/2024 at 10:46 PM, Kisai said:

e.g. the Y and U parts) get long run times, but they have the most miserable performance and are on the level of tenths of the performance of a desktop

TBH my 5200"U" barely lasts 2 hours on battery, and performance isn't actually that bad: plays almost everything between PS360 and PS4 gen / low settings, so IDK, that seems almost backwards to me.

 

What's also funny is that the "Nvidia" GPU in this laptop is barely faster than the Intel iGPU... granted it's still faster, but not by much (around 10%).

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


On 3/26/2024 at 1:21 PM, IAmAndre said:

I agree to some extent. The battery life is usually better on MacBooks but Ryzen and even Intel CPUs have caught up a lot over the past few years. I'm getting 8 hours of use at work on my 16" 13th gen Intel laptop and I could get much more with less intensive use cases, and the results are better on the 14th gen. Still not Apple-level but pretty close and I would take that over the Apple tax and still enjoy the extra flexibility on the Windows side. The performance also exceeds what I would get on the M2 MBA that I was considering getting.

 

In any case, as my colleague pointed out this morning, for us it just means that we can ask our employer to upgrade our work MacBook Pros as soon as the M4 chips become available if they don't want their "highly" confidential data to be compromised.

Yeah, so you reward them for this, why?


1 hour ago, Mark Kaine said:

Yeah, so you reward them for this, why?

Basically every major modern chip has some form of zero-day bugs: Ryzen, Core et al.

 

All the tricks we like to do to keep pushing performance have a cost.

My Folding Stats - Join the fight against COVID-19 with FOLDING! - If someone has helped you out on the forum don't forget to give them a reaction to say thank you!

 

The only true wisdom is in knowing you know nothing. - Socrates
 

Please put as much effort into your question as you expect me to put into answering it. 

 

  • CPU
    Ryzen 9 5950X
  • Motherboard
    Gigabyte Aorus GA-AX370-GAMING 5
  • RAM
    32GB DDR4 3200
  • GPU
    Inno3D 4070 Ti
  • Case
    Cooler Master - MasterCase H500P
  • Storage
    Western Digital Black 250GB, Seagate BarraCuda 1TB x2
  • PSU
    EVGA Supernova 1000w 
  • Display(s)
    Lenovo L29w-30 29 Inch UltraWide Full HD, BenQ - XL2430(portrait), Dell P2311Hb(portrait)
  • Cooling
    MasterLiquid Lite 240

22 minutes ago, GOTSpectrum said:

Basically every major modern chip has some form of zero-day bugs: Ryzen, Core et al.

 

All the tricks we like to do to keep pushing performance have a cost.

What are the current Intel and AMD vulnerabilities tho?

 

I'm just honestly wondering why support something that's known to be lacking in certain aspects (and did they even fix it yet? When Intel/AMD had these issues years ago they at least fixed it ASAP, i.e. Spectre/Meltdown).


3 hours ago, Mark Kaine said:

TBH my 5200"U" barely lasts 2 hours on battery, and performance isn't actually that bad: plays almost everything between PS360 and PS4 gen / low settings, so IDK, that seems almost backwards to me.

 

What's also funny is that the "Nvidia" GPU in this laptop is barely faster than the Intel iGPU... granted it's still faster, but not by much (around 10%).

Considering that's a 9 year old chip, I doubt you'd get 8 hours today. 

 

Intel parts generally go

Xeon (no power saving)

X/KF (little power saving)

K/KS (little power saving)

H/HX (little power saving / Mobile)

non-K/T

U

Y

[image: power efficiency chart, top of the ranking]

Those are the "most power efficient"

H/HX/T/non-K are way down here:

[image: power efficiency chart, lower part of the ranking]

Notice where the M1 is.

This is where the highest energy efficient Apple is

[image: power efficiency chart, Apple parts]

 

 

Now re-compare this on the performance graph:

 

[image: performance chart, M1 8 core]

So the M1 8 core is similar to the i5 1334U and i3-12100E/F in performance.

 

Meanwhile the 20 core:

[image: performance chart, 20 core]

Note the 14th gen HX part AND the 12900K/KF and the Ryzen ThreadRipper PRO are pretty close.

 

 

Apple's parts are running circles around the Intel parts, for obvious reasons. The 20 core is 16+4 at 60W TDP, the M1 8 core is 4+4 at 15W.

 

The 12900TE is 35W, the 12900KF is 241W.

 

So the Apple M1 Ultra 20 core has the same performance as an Intel chip with 4 times the TDP. The M1 8 core is a bit less than half the TDP of the closest Intel part.

 

By any reasonable measure, what is crippling Apple is the adherence to these crappy "ultrabook" designs that have thin, hot batteries that don't last very long. People like "thin and light" laptops, but they are the absolute worst performers, and when they are paired with small batteries, it makes them completely pointless to have.

 

You know how long a battery should last in a laptop? As standard? It should last the same as the longest flight/train ride someone can reasonably expect to take. So NYC to Shanghai is about 19 hours. The trans-siberian train is 7 days. The longest train ride in North America is about 4 days (Vancouver to Toronto) or 3 days (Seattle WA to Chicago / Emeryville CA to Chicago / LA to Chicago).

 

So the most reasonable "battery life" someone should expect from a laptop is 7 days of standby time with about 60 hours of active runtime. What does the Apple Macbook Air actually get? 17 hours of active runtime (Pro gets 19, Pro max gets 22.) This is a far cry from the worst-case scenario. However if you use the US or Canada travel time, it's probably fine, which is 4 days of standby time with 35 hours of active time. Really the battery length in the Pro will last you the flight from NYC to Shanghai, and most Americans would rather fly than drive/train.

 

This also intentionally ignores that trains and ferries generally have had native power outlets since the 80s, whereas airplanes might not have any at all. If a laptop is under 65W, you can just take along additional USB-C batteries. Good luck taking those on an airplane, but you can on trains and ferries.

 

 


13 hours ago, Kisai said:

If a laptop is under 65W, you can just take along additional USB-C batteries. Good luck taking those on an airplane, but you can on trains and ferries.

Well you can use a power bank. I'm able to charge my MBA at 65W with my 20,000 mAh power bank, which is around 75Wh. There are bigger ones out there. This same power bank is also able to charge my 2023 LG Gram, with its Core i7 1360P and RTX 3050. The 2024 version is even more power efficient, so it's a good time to be an ultrabook owner, whether it's a Mac or not.

13 hours ago, Kisai said:

The 12900KF is 241W

 

So the Apple M1 Ultra 20 core has the same performance as an Intel chip with 4 times the TDP.

I don't find this particularly relevant. The Intel CPU is still more powerful and MUCH cheaper than the Mac Pro. Since none of them relies on a battery, it would take forever for the energy cost savings to make up for the actual price of the hardware. I would still consider Intel but more particularly AMD as the better option on the desktop side.

 


On 3/22/2024 at 10:28 PM, bizzehdee said:

This would have been hard to find, it would have taken a lot of people, a lot of time, specifically looking for this sort of thing to find it. To dedicate that time to finding this, means that it is worth the time to find this, showing that the Apple Silicon chips are now popular enough in the general public to warrant somebody looking for this.

Not necessarily, there are people whose job it is to do this sort of research, as well as bug bounties by Apple and others to incentivize them. Not that I think Apple silicon Macs are unpopular, just that this isn't really an indication of either.

34 minutes ago, IAmAndre said:

I don't find this particularly relevant. The Intel CPU is still more powerful and MUCH cheaper than the Mac Pro. Since none of them relies on a battery, it would take forever for the energy cost savings to make up for the actual price of the hardware. I would still consider Intel but more particularly AMD as the better option on the desktop side.

Not to mention the ability to expand your memory.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


16 hours ago, Kisai said:

By any reasonable measure, what is crippling Apple is the adherence to these crappy "ultrabook" designs that have thin, hot batteries that don't last very long. People like "thin and light" laptops, but they are the absolute worst performers, and when they are paired with small batteries, it makes them completely pointless to have.

Nothing of this applies to Apple's current Ultrabooks, aka the MBP. The battery capacity of the 16" model is identical to what the FAA allows on airplanes.


On 4/3/2024 at 11:25 AM, Mark Kaine said:

What are the current Intel and AMD vulnerabilities tho?

Have you already forgotten all the side channel stuff? That still exists, only some vectors have been patched, some done via OS/software but it's true all CPUs have "errata" aka bugs.

 

Intel publishes them, not sure if this is all of them for 13th Gen but you get the gist:

https://edc.intel.com/content/www/us/en/design/products/platforms/details/raptor-lake-s/13th-generation-core-processor-specification-update/errata-details/


23 hours ago, Kisai said:

Xeon (no power saving)

X/KF (little power saving)

K/KS (little power saving)

You have these reversed, Xeons do have power saving and all the Intel Turbo technologies. Intel Core K etc SKUs are far worse power efficiency wise to Xeons at the same core counts. Intel doesn't sell anything without C-States & P-States, for a long time now, but I do get the point you are trying to make but Xeon has more "power saving" than Intel Core K/KS etc etc does.

 

23 hours ago, Kisai said:

Apple's parts are running circles around the Intel parts, for obvious reasons. The 20 core is 16+4 at 60W TDP, the M1 8 core is 4+4 at 15W.

 

The 12900TE is 35W, the 12900KF is 241W.

 

So the Apple M1 Ultra 20 core has the same performance as an Intel chip with 4 times the TDP. The M1 8 core is a bit less than half the TDP of the closest Intel part.

Passmark benchmark scores are among some of the most worthless though, sure the Apple chips are more efficient and have the performance as well but it's not to the degree that Passmark shows in their scoring.

 

Like all these aggregated benchmark suites that give a final scoring you are subjected to their interpretation of scoring and how they balance that across each performance test measurement. For example CPU A could have double the INT performance of CPU B but one quarter the FP performance and CPU A could also have hardware encryption acceleration, meaning CPU A would "score" higher but odds are for most applications and especially gaming you would be much better by a huge amount choosing CPU B and this is not reflected in a "benchmark score".


7 minutes ago, leadeater said:

Have you already forgotten all the side channel stuff? That still exists, only some vectors have been patched, some done via OS/software but it's true all CPUs have "errata" aka bugs.

 

Intel publishes them, not sure if this is all of them for 13th Gen but you get the gist:

https://edc.intel.com/content/www/us/en/design/products/platforms/details/raptor-lake-s/13th-generation-core-processor-specification-update/errata-details/

I mean, I know all CPUs have vulnerabilities, but I meant big, easy to exploit ones. A lot of those vulnerabilities / bugs you hear about being the next thing basically need users to download and consequently install stuff (in some fashion), at least in my impression.

 

And nah, I'm not sure what side-channel stuff means, I'll have to look that up.

 

 

PS: In computer security, a side-channel attack is any attack based on extra information that can be gathered because of the fundamental way a computer protocol or algorithm is implemented, rather than flaws in the design of the protocol or algorithm itself or minor, but potentially devastating, mistakes or oversights [...]

 

So this is basically like Spectre? "branch prediction" yada yada or similar?

 

Still would be interesting if they need user interaction or not IMO?

 

PS2: Well, I don't agree with the description, these *are* inherent flaws, get better software devs. 😜

 


3 minutes ago, Mark Kaine said:

I mean, I know all CPUs have vulnerabilities, but I meant big, easy to exploit ones. A lot of those vulnerabilities / bugs you hear about being the next thing basically need users to download and consequently install stuff (in some fashion), at least in my impression.

This is not easy to exploit and is functionally just as difficult as the Intel and AMD side-channel vulnerabilities.

 

3 minutes ago, Mark Kaine said:

And nah, I'm not sure what side-channel stuff means, I'll have to look that up.

This Apple vulnerability is also a side-channel exploit.
