Researchers from the University of Illinois Urbana-Champaign, Tel Aviv University, and the University of Washington have demonstrated a vulnerability in the Data Memory-Dependent Prefetcher (DMP) found only in Apple Silicon, nicknamed “Augury.” If abused, the flaw could allow attackers to steal “at rest” data: memory contents that the processing cores have not touched are exposed, not just data that is actively in use.
Augury abuses Apple Silicon’s DMP. This prefetcher tries to increase system speed by inspecting memory content so that it can fetch data before it is required. Memory access is usually limited and compartmentalised to improve system security; the company’s DMP, however, can read unrelated memory addresses and attempt to prefetch them up to its prefetch depth.
The infamous Spectre/Meltdown flaws also rely on the processor predicting what data the system will require before it is requested (hence the term speculative execution). But while side-channel vulnerabilities like Spectre and Meltdown can only leak data that is currently in use, the Cupertino giant’s DMP has the potential to disclose the full memory content even when it isn’t being used. Because of the DMP’s design, some of the already-engineered remedies for speculative execution vulnerabilities, namely those that rely on regulating what is visible to the processing cores, are rendered useless.
The DMP is found in all of Apple’s major recent SoCs: the A14, which powers the 4th Gen iPad Air and the 12th Gen iPhones, the M1, and the M1 Max.
Although the researchers have so far only demonstrated the problem on Apple’s M1 Max, they believe that other Apple silicon chips, including pre-A14 SoCs, the M1 Pro, and the M1 Ultra, are also vulnerable.
The researchers added that Apple is fully aware of their findings, but that the California-based company has not revealed any plans for deploying mitigations.