Apple GoFetch: The Vulnerability Which is Not Easy To Fix
A secure enclave stores your most sensitive secrets, such as the private keys that identify you and your computer. This is typically a private key from a public key pair, and where the exported public key will match the private key. We can then do the processing in the secure enclave and which contains the secret keys:
With this, Bob can store the private key in a secure enclave and then use it to sign a hash of data. He can then send this to Alice and which will check his identity and the integrity of the data using his public key [here]:
If Eve was able to capture Bob’s private key, she could then pretend to be him to Alice. And, so, now, it has been revealed that Apple’s M-series of processors — as used in recent Apple Macbooks — is vulnerable to a side-channel attack and which can reveal the secret keys. This has been named GoFetch.
The focus of the attack is that sensitive data is used as an address, and where data can be converted into an address. This is related to data memory-dependent prefetchers (DMPs) and which is a program that converts data into a memory address. Using this, the research team then managed to capture Diffie-Hellman key exchange and RSA keys, along with post-quantum cryptography keys (CRYSTALS-Kyber and CRYSTALS-Dilithium) [here]:
This is a serious flaw, and it would allow an intruder to discover the most sensitive of secrets from a computer — and even mimic the computer and owner of the computer. Unfortunately, it is not easy to patch, as it relates to the microarchitectural design of the processor. The alterative is to use third-party cryptography libraries, and which will run in software. These will lead to a significant performance hit.
Many other attacks have used prefetchers, and which allow the processor to look ahead for predicted operations, and preload memory with the data that the program is likely to ask for next. These operations can reveal then reveal the operation of cryptographic operation. Typically, though, cryptography is designed to have a constant time response, and where it is not possible to discover any information about the operations used in the processing of the cryptographic operations. The new research shows that it is possible for the processor to confuse memory content for encryption keys with memory pointer values. The dereferencing of the pointer can then reveal the encryption key.
Crypto leaks
The security community has produced some wonderful encryption algorithms, which are ultra secure, but eventually, all the bits end up in silicon and metal, and it’s there, increasingly, that an intruder will place monitors in order to crack the keys.
The cracking of encryption keys has often involved brute force methods, or targeting flaws in its implementation. There is, though, increasing interest in physical side-channel attacks where there is an unintentional information leakage of cryptography information, such as from electromagnetic radiation, power consumption, electric voltage fluctuations, and even sound and thermal variations. Few companies currently protect their devices against side channel attacks, especially as it would prove costly, and require extensive testing with complex equipment.
Devices too are becoming faster, and, as they do, they are likely to emit an increasing amount of radio and electromagnetic (EM) emissions. A 2GHz processor, for example, is running at the same frequency as our wi-fi signals (2.4 GHz), and often the chips are not protected from emitting radio waves, and that is it a natural by-product of the fast operation of the device. As these high frequencies it is often difficult to stop EM emissions and from these being coupled into nearby wires and into other circuits.
Observing the cache
Recently security researchers introduced found a flaw in the GnuPG crypto library. This allowed them to crack a 1,024-bit public key and find the associated private key, and thus decrypt secret data. GnuPG is a standard open source library for cryptography (libgcrypt) and used in Windows, Mac and Linux systems [here]:
The vulnerability has been given an ID of CVE-2017–7526 and is attacked with a local FLUSH+RELOAD side-channel attack, where the “left-to-right sliding window” method leaks information about the exponent bits, and where the full key can be recovered. It involves a Level 3 Cache Side-Channel Attack where the cache memory stores the private RSA key.
The attacker observes the memory utilisation of the cache (or from the electromagnetic radiation emitted in the decryption process). While it may be difficult on physical machines, the researchers outline that it is possible to extract the key from one VM onto another. It is also likely that 2,048 bit RSA could be cracked with the same method, but would require more computing resource to crack.
1,024 bit keys fall to current flows
At the current time the limit of cracking RSA is for 768-bit keys and is attacked using the factorization of the modulus (N), but other methods of using side channel attacks, such as, in 2010, observing the current flows on a processor to crack 1,024-bit keys (in less than 100 hours) [here]:
Radio Attacks
There has been work on cracking the RSA algorithm with acoustic methods, along with electromagnetic and voltage variations. Now researchers have taken a significant step forward in a paper entitled [here]:
ECDH Key-Extraction via Low-Bandwidth Electromagnetic Attacks on PCs
Within this paper, the authors outline the cracking of ECDH (Elliptic Curve Diffie-Hellman) which is one of the most popular key exchange methods, and is often used when connecting to sites such as Microsoft Live, Google and Facebook.
In their work they attack the ECDH public key encryption algorithm, and measure electromagnetic changes. It uses carefully chosen ciphertext, and a time-frequency signal analysis technique, in order to crack the key. This releases the decryption key within seconds, including from an antenna in another room.
ECDH is now a popular method, and is basically the Diffie-Hellman key exchange method with the usage of elliptic curve methods.
Power analysis
The work of modulating the power rails on chips is well documented for discovering encryption keys, where the security and protection of the key is reduced. There has also been work on a “cold boot” where the memory chips are frozen, and which keep their bit states:
Differential Power analysis on SIM cards
So up to now, we all thought that SIM cards were secure from most types of attack. But Prof Yu-Yu from Shanghai Jiao Tong University has now shown that 3G/4G SIM cards, using 128-bit AES, can be hacked — so the nightmare of SIM card cloning could come true [paper].
The access to SIM encryption keys is a key focus for law enforcement, and it was highlighted earlier in the year when law enforcement agents were suspected of stealing the billions of encryption keys from Dutch SIM card manufacturer Gemalto. These keys would allow access to both the data and voice messages on the phones.
In his Black Hat USA 2015 presentation this week Prof Yu-Yu outlined how a differential power analysis method that recovers encryption keys from SIM cards and which allows them to be cloned. Overall it takes 10–40 minutes to recover the key, and his method has succeeded on eight of the most popular SIM card manufacturers.
He uses basically an oscilloscope to capture the power changes and a MP300-SC2 protocol analyser, along with a PC to analyse the cryptography (Figure 1). The work uses Differential Power Analysis (DPA). With Simple Power Analysis (SPA) we monitoring the power consumed by the processor, and this can give hints on the contents of its registers and data buses.
With DPA, the chips are given some tests for encryption, and then the power levels are observed for the chips, after which they are analysed to show a correlation of the bit patterns used (Figure 2). The differences in the encryption process are then used to crack the key. For example, we take some test data, and apply a range of keys to the device, and watch the power levels. Each of the power consumption levels will change depending on the activity within the chip.
DPA and CPA on AES cracking
The work we have done here cracks 128-bit AES in less than 30 minutes on an Arduino device using power analysis attacks on the AES-128 S-box with differential power analysis (DPA) and correlation power analysis (CPA) [here]:
https://youtu.be/7D-Hr4Nw0T4?t=21m30s
Conclusions
GoFetch is a serious vulnerability and not easy to fix, without a significant performance hit. This is going to be costly for Apple.
