Sign up
Entertainment

Augury – Using Data Memory-Dependent Prefetchers to Leak Data at Rest

Knowasiak
Knowasiak
1 year ago
51
0
Augury – Using Data Memory-Dependent Prefetchers to Leak Data at Rest

We present a new type of microarchitectural attack that leaks data at
rest: data that is never read into the core architecturally. This
attack technique, Augury, leverages a novel microarchitectural
optimization present in Apple Silicon: a Data Memory-Dependent
Prefetcher (DMP).

At a high level:

We found that Apple processors have a DMP
We found that this DMP prefetches an array-of-pointers dereferencing pattern
We found that you can use this prefetcher to leak data (pointers)
that are never read by any instruction, even speculatively!

No logo, but please do use our fun name!

We had a big team across UIUC, UW, and Tel Aviv University.

Co-first authors:

Jose Rodrigo Sanchez Vicarte (UIUC)
Michael Flanders (UW)
Riccardo Paccagnella (UIUC)
Grant Garrett-Grossman (UIUC)
Adam Morrison (Tel Aviv)
Christopher W. Fletcher (UIUC)
David Kohlbrenner (UW)

What processors are affected?

Only Apple silicon processors are affected. We have confirmed the
existence of the DMP on the A14, M1, and M1 Max. We believe some older A-series
processors and the newest M1-family (M1 Pro, etc.) chips are also
affected but have only confirmed this on the M1 Max.

We have tested several recent families of Intel and AMD processors and
seen no evidence they are affected.

How bad is this?

Right now not that bad! We have not demonstrated any end-to-end
exploits with Augury techniques at this time. Currently, only pointers
can be leaked, and likely only in the sandbox threat model.

If you are counting on ASLR in a sandbox, I’d be worried. Otherwise,
be worried when the next round of attacks using Augury come out 🙂

What exactly is a DMP?

A Data Memory-Dependent Prefetcher (DMP) is a prefetcher that takes
into account the content of memory when deciding what to prefetch. A
conceptually simple (if tricky to implement) DMP is one that watches
the stream of cache lines returned from the memory system, and
attempts a prefetch on any 64-bit chunk that appears to form (or help in
the formation of) a pointer.

What DMP structure did you find?

In Apple Silicon we found an Array-of-Pointers (AoP) DMP. This
prefetcher looks for access patterns of the following form:

for( i=0; i
Read More
Share this on knowasiak.com to discuss with people on this topicSign up on Knowasiak.com now if you’re not registered yet.

Knowasiak
WRITTEN BY

Knowasiak

Hey! look, i give tutorials to all my users and i help them!Bio: About:

Leave a Reply

Your email address will not be published. Required fields are marked *