Welcome to the world of GoFetch!

What is GoFetch?

GoFetch is a family of Side-Channel Attacks on recent Apple silicon CPUs that exploits the CPU's on-chip data memory-dependent prefetcher (DMP) and Cache to investigate the contents of memory. CPUs affected include the M1, M2, M3 and A14 series system-on-a-chip processors.

Basic Knowledges

This webpage aims to offer viewers a comprehensive introduction to the working mechanisms of GoFetch. Before diving into detailed explanations and simulations, please make sure you have a basic understanding of the following concepts:

  • Cache
  • DMP
  • Side-Channel Attacks

If you are unfamiliar with any of the terms, please click on the term and explore the underlying principles and mechanisms.

If you are ready, LET's GET START!!!

Example: Hack the ct-swap Program

CT-Swap

We have already learned that if the time required for the program to run under different branches is various, we can obtain the running information of the program by measuring the time.

Such as, if we use the function shown below to swap values in two arrays, the attacker could easily deduce the secret, because when secret == False, the function would terminate much more quickly than when secret == True.

                    
void swap(boolean secret, int[] a, int[] b, int len) {
    if (secret) {
        for (int i = 0; i < len; i++) {
            int tmp = a[i];
            a[i] = b[i];
            b[i] = tmp;
        }
    }
}

Thus, we should use a constant-time swap function to enhance the system security. ct-swap program is a constant-time swap primitive used in various cryptographic implementations. No matter what value the secret takes, the function would terminate in a constant time.

                    
void ct-swap(int secret, int[] a, int[] b, int len) {
    int delta;
    int mask = ~(secret - 1);
    for (int i = 0; i < len; i++) {
        delta = (a[i] ^ b[i]) & mask;
        a[i] = a[i] ^ delta;
        b[i] = b[i] ^ delta;
    }
}

By using ct-swap, the attacker can't guess program running branches by measuring the execution time. However, DMP makes it different.

Understanding the Vulnerability

Data Memory-dependent Prefetchers (DMPs) are hardware optimizations designed to speed up irregular memory access patterns by prefetching data into the cache based on the contents of data memory. However, this behavior can be exploited to leak sensitive information, even from constant-time cryptographic implementations.

Here's a simplified explanation of how DMPs can be leveraged in an attack:

  1. The attacker crafts input data that, when processed by the ct-swap program, results in intermediate states that resemble pointers.
  2. The DMP, which attempts to prefetch data based on these intermediate states, brings sensitive data into the cache.
  3. The attacker then measures the cache state to infer information about the sensitive data.

Detailed Steps

The following steps outline how an attacker can use GoFetch to exploit the ct-swap program:

  1. Craft Inputs: The attacker carefully constructs a set of data to make a[] is filled with ordinary values and b[] is filled with values that look like addresses. DMP will prefetch the data pointed to by the addresses in b[] and tag b[] with a scanned label.
  2. Run Prime&Probe: The attacker starts running Prime&Probe to continuously load data and control the cache.
  3. Run ct-swap: If secret == False, the data in a[] and b[] are not swapped, and DMP does not work. If secret == True, the data in a[] and b[] are swapped. Since a[] satisfies the conditions of 'don't have scanned label' and 'values seem like addresses', DMP will be activated, moving the data pointed to by the addresses to the cache.
  4. Measure Time: If the Prime&Probe program running continuously in the background detects an increase in access cache time, it proves that other data has been written to the cache after ct-swap has been run. Attackers can use this to infer the running information of the secret program.

Simulation of Attack

Let's simulate an attack using GoFetch on a simplified program which simulates the cache, ct-swap funciton, and the attacker!

Defense Mechanisms

To mitigate such attacks, developers can employ several defense mechanisms:

  • Disable Prefetchers: Disabling DMPs at the hardware level can prevent such attacks, though it might affect performance.
  • Constant-Time Programming: Ensure that cryptographic operations do not create data-dependent memory access patterns.
  • Cache Partitioning: Use techniques like cache partitioning to isolate sensitive data from attacker-controlled processes.

Conclusion

This example highlights the importance of understanding hardware mechanisms like DMPs and their potential security implications. By studying and simulating attacks, developers can better protect their applications against sophisticated side-channel attacks.

For more detailed information on GoFetch and its capabilities, please refer to the full research paper.