Researchers find not-too-serious flaw in Apple’s M1, A14 chips

9to5Mac reports that researchers have discovered a new vulnerability that affects Apple’s latest M1 and A14 chips. The Augury Apple Silicon microarchitectural flaw has been demonstrated to leak data at rest but doesn’t appear to be “that bad” at this point, the article adds.

Jose Rodrigo Sanchez Vicarte at the University of Illinois at Urbana-Champaign and Michael Flanders at the University of Washington led a group of researchers who published details on their discovery of the novel Augury microarchitectural Apple Silicon flaw (all details were shared with Apple prior to publishing).

Here are their conclusions (for the technically minded among our readers): Exotic microarchitectural optimizations that leak data never accessed by the core have arrived in mainstream processors and are unlikely to disappear any time soon. The M1 has been rightfully lauded for performance and efficiency, and the recent M1 Pro and Max continue to drive excitement for novel microarchitectural approaches. While exceptional now, we expect that this AoP DMP is only the first of many DMPs to be deployed across all architectures and manufacturers.

Here, we’ve demonstrated that, while difficult to wield, the M1’s DMP is capable of being abused by an adversary. It can read and transmit some types of memory values outside of sandboxes or test the validity of pointers controlled by an attacker. This is despite a single-level pointer-chasing DMP being nearly the worst-case DMP for an attacker, leaking only pointers and only under restricted situations. Thankfully, many particularly worrying scenarios like JavaScript sandboxes already assume that an adversary can leak any value in the virtual address space. These systems are unlikely to have significant security impacts from the M1 DMP. However, given the ease with which the DMP can be activated, it is likely that existing programs and kernels contain latent DMP gadgets that can be leveraged to leak data in their own address spaces.

As with timing attacks, Spectre attacks, and others, we emphasize the need for compiler and program transformation tools to adapt to mitigate data at rest leakage. The M1 DMP is an opportunity to prepare our defensive software techniques for the next generation of microarchitectural attacks.

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.