Jump to content
7 posts in this topic

Recommended Posts

https://cryptonews.com/news/security-vulnerability-in-apples-m-series-chips-puts-mac-users-crypto-private-keys-at-risk.htm

 

Fundamental Weakness in Apple’s M-Series Chips Security Poses Threat to Crypto Holders

Unlike typical vulnerabilities that can be addressed through software patches, this particular flaw resides in the microarchitectural design of the chips themselves, rendering it “unpatchable.” 

 

To mitigate the issue, third-party cryptographic software would need to be employed, but this could severely impact the performance of earlier M-series chips, including the M1 and M2.

 

  • Sad 2

*Sigh*
 

- Nobody knows whether this is unpatchable, this is made up by ignorant news outlets.

- This has nothing to do with first- vs third-party.

- M3 is immune when following the correct guidelines and all Apple cryptographic libraries do.

- Stuff like FV2 is done by the SoC. While crypto operations on secret data may require slower algos on M1 and M2, they can be employed very localised. I don’t think general-purpose stuff would really suffer much on average.

  • Like 1
On 3/30/2024 at 9:08 AM, mhaeuser said:

*Sigh*
 

- Nobody knows whether this is unpatchable, this is made up by ignorant news outlets.

- This has nothing to do with first- vs third-party.

- M3 is immune when following the correct guidelines and all Apple cryptographic libraries do.

- Stuff like FV2 is done by the SoC. While crypto operations on secret data may require slower algos on M1 and M2, they can be employed very localised. I don’t think general-purpose stuff would really suffer much on average.

 

Given the list of researchers:

 

The team of researchers consists of:

  • Boru Chen, University of Illinois Urbana-Champaign
  • Yingchen Wang, University of Texas at Austin
  • Pradyumna Shome, Georgia Institute of Technology
  • Christopher W. Fletcher, University of California, Berkeley
  • David Kohlbrenner, University of Washington
  • Riccardo Paccagnella, Carnegie Mellon University
  • Daniel Genkin, Georgia Institute of Technology

And an actual exploit exists:

https://gofetch.fail/

 

It does not appear that this is made up by ignorant news outlets.

 

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

  • 2 weeks later...

@mek21 Thanks for stating the obvious, you clearly did not understand my post at all. What was made up by ignorant news outlets is that it is unpatchable. This word does not appear in the research at all, the news added it out of the blue. In fact, we now have proof that it is indeed patchable: https://social.treehouse.systems/@marcan/112238385679496096

 

 

  • Like 1
On 4/10/2024 at 5:41 AM, mhaeuser said:

@mek21 Thanks for stating the obvious, you clearly did not understand my post at all. What was made up by ignorant news outlets is that it is unpatchable. This word does not appear in the research at all, the news added it out of the blue. In fact, we now have proof that it is indeed patchable: https://social.treehouse.systems/@marcan/112238385679496096

 

 

Refences a linux patch:

So yeah, as I predicted, GoFetch is entirely patchable. I'll write up a patch for Linux to hook it up as a CPU security bug workaround.

 

Perhaps you did not understand my post.

@mek21 So Linux is not software, but a magical unicorn mitigating the vulnerability with fairy dust? Maybe Apple should hire their own fairies…

 

For the people who actually care about the technical facts, likely Apple will augment their current DIT API implementation with toggling this chicken bit next release and that’s the end of it - “unpatchable” vulnerability fully resolved.

Edited by mhaeuser
  • 3 weeks later...
On 4/12/2024 at 3:44 PM, mhaeuser said:

@mek21 So Linux is not software, but a magical unicorn mitigating the vulnerability with fairy dust? Maybe Apple should hire their own fairies…

 

For the people who actually care about the technical facts, likely Apple will augment their current DIT API implementation with toggling this chicken bit next release and that’s the end of it - “unpatchable” vulnerability fully resolved.

The point is not well considered as the researchers were not contemplating a patchability issue for users running linux on mac hardware.

×
×
  • Create New...