Augury is a Novel Microarchitectural Attack Affecting Apple Silicon : Augury is an exploit described by researchers from the University of Illinois Urbana-Champaign, the University of Washington, and Tel Aviv University that leaks data at rest on contemporary Apple processors, notably the A14 and M1 families.
Augury may be the first of a new class of attacks that leak data while it is still in memory, before it reaches the processor core. This creates a fundamentally different scenario than the one we’ve seen with side-channel vulnerabilities, which might expose data in use, i.e. data accessed and transferred in an unsafe manner.
Special microarchitectural optimizations like silent stores, cache compression, and data memory-dependent prefetchers, according to the researchers, can lead to data leakage at rest (DMP). Data-at-rest attacks, they claim, have only been a theoretical possibility until now. Augury appears to be the first to show that such exploits, specifically employing DMP, are possible in the field.
Augury is a Novel Microarchitectural Attack Affecting Apple Silicon
In truth, Apple’s M1, M1 Max, M1 Pro, and A14 processors all include an Array-of-Pointers prefetcher, which is used to prefetch the result of dereferencing those pointers before they’re used. This approach can dereference memory addresses that are outside of the array’s bounds.
This act of dereferencing the out-of-bounds pointer (potentially even if it is not actually a pointer!) creates a memory side channel that an attacker can use to learn the pointer.
While DMPs have been proven to have terrible security implications in theory, this does not appear to be the case with Apple’s CPUs. To begin with, finding the activation pattern for the Apple M1 AoP is not easy because to the lack of documentation. As one of the researchers who discovered Augury, David Kohlbrenner, puts it, the type of DMP enabled by Apple CPUs is “about the weakest DMP and attacker can get”:
It only prefetches when content is a valid virtual address, and has number of odd limitations. We show this can be used to leak pointers and break ASLR. We believe there are better attacks possible.
Sandboxing is a well-known approach that already assumes that an attacker might leak any value in the virtual address space, according to the researchers. As a result, it appears that sandboxed systems are immune to the M1 DMP. This does not negate the fact that the attack should be taken seriously, as existing non-sandboxed programmes and kernels may be compromised, leaking data in their address spaces.
Augury has created an entirely new environment for both attackers and defenders. Because DMP vulnerabilities are relatively new, there is limited knowledge about how they might be exploited. However, the researchers believe that this will spur new efforts to create new exploit scenarios. The existence of DMP will necessitate new ways by defenders to secure data that is not being used.