Skip to main content

Apple Silicon Exclusively Hit With World-First "Augury" DMP Vulnerability

Apple Augury vulnerability disclosed
(Image credit: Shutterstock)

Apple has achieved yet another world-first, but this time the achievement comes closer to a poisoned apple than to a positive turn of events. A team of researchers with the University of Illinois Urbana-Champaign, Tel Aviv University, and the University of Washington have demonstrated a world-first Data Memory-Dependent Prefetcher (DMP) vulnerability, dubbed "Augury," that's exclusive to Apple Silicon. If exploited, the vulnerability could allow attackers to siphon off "at rest" data, meaning the data doesn't even need to be accessed by the processing cores to be exposed.

Augury takes advantage of Apple Silicon's DMP feature. This prefetcher aims to improve system performance by being aware of the entire memory content, which allows it to improve system performance by pre-fetching data before it's needed. Usually, memory access is limited and compartmentalized in order to increase system security, but Apple's DMP prefetch can overshoot the set of memory pointers, allowing it to access and attempt a prefetch of unrelated memory addresses up to its prefetch depth.

If you feel your mind grasping at a certain familiarity with this, it's likely because the infamous Spectre/Meltdown vulnerabilities also try and speculate what data will be required by the system before it's even requested (hence the term speculative execution). But while side-channel vulnerabilities such as Spectre and Meltdown are only capable of leaking in-use data, Apple's DMP can potentially leak the entire memory content even if it's not being actively accessed. The nature of Apple's DMP also renders void some of the already-engineered fixes for speculative execution vulnerabilities — those that rely on controlling what is visible to the processing cores.

The researchers have so far found that Apple's A14 SoC (which powers the 4th Gen iPad Air and 12th Gen iPhones), M1, and M1 Max all feature the DMP solution. They speculate that other Apple Silicon chips such as pre-A14 SoC as well as the M1 Pro and M1 Ultra also carry the same vulnerability, although the researchers have only so far successfully demonstrated the vulnerability's existence on Apple's M1 Max.

The researchers further stated that Apple is fully aware of their discoveries, but say that the California-based company hasn't shared plans for whether or not they'll deploy mitigations.

Francisco Pires
Francisco Pires

Francisco Pires is a freelance news writer for Tom's Hardware with a soft side for quantum computing.

  • hotaru.hino
    Seems like predicting the future and being secure is mutually exclusive.

    But I guess "predicting the future" falls under convenience.
    Reply
  • JarredWaltonGPU
    hotaru.hino said:
    Seems like predicting the future and being secure is mutually exclusive.

    But I guess "predicting the future" falls under convenience.
    I predict more security vulnerabilities for the foreseeable future. 🙃
    Reply
  • mogster
    Any word yet on active exploits or mitigations?
    Reply
  • hotaru251
    if this is indeed liek meltdown/specter....Guess who's CPU's are about to get gutted in mitigation fixes.
    Reply
  • Alvar "Miles" Udell
    Depends on how hard it is to actually take advantage of. Spectre and Meltdown, for example, are incredibly difficult to execute, and unless I missed it they have never been exploited in the wild, only in the lab, so I wouldn't be surprised if this never gets "fixed".
    Reply
  • digitalgriffin
    Admin said:
    Apple achieves a "poisoned" world first as a research team describes a new DMP vulnerability dubbed Augury, which enables data theft at rest from Apple's SoCs.

    Apple Silicon Exclusively Hit With World-First "Augury" DMP Vulnerability : Read more

    Now isn't the next next gen of chips (Zen 5 / Meteor ) supposed to enact per thread data/instruction encryption to prevent this from happening?
    Reply