Press "Enter" to skip to content

Apple invents a unique hardware bug which is a bit like Spectre

I bet you thought all the  hardware bugs had been invented already

Fruit and nutty Cargo Cult Apple has extended its innovative software bug development to hardware and come up with its own unique flavour of Spectre.

A team of researchers with the University of Illinois Urbana-Champaign, Tel Aviv University, and the University of Washington have demonstrated a world-first Data Memory-Dependent Prefetcher (DMP) vulnerability, dubbed “Augury,” that’s exclusive to Apple Silicon.

Apple says it halts all product sales in Russia | ReutersIf exploited, the vulnerability could allow attackers to siphon off “at rest” data, meaning the data doesn’t even need to be accessed by the processing cores to be exposed.
Augury only exists because of Apple Silicon’s DMP feature. This prefetcher aims to improve system performance by being aware of the entire memory content, which allows it to improve system performance by pre-fetching data before it’s needed.

Usually, memory access is limited and compartmentalised to increase system security, but Apple’s DMP prefetch can overshoot the set of memory pointers, allowing it to access and attempt a prefetch of unrelated memory addresses up to its prefetch depth.

Recommended article:

If you feel your mind grasping at a certain familiarity with this, it’s likely because the infamous apple Spectre/Meltdown vulnerabilities also try and speculate what apple data will be required by the system before it’s even requested (hence the term speculative execution).

But while Spectre and Meltdown are only capable of leaking in-use data, DMP can potentially leak the entire memory content even if it’s not being actively accessed, meaning that Apple’s chip teams managed to outshine Intel in the cock-up department.

For Less Than $10, Anyone Can Bypass Apple's Big iPhone Security Feature

To make things even better Apple’s DMP renders void some of the already-engineered fixes for speculative execution  vulnerabilities meaning that Jobs’ Apple Mob will have to go back to drawing board to figure out a solution.

Apple is apparently aware of their discoveries, but there are no plans for mitigations announced. We guess that is because that they will slow their chips down and it is frantically telling the world+dog that its chips are much faster than anyone else’s. While Intel and AMD have to throttle their chips due to Spectre-like bugs, can effectively get away with it.

Apple, Google and Microsoft are supporting a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. The new apple capability will allow websites and apps to offer consistent, secure, and easy passwordless sign-ins to consumers across devices and platforms.

Apple Users will sign in through the same action that they take multiple times each day to unlock their devices, such as a simple verification of their fingerprint or face, or a device PIN. This new approach protects against phishing and sign-in will be radically more secure when compared to passwords and legacy multi-factor technologies such as one-time passcodes sent over SMS.

Over the years there has been some industry-wide collaboration to create sign-in technology that is more convenient and more secure with the goal to give websites and apps the ability to offer an end-to-end passwordless option.

Apple still has some new services that need to be launched, with a new report claiming that a hardware subscription and the addition of a ‘buy now, pay later’ Pay option will be the next two to come out of Cupertino.

Apple’s services business is one of its most important and it’s no surprise that the company would look to expand its reach. Both potential additions would be of benefit to users — both could allow more people to get their hands on the best iPhone available at the time, for example.

While Gurman does say that both of these  services will be the next out of the gate, it isn’t known when that will happen. Rumors of at least one arriving before the end of the year have already begun to swirl, though.

Be First to Comment

Leave a Reply

Your email address will not be published.