For people in our industry to understand the recent university research on the potential security issues around Apple’s new Arm chips, it’s important to go back almost six years and learn about the Spectre and Meltdown cases.
In early 2018, two research teams working independently of each other unveiled these two attacks. Both could recover confidential information by exploring a newly-discovered side channel in a performance-enhancing feature known as speculative execution, a technique built into virtually all modern CPUs. Moving data from main system memory to a CPU is time-consuming. To reduce wait times, modern CPUs execute instructions as soon as the required data becomes available rather than in a sequential order.
Unfortunately, during speculative execution, the CPU can work on instructions that might not ultimately be committed to the program's execution. If these speculative instructions access sensitive data or perform sensitive operations, there’s a risk that they could leave information behind, even if the instructions are later discarded.
At the time these issues attracted a lot of attention as well as extensive efforts to mitigate them. The vulnerabilities are challenging to fix completely, as they are deeply-rooted in the design of modern microprocessors. Despite this, hardware manufacturers, software developers, and security researchers have been working collaboratively to develop and implement security patches, microcode updates, and best practices to protect systems against these vulnerabilities while minimizing the performance impact.
One important element of the original vulnerabilities was to scrutinize timestamp details of each predictive task to help enable the extraction of sensitive information. That’s because speculatively executed instructions can access data and cache lines, and the timing of these memory accesses can reveal information to an attacker.
So one mitigation was to limit the availability of timer information. Although the original research focused on Intel, Apple took note also and implemented a degradation of the timer resolution in both native and browser-based code to mitigate speculative side-channel attacks.
What's new: iLeakage
Fast forward to today - a new research paper from a team of academics from Georgia Tech, University of Michigan, and Ruhr University Bochum in Germany set out to study the security issues with Apple’s new Arm chip architecture. The paper details the steps taken and also shows how it all comes together in an end-to-end attack.
“While significant effort has been invested analyzing x86 CPUs, the Apple ecosystem remains largely unexplored,” explained the team in a research paper.
The team applied Spectre v1 to the Apple chips. They also discovered that Apple CPUs have speculation windows running as long as 300 cycles, which presents a broad exposure to this attack.
The researchers had to crack a number of hard problems to make it work including bypassing the Apple timer mitigation with a “timerless” approach to distinguish cache hits from cache misses. They also uncovered a new technique that lets the attacker page share the address space with arbitrary victim pages, simply by opening them using the JavaScript window. These along with other elements were combined to demonstrate that attackers can recover sensitive website content as well as the target’s login credentials
The team initially disclosed their findings to Apple in September 2022. Apple has acknowledged the issues, and has been working on mitigation involving a major refactoring of Safari’s multi-process architecture significantly.
Mainly an issue for mobile app security?
iLeakage performs its side channel attack in part by targeting WebKit, the JavaScript engine powering Apple's Safari browser. Users of macOS devices who use other browsers such as Chrome, Firefox, and Edge – which incorporate different JavaScript engines – are not susceptible to iLeakage. But iOS-based devices – essentially, iPhone and iPads – are a different story.
As a result of Apple’s sandboxing policies and techniques for iOS devices, the researchers say, other browsers for IOS devices must use the Safari JavaScript engine, and so iPhones and iPads with the vulnerable CPUs are all affected no matter which browser gets used.
Lots of the coverage on the new research has been around how esoteric and complex the steps the researchers used to exploit this issue, and that it’s beyond the average hacker. But could attackers package up the complex steps and sell “iLeakage-as-a-Service” similar to Ransomware-as-as-Service?
Well, yes. So we better not be too complacent: nation-state actors could have the resources to do exactly that.
What should CISOs do?
In light of the recent research on potential security flaws in Apple's ARM chips, it’s crucial for chief information security officers (CISOs) and their security teams to take proactive measures to safeguard their organization’s systems and data.
The iLeakage vulnerability poses a significant risk to iOS-based devices such as iPhones and iPads. While users of macOS devices using alternative browsers may be immune to this specific vulnerability, iOS devices are universally affected because of Apple's sandboxing policies and the requirement for other browsers to rely on Safari's JavaScript engine.
To mitigate the risks associated with speculative execution vulnerabilities like iLeakage, CISOs should prioritize the following actions:
- Stay vigilant and keep systems up-to-date: Ensure that all devices and software within the organization's ecosystem are regularly updated with the latest security patches. This includes Apple devices with Arm chips, and also other platforms susceptible to speculative execution vulnerabilities, such as Intel and AMD.
- Implement recommended security practices: Adhere to best practices for system hardening, access control, and data protection. This includes employing robust authentication mechanisms, encryption protocols, and secure coding practices.
- Monitor and mitigate WebKit usage: Identify areas within the organization where WebKit gets employed, such as web browsers and applications, and implement appropriate mitigations to minimize the risk of exploitation.
- Track Apple's response: Stay informed about Apple's mitigation efforts and recommendations regarding the iLeakage vulnerability. Act promptly to apply any patches or updates provided by Apple to address the issue effectively.
By taking these proactive measures, security teams can enhance their organization's resilience against potential attacks, leveraging speculative execution vulnerabilities. It’s crucial to remain proactive, adaptable, and responsive in the face of evolving security threats, ensuring the ongoing protection of sensitive data and systems.
Richard Taylor, co-founder and CTO, Approov Mobile Security
