Want early access to new videos and some behind the scenes content? Consider becoming a channel member ua-cam.com/channels/QvW_89l7f-hCMP1pzGm4xw.htmljoin
Really like the off-the-cuff, unrehearsed style! Came from your more scripted full-length videos and still definitely enjoy those, but this feels like a lecture with someone who is really in their element, and that scratches an entirely different itch.
Thanks for the feedback! I’m experimenting with other types of content at the moment, I love doing the big project style videos but they take so long to make, script, film and edit. This was really fun to just switch on the camera and start talking
@nathanbaggs please do more! I enjoyed this very much!
After watching your video I checked out some of the articles online regarding this. It's funny to read 1) Their different attempts to reword the paper into simpler terms for people to understand, and 2) the level of scaremongering used from article to article - some are very upfront about the fact that this isn't something to worry about right now, while others are very happy to leave you in the dark about if you're safe or not.
Great video.
It’s good to have a variety of interpretations pitched at different levels, I just felt there was a gap for something more in depth
"local": unless I'm mistaken, local access doesn't mean physical access, it means a process running on the machine. (This is in contrast to a remote attack, e.g. by sending malformed network packets.)
local: so an attacker still somehow needs to get code to execute on your machine.
* that could be code executed by another user on the same machine. Generally a situation in server environments, e.g. on a shared host.
* on a client device, that could be another process, e.g. a website, because a browser executes the JavaScript.
JavaScript just being an example here. To my knowledge, browsers now all slightly abstract the clock as JavaScript sees it, so that JavaScript can no longer do timing attacks. It could also be an app from the app store, that despite having restricted access executes on the same CPU, you could say.
summary: "local": should not need physical access, but will still need some way to get a user or machine to execute your code.
Really been enjoying your content lately, thanks for doing what you do. You answer a lot of questions I had as a kid playing games and never bothered to find out now as an adult in software engineering.
A comment on your presentation where you illustrate by hand, this is something I’ve been dabbling with in my team at work and I’ve found that using different colours makes it not only more interesting, and thus more likely for people to follow along, but also easier to separate things or group common ideas, which makes it easier to follow along.
I quite like this format, I'd definitely enjoy seeing more technical deep-dives into vulnerabilities like this. Also yes lattice cryptography is still a big thing in post-quantum cryptography (27:31). In 2022 NIST released 4 quantum-resistant crypto algorithms and three of them were based on lattice cryptography
Glad to know my knowledge isn’t too out of date then
You are the GOAT. Been watching your videos when u had a few hundred subs and good to see how the channel is growing
Great video. It's nice for someone to go a bit more into the finer details of the attack rather than just harping on "It's in hardware! It's unfixable! Ohmygod ohmygodohmygod, P A N I C!!!111!!eleven!!" part. (Yes, I am late to the party. Been figuratively literally living under a rock for the past few months and am currently catching up on tech news ;)
One minor correction though: Being a "local attack" does not mean "requiring physical access". No one needs to sit at your machine for this exploit. They'd only need to be able to run code on your machine, which sets the bar far lower as that could be done remotely, especially if your machine is already compromised (say by being infected with a virus). Hell, there are even ways to run code on your machine without compromising it (JavaScript, anyone?), though those are most likely unsuited for such highly timing-sensitive attacks as this, so I'd assume your machine would need to be already compromised for this attack to be realistically feasible.
Still, whether you should be concerned about this attack with your threat model isn't something any article or YouTube video can tell you. Sorry to say, that'd be something you'd have to decide for yourself.
Thanks! Yeah, I realised my mistake after I filmed it, that's the problem with just sitting down and talking with no script (:
Another killer video Nathan, fast becoming the best (and most entertaining) engineering content on YT.
I work in applied crypto. Funny that OpenSSL don’t care as local exploit out of scope, I mean they care enough to implement constant time functions for crypto in the first place and this only protects against local side channel anyway.
Also with M3 and above you can use chicken bits to disable the DMP during critical path.
Yes, I'm a pretty big fan of how Nathan always delivers his jokes deadpan in-between all of the technical information 😂
Not like OpenSSL can fix Apple chips
@alexanderborsch5978 well yes, that's the point, they can fix it by disabling the DMP.
I don't work in applied crypto (or any compsci field for that matter), and I easily understand why OpenSSL would say it's outside their scope
Half the time I have no idea what you're talking about. Sounds like gibberish yet I keep coming back. 😂 Keep up the great work. I like this on the fly kind of video. 🤙
Love the hands-on explanation. Definitely helps me cut through the high level stuff which I always have trouble understanding.
I think you mentioned it right at the end that it could be part of a payload/remote exploit - but what part of the process needs local access to the computer? It seems like you're just running some very unique code for sure, but still just code nonetheless. Regarding the multi hour part, surely you're also fine to scale that back, run it at 10% speed to not be noticed and accept you're going to get a result in a day or two rather than a trip to the movies.
I would guess timing would be the most tricky, but I would guess that should just fall down to counting CPU cycles, not hooking up a multi-GHz oscilloscope.
I don't know a huge amount about crypto, so excuse my ignorance :)
yeah, I didn't understand why this can't be the payload of some virus-like thingy, but I'm not exactly an expert, as one might guess : p
Maybe the point is that if you can do that, then there are other, much more dangerous things you'd rather be doing with this access, so who cares about this specific threat?
Seems like it could probably even be done by a web page.
Great video Nate , the details and drawings really help me understand what's going on with he M1 chip
😳 Excellent review Nathan, thank you for explaining this so well! 👍👍👍
I remember a while back PHP had an exploit similar to this, new functions were added and patched to make them time safe, I have no idea how to phrase that, anyway, that's my personal experience of this type of attack and it's super interesting to see it on a hardware level even though I have zero understanding of what's going on I can follow along, another great vid cheers man.
From my understanding, the M3 chips have the ability to turn off DMP for a performance hit unlike the M1/M2 which do not have this ability. Has anyone heard anything about Apple pushing out a patch to allow users to disable the prefetching just in case?
15:50 Wow, nice explanation of how one can run a function in constant time. It's interesting at the beginning of the video, how one can use timing to get more info, when it checks each letter in a loop. 👍
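The per-letter compare and its constant-time counterpart that this comment refers to, written out as an added example (not code from the video, from the paper or from OpenSSL). One assumption is made to keep it deterministic: the simulated attacker reads the number of loop iterations the leaky compare performed instead of measuring wall-clock time; a real attacker would have to recover that count from timing samples averaged over many runs, which is exactly what the constant-time version denies them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable compare: returns at the first mismatching byte, so the work
 * done (and therefore the running time) grows with the number of leading
 * bytes the guess got right. `steps` reports how many iterations ran; it
 * stands in for a timing measurement so the leak can be shown without a
 * noisy clock. */
int leaky_compare(const uint8_t *a, const uint8_t *b, size_t n, size_t *steps)
{
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = n;
    return 1;
}

/* Constant-time compare: touches every byte regardless of where the first
 * mismatch is, accumulates differences with OR, and turns the result into
 * 0/1 arithmetically so no branch depends on the data. */
int ct_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    /* diff == 0: (0 - 1) sets the top bit -> 1; any other diff -> 0 */
    return (int)(((uint32_t)diff - 1u) >> 31);
}

/* Iterations the leaky compare performs for a string guess (guess must be
 * at least as long as secret). */
size_t leaky_steps(const char *secret, const char *guess)
{
    size_t steps = 0;
    leaky_compare((const uint8_t *)secret, (const uint8_t *)guess,
                  strlen(secret), &steps);
    return steps;
}

/* Simulated attacker: recovers `secret` one byte at a time by keeping, at
 * each position, the candidate that makes the leaky compare run longest.
 * A full match is reported by the return value (it runs the same number of
 * iterations as a last-byte mismatch), so it is treated as the best outcome.
 * Cost: 256 * n oracle calls instead of 256^n. Returns 1 on success. */
int recover_with_leak(const uint8_t *secret, size_t n, uint8_t *out)
{
    memset(out, 0, n);
    for (size_t pos = 0; pos < n; pos++) {
        size_t best_steps = 0;
        uint8_t best = 0;
        for (int c = 0; c < 256; c++) {
            size_t steps;
            out[pos] = (uint8_t)c;
            if (leaky_compare(secret, out, n, &steps)) {
                best = (uint8_t)c;
                break;
            }
            if (steps > best_steps) { best_steps = steps; best = (uint8_t)c; }
        }
        out[pos] = best;
    }
    return memcmp(secret, out, n) == 0;
}

/* Runs the recovery against a constructed secret; 1 if fully recovered. */
int demo_recovery(void)
{
    static const char secret[] = "hunter2";   /* constructed test secret */
    uint8_t out[sizeof secret - 1];
    return recover_with_leak((const uint8_t *)secret, sizeof secret - 1, out);
}

int main(void)
{
    printf("iterations for guess 'hXXXXXX': %zu\n", leaky_steps("hunter2", "hXXXXXX"));
    printf("iterations for guess 'hunXXXX': %zu\n", leaky_steps("hunter2", "hunXXXX"));
    printf("secret recovered through the leak: %s\n", demo_recovery() ? "yes" : "no");
    printf("ct_compare equal=%d differ=%d\n",
           ct_compare((const uint8_t *)"hunter2", (const uint8_t *)"hunter2", 7),
           ct_compare((const uint8_t *)"hunter2", (const uint8_t *)"Xunter2", 7));
    return 0;
}
```

The recovery loop is the whole point of the early-exit leak: each correct prefix byte buys one more iteration, so the secret falls in linear rather than exponential work. Against `ct_compare` the only signal left is the final equal/not-equal bit, which is what a compiler-resistant constant-time primitive in a real library (OpenSSL's `CRYPTO_memcmp`, for instance) is meant to guarantee; note that compilers can still undo hand-written constant-time code, so production implementations check the emitted assembly.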
As a dev I really appreciate your videos, thank you so much!
Thanks!
The article says the malicious code needs to run locally on the machine. Why are you saying that the attacker needs to be physically sat at the computer?
A few people have pointed this out. I was a bit brusque in my explanation, it just needs code to be running locally on the machine
Your explanations and knowledge distillation are exquisite. Thank you very much for sharing!
Well, I'd say the second an attacker has a process running on the system itself, physically, all bets are off.
That's a total failure of security at that point and it's obvious that it'll fall outside of SSL's threat model.
The same as if someone has physical access to a switch, then the network security has been breached and all bets are off.
that's so insanely not the same lol
There's an important detail missing from the paint example when doing DH key exchange. Although the common paint colour is known to an attacker, it must also be a colour that the attacker is not able to manipulate.
By necessity some details will be lost in a high level explanation, I still think it’s one of the best ways of explaining the underlying concept
@nathanbaggs Very true, but it is such a crucial detail. Failure to do this completely destroys the entire security of the algorithm. How you ensure the agreed common 'colour', that's where I think it goes beyond the scope of a simple explanation.
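What "making sure the agreed colour cannot be manipulated" looks like in code, as an added example (not code from the video or from any library it mentions). The group is a toy one: p = 23 is a safe prime (23 = 2 * 11 + 1) and g = 4 generates the order-11 subgroup; the private exponents 6 and 15 are constructed. The validation rules (safe prime, generator of the q-order subgroup, received public value inside that subgroup) are the standard checks, here spelled out by hand; the 64-bit arithmetic is for illustration and real deployments use vetted libraries with 2048-bit or larger groups.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy Diffie-Hellman parameters: prime modulus p and generator g. */
typedef struct { uint64_t p; uint64_t g; } dh_params;

/* The group used by the demo; 4 has order 11 modulo 23. */
static const dh_params TOY_GROUP = { 23, 4 };

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)(((unsigned __int128)a * b) % m);
}

/* Square-and-multiply modular exponentiation. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = mulmod(result, base, m);
        base = mulmod(base, base, m);
        exp >>= 1;
    }
    return result;
}

/* Trial division; adequate for the toy sizes used here. */
bool is_prime(uint64_t n)
{
    if (n < 2) return false;
    if (n % 2 == 0) return n == 2;
    for (uint64_t d = 3; d * d <= n; d += 2)
        if (n % d == 0) return false;
    return true;
}

/* The "agreed colour" check: accept only a safe prime p = 2q + 1 and a g
 * that generates the order-q subgroup. If a peer or a man in the middle
 * may pick p and g unchecked, g = 1 forces the shared secret to 1 and
 * g = p - 1 leaves it with only two possible values. */
bool dh_params_valid_pg(uint64_t p, uint64_t g)
{
    if (p < 5 || !is_prime(p)) return false;
    uint64_t q = (p - 1) / 2;
    if (!is_prime(q)) return false;
    if (g < 2 || g > p - 2) return false;
    return modpow(g, q, p) == 1;
}

bool dh_params_valid(dh_params P) { return dh_params_valid_pg(P.p, P.g); }

/* A received public value must also lie in the q-order subgroup; this
 * rejects 1 and p - 1 (and any other small-subgroup element) sent by a
 * tampering peer to pin down the shared secret. */
bool dh_public_valid(dh_params P, uint64_t y)
{
    if (y < 2 || y > P.p - 2) return false;
    return modpow(y, (P.p - 1) / 2, P.p) == 1;
}

uint64_t dh_public(dh_params P, uint64_t priv) { return modpow(P.g, priv, P.p); }

uint64_t dh_shared(dh_params P, uint64_t peer_pub, uint64_t priv)
{
    return modpow(peer_pub, priv, P.p);
}

/* Full exchange on TOY_GROUP with constructed private exponents 6 and 15.
 * Returns the shared secret if both sides agree and all checks pass, else 0. */
uint64_t dh_demo(void)
{
    dh_params P = TOY_GROUP;
    if (!dh_params_valid(P)) return 0;
    uint64_t a = 6, b = 15;
    uint64_t A = dh_public(P, a), B = dh_public(P, b);
    if (!dh_public_valid(P, A) || !dh_public_valid(P, B)) return 0;
    uint64_t sA = dh_shared(P, B, a), sB = dh_shared(P, A, b);
    return sA == sB ? sA : 0;
}

int main(void)
{
    printf("shared secret: %llu\n", (unsigned long long)dh_demo());
    printf("g=1 accepted? %d   g=p-1 accepted? %d   p=31 (not safe) accepted? %d\n",
           dh_params_valid_pg(23, 1), dh_params_valid_pg(23, 22), dh_params_valid_pg(31, 3));
    printf("peer public 22 accepted? %d\n", dh_public_valid(TOY_GROUP, 22));
    return 0;
}
```

Both parties end up with 16 here, and every tampered input in `main` is rejected before any secret is derived. In practice the "agreed colour" problem is solved by using fixed, published groups (the RFC 7919 finite-field groups or a named elliptic curve) rather than letting the peer propose parameters, and by still validating the received public value.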
I was just wondering if you would look into this. Thanks for the great explanation
Excellent explainer! I'd love to see more unscripted videos that 'breakdown' whitepapers or like you said, go a little more in depth.
Is game hacking even a challenge to you at that point?
Outstanding video! Love all your stuff!
Dude you really know your stuff!
Thanks! Although I’m by no means a crypto expert
Would you or someone be willing to make a M Chip vulnerability for dummies video? Explaining it to your granddad if he was interested in buying a new MacBook this month. This granddad has not yet found a video or article yet dumbed down enough.
I'm only 15 minutes in, but as someone stuck on Windows 10 because of Spectre, I'm not happy knowing my M1 was the computer I bought to replace it... as soon as you started getting into side channel attacks on the CPU cache my heart sank.
Great intro and deeper dive!
BTW: i think you meant Contiguous instead of congruent.
Yes I did! I tried doing this video unscripted so there’s a few errata
Interesting Video. I like this format as well.
impressive way to quickly take advantage of recent news
props
Your explanation was really great ...
Then you did what a lot of Apple fans did ... You said "someone needs to be sat 2.5 hours at your machine" ... It is wrong ... Totally wrong and you know it: any application and/or service on the machine that would have an RCE (remote code execution) flaw would permit running the code... And that app / service flaw does NOT even need to have specific permissions on the system: could be your browser, your download app...
The answer from OpenSSL is totally normal: since IT IS NOT their concern! It is Apple's concern and OpenSSL cannot patch it!
My focus was more on the runtime of the exploit rather than the access vector. I was trying something new with this video, doing it more raw and unscripted, as such there are a few errata. Eagle-eyed watchers are always quick to point it out though and I've enjoyed going through the comments
Super interesting! (and well explained)
Did you mean arrays are stored contiguously? I hadn't heard it referred to as congruently. Just wondering
You know what you are 100% right I did mean contiguously. I was trying out something different for this video (it being unscripted), so there’s a couple of errata. Thanks!
@nathanbaggs I really enjoyed the video and didn't even notice that it was unscripted. Love the content!
your videos are gold!
I do not really understand why I would need to be at your computer in order to break these, because all I need is that you are running my program while at your computer - like you can put this in an application or a game silently. I see nothing about this not being able to do remotely - pretty much the opposite.
Yes I think this might be an erratum. It just requires the attacker to be able to run a process on the same machine
How this could be unpatchable on M1, M2 and M3 since there is a special bit on M3 to disable DMP ?
Can you test that on your Mac?
Apple be like "let's invent the next Spectre bug"
Is it OK if I call you the Frodo Baggins of Reverse Engineering?
I’ve been called worse (:
@nathanbaggs 😅👍
don't wanna use an unsafe prime .. what my old man always told me ..
Is just M1 affected or the entire architecture aka A14 (Icestorm/Firestorm)? What about M2 and A15(Blizzard/Avalanche)? A16(Sawtooth/Everest)? A17 Pro?
Entire... M1, M2 and M3
@nholmes86 Other comments mentioned that starting with the M3, there's a flag that can be set in code to (temporarily?) disable the DMP, so crypto libraries can work around this on newer machines. Note that:
a) this would technically not be a patch as the vulnerability would still be there. Crypto libraries would just be working around the vulnerability.
b) this is just hearsay from other comments. I'm not knowledgeable enough about Apple's ARM chips to judge the veracity of this claim.
Say the attacker could crack it in say a minute, what would that give them the ability to do? Don't they already need local access to the PC?
It’s a good video, but the number of adverts is way over the top. For a 30-min video there were approximately 7 ad breaks. It comes across as greedy, unfortunately.
I just mark points in the video I think would be ok for an ad, it's really up to YouTube how many ads to serve. Sorry you had a bad experience with it though
Sleep a random number of ms each iteration of char[I] == char. Just to mess with the brute force hackers 😂
LGTM
How do Intel and AMD processors differ from that? Why don't other processors leak or do they?
There were some similar exploits called Spectre and Meltdown that affected Intel CPUs several years ago that were kind of similar in nature to this, so it's not an Apple specific phenomenon
@tomysshadow Yes and no. Timing-based side-channel attacks have been known for a while now and do affect Intel and AMD chips as well. But ways to mitigate those, such as constant-time functions, have since been implemented.
This attack exploits a behavior exclusive to Apple's ARM chips to in turn break those mitigations, potentially rendering code vulnerable to timing-based side-channel attacks again. That behavior being (to the best of my knowledge) exclusive to Apple's ARM chips is why Intel and AMD chips aren't affected.
but this poses a real threat for stolen devices, no?
That’s what I think too
So, one has to be talented enough to pull
this off and it’s more difficult remotely?
Sounds like this would be a bad time to get your m1-m2 stolen lol
whoah sir!
People are hyperventilating about this because they are worried about their private keys being stolen and then they lose all their crypto. And say things like don't connect to a public WiFi under any circumstances. And giving every M1 user the impression that they should never buy an Apple computer because they are now fu___ed. However, having watched your great video, it seems that the attack vector is pretty low. How a person might choose to hack somebody's computer to steal private keys is probably more simple. Such as observing the keys entered into the keyboard either visually or remotely. And then just logging in and exporting the private keys. Would you agree that YouTubers are being way too scaremongering? And also, is it really impossible to fix?
I think YouTube is highly competitive so I understand people using sensationalism to try and stand out. In terms of unfixable, this is not something they can change with a software patch as it's part of the silicon, however I believe it is possible to disable the DMP with some flags
So what, practically, can this be used to do by an attacker? Break Filevault? Reveal passwords? I think maybe I'm not smart enough to fully understand it entirely. Ha.
Does this add to the attack surface of the setup app so it can be bypassed? I've a legitimately purchased activation locked M1 Macbook Pro that Apple simply refuses to unlock even though I provided them with the motherfucking receipt. (It was a company device that was on loan to someone and they RMA'd it & never removed the device from their icloud)
In my understanding it was not a mistake…because only programmers can do this.
Are t'authors from Yorkshire? (ey up)
Wipe tha bloody feet
Hello Great Sirs :D
so this exploit is realistically unusable.
Well done watching the video 👍
On its own, yes, however in the real world attackers chain multiple exploits together, so maybe use another remotely executable exploit and then use this one. Likely if someone's going through the trouble it'd be high-value targets and not your average Joe.
it's not as bad as Spectre, but it's still a pretty significant side channel attack. you can do a lot of damage with that, especially if you pair it with other methods. this also assumes it stops here, and the exploit doesn't evolve.
OpenSSL saying it's "outside of their threat model" doesn't necessarily mean it doesn't matter, it just means there's nothing they, in particular, can do about it, through software, and is arguably a reckless thing to toss out there.
:3
Was the thumbnail AI generated?
Yup, thought I’d try something different as this is a different style of video for me anyway
@nathanbaggs Gross (good video, though)
Crash different, total garbage!