Categories
News

Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

[ad_1]

An unpatchable vulnerability has been discovered in Apple’s M-series chips that allows attackers to extract secret encryption keys from Macs under certain conditions, according to a newly published academic research paper.

m1 vs m2 air feature toned down
Named “GoFetch,” the type of cyber attack described involves Data Memory-Dependent Prefetchers (DMPs), which try to predict what data the computer will need next and retrieve it in advance. This is meant to make processing faster, but it can unintentionally reveal information about what the computer is doing.

The paper finds that DMPs, especially the ones in Apple’s processors, pose a significant threat to the security provided by constant-time programming models, which are used to write programs so that they take the same amount of time to run, no matter what data they’re dealing with.

The constant-time programming model is meant to protect against side-channel attacks, or types of attacks where someone can gain sensitive information from a computer system without directly accessing it (by observing certain patterns, for example). The idea is that if all operations take the same amount of time, there’s less for an attacker to observe and exploit.

However, the paper finds that DMPs, particularly in Apple silicon, can leak information even if the program is designed not to reveal any patterns in how it accesses memory. The new research finds that the DMPs can sometimes confuse memory content, which causes it to treat the data as an address to perform memory access, which goes against the constant-time model.

The authors present GoFetch as a new type of attack that can exploit this vulnerability in DMPs to extract encryption keys from secure software. The attack works against some popular encryption algorithms that are thought to be resistant to side-channel attacks, including both traditional (e.g. OpenSSL Diffie-Hellman Key Exchange, Go RSA decryption) and post-quantum (e.g. CRYSTALS-Kyber and CRYSTALS-Dilithium) cryptographic methods.

In an email to ArsTechnica, the authors explained:

Prefetchers usually look at addresses of accessed data (ignoring values of accessed data) and try to guess future addresses that might be useful. The DMP is different in this sense as in addition to addresses it also uses the data values in order to make predictions (predict addresses to go to and prefetch). In particular, if a data value “looks like” a pointer, it will be treated as an “address” (where in fact it’s actually not!) and the data from this “address” will be brought to the cache. The arrival of this address into the cache is visible, leaking over cache side channels.

Our attack exploits this fact. We cannot leak encryption keys directly, but what we can do is manipulate intermediate data inside the encryption algorithm to look like a pointer via a chosen input attack. The DMP then sees that the data value “looks like” an address, and brings the data from this “address” into the cache, which leaks the “address.” We don’t care about the data value being prefetched, but the fact that the intermediate data looked like an address is visible via a cache channel and is sufficient to reveal the secret key over time.

In summary, the paper shows that the DMP feature in Apple silicon CPUs could be used to bypass security measures in cryptography software that were thought to protect against such leaks, potentially allowing attackers to access sensitive information, such as a 2048-bit RSA key, in some cases in less than an hour.

According to the authors, the flaw in Apple’s chips cannot be patched directly. Instead, the attack vector can only be reduced by building defenses into third-party cryptographic software that could result in an extreme performance degradation when executing the cryptographic operations, particularly on the earlier M1 and M2 chips. The DMP on the M3, Apple’s latest chip, has a special bit that developers can invoke to disable it, but the researchers aren’t yet sure what kind of penalty will occur when this performance optimization is turned off.

As ArsTechnica notes, this isn’t the first time researchers have identified threats in Apple DMPs. Research documented in 2022 discovered one such threat in both the ‌M1‌ and Apple’s A14 Bionic chip for iPhones, which resulted in the “Augury” attack. However, this attack was ultimately unable to extract the sensitive data when constant-time practices were used.

“GoFetch shows that the DMP is significantly more aggressive than previously thought and thus poses a much greater security risk,” the researchers claim on their website. “Specifically, we find that any value loaded from memory is a candidate for being dereferenced (literally!). This allows us to sidestep many of Augury’s limitations and demonstrate end-to-end attacks on real constant-time code.”

Users concerned about the vulnerability are advised to check for GoFetch mitigation updates that become available in future macOS updates for any of the encryption protocols known to be vulnerable. Apple representatives declined to comment on the record when ArsTechnica asked about the research.

[ad_2]

Source Article Link

Categories
News

Using ChatGPT to analyze and extract data from PDFs

Using ChatGPT to analyze and extract data from PDFs

If you need to extract data and process hundreds of PDFs you might be interested to know that you can easily use the power of artificial intelligence in the form of ChatGPT together with automation systems such as Zapier. This is especially useful for tasks such as automating invoice processing, a traditionally time-consuming aspect of both personal and business finance management.

If you have PDFs you would like to process, analyze and extract data from you will be pleased to know that Corbin AI has created a useful tutorial. Explaining how you can automate PDF data extraction straight into Google sheets using Zapier and OpenAI’s ChatGPT service or API.

Traditional methods of data extraction often involve manual effort, but also prone to human errors. AI can automate this process, significantly reducing the time needed to sort, read, and interpret documents. This is particularly impactful in business settings, where large volumes of data often need to be processed in formats like invoices, contracts, or reports.

Automate PDFs analysis and data extraction using ChatGPT

In a typical setup, a Google Drive folder all similar could be used as a storage point for incoming PDF invoices. Zapier can monitor this folder for new additions, triggering a ‘Zap’ when a new PDF is uploaded. This trigger initiates a sequence of actions, such as perhaps converting the PDF into a Google Doc format or extracting data depending on your needs and workflow. This conversion is essential because it enables easier access to the underlying textual data within the document, a prerequisite for ChatGPT to perform any sort of analysis or data extraction.

Other articles we have written that you may find of interest on the subject of AI automation, ChatGPT and systems such as Zapier.

Once the document is in a Google Doc format, a code block can be employed to extract the necessary data. This is where ChatGPT comes into play. The extracted data is passed on to ChatGPT for formatting, ensuring that the invoice details conform to a specified format. One could, for example, have the AI model identify and categorize different line items, sum totals, or even apply specific formatting rules that make the data easier to interpret or analyze.

Breaking the data into smaller chunks

The next step involves breaking down the formatted data into its constituent elements, usually done through a formatter block in Zapier. This prepares the data to be fed into a Google Sheets spreadsheet, essentially automating what would otherwise be a manual data entry task. A new row in the spreadsheet can be automatically created, and the broken-down data populated into the respective fields.

Time-saving automation

Time-saving is one of the most evident advantages. For instance, a financial analyst who would otherwise spend hours manually extracting data from quarterly reports can instead focus on higher-level tasks like data analysis and interpretation, thereby contributing more value to their organization. The automated process also ensures that the data is consistently formatted, thereby reducing the chance of errors that might occur during manual extraction. This level of accuracy is crucial in many settings, such as healthcare or legal affairs, where a small error can have significant implications.

Improved accuracy

Improved workflow is another major benefit. Automating the extraction process means that data can seamlessly move from one stage of a workflow to another without requiring human intervention. For example, invoice details can be automatically extracted and populated into an accounting software, triggering subsequent automated actions like payments or notifications. This streamlined workflow reduces bottlenecks and ensures that tasks are completed in a timely manner.

Personal workflows

In personal settings, this automation can help with tasks like budgeting or tax preparation, taking away the tediousness associated with sorting through various financial documents. By freeing up time and mental energy, individuals and businesses can focus more on strategic activities, fostering innovation, and driving growth. Thus, the incorporation of AI in reading and extracting data from PDFs stands as a powerful tool for enhancing productivity and optimizing workflows.

The real power in this approach lies in its scalability and potential for further automation. By integrating invoice software or other applications directly with Zapier or utilizing API documentation, the entire workflow—from invoice receipt to data entry—can be fully automated, sparing humans the tedium and minimizing error. Given that the process is part of a broader series on leveraging ChatGPT, Zapier, and automation for PDF manipulation, it provides a robust solution for automating tasks that require data extraction and intelligent formatting.

Filed Under: Guides, Top News





Latest timeswonderful Deals

Disclosure: Some of our articles include affiliate links. If you buy something through one of these links, timeswonderful may earn an affiliate commission. Learn about our Disclosure Policy.