Uncovering Software-Based Power Side-Channel Attacks on Apple M1/M2 Systems
Main Authors | , , , , , , |
---|---|
Format | Journal Article |
Language | English |
Published | 28.06.2023 |
Summary: | Traditionally, power side-channel analysis requires physical access to the
target device, as well as specialized devices to measure the power consumption
with enough precision. Recent research has shown that on x86 platforms,
on-chip power meter capabilities exposed to a software interface might be used
for power side-channel attacks without physical access. In this paper, we show
that such a software-based power side-channel attack is also applicable on Apple
silicon (e.g., M1/M2 platforms), exploiting the System Management Controller
(SMC) and its power-related keys, which provides access to the on-chip power
meters through a software interface to user space software. We observed
data-dependent power consumption reporting from such SMC keys and analyzed the
correlations between the power consumption and the processed data. Our work
also demonstrated how an unprivileged user mode application successfully
recovers bytes from an AES encryption key from a cryptographic service
supported by a kernel mode driver in macOS. We have also studied the
feasibility of performing a frequency throttling side-channel attack on Apple
silicon. Furthermore, we discuss the impact of software-based power
side-channels in the industry, possible countermeasures, and the overall
implications of software interfaces for modern on-chip power management
systems. |
---|---|
DOI: | 10.48550/arxiv.2306.16391 |