While reverse engineering the Apple Silicon M1 chip for the Linux port, Asahi Linux developer Hector Martin found a design flaw in the chip that can be exploited to let different applications communicate covertly with each other.
Martin calls the anomaly, which resides in the ARM-based chip, M1RACLES (M1ssing Register Access Controls Leak EL0 State), and is evidently poking fun at the trend of giving less relevant security holes more publicity through clever branding.
Martin writes as a summary — “A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange.”
Martin describes in detail how, while reverse engineering the CPU, he found a register that can be read and written with one bit, i.e., 0 or 1. The register is also accessible from all computing cores in the same cluster. If two applications are running in the same cluster, they can use this register to exchange data directly with one another via a simple clock-and-data protocol. Martin demonstrates this with his own code at a transfer rate of around 1 Mbyte/s.
According to Martin, the only effective way to prevent this is to virtualize the operating system so that applications no longer have access to the register. Martin advises against this, on the one hand because of the associated performance loss, and on the other hand because he considers practical attacks using the flaw very unlikely: no private data can be exfiltrated with it, and the computer cannot be taken over with it.
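To make the clock-and-data protocol and the virtualization mitigation concrete, here is an added simulation in Python (not Martin's code and not part of the original article). The hardware register is replaced by a Python object assumed to hold one clock bit and one data bit, the two processes by generators scheduled in lock-step, and the hypervisor trap by a `trap_access` flag; nothing here touches real hardware.

```python
class SharedRegister:
    """Shared register model (assumed: a clock bit and a data bit). trap_access=True
    models the virtualization mitigation: EL0 accesses fault instead of landing."""
    def __init__(self, trap_access=False):
        self.clock, self.data, self.trap_access = 0, 0, trap_access
    def _check(self):
        if self.trap_access:
            raise PermissionError("register access trapped by hypervisor")
    def write(self, clock, data):
        self._check()
        self.clock, self.data = clock & 1, data & 1
    def read(self):
        self._check()
        return self.clock, self.data

def bits_of(payload):  # bytes -> MSB-first list of 0/1 values
    return [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]

def bytes_of(bits):  # inverse of bits_of; a trailing partial byte is dropped
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits) - len(bits) % 8, 8))

def sender(reg, payload):  # per bit: set the data line, flip the clock line
    clock = 0
    for bit in bits_of(payload):
        clock ^= 1
        reg.write(clock, bit)
        yield

def receiver(reg, n_bits, sink):  # sample the data line on every clock edge
    last_clock, _ = reg.read()
    while len(sink) < n_bits:
        clock, data = reg.read()
        if clock != last_clock:
            sink.append(data)
            last_clock = clock
        yield

def transfer(payload, trap_access=False):
    """Lock-step scheduling stands in for two cores polling concurrently.
    Returns the received bytes, or None when register accesses are trapped."""
    reg, received = SharedRegister(trap_access), []
    tx, rx = sender(reg, payload), receiver(reg, 8 * len(payload), received)
    try:
        next(rx)          # receiver records the idle clock level first
        for _ in tx:      # each sender step emits one bit ...
            next(rx)      # ... which the receiver samples on the clock edge
    except PermissionError:
        return None
    return bytes_of(received)
```

`transfer(b"M1RACLES")` returns the payload unchanged, while `transfer(b"M1RACLES", trap_access=True)` returns `None`, which is the effect of the trapping mitigation Martin describes. A real channel would need rate limiting or an acknowledgement instead of the lock-step scheduler, since nothing stops a fast sender from flipping the clock twice between two receiver polls.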
The only “real danger”, according to Martin, is that malware could use the flaw to communicate with other malware undetected.
However, malware is likely to find other ways to communicate anyway. Likewise, such a covert channel is “completely useless” unless the computer itself has already been compromised, and that compromise is probably the bigger problem than the CPU flaw itself.
Martin also points out that all CPUs have hardware bugs, which manufacturers call errata; users usually never learn of them. That Martin found this hardware flaw through systematic reverse engineering and documented it publicly is nonetheless unusual.
The M1 design flaw affects macOS Big Sur, Linux v5.13+, and, via the A14 chip, which according to Martin shares the same vulnerability, iOS and iPadOS.