A newly discovered flaw in the design of the Apple Silicon M1 chip could enable any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This could work between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange, the official M1RACLES advisory says.
CVE-2021-30747: Some Technical Details
According to Asahi Linux, “the ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.”
Furthermore, a malicious pair of cooperating processes may create a powerful channel based on the two-bit state, via a clock-and-data protocol. This could then allow the processes to exchange an arbitrary amount of data, bound only by CPU overhead. “CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster,” the advisory explains.
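To make the clock-and-data idea concrete, here is an added simulation (not code from the advisory or from Asahi Linux): a plain Python integer stands in for the two-bit register, and two cooperating endpoints run in lockstep. The bit assignment (bit 1 as clock, bit 0 as data), the polling parameters and the scheduling model are assumptions of this toy; it touches no hardware, and its last case shows why the receiver must sample at least once per sender write, which is where the CPU-overhead bound the advisory mentions comes from.

```python
"""Lockstep model of a two-bit clock-and-data channel (constructed example)."""

CLOCK_BIT = 0b10  # assumed: bit 1 toggles once per transmitted data bit
DATA_BIT = 0b01   # assumed: bit 0 carries the payload bit for that clock edge


class SharedRegister:
    """Stand-in for a two-bit register: only two bits are implemented."""
    def __init__(self):
        self.value = 0

    def write(self, v):
        self.value = v & (CLOCK_BIT | DATA_BIT)  # extra bits are dropped

    def read(self):
        return self.value


def sender_steps(reg, payload):
    """Generator: one register write per payload bit (MSB first), then yield."""
    clock = 0
    for byte in payload:
        for i in range(7, -1, -1):
            clock ^= 1  # a clock toggle tells the receiver a fresh bit is ready
            reg.write((clock << 1) | ((byte >> i) & 1))
            yield


class Receiver:
    """Polls the register and latches the data bit on every clock edge."""
    def __init__(self, reg):
        self.reg, self.last_clock, self.bits = reg, 0, []

    def poll(self):
        v = self.reg.read()
        clock = (v & CLOCK_BIT) >> 1
        if clock != self.last_clock:  # edge seen: this data bit is new
            self.last_clock = clock
            self.bits.append(v & DATA_BIT)

    def bytes_received(self):
        whole = len(self.bits) - len(self.bits) % 8  # ignore a partial byte
        return bytes(int("".join(map(str, self.bits[i:i + 8])), 2)
                     for i in range(0, whole, 8))


def simulate(payload, rx_polls=3, rx_every=1):
    """rx_polls: samples per sender write (oversampling is harmless);
    rx_every: receiver only runs after every rx_every-th write (slow receiver)."""
    reg = SharedRegister()
    rx = Receiver(reg)
    for n, _ in enumerate(sender_steps(reg, payload), start=1):
        if n % rx_every == 0:
            for _ in range(rx_polls):
                rx.poll()
    return rx.bytes_received()
```

With `rx_every=2` the receiver sees the clock in the same phase every time, detects no edge, and recovers nothing: the channel only works while both sides stay scheduled closely enough together, which is why the advisory points to core-affinity APIs.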
It should be noted that, because the issue concerns a CPU register, the flaw is present regardless of whether the machine runs Apple macOS, the new M1 support in the Linux kernel, or another operating system, as pointed out by Michael Larabel from Phoronix.
The vulnerability affects all Apple M1 users “running any operating system on bare metal.” More specifically, the list of impacted parties includes:
- macOS users: versions 11.0 and onwards;
- Linux users: versions 5.13 and onwards;
- OpenBSD users;
- AmigaOS users;
- Newton OS users;
- iOS users.
How Dangerous Is the M1RACLES Flaw?
Thankfully, malware can’t use the CVE-2021-30747 vulnerability to perform any malicious activities on your machine, such as stealing your personal information or destroying your data. However, the flaw can be threatening if malware is already present in the operating system: in that case, the malware can communicate covertly with other malware on your computer. That said, the flaw is more likely to be abused for cross-app tracking by app developers than in cybercriminal operations.
In a nutshell, the M1RACLES flaw appears to be an issue mostly because it violates the OS security model. “You’re not supposed to be able to send data from one process to another secretly. And even if harmless in this case, you’re not supposed to be able to write to random CPU system registers from userspace either,” the advisory concludes.
Previous CPU Vulnerabilities
In June 2020, security researchers published their findings about an attack that could hijack data from Intel CPUs. The technique illustrated a rather novel approach that could be deployed to hack into computers running Intel processors. The attack is called CrossTalk, as it could allow threat actors to execute code to leak sensitive data from one of the cores.
In September 2019, security researchers outlined another attack, this one involving Intel server-grade processors released since 2012. The attack was based on a vulnerability named NetCAT (Network Cache Attack).