Apple’s new M1 CPU has a bug that creates a covert channel that two or more malicious apps, already installed, can use to send data to each other, a developer has found.
The covert communication can occur without using computer memory, sockets, files, or any other operating system feature, says developer Hector Martin. The channel can link processes running as different users and under different privilege levels. These characteristics allow the apps to exchange information in a way that can’t be detected, or at least not without specialized equipment.
Technically it’s a vulnerability, but…
Martin said the flaw is mostly harmless because it can’t be used to infect a Mac, and it can’t be used by exploits or malware to steal or tamper with data stored locally. The bug can be misused only by two or more malicious apps that are already installed on the Mac through means unrelated to the M1 bug.
However, the bug, which Martin calls M1RACLES, meets the technical definition of a vulnerability and hence comes with its own vulnerability designation: CVE-2021-30747.
“It violates the operating system’s security model,” Martin explained in a post published Wednesday. “You should not be able to secretly transmit data from one process to another. And although in this case it is not dangerous, you shouldn’t be able to write to random CPU system registers from user space either.”
Other researchers specializing in CPU and other silicon security agree with the assessment.
Michael Schwarz, one of the researchers who helped uncover the more serious Meltdown and Spectre vulnerabilities in Intel, AMD and ARM CPUs, said: “The discovered bug cannot be used to infer information about any application in the system. Yes, it can be used as a communication channel between two colluding (dangerous) applications.”
He went on to explain:
This vulnerability is similar to an anonymous “postbox” that allows two applications to send messages to each other, more or less unseen by other applications, and there is no effective way to prevent it. In this “postbox”, no other application’s data or metadata is leaked. Therefore, there is a limitation that it can only be used as a communication channel between two applications running on macOS. However, there are already several ways for applications to communicate (files, pipes, sockets, …), so the additional channel doesn’t really have a negative impact on security. Still, it’s a bug that can be misused as an unintended communication channel, so I think it’s fair to call it a loophole.
Covert channels can be more effective on iPhones, Martin said, because they can be used to bypass the sandboxes built around iOS apps. Under normal conditions, a malicious keyboard app has no way to leak keystrokes because the app does not have access to the internet. A covert channel can circumvent this protection by sending the keystrokes to another malicious app, which then sends them over the internet.
Even so, the chances of two such apps passing Apple’s review process and then both being installed on a target’s device are remote.
Why is the register accessible from EL0?
The flaw stems from a per-cluster system register in the ARM CPU that is accessible from EL0, the exception level reserved for user applications and hence the one with the fewest system privileges. The register contains two bits that can be read or written. This creates a covert channel because the register can be accessed simultaneously by all cores in the cluster.
Two cooperating malicious processes can build a robust channel from this two-bit state by using a clock-and-data protocol (for example, one side writes 1x to transmit data, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bounded only by CPU overhead. The CPU core affinity API can be used to ensure that both processes are scheduled on the same CPU core cluster. A PoC demonstrating this approach to achieve fast, robust data transfer is available here. Without much optimization, it achieves transfer rates of over 1MB/s (less with data redundancy).
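To make the clock-and-data handshake concrete, here is an added simulation; it is not Martin’s PoC and not code from the article. The shared two-bit state is a plain Python integer inside a class, the two “processes” are generators interleaved by a round-robin loop, and a `trapped` flag models the VM mitigation described later in the article, where guest access to the register is refused. The names `SharedRegister`, `sender`, `receiver` and `run_channel` are the example’s own. Nothing here touches hardware; it only shows why two bits are enough for a reliable channel, where the CPU cost goes (every polling read and acknowledging write is counted), and what happens when register access is trapped.

```python
"""Simulation of the two-bit clock/data handshake described in the article.

Constructed example: the 'register' is a plain Python integer, not the CPU
system register, and the two 'processes' are generators interleaved by a
simple round-robin loop.  Bit 1 acts as a clock/valid flag, bit 0 carries
one payload bit:

    sender   writes 1x  ->  "here is bit x"
    receiver writes 00  ->  "got it, send the next bit"
"""


class SharedRegister:
    """Stand-in for the shared two-bit state.

    trapped=True models the VM mitigation: every access is refused,
    which is what makes the channel unusable from a guest.
    """

    def __init__(self, trapped: bool = False) -> None:
        self.value = 0b00
        self.trapped = trapped
        self.accesses = 0  # reads + writes: the only cost of the channel

    def _touch(self) -> None:
        self.accesses += 1
        if self.trapped:
            raise PermissionError("register access trapped by hypervisor")

    def read(self) -> int:
        self._touch()
        return self.value

    def write(self, v: int) -> None:
        self._touch()
        self.value = v & 0b11


def sender(reg: SharedRegister, payload: bytes):
    """Transmit payload MSB-first; yields once per poll so it can be interleaved."""
    for byte in payload:
        for shift in range(7, -1, -1):
            bit = (byte >> shift) & 1
            # Wait until the receiver has cleared the register (00 = "next bit please").
            while reg.read() != 0b00:
                yield
            reg.write(0b10 | bit)  # clock=1, data=bit
            yield


def receiver(reg: SharedRegister, nbits: int, out: list):
    """Collect nbits into `out`, acknowledging each one by writing 00."""
    while len(out) < nbits:
        v = reg.read()
        if v & 0b10:          # clock high: a fresh data bit is present
            out.append(v & 1)
            reg.write(0b00)   # acknowledge and request the next bit
        yield


def run_channel(payload: bytes, trapped: bool = False):
    """Run sender and receiver to completion; return (received_bytes, accesses)."""
    reg = SharedRegister(trapped)
    bits: list = []
    tasks = [sender(reg, payload), receiver(reg, len(payload) * 8, bits)]
    # Round-robin scheduler: models two processes pinned to the same cluster.
    while tasks:
        for task in list(tasks):
            try:
                next(task)
            except StopIteration:
                tasks.remove(task)
    received = bytearray()
    for i in range(0, len(bits), 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        received.append(byte)
    return bytes(received), reg.accesses


if __name__ == "__main__":
    data, cost = run_channel(b"M1RACLES")
    print(data, "moved with", cost, "register accesses")
    try:
        run_channel(b"x", trapped=True)
    except PermissionError as e:
        print("under the VM mitigation:", e)
```

With perfect alternation each bit costs exactly four register accesses (sender read and write, receiver read and write), which is why the real channel’s throughput is bounded only by how fast the two cores can poll; under the trapped register the very first access fails, which is the whole effect of the VM mitigation the article describes.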
Martin has provided a demo video here.
It’s not clear why the register exists, but Martin suspects that making it accessible from EL0 was a mistake rather than intentional. There is no way to fix the bug in existing chips. Users who are concerned about it have no choice but to run the entire operating system as a properly configured virtual machine, since the VM disables guest access to this register, which kills the covert channel. Unfortunately, this option comes with a serious performance penalty.
Martin found the bug while using a tool called m1n1 in his role as lead of Asahi Linux, a project that aims to port Linux to M1-based Macs. He initially thought the behavior was a proprietary feature and hence talked about it openly in developer forums. He later learned that it was a bug that even Apple developers were unaware of.
Again, most Mac users, probably more than 99 percent, have no reason to worry. People who already have two or more malicious apps installed on their device have bigger problems. The vulnerability is more notable for showing a chip flaw, technically known as an erratum, of the kind found in almost all CPUs. Even new bugs are useful for learning from past mistakes made in other architectures.
Apple did not respond to a request for comment, so it’s unclear whether the company plans to fix or mitigate the bug in the next generation of CPUs. For those interested in more technical details, Martin’s website has in-depth information.