Apple's M1 Chip Has An Unfixable Bug, Called The 'M1RACLES'

M1RACLES

Apple's M1 chip has been touted as the evolution of Apple computing, and for several reasons.

First, the chip marked Apple's break with Intel after 15 years of partnership. Second, the chip is ARM-based, making Mac computers compatible with apps for iOS and iPadOS.

And third, the chip is blazingly fast: it was the first to score more than 1 million points on the AnTuTu benchmarking tool.

But that does not mean that the chip is flawless.

Developer Hector Martin said that Apple's M1 chip allows the creation of covert channels, which two or more malicious apps installed on the same machine can use to transmit information to each other.

The surreptitious communication can occur under different privilege levels, without using any computer memory, sockets, files, or any other operating system feature.

This means the communication is invisible to the operating system, and can only be detected with specialized equipment.

Martin calls this bug the 'M1RACLES'.

On a dedicated website, it is explained that:

The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.

The technical details then continue to explain that:

A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol [...] This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead. CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster.
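To make the clock-and-data idea concrete, here is a pure-software simulation added for this article; it is not Martin's proof-of-concept and not code from his site. The two implemented bits are modelled by a Python object rather than the real register, and the specific handshake (the sender writes 1x to publish a bit, the receiver writes 00 to request the next one) is an assumption about the protocol the quote elides.

```python
import threading
import time


class ClusterRegister:
    """Stand-in for the two implemented bits of the per-cluster register.

    Constructed for this simulation only: it never touches real hardware, and
    the lock plays the role of the cluster-wide visibility that the real
    register gets from being shared by every core in the cluster.
    """

    def __init__(self) -> None:
        self._value = 0b00
        self._lock = threading.Lock()

    def read(self) -> int:
        with self._lock:
            return self._value

    def write(self, value: int) -> None:
        with self._lock:
            self._value = value & 0b11  # only bits 0 and 1 exist


VALID = 0b01  # bit 0: sender sets it to say "the data bit is ready"
DATA = 0b10   # bit 1: the payload bit being transmitted


def send(reg: ClusterRegister, payload: bytes) -> None:
    """Publish payload one bit at a time, MSB first, as 1x after each 00."""
    for byte in payload:
        for shift in range(7, -1, -1):
            while reg.read() != 0b00:   # wait for the receiver's request
                time.sleep(0)
            bit = (byte >> shift) & 1
            reg.write(VALID | (DATA if bit else 0))


def receive(reg: ClusterRegister, nbytes: int) -> bytes:
    """Collect nbytes by polling for 1x, recording bit 1, then writing 00."""
    out = bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            while not (value := reg.read()) & VALID:  # wait for a valid bit
                time.sleep(0)
            byte = (byte << 1) | ((value & DATA) >> 1)
            reg.write(0b00)             # handshake: request the next bit
        out.append(byte)
    return bytes(out)


def run_channel(payload: bytes) -> bytes:
    """Run sender and receiver as two threads sharing one simulated register."""
    reg = ClusterRegister()
    result = {}
    rx = threading.Thread(target=lambda: result.setdefault("data", receive(reg, len(payload))))
    rx.start()
    send(reg, payload)
    rx.join()
    return result["data"]
```

Because every bit is acknowledged by the receiver's 00, no bit is lost however unevenly the two threads are scheduled, which is what makes the channel "robust" in the sense of the quote.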

Martin went on to explain that the original purpose of this register is unknown, but it is not believed to have been made accessible to EL0 intentionally.

Because the bug is baked into the way the M1 works, it is effectively unfixable.

Martin suggested that the vulnerability cannot be fixed without a silicon revision.

This is very unfortunate, considering that the chip is still new and Apple must have spent considerable resources to launch it, even at the cost of breaking with Intel.

Fortunately however, unless a system has been compromised by exploits or malware through other means, "covert channels are completely useless," Martin said.

The vulnerability is harmless on its own, according to the developer, as malware cannot use it to steal or interfere with data that's stored inside a Mac.

But the thing is, "it violates the OS security model," Martin said.

"You're not supposed to be able to send data from one process to another secretly. And even if harmless in this case, you're not supposed to be able to write to random CPU system registers from userspace either."

If the M1 chip, or another chip that enables covert channels, were to be used in iPhones or iPads, this type of communication could be damaging.

Keyboard apps on iOS and iPadOS are denied internet access to ensure that they cannot transmit users' input. But if covert channels can be created, a malicious keyboard app could theoretically send users' keystrokes to another app via the covert channel, which could then upload the data to the internet for the bad actors to see.


Published: 31/05/2021