
Unfixable Apple M1 chip bug enables cross-process chatter, breaking OS security model

Submitted by
Style Pass
2021-05-27 03:30:02

Apple's Arm-based M1 chip, much ballyhooed for its performance, contains a design flaw that can be exploited to allow different processes to communicate with one another, in violation of operating system security principles.

M1RACLES, as the bug has been called, doesn't pose a major security risk because information leakage is already possible through a variety of other side channels. It does, however, add another way for existing malware on affected hardware to conduct covert communication.

The flaw arises from the fact that the ARM system register encoded as s3_5_c15_c10_1 contains two bits that can be read and written at EL0 (Exception Level 0, application level privilege) from all cores simultaneously. In a secure system, cross-process chatter is restricted to keep secrets from being revealed.

"A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol (e.g. one side writes 1x to send data, the other side writes 00 to request the next bit)," explains Hector Martin, founder and project lead of Asahi Linux, in his vulnerability disclosure. "This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead."
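To make the quoted protocol concrete, the following is an added simulation, not code from the article or from the Asahi Linux disclosure. It stands in a lock-guarded integer for the two register bits so that it runs on any machine, and implements exactly the clock-and-data scheme described: the sender writes `1x` (valid bit plus one data bit), the receiver harvests the data bit and writes `00` to ask for the next one. The class and function names (`SharedTwoBitState`, `sender`, `receiver`, `transfer`) are assumptions of this example. The spin counter shows where the "bound only by CPU overhead" comes from: both sides must busy-poll the shared state, which is also the behaviour a defender would look for when hunting for this kind of channel.

```python
import threading

# Constructed simulation of the two-bit state described in the disclosure.
# The real state lives in the EL0-accessible register; here a plain integer
# guarded by a lock plays that role so the protocol can run anywhere.
DATA_BIT = 0b01   # the payload bit
VALID_BIT = 0b10  # the "clock": set by the sender when a fresh bit is present


class SharedTwoBitState:
    """Two bits that every thread can read and write, mimicking the
    cross-core visible register bits (hypothetical name, in-memory only)."""

    def __init__(self):
        self._value = 0
        self._lock = threading.Lock()

    def read(self):
        with self._lock:
            return self._value

    def write(self, value):
        with self._lock:
            self._value = value & 0b11  # only two bits are implemented


def bits_of(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def sender(state, payload, spin_log):
    """Write each bit as 1x, then spin until the receiver answers with 00."""
    spins = 0
    for bit in bits_of(payload):
        state.write(VALID_BIT | bit)
        while state.read() != 0:   # 00 means "send the next bit"
            spins += 1
    spin_log.append(spins)


def receiver(state, n_bits):
    """Spin until the valid bit is set, take the data bit, then write 00."""
    out = bytearray()
    acc = 0
    got = 0
    while got < n_bits:
        v = state.read()
        if v & VALID_BIT:
            acc = (acc << 1) | (v & DATA_BIT)
            got += 1
            if got % 8 == 0:
                out.append(acc)
                acc = 0
            state.write(0)  # acknowledge and request the next bit
    return bytes(out)


def transfer(payload: bytes):
    """Run sender and receiver concurrently over one shared two-bit state.
    Returns (received_bytes, sender_spin_count)."""
    state = SharedTwoBitState()
    spin_log = []
    result = {}

    def run_receiver():
        result["data"] = receiver(state, len(payload) * 8)

    rx = threading.Thread(target=run_receiver)
    tx = threading.Thread(target=sender, args=(state, payload, spin_log))
    rx.start()
    tx.start()
    tx.join()
    rx.join()
    return result["data"], spin_log[0]


if __name__ == "__main__":
    data, spins = transfer(b"M1")  # constructed sample payload
    print(data, "delivered after", spins, "sender spins")
```

Every bit costs at least one full handshake (write, poll, acknowledge, poll), so the throughput is whatever two busy-polling threads can sustain and nothing more; the channel carries no information unless both parties spend CPU on it, which is why the disclosure classifies it as a covert channel between cooperating processes rather than a data leak from an unwitting victim.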
