M1racles, the first architectural bug of the new Apple M1 chips

With the arrival of the new Apple processors, which have now reached the desktop as well with the introduction of the new iMacs equipped with M1 chips, the first malware did not take long to arrive: Silver Sparrow, malicious software that worked by exploiting flaws and plug-ins inside the Java Virtual Machine (JVM). But it doesn't stop there: the first architectural bug of Apple's new M1 chips, called M1racles, has been identified.

The new Apple processor, and in particular its new architecture (its logical design), appears to be affected by a hardware, and therefore architectural, bug. The new flaw is named M1racles: a vulnerability of Apple's SoC, caused by a defect in the chip's design that allows a "ghost" transmission of data between two processes.

Discovered by the programmer and designer Hector Martin while working on a version of Linux for the M1 chip, it allows data to be transmitted, in a way completely transparent to the user, between two running processes belonging to different users. In this way a hidden channel is created through which the two processes communicate, like a river passing under a bridge: boats pass beneath the road traffic without the cars ever seeing what is moving underneath them.

The first architectural bug of Apple M1

The bug, already reported to Apple, was probably caused by a (human, of course) error by an engineer at the Cupertino company during the design of the new processor. The engineer departed from the ARM specifications, allowing the bug to violate the macOS security model, since control over data transmitted without the user's knowledge is one of the many prerogatives of Apple systems.

The biggest problem, as noted by the analyst Pierluigi Paganini, founder of Cybaze, a company in the cybersecurity sector, is that:

normally vulnerabilities deriving from the logical design of the chip are extremely dangerous because they are difficult to identify, complex and sometimes impossible to fix, and finally because they can allow the execution of malicious code at the chip level, and therefore completely transparent to the operating system and to the main defence systems.

The technical explanation behind this vulnerability

Among the various system registers made available by ARM there is one called s3_5_c15_c10_1. It contains two bits (at positions 0 and 1) that can be read or written. This is a per-cluster register, accessible simultaneously by all the cores in the same cluster.

This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.


A pair of processes can build a communication channel on top of it with an ad hoc protocol: for example, one process writes "00" to request data, and the other replies to each "00" by writing "1x", where x is the data bit (0 or 1), to send the next bit. This lets the processes exchange an arbitrary amount of data, limited only by CPU overhead. Certain CPU-related APIs can be used to make sure both processes are running on the same cluster. Without much optimisation, transfer rates above 1 MB/s can be obtained (less if some data redundancy is used).
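To make the clock-and-data handshake concrete, here is an added simulation (not the article's code, nor the M1RACLES proof of concept): the shared two-bit state is a plain Python object standing in for the register, with no hardware access, and an optional third "bystander" writer shows why the channel needs redundancy, since a single stray write silently corrupts the stream. The names SharedTwoBits, sender, receiver and transfer are this example's own.

```python
import random

class SharedTwoBits:
    """Constructed stand-in for the shared two-bit state; not the real
    s3_5_c15_c10_1 register and no hardware access. Bit 1 = flag, bit 0 = data."""
    def __init__(self):
        self.value = 0b10  # idle with the flag set, so the sender waits for a request
    def write(self, v):
        self.value = v & 0b11

def sender(reg, payload):
    """Waits for a 00 request, then answers 1x, x being the next bit (MSB first)."""
    for byte in payload:
        for i in range(7, -1, -1):
            while reg.value != 0b00:
                yield  # receiver has not asked yet
            reg.write(0b10 | ((byte >> i) & 1))
            yield

def receiver(reg, nbits, sink):
    """Writes 00 to ask for a bit, waits for the flag, then records the data bit."""
    for _ in range(nbits):
        reg.write(0b00)
        while not (reg.value & 0b10):
            yield  # sender has not answered yet
        sink.append(reg.value & 0b01)
    yield

def transfer(payload, seed=0, bystander=False):
    """Runs both sides under a random interleaving and returns the bytes the
    receiver reconstructed. With bystander=True a third writer occasionally
    overwrites the state: the channel has no integrity check of its own, so one
    stray write corrupts or truncates the message (hence the redundancy remark)."""
    rng = random.Random(seed)
    reg, sink = SharedTwoBits(), []
    nbits = 8 * len(payload)
    parties = [sender(reg, payload), receiver(reg, nbits, sink)]
    for _ in range(64 * nbits + 64):  # step cap: a desynced pair must not spin forever
        if not parties:
            break
        gen = rng.choice(parties)
        try:
            next(gen)
        except StopIteration:
            parties.remove(gen)
        if bystander and rng.random() < 0.2:
            reg.write(rng.randrange(4))
    # pack whole bytes, MSB first; a trailing partial byte is dropped
    return bytes(int("".join(map(str, sink[i:i + 8])), 2)
                 for i in range(0, len(sink) - 7, 8))
```

Under a clean interleaving the receiver reproduces the payload exactly for any scheduling order; with the bystander enabled the result differs from the payload for most seeds, which is the behaviour redundancy coding has to compensate for.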

The original purpose of this register is unknown, which effectively makes it an architectural bug.

Who is affected?

Bugs of this magnitude are very dangerous because they act at the architectural level and can potentially reach the CPU's user registers, one of the most delicate parts of a computer, since they hold the most sensitive user data at the point of human-machine interaction.

However, in this case we are talking about Apple's proprietary chips, and Apple is a company that has always paid close attention to the safety of its users. Hector Martin himself reassures users, stating that reaching such low architectural levels requires considerable technical skill and that, although an update to the circuitry would be needed to fix the problem outright, users can rest assured that Apple will surely find a way to address it.

Users currently at risk are those who use the following operating systems:

  • macOS 11.0 and later
  • Linux 5.13 and later
  • OpenBSD
  • AmigaOS
  • Newton

iOS is not on the list, since every app on the App Store is scanned by Apple during the pre-publication review, and developers are denied the possibility of implementing in their apps the ability to generate code from the app itself, whether during execution, in the background, or after the session has ended.

Curated by Giulio Montanaro.

The article "M1racles, the first architectural bug of the new Apple M1 chips" comes from Tech CuE | Close-up Engineering.