June 6, 2023

A vulnerability in the new Apple M1 chips, tracked as CVE-2021-30747, that was named M1RACLES. Can be fixed only if circuit is redesigned but the severity is pretty low

The M1RACLES vulnerability allows two apps running on the same device to exchange data through a covert channel at the CPU’s level, without using memory, sockets, files, or any other normal operating system features

The flaw stems from the fact that the Arm system register encoded as s3_5_c15_c10_1 contains two bits that can be read and written at EL0 (Exception Level 0, application level privilege) from all cores simultaneously.

The ARM system register encoded as
s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0&1).This is a per cluster register that can be accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process.

A malicious pair of cooperating processes may build a robust channel out of this two-bit state, by using a clock-and-data protocol. This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead.

The expert doesn’t understand the purpose of this register, but he believes that it hasn’t been made accessible to EL0 intentionally.

The expert explained that fears possible exploitation of the bug by shady advertising companies, which could abuse an app they already had installed on a device for cross-app tracking.

Leave a Reply

%d bloggers like this: