M1RACLES: Apple M1 Exposed To Covert Channel Vulnerability

Apple's shiny new in-house M1 Arm chip is the latest processor challenged by a security vulnerability. The "M1RACLES" vulnerability was made public today as a covert channel vulnerability by where a mysterious register could leak EL0 state.

The M1RACLES vulnerability is assigned as CVE-2021-30747. This vulnerability is summed up as, "A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange...The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process."

As with most CPU vulnerabilities these days, there is a demo video and shiny website at m1racles.com outlining this find plus proof-of-concept demo code.

As this deals with a CPU register, the vulnerability is there regardless of using Apple macOS or the new M1 support in the Linux kernel or other operating systems.

For the moment the only workaround/mitigation is running your software within a virtual machine where hypervisors currently disable access by the VM to the s3_5_c15_c10_1 register.

This vulnerability was discovered by the Asahi Linux crew as part of the bring-up of Linux on the Apple Silicon hardware.