A developer has found that Apple's new M1 CPU has a flaw that creates a covert channel which two or more malicious apps, already installed, can use to transmit information to each other.
The covert communication can occur without using the computer's memory, sockets, files, or any other feature of the operating system, developer Hector Martin said. The channel can bridge processes running as different users and under different privilege levels. These properties allow the apps to exchange data in a way that cannot be detected, or at least not without specialized equipment.
Martin said the bug is essentially harmless because it can't be used to infect a Mac, and it can't be used by exploits or malware to steal or tamper with data stored on the device. Instead, the flaw can only be abused by two or more malicious apps that are already installed on the Mac by means unrelated to the M1 flaw.
However, the bug, which Martin calls M1racles, meets the technical definition of vulnerability. As such, it came with its own vulnerability label: CVE-2021-30747.
"It violates the security model of the operating system," Martin explained in a post published Wednesday. "You're not supposed to be able to secretly send data from one process to another. And even if it's harmless in this case, you're not supposed to be able to write to random CPU system registers from user space either."
Other researchers with experience in CPU and silicon-based security agreed with this assessment.
"The discovered bug cannot be used to infer information about any application on the system," said Michael Schwarz, one of the researchers who helped discover the more serious Meltdown and Spectre vulnerabilities in Intel, AMD, and ARM CPUs. "It can only be used as a communication channel between two colluding (malicious) applications."
He went on to explain:
The vulnerability is similar to an anonymous "mailbox": it allows the two applications to send messages to each other. This is more or less invisible to other apps, and there is no efficient way to prevent it. However, since no other app uses this "mailbox", there is no data or metadata of other apps to leak. So there is a limitation, that it can only be used as a communication channel between two apps running on macOS. However, there are already so many ways to communicate between applications (sockets, pipes, files, …) that this additional channel has no negative security impact. Still, it is a bug that can be abused as an unintended communication channel, so I think it is fair to call it a vulnerability.
Martin said the covert channel could have more significance on iPhones, because it could be used to bypass the sandboxing built into iOS apps. Under normal circumstances, a malicious keyboard app has no way to leak keystrokes because such apps cannot access the Internet. The covert channel could circumvent this protection by passing the keystrokes to another malicious app, which in turn would send them over the Internet.
Even then, the chances that two such apps would pass Apple's review process and then be installed on the target's device are far-fetched.
The flaw stems from a per-cluster system register in ARM CPUs that is accessible from EL0, the exception level reserved for user applications, which therefore has limited system privileges. The register contains two bits that can be read and written. This creates the covert channel, since the register can be accessed simultaneously by all cores in the cluster.
A malicious pair of cooperating processes could build a robust channel out of this two-bit state by using a clock-and-data protocol (e.g. one side writes 1x to send a data bit x, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bounded only by CPU overhead. CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster. A PoC demonstrating this approach to achieve robust, high-speed data transfer is available here. Without much optimization, this approach can achieve transfer rates in excess of 1 MB/s (less with data redundancy).
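To make the clock-and-data handshake above concrete, here is an added simulation (not Martin's PoC, and not touching any hardware register): the two-bit register is replaced by a constructed in-memory stand-in shared between two threads, and the sender and receiver follow the 1x / 00 protocol described above, which also shows why throughput is bounded by the polling and handshake overhead rather than by any bandwidth limit.

```python
import threading
import time


class TwoBitState:
    """Constructed stand-in for a shared two-bit register (not real hardware)."""

    def __init__(self):
        self._v = 0b00
        self._lock = threading.Lock()

    def read(self):
        with self._lock:
            return self._v

    def write(self, v):
        with self._lock:
            self._v = v & 0b11


def bit_stream(data: bytes):
    """Yield the bits of data, most significant bit first."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def sender(reg: TwoBitState, data: bytes):
    # Sender writes 1x: clock bit set, data bit x. It only does so after the
    # receiver has written 00 to request the next bit (the handshake).
    for b in bit_stream(data):
        while reg.read() != 0b00:
            time.sleep(0)  # yield; real PoC would busy-poll the register
        reg.write(0b10 | b)
    while reg.read() != 0b00:  # wait for the ack of the final bit
        time.sleep(0)


def receiver(reg: TwoBitState, nbytes: int) -> bytes:
    out, cur, count = bytearray(), 0, 0
    reg.write(0b00)  # request the first bit
    while len(out) < nbytes:
        v = reg.read()
        if v & 0b10:  # clock high: a fresh data bit is present
            cur, count = (cur << 1) | (v & 1), count + 1
            if count == 8:
                out.append(cur)
                cur = count = 0
            reg.write(0b00)  # ack and request the next bit
        else:
            time.sleep(0)
    return bytes(out)


def transfer(data: bytes) -> bytes:
    """Run one simulated transfer and return what the receiver decoded."""
    reg = TwoBitState()
    t = threading.Thread(target=sender, args=(reg, data))
    t.start()
    received = receiver(reg, len(data))
    t.join()
    return received
```

Because the sender cannot proceed until the receiver acknowledges each bit, every byte costs sixteen register writes plus polling; this is the CPU overhead the writeup refers to.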