Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Apple

Asahi Linux Dev Reveals 'M1RACLES' Flaw In Apple M1 (tomshardware.com) 47

AmiMoJo shares a report from Tom's Hardware: Asahi Linux developer Hector Martin has revealed a covert channel vulnerability in the Apple M1 chip that he dubbed M1RACLES, and in the process, he's gently criticized the way security flaws have started to be shared with the public. Martin's executive summary for M1RACLES sounds dire: "A flaw in the design of the Apple Silicon 'M1' chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange. [...] The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision."

He also noted that this was the result of an intentional decision on Apple's part. "Basically, Apple decided to break the ARM spec by removing a mandatory feature, because they figured they'd never need to use that feature for macOS," he explained. "And then it turned out that removing that feature made it much harder for existing OSes to mitigate this vulnerability." The company would have to make a change on the silicon level with its followup to the M1 to mitigate this flaw. But he also made it clear in the FAQ that Mac owners shouldn't be particularly worried about M1RACLES because that covert channel affects two bits. It can be expanded, and Martin said that transfer rates over 1 MB/s are possible "without much optimization," but any malicious apps that might take advantage of such methods would be far more likely to share information via other channels. Calling this a two-bit vulnerability would be both technically and linguistically correct. It's a real security flaw, sure, but it's unlikely to pose a real threat to Apple's customers.

This discussion has been archived. No new comments can be posted.

Asahi Linux Dev Reveals 'M1RACLES' Flaw In Apple M1

Comments Filter:
  • by ceoyoyo ( 59147 ) on Wednesday May 26, 2021 @06:00PM (#61425790)

    Martin's executive summary for M1RACLES sounds dire

    No it doesn't. Why would anybody ever want to exploit this? It sounds like a minor issue identified by a security researcher who thinks it's a minor issue, and written up to whip Apple haters on Slashdot into a froth.

    • by Ostracus ( 1354233 ) on Wednesday May 26, 2021 @06:16PM (#61425810) Journal

      Maybe we should retitle this as M1RACLEWHIP if that is it's purpose.

    • It's sounds like a "it rather involved being on the other side of this airtight hatchway [microsoft.com]" type of "exploit".
    • It does matter, and it's not a critical flaw - yet.

      First, we should clarify what an information leak *is*, what kind of flaw we're concerned about. What we're looking for is if a malicious process can read data from a target process illegitimately. What does illegitimately mean? In infosec, it means "without the blessing of the reference monitor (kernel) - without permission. We're concerned about a process getting access to data that it doesn't have permission to access.

      To catch information leaks, ways tha

      • by ceoyoyo ( 59147 )

        Neither the summary nor the linked page describes anything of the kind. From the discoverer's own fingers:

        "A malicious pair of cooperating processes may build a robust channel out of this two-bit state"

        Oooh, scary. You know how you can get two malicious processes to exchange data without the OS snooping on them? Make them one malicious process. Easier to get it on your computer too.

        • You're right, the summary doesn't explain infosec to you.

          There are things that exist without being in this summary. :)

      • by tlhIngan ( 30335 ) <slashdot&worf,net> on Thursday May 27, 2021 @03:44AM (#61426894)

        It really doesn't matter.

        It's two bits in a register that Apple implemented poorly and macOS doesn't use properly that could fix it.

        Here's the important bit: it's useless against a non-cooperative process. You see, to do the actual communications, it requires two processes to actually write and read that register. A normal process won't do that - it's a special instruction to access a special register not needed by applications.

        So it's a register that can be read from and written to as a user mode process. But to use it, requires the processes in question to know about the register and to use it. If your application doesn't ever touch that register (why should it) then nothing happens. You can write an application that uses it as a data channel between instances of itself, but there's a chance another process can do the same and corrupt your data. And if you're really doing this, there are better methods to do IPC anyways.

        After all, if you're going to go through the trouble of using this method, you're going to have to have to inject code into your target process, and really at that point, there are easier ways to exfiltrate the information than use this covert channel.

        It's like saying if you want to leave a message for someone, to use the rock in my garden where you can hide a note and I wouldn't notice. It grants no access to my house - if you wanted to read an email on my computer, unless I have a good reason to use that rock, I probably wouldn't print out my email and hide it under the rock. If you wanted to read the email, you'd have to break into my house, read the email, and then communicate its contents. Sure, you could write it down and use the rock to hide the data, or you could just leave and tell whoever you need to the contents of the email directly rather than bother hiding it with the rock.

        If you want to leak the browser secret key, once you get it, you probably can use a socket or other mechanism of IPC to communicate it.

        It's basically a flaw that's present, but of no real significant value The author is basically using it to show you he can hype up a frenzy for what is effectively a nothingburger. Unlike Spectre and Meltdown attacks, which let you determine things with uncooperative processes, this flaw requires cooperation, and if you're trying to coerce it from an uncooperative process, once you've done it, there are better ways of exfiltration at that point.

        • > your application doesn't ever touch that register (why should it) then nothing happens.

          It's an undocumented register - you have no idea how the MacOS certificate handling, or Safari, or anything else, uses this register.

          > It's useless against a non-cooperative process.

          You've asserted that with no evidence whatsoever.
          What we *know* is that it allows a malicious process to read data from any process that uses that register, without permission from the OS. You assume, without evidence, that the registe

    • Martin's executive summary for M1RACLES sounds dire

      No it doesn't. Why would anybody ever want to exploit this? It sounds like a minor issue identified by a security researcher who thinks it's a minor issue, and written up to whip Apple haters on Slashdot into a froth.

      Extracting information from victim OSs in cloud VMs.
      The M1 isn't running many cloud VMs these days, so no, it's not a big deal today.

      • by tlhIngan ( 30335 )

        Extracting information from victim OSs in cloud VMs.
        The M1 isn't running many cloud VMs these days, so no, it's not a big deal today.

        Except the vulnerability isn't present in VM mode. A hypervisor is sufficient to negate the problem.

        It's a rather obscure M1 implementation issue with a register that has to be properly virtualized, so the issue is only present in macOS because it has nothing in EL1 (hypervisor). Linux is actually safe because it has code that runs in EL1 (kvm) and EL2 (kernel mode).

    • "it's unlikely to pose a real threat to Apple's customers" = "here's only a small percentage of affected users"
      Yeah, that is Apple spin right there. It's a lie.

    • by AmiMoJo ( 196126 )

      For example it can break process isolation in browsers. Isolation is one of the major security tools used to protect browsers.

      VMs are another common example. As ARM chips get more common in servers this kind of thing becomes more important.

    • If you actually bothered to read about the vulnerability you'd realise this has nothing to do with Apple haters, and rather its poking fun at the entire infosec community.

      The posting was clever, the naming was clever, the release of the webpage for the exploit was clever. Never before has an exploit been so effective at weeding out who does and who doesn't bother to read up about it.

      Congratulations on falling for the trap and showing to the world that you post about things you didn't even bother to read abo

  • Go read the page (Score:4, Interesting)

    by Dixie_Flatline ( 5077 ) <vincent.jan.goh@NoSPam.gmail.com> on Wednesday May 26, 2021 @07:43PM (#61426070) Homepage

    Apparently not only is this guy a talented hacker, he's pretty funny too.

    So what's the real danger?

    If you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way.

    Chances are it could communicate in plenty of expected ways anyway.
    That doesn't sound too bad.

    Honestly, I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals. Apple could catch them if they tried, though, for App Store apps (see below).

    Wait. Oh no. Some game developer somewhere is going to try to use this as a synchronization primitive, aren't they. Please don't. The world has enough cursed code already. Don't do it. Stop it. Noo-oooo-ooo-ooo

    (The 'noo' at the end is munged by me because pasting it in from his site flips Slashdot's absurd ascii-art trigger.)

    • Some game developer somewhere is going to try to use this as a synchronization primitive

      I like the sound of this hot illicit synchronization primitive, tell me more!

  • Wait, what? (Score:5, Insightful)

    by backslashdot ( 95548 ) on Wednesday May 26, 2021 @08:24PM (#61426182)

    I mean, literally, wait .. what? On any multitasking computer, you can communicate between processes by timing how long your threads wait to do computation. How do you protect against this? And it doesn't even make much sense. You just have to make one process eat up CPU in a specific pattern (for example, factorize some big ass numbers) and then the second process just has to time how long its own computation takes. If it takes 1 second to compute 2+2, maybe the first process was operating. You can set that as bit 1. If it takes half a second, you can consider than a 0 .. and so on. Of course it is not super reliable, so you have to build in some error checking code and baselining. The bit rate of transfer will be slow, but it's good enough.

    • This sounds like one of those often reported things where if you run a process as system, and another as user, then you can get the user process to manipulate the system process so long as the system process lets itself be manipulated. Sort of, if you have system level access then you can do things at system level. People who report these things make a big song and dance about it when they aren't taken seriously.
    • How do you protect against this?

      You don't. Read up on the vulnerability. The entire purpose of this vulnerability is to demonstrate who falls for panic outrage and who actually bothers to read the notification.

      You were trolled and you fell for it.

    • Mod up. Later an idea how flaws like these can be used to track browser activity and secret 'referrals' used for advertising revenue. Not bad - But IBM knew this in 1970 (Ref The first version, released in 1972, was VM/370, or officially Virtual Machine Facility/370), and a whole 50 years later Apple makes baby mistakes - if you change a reference design, you better know why. As I understand it, it is reading a control register. Also very important is reading interrupts and or making semaphores, and IBM ha
  • "Actually, that one's worth repeating: Covert channels are completely useless unless your system is already compromised." ...until the next webkit bug?
  • There's zero information about this. There's no information whether a process can gather information from another process without that processes knowledge, or whether they need to cooperate.

    And MacOS devices are mostly single user systems. So if a user downloads malware, nobody but the user is affected. Very different from say a server that could run VMs for 20 different users, if malware _intentionally installed by one user_ could spy on 19 others.
    • by tlhIngan ( 30335 )

      There's zero information about this. There's no information whether a process can gather information from another process without that processes knowledge, or whether they need to cooperate.

      There's plenty of information on it. It requires cooperative processes - the register isn't used by normal applications, but it provides two bits that can be tweaked by a user process.

      If a couple of processes wanted to talk "quietly" they could signal each other using those bits. No normal process will touch the bits as

    • by uncqual ( 836337 )

      Of course there's no information in the summary - it's a test to see if you will RTFA [m1racles.com] (although, that may result in a lifetime ban from /. as anyone who RTFA before commenting is not following the social norms and is subject to being cancelled).

      From what I can tell (yes, I RTFA, but hopefully I won't be banned), it allows two processes to "conspire" to communicate with each other covertly through two bits in a register shared by all processes even though they may be denied access to communicate through "tra

The sooner all the animals are extinct, the sooner we'll find their money. - Ed Bluestone

Working...