Apple’s M1 Chip has a fascinating flaw
Apple’s new M1 CPU has a bug that creates a covert channel which two or more malicious applications, already installed, can use to exchange information with each other, a developer has found.
The covert communication happens without using computer memory, sockets, files, or any other operating-system feature, developer Hector Martin said. The channel can bridge processes running as different users and under different privilege levels. These properties let applications exchange data in a way that cannot be detected, or at least not without specialized equipment.
Martin said the flaw is mostly harmless because it cannot be used to infect a Mac, and it cannot be used by exploits or malware to steal or manipulate data stored on a machine. Instead, the bug can only be used by two or more malicious applications that have already been installed on a Mac through means unrelated to the M1 bug.
Still, the flaw, which Martin calls M1RACLES, meets the technical definition of a vulnerability, and it has therefore received its own vulnerability designation: CVE-2021-30747.
“It violates the OS security model,” Martin explained in a post published on Wednesday. “You wouldn’t be able to secretly send data from one process to another. And even if it’s harmless in this case, it won’t be able to write from random user space to random CPU system logs.”
Other researchers who specialize in CPU and other silicon-based security agreed with this assessment.
“The bug found cannot be used to infer information about any application in the system,” said Michael Schwarz, one of the researchers who helped discover the serious Meltdown and Spectre vulnerabilities in Intel, AMD and ARM CPUs. “It can only be used as a communication channel between two (malicious) applications that work together.”
He went on:
The vulnerability is similar to an anonymous “mailbox” that allows two applications to send messages to each other. This is roughly invisible to other applications, and there is no effective way to prevent it. However, since this “mailbox” does not involve any other application, no data or metadata from other applications is leaked. So the limitation is that it can only be used as a communication channel between two applications running on macOS. There are already many ways for applications to communicate (files, pipes, sockets, …), so another channel does not negatively affect security. However, it is a bug that can be abused as an unwanted communication channel, so I think it is reasonable to call it a vulnerability.
Martin said the covert channel could have a greater impact on iPhones because it could be used to bypass the sandboxing built into iOS apps. Under normal circumstances, a malicious keyboard app has no way to leak the keys a user presses, because such apps are not given access to the Internet. The covert channel could bypass that protection by passing the keystrokes to another malicious app, which would then send them over the Internet.
Even then, both apps would still have to pass Apple’s review process and then be installed on a target device.
The flaw stems from a per-cluster system register in the ARM CPU that is accessible from EL0, the execution mode reserved for user applications, which therefore has limited system privileges. The register contains two bits that can be read and written. Because all cores in the cluster can access the register at the same time, this creates a covert channel.
Martin wrote:
A malicious pair of cooperating processes can build a robust channel out of this two-bit state by using a clock and data protocol (e.g., one side writes 1x to send data, the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, bound only by CPU overhead. CPU core affinity APIs can be used to ensure that both processes are scheduled on the same CPU core cluster. A PoC demonstrating this approach for high-speed, robust data transfer is available here. This approach, without much optimization, can achieve transfer rates of over 1 MB/s (less with data redundancy).
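To make the clock/data handshake described above concrete, here is an added simulation; it is not Martin’s PoC and not code from the original article. The two-bit register is modelled as an in-memory variable shared by two threads, so nothing here touches a hardware register. The 16-bit length prefix is an assumption added for framing. What it shows is why two shared bits are enough to carry arbitrary data and where the cost goes: each bit costs exactly one write by the sender (`1x`) and one by the receiver (`00`), which is why the channel is bounded only by CPU overhead and why there is nothing for the OS to see.

```python
import threading
import time


class TwoBitRegister:
    """Constructed stand-in for the two writable bits of the per-cluster
    register: any thread can read or overwrite the current 2-bit value.
    The write counter exists only so the protocol cost can be measured."""

    def __init__(self):
        self._value = 0b00
        self._lock = threading.Lock()
        self.writes = 0

    def read(self):
        with self._lock:
            return self._value

    def write(self, value):
        with self._lock:
            self._value = value & 0b11
            self.writes += 1


def _wait_until(reg, predicate):
    """Spin until the register satisfies predicate, yielding the GIL each poll."""
    while True:
        v = reg.read()
        if predicate(v):
            return v
        time.sleep(0)


def send_bits(reg, bits):
    """Sender side: wait for 00 (receiver is ready), then write 1x where
    bit1 is the clock/valid flag and bit0 is the data bit."""
    for b in bits:
        _wait_until(reg, lambda v: v == 0b00)
        reg.write(0b10 | b)


def recv_bits(reg, n):
    """Receiver side: wait for 1x, take the data bit, then write 00 to
    request the next bit. Returns the list of received bits."""
    out = []
    for _ in range(n):
        v = _wait_until(reg, lambda v: v & 0b10)
        out.append(v & 0b01)
        reg.write(0b00)
    return out


def bytes_to_bits(data):
    # MSB-first bit serialisation
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def transfer(message):
    """Run sender and receiver as two threads sharing one register.
    A 16-bit big-endian length prefix (constructed framing, not from the PoC)
    tells the receiver how many payload bits follow.
    Returns (bytes the receiver reassembled, total register writes)."""
    reg = TwoBitRegister()
    frame = bytes_to_bits(len(message).to_bytes(2, "big")) + bytes_to_bits(message)
    result = {}

    def receiver():
        n = int.from_bytes(bits_to_bytes(recv_bits(reg, 16)), "big")
        result["data"] = bits_to_bytes(recv_bits(reg, n * 8))

    t = threading.Thread(target=receiver)
    t.start()
    send_bits(reg, frame)
    t.join()
    return result["data"], reg.writes


if __name__ == "__main__":
    data, writes = transfer(b"hello")
    print(data, writes)  # b'hello' 112: 56 bits, two register writes per bit
```

The handshake cannot lose or duplicate a bit: the sender only writes after seeing `00`, which only the receiver produces after consuming the previous bit, and the receiver only consumes after seeing the valid flag, which only the sender sets. That is also why no OS mechanism is involved at any point; the two sides never share memory, a file, or a socket, only the register state.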