A developer has discovered that Apple’s new M1 CPU has a flaw that creates a covert channel through which two or more malicious applications installed on the same machine can transfer information to each other.
The covert communication works without using computer memory, sockets, files or any other operating system feature, Hector Martin said. The channel can bridge processes running under different user identities and at different privilege levels. Together, these properties let applications exchange data in a way that cannot be detected, or at least not without dedicated equipment.
Martin said the defect is mostly harmless because it cannot be used to infect a Mac, and attacks or malware cannot use it to steal or tamper with data stored on the computer. Rather, the flaw can only be abused by two or more malicious applications that were already installed on the Mac by means unrelated to the M1 flaw.
However, the bug (Martin calls it M1racles) meets the technical definition of a vulnerability, and therefore carries its own identifier: CVE-2021-30747.
“This violates the security model of the operating system,” Martin explained in a post published on Wednesday. “You should not be able to secretly send data from one process to another. Even if it is harmless in this case, you should also not be able to write to random CPU system registers from user space.”
Other researchers with expertise in CPU and other silicon-based security also agree with this assessment.
Michael Schwarz, one of the researchers who helped uncover the far more serious Meltdown and Spectre vulnerabilities in Intel, AMD and ARM CPUs, said: “The flaw that was found cannot be used to infer information about any application on the system. It can only be used as a communication channel between two colluding (malicious) applications.”
He went on to elaborate:
The vulnerability is similar to an anonymous “post office box,” which allows two applications to send messages to each other. This is almost invisible to other applications, and there is no effective way to prevent it. However, since no other application is using this “post box,” the data or metadata of other applications will not be leaked. So there are limitations: it can only be used as a communication channel between two applications running on macOS. However, there are already so many ways for applications to communicate (files, pipes, sockets, etc.) that adding another channel will not have a negative impact on security. Still, it is a bug that can be misused as an unexpected communication channel, so I think it is fair to call it a vulnerability.
Martin said that the covert channel may matter more on the iPhone, where it could be used to bypass the sandboxing built into iOS apps. Under normal circumstances, a malicious keyboard app cannot leak keystrokes because such apps are denied Internet access. The covert channel could bypass that protection by passing the keystrokes to another malicious app, which in turn sends them over the Internet.
Even so, the chance of two such apps passing Apple’s review process and then both being installed on a target device remains remote.
The defect originates in a per-cluster system register in the ARM CPU that is accessible from EL0, the exception level reserved for user applications, which has limited system privileges. The register contains two bits that can be read and written. This creates a covert channel because all cores in the cluster can access the register at the same time.
A pair of cooperating malicious processes can build a robust channel on top of this two-bit state using a clock-and-data protocol (for example, one side writes 1x to send a data bit, and the other side writes 00 to request the next bit). This allows the processes to exchange an arbitrary amount of data, limited only by CPU overhead. The CPU core affinity API can be used to ensure that both processes are scheduled on the same CPU core cluster. A proof-of-concept demonstrating high-speed, robust data transfer with this method is available. Without much optimization it achieves a transfer rate of more than 1 MB/s (less with data redundancy).
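To show why two writable bits are enough for an unbounded transfer, here is an added simulation of the clock-and-data handshake described above. It is not Martin’s PoC and touches no hardware: the shared two-bit register is a plain Python object (an assumption of the simulation), and the two “processes” are generators scheduled round-robin, which is where a real defence, such as removing user-space access to the register, would have to intervene.

```python
"""Simulation of the two-bit clock/data covert-channel protocol.
The SharedRegister stands in for the per-cluster system register
(a constructed stand-in; nothing here reads real CPU registers)."""
from typing import Generator, List

DATA_VALID = 0b10  # high bit: "a bit is waiting" (set by sender, cleared by receiver)
DATA_MASK = 0b01   # low bit: the payload bit itself


class SharedRegister:
    """Only two bits are implemented, matching the register described above."""

    def __init__(self) -> None:
        self.value = 0b00

    def read(self) -> int:
        return self.value

    def write(self, v: int) -> None:
        self.value = v & 0b11  # extra bits are simply not stored


def sender(reg: SharedRegister, payload: bytes) -> Generator[None, None, None]:
    """Send payload MSB-first: write '1x' per bit, then spin until '00' (ack)."""
    for byte in payload:
        for i in range(7, -1, -1):
            reg.write(DATA_VALID | ((byte >> i) & 1))
            while reg.read() != 0b00:  # receiver has not yet requested the next bit
                yield


def receiver(reg: SharedRegister, nbits: int, out: List[int]) -> Generator[None, None, None]:
    """Take the data bit whenever the valid bit is set, then write '00' to ask for more."""
    while len(out) < nbits:
        v = reg.read()
        if v & DATA_VALID:
            out.append(v & DATA_MASK)
            reg.write(0b00)
        else:
            yield  # nothing pending; let the other side run


def transfer(payload: bytes) -> bytes:
    """Run both sides as two cooperating tasks and rebuild the received bytes."""
    reg = SharedRegister()
    bits: List[int] = []
    tasks = [sender(reg, payload), receiver(reg, len(payload) * 8, bits)]
    while tasks:  # round-robin scheduler standing in for two cores of one cluster
        for t in list(tasks):
            try:
                next(t)
            except StopIteration:
                tasks.remove(t)
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
```

Every payload byte costs eight full handshakes, which is why the real channel’s throughput is bounded by CPU overhead rather than by any bandwidth limit of the register itself.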