Apple M1 has an M1RACLES vulnerability that cannot be fixed by software

A vulnerability was found in the brand new SoC Apple M1. It was discovered by Asahi Linux developer Hector Martin while working on his project to port Linux to a PC with an M1.

The author named the vulnerability M1RACLES (M1ssing Register Access Controls Leak EL0 State). The essence of the vulnerability is that the system register ARM with the code s3_5_c15_c10_1 is accessible from the EL0 mode and contains two implemented bits that can be read or written (bits 0 and 1). It is a register for each cluster that can be accessed by all cluster cores at the same time. This makes it a two-bit covert channel that any arbitrary process can use to communicate with another process.

A pair of interacting processes can build a stable channel from this two-bit state using the synchronization protocol. This allows processes to exchange arbitrary amounts of data, limited only by the CPU overhead.

Simply put, two applications can secretly exchange data directly, bypassing memory, files, and any other normal OS functions. However, by default this channel is only 2 bits wide. And while it can be expanded to 1MB / s, overall, the author says that Mac users on the M1 should not worry.

Matin notes that any applications that could take advantage of these data transfer methods are much more likely to use other channels. Moreover, Martin directly says that he simply decided to troll the media, which inflate this or that data about new vulnerabilities in processors. The vulnerability, of course, does exist, but it does not pose a threat, so it might not have been reported.

Another fact is more interesting. The developer suspects that this vulnerability is a consequence of Apple’s deliberate actions to change the Arm specifications. The Cupertino giant simply removed one feature, probably because it thought it would never come in handy on macOS.

It is impossible to fix the vulnerability programmatically.