[CPU] Vulnerability found in Apple M1 → The discoverer used the flaw to transfer the "Bad Apple!!" video across privilege boundaries
M1RACLES: Apple M1 Exposed To Covert Channel Vulnerability
Written by Michael Larabel in Linux Security on 26 May 2021 at 05:40 AM EDT.
LINUX SECURITY -- Apple's shiny new in-house M1 Arm chip is the latest processor challenged by a security vulnerability. The "M1RACLES" vulnerability was made public today as a covert channel vulnerability whereby a mysterious register could leak EL0 state between processes.
The M1RACLES vulnerability is assigned as CVE-2021-30747. This vulnerability is summed up as, "A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange...The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process."
As with most CPU vulnerabilities these days, there is a demo video and shiny website at m1racles.com outlining this find plus proof-of-concept demo code.