Researchers at the Artificial Intelligence Laboratory (CSAIL) of the Massachusetts Institute of Technology (MIT) have discovered an attack they call PACMAN, which exploits a hardware vulnerability in Apple’s M1 series chips. According to the Tom’s Hardware portal, the attack could in theory give an attacker full access to the operating system kernel.
Using the discovered method, attackers can gain full control over the system through a combination of software and hardware techniques, leaving no traces. Unlike the flaws previously found in the M1 chip’s software, this one relies on a hardware mechanism.
Because the flaw is in the hardware, no software patch will be able to close it completely. The problem may also affect other ARM processors, including the new M2 chip, which MIT has not yet tested.
CSAIL specialists notified Apple about the discovered vulnerability. More detailed information will be available at the International Symposium on Computer Architecture on June 18.
Researcher Hector Martin described a covert-channel vulnerability he found in the architecture of the Apple M1 chip that cannot be fixed. He named it M1RACLES (CVE-2021-30747). The hardware bug lets two applications belonging to different users on the same system exchange data covertly, fast enough to carry a video stream. The channel lives inside the computing cores of the M1 chip itself. The covert channel does not work with virtual machines.
M1RACLES is short for M1ssing Register Access Controls Leak EL0 State: a register with missing access controls leaks state at EL0, the user-mode privilege level.
The ARM system register s3_5_c15_c10_1 is accessible from EL0 and contains two bits (bits 0 and 1) that can be both read and written. There is one instance of the register per core cluster, shared by all cores in that cluster, which turns it into a two-bit covert channel that any process can use to exchange data with a cooperating process. Martin published a demo application on GitHub that accesses this register.
A pair of cooperating processes can build a reliable channel on top of this two-bit state with a simple synchronization protocol (for example, one side writes 1x to send a data bit, the other side writes 00 to request the next bit). This lets two processes (applications) exchange an arbitrary amount of data, limited only by CPU overhead. Martin reached a transfer rate of more than 1 MB/s without much optimization.
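The handshake above is easiest to see in code. The following is an added example written for this page, not Martin's demo and not code from the article: it emulates the shared two-bit register with a lock-protected Python integer (an assumption of the simulation; it does not touch the real s3_5_c15_c10_1 register) and runs the sender and receiver as two threads that talk only through that state. Bit 1 serves as the "data ready" flag and bit 0 carries the payload bit, so the sender writes 1x and the receiver answers 00 exactly as described. The receiver is assumed to know the message length in advance; a real protocol would need framing on top of this.

```python
import threading
import time


class SharedTwoBitRegister:
    """Software stand-in for the two-bit per-cluster register.

    Constructed for this example: a lock-protected integer plays the role
    of the shared hardware state. Bit 1 is the 'data ready' flag and bit 0
    carries the payload bit, matching the '1x' / '00' protocol.
    """

    def __init__(self) -> None:
        self._value = 0b00
        self._lock = threading.Lock()
        self.writes = 0  # counts register writes, to show the per-bit cost

    def read(self) -> int:
        with self._lock:
            return self._value

    def write(self, value: int) -> None:
        with self._lock:
            self._value = value & 0b11  # only two bits exist
            self.writes += 1


def _bits(data: bytes):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def send(reg: SharedTwoBitRegister, data: bytes) -> None:
    """Sender side: for each bit, wait for '00', then write '1x'."""
    for bit in _bits(data):
        # Wait until the receiver has cleared the flag (wrote 00),
        # i.e. it is asking for the next bit.
        while reg.read() & 0b10:
            time.sleep(0)  # yield so the receiver thread can run
        reg.write(0b10 | bit)  # flag set, payload in bit 0


def receive(reg: SharedTwoBitRegister, nbytes: int) -> bytes:
    """Receiver side: wait for the flag, take the bit, then write '00'.

    The message length is agreed in advance (assumption of this example).
    """
    out = bytearray()
    current = 0
    for i in range(nbytes * 8):
        while True:
            value = reg.read()
            if value & 0b10:  # flag set: a fresh bit is present
                break
            time.sleep(0)
        current = (current << 1) | (value & 1)
        reg.write(0b00)  # acknowledge and request the next bit
        if (i + 1) % 8 == 0:
            out.append(current)
            current = 0
    return bytes(out)


def transfer(message: bytes) -> tuple[bytes, int]:
    """Run sender and receiver as two threads over one shared register.

    Returns the bytes the receiver reconstructed and the total number of
    register writes the exchange needed (one per side per bit).
    """
    reg = SharedTwoBitRegister()
    received: dict[str, bytes] = {}

    def rx() -> None:
        received["data"] = receive(reg, len(message))

    rx_thread = threading.Thread(target=rx)
    rx_thread.start()
    send(reg, message)
    rx_thread.join()
    return received["data"], reg.writes


if __name__ == "__main__":
    data, writes = transfer(b"covert")
    print(data, writes)  # b'covert' 96
```

The write counter makes the cost visible: every payload bit needs one write from each side, so throughput is bounded by how fast the two threads (or, on real hardware, the two processes) can alternate on the shared state, which is the "CPU overhead" limit the article mentions. The strict alternation also means neither side ever overwrites a bit the other has not yet consumed, which is what makes the channel reliable without any other shared resource.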
Martin noted that the original purpose of this register is unknown. He suggests that it was not meant to be accessible from EL0, which makes the incident a hardware bug that Apple cannot fix with software updates. The company is aware of the M1 vulnerability. It believes attackers will not be able to exploit it, since data transfer works only within a single machine and only when a sending side deliberately initiates it, and transmission to the outside world is impossible without the user’s permission.
Notably, M1RACLES allows a covert channel for data exchange, imperceptible during normal operation of the system, between two processes running as different users and at different privilege levels. In effect, any two applications running under macOS or Linux can exchange data over a high-speed channel without using memory, sockets, files or other “normal” OS facilities.
Martin believes that in the worst case this vulnerability could be used, for example, by advertising companies to track user activity across their applications.