Asahi Linux hacker finds bug in M1 CPU

During reverse engineering for the Linux port, a developer noticed a bug in the M1 CPU. However, it can hardly be exploited in practice. Hector Martin, the initiator of the Asahi Linux project, found a hardware flaw (CVE-2021-30747) in the processor in the course of his work on porting Linux to Apple’s M1 CPU; it can only be fixed by changing the design of the CPU itself. Martin calls the flaw M1racles, evidently poking fun at the trend of using clever branding to win publicity for less relevant security holes.

Of course, that doesn’t change anything about the bug itself. Martin summarizes:

“An error in the design of the Apple Silicon M1 chip makes it possible for any two applications that run under one operating system to exchange data with one another in a covert way, without using memory, sockets, files or other normal operating system functions. This works between processes running as different users and with different authorization levels, creating a covert channel for covert data exchange”.

Martin describes in detail that during reverse engineering of the CPU he found a register that can be read and written with one bit, i.e. 0 or 1. The register is also accessible from all computing cores in the same cluster. If two applications are running in the same cluster, they can exchange data directly with one another through this register using a simple clock-and-data protocol, without the operating system, for example, being able to notice. Martin demonstrates this with his own code at a transfer rate of around 1 Mbyte/s.

Little practical relevance

According to Martin, the only way to effectively prevent this is to run the operating system virtualized, so that applications no longer have access to the register described. Martin advises against this, on the one hand because of the associated speed losses. On the other hand, he considers practical attacks using the flaw to be very unlikely. After all, no private data can be siphoned off with it and the computer cannot be taken over with it.

In addition, according to Martin, the only “real danger” is that malware could use the vulnerability to communicate with other malware undetected. However, malware is likely to find other ways to communicate as well. Likewise, the use of hidden channels is “completely useless” unless the computer itself has already been compromised. That is probably a bigger problem than the CPU flaw itself.

Martin also points out that all CPUs actually have hardware errors, which the manufacturers call errata. Usually, however, users do not find out about them. It is nevertheless unusual that Martin found the hardware flaw through systematic reverse engineering and documented it publicly.
