A flaw in the design of the Apple Silicon “M1” chip allows any two applications running under an OS to covertly exchange data between them, without using memory, sockets, files, or any other normal operating system features. This works between processes running as different users and under different privilege levels, creating a covert channel for surreptitious data exchange.

The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.

...

The ARM system register encoded as s3_5_c15_c10_1 is accessible from EL0, and contains two implemented bits that can be read or written (bits 0 and 1). This is a per-cluster register that can be simultaneously accessed by all cores in a cluster. This makes it a two-bit covert channel that any arbitrary process can use to exchange data with another cooperating process. A demo app to access this register is available here.

... This approach, without much optimization, can achieve transfer rates of over 1MB/s (less with data redundancy).

The original purpose of this register is unknown, but it is not believed to have been made accessible to EL0 intentionally, thus making this a silicon erratum.
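To make the mechanism concrete, here is an added example (mine, not code from the M1RACLES page or its demo app) of how two cooperating processes could drive the register as a channel. The bit assignment is my own choice: bit 0 carries data and bit 1 is toggled as a clock, so the receiver latches a bit whenever it sees the clock flip. On Apple Silicon under macOS the register is touched with real mrs/msr instructions; on any other host a plain global stands in for it so the protocol can still be run and its failure mode observed. The sender and receiver are interleaved from one virtual tick counter inside a single process, which is only a model of the real situation (two processes, each spinning on a core of the same cluster, since the register is per-cluster and the M1 has separate performance and efficiency clusters). What the model does show is why the advisory mentions redundancy: when the receiver polls less often than the sender changes the register, clock edges are missed and bits are lost.

```c
/* Added example: 2-bit covert channel model over s3_5_c15_c10_1.
 * Bit 0 = data, bit 1 = clock (this assignment is an assumption, not the demo's). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__aarch64__) && defined(__APPLE__)
/* Real register access; only works at EL0 on Apple Silicon. */
static inline uint64_t reg_read(void)
{
    uint64_t v;
    __asm__ volatile("mrs %0, s3_5_c15_c10_1" : "=r"(v));
    return v;
}
static inline void reg_write(uint64_t v)
{
    __asm__ volatile("msr s3_5_c15_c10_1, %0" : : "r"(v));
}
#else
/* Simulation for other hosts: models the two implemented bits, nothing more. */
static uint64_t sim_reg;
static inline uint64_t reg_read(void) { return sim_reg; }
static inline void reg_write(uint64_t v) { sim_reg = v & 0x3; }
#endif

#define DATA_BIT 0x1u
#define CLK_BIT  0x2u

/* Write all ones and read back: only the implemented bits stick (expect 0x3). */
static uint64_t implemented_bits(void)
{
    reg_write(~0ULL);
    uint64_t v = reg_read();
    reg_write(0);
    return v;
}

/* Sender: publish one bit (MSB first) and flip the clock so the receiver notices. */
struct sender { const uint8_t *msg; size_t nbits; size_t next; unsigned clk; };

static int sender_step(struct sender *s)
{
    if (s->next >= s->nbits) return 0;
    unsigned bit = (s->msg[s->next / 8] >> (7 - s->next % 8)) & 1;
    s->clk ^= 1;
    reg_write((s->clk ? CLK_BIT : 0) | (bit ? DATA_BIT : 0));
    s->next++;
    return 1;
}

/* Receiver: latch the data bit whenever the clock bit differs from the last sample. */
struct receiver { uint8_t *out; size_t nbits; size_t got; unsigned last_clk; };

static void receiver_sample(struct receiver *r)
{
    uint64_t v = reg_read();
    unsigned clk = (v & CLK_BIT) ? 1 : 0;
    if (clk == r->last_clk || r->got >= r->nbits) return;
    r->last_clk = clk;
    if (v & DATA_BIT) r->out[r->got / 8] |= (uint8_t)(0x80 >> (r->got % 8));
    r->got++;
}

/* Drive both ends from one virtual clock. hold_ticks: how long the sender holds a
 * symbol; sample_ticks: how often the receiver polls. Returns bits latched. */
static size_t run_channel(const uint8_t *msg, size_t nbytes,
                          unsigned hold_ticks, unsigned sample_ticks, uint8_t *out)
{
    struct sender s = { msg, nbytes * 8, 0, 0 };
    struct receiver r = { out, nbytes * 8, 0, 0 };
    memset(out, 0, nbytes);
    reg_write(0);                       /* both sides start from a known idle state */
    unsigned long end = (unsigned long)nbytes * 8 * hold_ticks + sample_ticks;
    for (unsigned long t = 0; t < end; t++) {
        if (t % hold_ticks == 0) sender_step(&s);
        if (t % sample_ticks == 0) receiver_sample(&r);
    }
    return r.got;
}

int main(void)
{
    const uint8_t msg[] = "M1";         /* constructed payload */
    uint8_t out[3] = {0};
    printf("implemented bits: 0x%llx\n", (unsigned long long)implemented_bits());
    size_t n = run_channel(msg, 2, 4, 1, out);   /* receiver faster than sender */
    printf("fast receiver: %zu bits, \"%s\"\n", n, (const char *)out);
    n = run_channel(msg, 2, 1, 2, out);          /* receiver too slow: edges missed */
    printf("slow receiver: %zu bits\n", n);
    return 0;
}
```

With the receiver polling every tick and the sender holding each symbol for four, all 16 bits of the payload come through; with the sender changing the register every tick and the receiver sampling every other one, the receiver sees the same clock level on every sample and recovers almost nothing, which is the situation the real demo has to cover with redundancy and a sender slower than the receiver's poll loop.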

 
I love stuff like illegal opcodes. As the page's author says, "Someone in Apple's silicon design team made a boo-boo. It happens. Engineers are human." Every chip has mistakes. As long as it's not damaging, and this one doesn't seem to be, what's most interesting to me is how skillfully humans are able to find them. Easter egg hunting redux.
