wiredog June 1, 2021 8:04 AM

Yeah, that FAQ is a lot of fun. Cool vulnerability, which will have no actual effect on security.

“So what’s the real danger?
If you already have malware on your computer, that malware can communicate with other malware on your computer in an unexpected way.

Chances are it could communicate in plenty of expected ways anyway.”

Jeremy Pyne June 1, 2021 11:21 AM

Maybe there’s a non trivial vector here where two seemingly safe apps have 1/2 an exploit each and this don’t get detected in scanning/analysis but then if both are run at once they talk, rebuild exploit? Hard to detect the source then?

Clive Robinson June 1, 2021 11:54 AM

@ Bruce, ALL,

From the article,

“Besides, there are already a million side channels you can use for cooperative cross-process communication (e.g. cache stuff), on every system. Covert channels can’t leak data from uncooperative apps or systems.

Actually, that one’s worth repeating: Covert channels are completely useless unless your system is already compromised.”

Is one of those ambiguous things. That is “Side Channels”[1] and “Covert Channels”[2] are not just related there is cross over because they have common theoretical foundations.

As for “already compromised” this is a hindsight view point. Both Covert and Side channels exist as a function of communications, they are unavoidable and whilst they can be mitigated, not perfectly so. All you can realy do is reduce the energy and bandwidth of a channel and clock the data such that timing attacks become difficult at best.

This attack in the M1 CPU falls in the “cross over” as most “low down the computing stack” potential attack vectors do. And as with all such channels, we tend to over estimate the difficulty of exploiting them, untill somebody does so and goes public with a proof of concept or an exploit they have found in use by others.

The real question people should ask is “What did Apple do to the ARM design that made this channel available?” Then they should look carefully around it, for other channels, because “Where there is one roach there is usually a family of roaches”.

[1] Side channels are usually considered to be artifacts of the system hardware, but they can also be artifacts of RTL, Microcode, and the general architecture and some such as RowHammer can be artifacts of layers below the logic gate level. Some such ad those to do with power subsystems within a chip do not need any co-operation to get “off chip” (PSU noise modulating WiFi or similar envelope). Others might require external signals to be injected and carry data out via cross modulation of the illumination signal. As you work your way up the computing stack, you eventually reach the CPU level, which is where “software security” starts and traditional malware compromise becomes possible. However there are “reach around” attacks, where user level software whilst staying well within the bounds of software security can inject signals at a lower level, RowHammer being just one of several. For instance the AES cache timing attack worked quite happily across not just a LAN but also across a WAN. Likewise the detecting of CPU XTAL clock drift due to power factors via TCP Time Stamps worked across the Internet.

[2] Covert Channels originated from the work of Butler Lampson and became public way back in 1973. Originally defined as Shannon channels that existed that were “not intended for information transfer at all, such as the service program’s effect on system load”. Obviously such Shannon Channels are an integral side effect of any active,

1, Communications
2, Storage
3, Processing

Of information, much as we would expect of “inefficiency” in any “work” process releases energy.

A further qualification to distinguish Covert Channels from legitimate channels, was that their ability to communicate are not subject to the access controls available by the system security processes. Now into six decades later the term has been subject to further changes.

[3] Subliminal Channels are a subset of Covert Channels[2] They were found by Gustavus Simmons just over a decade later than covert channels in mathmatical crypto systems such as digital signitures in 1984. He realised that not only can subliminal channels can exist but that they can be used to communicate secretly in normal looking communication over an other Shannon Channel.

[4] The Shannon Channel arises from work by Claude Shannon back before 1948 into what is often called the noisy-channel coding theorem or Shannon’s limit theorm which forms one of the fundemental axioms of information theory and communications science and engineering. Whilst based in part on earlier work and ideas of Harry Nyquist and Ralph Hartley, it provided a significant step forward. Shannon came up with an idealised communications channel that provides a fundemental model for communications in a medium susceptible to Additive White Gaussian Noise (AWGN) in amplitude, phase, frequency, sequency etc, with a data source encoding transmitter at one end of the medium and decoding receiver at the data sink end of the medium. Like the other channels described here it hase been augmented in various ways over the years, but still remains a fundemental building block.

SpaceLifeForm June 1, 2021 3:05 PM

@ Jeremy Pyne

Silicon Turtles

Think lower in the computing stack.

Most people do not have source code for microcode.

Leaking a bit at a time or importing a bit at a time, whichever direction you look at, it can happen without any userland app involved.

Let that sink in. No userland code required.

Just 2 bits is all that is required to exfiltrate or infiltrate one bit at a time.

This is why robust encryption must be separated from the communication platform.

The SecretKeys must not be leakable thru a 2-bit channel.

echo June 1, 2021 4:23 PM

I am gloriously ignorant and indifferent to the details of this problem area. What I do find interesting is how the principles can be used and abused in the policy and legal arena. While electronics and similar may have security issues which give rise to human rights and other abuses in their use they the policy and legal level is in a lot of senses below this and this is where I suspect the majority of security issues are. Subvert policy and the law and it’s a licence to try it on at the hardware level.

me June 4, 2021 2:33 AM

It’s not exploitable as far we know. I wouldn’t panic, but it’s a good idea to fix it in next generation product. Many exploits were considered not an issue for a long time before they became an issue.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.