1. 114

  2. 20

    I didn’t plan to read it (meh, M1) but it was the best thing I read this week.

    1. 9

      There was a lot of cute stuff in it:

      OpenBSD users: Hi Mark!

      Also what anime intro are they playing in the demo video? I swear I’ve seen it before. It’s a good demo of how fast the data exchange is; fast enough to send moderate bitrate video.

      1. 11

        The demo video is the notorious “Bad Apple!!” fan-made music video. The specific connotation is that the target channel would not normally be able to play video, but the extremely shallow bit depth and low framerate of this particular video yield a surprisingly small payload.

    2. 16

      Leaving aside the content (also good!) the style of technical writing here is brilliant. Deep, entertaining, and slightly irreverent.

      1. 15

        Lol: “Am I affected?” “OpenBSD users: Hi Mark!”

        1. 12

          Thanks for posting. That was a delightful read.

          1. 7

Can’t we just inject noise into that register as a mitigation? From my understanding, s3_5_c15_c10_1 is accessible to all applications, so it should be easy to overwrite.

            1. 9

Towards the end there is a paragraph on the webpage to that effect, saying it wouldn’t mitigate it; something about how doing so would peg the CPU at 100% and still not make the register useless.

              Then again the whole point of the webpage is to poke fun at infosec and ultimately goes on to say this isn’t a big deal and people shouldn’t be worried.

              1. 3

I think this would technically work, but you’d need one process per cluster running to do it, so there would be significant power use and CPU capacity costs.

                1. 5

Also, using forward error correction, you can still reliably transfer data at a lower rate, even when some noise is injected. How much lower the rate will be depends on how much noise is injected. I think with that, even if you were willing to sacrifice a significant amount of power and CPU, this would not work as a practical mitigation.

              2. 3

                Great post, I just loved the detailed explanation and the humor.

                1. 4

                  I would expect advertising companies to try to abuse this kind of thing for cross-app tracking, more than criminals.

                  Aww, why are we still making a distinction here?

P.S. Even if I wouldn’t consider an advertising company criminal by default, it’d be the correct designation for any that tries to use a covert tracking channel.

                  1. 2

If I remember correctly, macOS does run ‘in a VM’ by default: the hypervisor framework has a small component that runs at EL2, it’s just that it allows EL1 on the ‘host’ to do pretty much everything. Would it not be possible to simply disable this register in EL2 (the page suggests that this is possible)?

                    1. 1

See the “Can you go into more details about the possible mitigations” paragraph on the website. Basically… all of macOS runs in EL2. Apple Silicon doesn’t even support the mode you’re thinking of, which is actually mandated by the Arm specs, but they didn’t care lol