
New Apple SLAP & FLOP Side-Channel Attacks Can Steal Login Credentials from Browsers


A team of researchers from the Georgia Institute of Technology and Ruhr University Bochum has uncovered two new speculative execution attacks, SLAP (Speculation via Load Address Prediction) and FLOP (False Load Output Prediction), that exploit weaknesses in Apple Silicon CPUs.

The attacks target devices built on Apple's M2 and M3 chip generations and their A-series counterparts, and show that the speculative execution optimizations in these chips can leak sensitive user data.

Both SLAP and FLOP underline the risks associated with performance optimizations in modern processors.

Exploiting Load Address Prediction

SLAP targets the Load Address Predictor (LAP), a component Apple CPUs have included since the M2 and A15.

LAP is an optimization mechanism designed to improve performance by speculating the next memory address the CPU will access, based on previous memory usage patterns.

When the LAP guesses wrong, the CPU has already issued a load from the mispredicted address, which may lie outside the bounds of the data the program meant to read, and the instructions that depend on that load run speculatively on the out-of-bounds data. The misprediction is eventually rolled back, but the traces it leaves in microarchitectural state can be observed through a side channel.
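To make the mechanism concrete, the following is an added illustration written for this article, not the researchers' proof of concept and not Apple's documented predictor design: a simplified stride-based load address predictor with a confidence counter (an assumed textbook structure), a constructed flat memory holding a public array followed directly by a secret word, and a loop that walks the array in bounds. After the loop has trained the predictor, the same load instruction is executed again with a perfectly valid index, yet the predictor has already guessed the address one stride past the end of the array. The `WORD`, `pc`, `base` and `0x5EC` values are arbitrary constants chosen for the example.

```python
# Added illustration for this article: a simplified stride-based load address
# predictor (LAP). It is NOT the researchers' proof of concept and NOT Apple's
# documented predictor; the table layout, confidence threshold, addresses and
# the "secret" word are all constructed for the example.

WORD = 8  # bytes per load in this model (assumed)


class LoadAddressPredictor:
    """Per-instruction stride predictor: remembers the last address and stride
    seen for a load PC and, once that stride has repeated enough times, guesses
    the next address before the real one has been computed."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.table = {}  # pc -> [last_addr, stride, confidence]

    def observe(self, pc, addr):
        """Architectural address resolved: update (and, on surprise, reset)."""
        entry = self.table.get(pc)
        if entry is None:
            self.table[pc] = [addr, 0, 0]
            return
        last, stride, conf = entry
        new_stride = addr - last
        conf = min(conf + 1, self.threshold) if new_stride == stride else 0
        self.table[pc] = [addr, new_stride, conf]

    def predict(self, pc):
        """Return the speculative address, or None if not yet confident."""
        entry = self.table.get(pc)
        if entry is None or entry[2] < self.threshold:
            return None
        last, stride, _ = entry
        return last + stride


def build_memory(base, length):
    """Constructed flat memory: a public array followed directly by a secret."""
    memory = {base + WORD * i: 100 + i for i in range(length)}
    secret_addr = base + WORD * length  # first word past the array
    memory[secret_addr] = 0x5EC         # constructed secret value
    return memory, secret_addr


def simulate_slap(iterations, threshold=3):
    """Walk an array of `iterations` words in bounds (this trains the LAP),
    then re-execute the same load instruction with an in-bounds index of 0.
    Returns what the predictor guessed versus what the program asked for."""
    pc, base = 0x4000, 0x1000
    memory, secret_addr = build_memory(base, iterations)
    lap = LoadAddressPredictor(threshold)

    for i in range(iterations):           # the in-bounds training loop
        lap.observe(pc, base + WORD * i)

    predicted = lap.predict(pc)           # issued before the address resolves
    architectural = base                  # program restarts the loop at index 0
    in_bounds = predicted is not None and base <= predicted < base + WORD * iterations
    speculative_value = memory.get(predicted) if predicted is not None else None

    lap.observe(pc, architectural)        # misprediction detected: confidence drops
    return {
        "predicted": predicted,
        "architectural": architectural,
        "predicted_in_bounds": in_bounds,
        "speculative_value": speculative_value,
        "secret_addr": secret_addr,
        "confidence_after": lap.table[pc][2],
    }


if __name__ == "__main__":
    print(simulate_slap(8))
```

With eight training iterations the predicted address equals `secret_addr`, the secret value is what the speculative load would have fetched, and the program's own next access (index 0) is entirely in bounds. With only three iterations the confidence counter never reaches its threshold and no speculative address is produced, which is why real attacks spend effort on a training phase before triggering the misprediction.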

The researchers demonstrated the real-world implications of SLAP with an end-to-end attack on the Safari web browser.

In this proof of concept, an unprivileged remote attacker whose code runs in a web page the victim opens can recover private information such as email content and browsing behavior.

By exploiting speculative memory access, the researchers highlight how LAP’s prediction errors create a significant attack surface.

Breaking Memory Safety with Load Value Prediction

The FLOP attack targets newer Apple Silicon generations, beginning with the M3 and A17 CPUs, which feature a Load Value Predictor (LVP).

The LVP predicts what value will be returned by the memory subsystem for a future data dependency before the actual value is available.

If the prediction is wrong, the instructions that depend on the load run speculatively on a value that memory never actually held. When that value feeds a memory safety check, for example a buffer length compared against an index, the check can be passed speculatively and code can read data it was never allowed to touch.
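The following is an added illustration written for this article, not the FLOP proof of concept and not Apple's predictor design: a simplified last-value load value predictor (an assumed textbook structure with a confidence counter), a constructed flat heap holding a large buffer, a small buffer and a secret word 100 words past the small buffer, and a bounds-checked read whose length load the predictor shadows. Repeated reads from the large buffer teach the predictor that "the length is 256"; the next read is against the small buffer with an index that fails the real check, yet the speculative path, fed the stale length, reads the secret. The `PC_LENGTH_LOAD`, heap offsets and `0x5EC` constants are arbitrary values chosen for the example.

```python
# Added illustration for this article: a simplified last-value load value
# predictor (LVP) and a bounds-checked read whose length load it shadows.
# Not the FLOP proof of concept and not Apple's predictor design; the
# confidence scheme, heap layout and secret are constructed for the example.

HEAP_WORDS = 1024
PC_LENGTH_LOAD = 0x4010  # the load instruction that fetches buf.length (assumed)


class LoadValuePredictor:
    """Per-instruction last-value predictor: after a load has returned the same
    value `threshold` times in a row, supply that value to dependent
    instructions before the real load completes."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.table = {}  # pc -> [last_value, confidence]

    def observe(self, pc, value):
        entry = self.table.get(pc)
        if entry is None or entry[0] != value:
            self.table[pc] = [value, 0]        # new or surprising value: reset
        else:
            entry[1] = min(entry[1] + 1, self.threshold)

    def predict(self, pc):
        entry = self.table.get(pc)
        if entry is None or entry[1] < self.threshold:
            return None
        return entry[0]


class Buffer:
    """Length-prefixed buffer whose data lives at `base` in the flat heap."""

    def __init__(self, base, length):
        self.base, self.length = base, length


def build_heap():
    """Constructed heap: a big buffer at 0, a small one at 512, a secret at 612."""
    heap = [0] * HEAP_WORDS
    heap[612] = 0x5EC                       # 100 words past the small buffer
    return heap, Buffer(0, 256), Buffer(512, 4)


def checked_read(buf, idx, lvp, heap):
    """Architectural: `if idx < buf.length: return heap[buf.base + idx]`.
    Speculative: the same code, but with the length the LVP predicted.
    Returns (architectural_value, speculative_value)."""
    predicted_len = lvp.predict(PC_LENGTH_LOAD)
    actual_len = buf.length                 # the real load resolves later
    lvp.observe(PC_LENGTH_LOAD, actual_len)

    architectural = heap[buf.base + idx] if idx < actual_len else None
    speculative = None
    if predicted_len is not None and idx < predicted_len:
        speculative = heap[buf.base + idx]  # bounds "checked" against a stale value
    return architectural, speculative


def simulate_flop(training_reads=4, threshold=3):
    """Train the LVP on the big buffer, then read out of bounds of the small one.
    Returns the (architectural, speculative) pairs of the two attack reads."""
    heap, big, small = build_heap()
    lvp = LoadValuePredictor(threshold)
    for _ in range(training_reads):         # big.length == 256 every time
        checked_read(big, 0, lvp, heap)
    first = checked_read(small, 100, lvp, heap)   # idx 100 >= 4: real check fails
    second = checked_read(small, 100, lvp, heap)  # LVP has now seen 4: no prediction
    return {"first": first, "second": second}


if __name__ == "__main__":
    print(simulate_flop())
```

The first out-of-bounds read returns `None` architecturally but `0x5EC` speculatively; the second returns `None` on both paths because the predictor observed the real length and lost confidence. With too few training reads the predictor never becomes confident and nothing leaks, the same retraining cost that shapes the real attacks.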

The research team executed FLOP-based attacks on the Safari and Chrome browsers, crafting arbitrary memory read primitives to demonstrate data leakage scenarios.

In these experiments, they successfully extracted private user information such as location history, calendar details, and even credit card data.

These findings emphasize the security risks posed by speculative execution errors induced by LVP.

As part of their research, the team conducted striking demonstrations of the attack methods.

In one example, the SLAP attack on an M2 processor recovered secret text, specifically the first paragraph of The Great Gatsby, that the CPU never accessed architecturally.

Similarly, the FLOP attack on an M3 processor allowed the recovery of text from Harry Potter and the Sorcerer’s Stone by corrupting speculative predictions to dereference targeted memory.

The researchers’ findings highlight speculative execution’s double-edged nature as both a performance enhancer and a security risk.

The vulnerabilities identified in SLAP and FLOP are particularly concerning due to their ability to bypass security boundaries, such as web browser sandboxes, on Apple devices released since 2021.

The researchers have disclosed their findings to Apple, which is expected to implement mitigations in upcoming updates.

The work was funded by multiple organizations, including the Air Force Office of Scientific Research, DARPA, and the German Research Foundation (DFG).

While the research underscores the need for robust defenses against speculative execution attacks, it also raises awareness of the trade-offs inherent in processor optimization.
