A recent analysis from a team at Georgia Institute of Technology and Ruhr University Bochum has unveiled two significant side-channel attacks specifically targeting Apple silicon chips, notably affecting popular web browsers such as Safari and Google Chrome. The attacks have been aptly codenamed Data Speculation Attacks via Load Address Prediction (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP).

Researchers reported these vulnerabilities to Apple in May and September 2024. Both attacks leverage fundamental weaknesses tied to speculative execution—a common optimization technique in modern processors, which anticipates and executes instructions ahead of their actual need. While speculative execution aims to enhance performance, it can inadvertently introduce risks when mispredictions occur, leading to residual traces that can be exploited.

Similar to the previously documented iLeakage attack, the SLAP and FLOP techniques exploit the Spectre vulnerabilities when speculative execution yields incorrect control flow predictions. When these mispredictions happen, traces of the transient instructions can remain in the CPU’s microarchitectural state and cache, allowing adversaries to extract sensitive information.

In the case of SLAP, which affects Apple’s M2, A15, and newer chips, the attack specifically targets the Load Address Predictor (LAP). This component is responsible for anticipating the next memory address from which the CPU will retrieve data, based on prior access patterns. Should the LAP deliver an incorrect prediction, it can prompt the processor to perform arbitrary computations on invalid data, presenting an opportunity to extract confidential information such as user email content and browsing behaviors.

Conversely, FLOP, impacting M3, M4, and A17 chips, focuses on the Load Value Predictor (LVP). This feature aims to enhance performance by predicting the data values that loads will return from memory. The FLOP attack can allow adversaries to bypass essential memory safety checks, creating vulnerabilities that could lead to the unauthorized extraction of sensitive data, including location history, calendar entries, and payment details from web browsers.
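The mechanism the FLOP paragraph describes, a stale predicted load value letting transient execution run past a safety check while the trace it leaves in the cache survives the rollback, can be made concrete with a small simulator. The Python model below is an added illustration, not code from the article or from the SLAP/FLOP researchers; the predictor design, addresses, buffer layout, and the `barrier` flag (standing in for a speculation barrier that keeps dependent instructions from consuming a predicted value until the load resolves) are all constructed assumptions, and it models no real Apple core.

```python
# Added illustration (not from the article or the SLAP/FLOP papers): a toy
# software model of a load value predictor (LVP).  All names, table sizes and
# addresses below are constructed assumptions; it models no real Apple core.
from dataclasses import dataclass, field

LINE = 64  # cache line size in bytes (assumption)


@dataclass
class Cache:
    """Tracks which lines were touched: the microarchitectural 'observable'."""
    lines: set = field(default_factory=set)

    def touch(self, addr: int) -> None:
        self.lines.add(addr // LINE)

    def is_cached(self, addr: int) -> bool:
        return addr // LINE in self.lines


class LoadValuePredictor:
    """Per-load-PC table: once a load has returned the same value
    `threshold` times in a row, predict that value before the load resolves."""

    def __init__(self, threshold: int = 2) -> None:
        self.history = {}  # pc -> (last value, streak length)
        self.threshold = threshold

    def predict(self, pc: int):
        value, streak = self.history.get(pc, (None, 0))
        return value if streak >= self.threshold else None

    def update(self, pc: int, value: int) -> None:
        last, streak = self.history.get(pc, (None, 0))
        self.history[pc] = (value, streak + 1 if value == last else 1)


@dataclass
class Core:
    memory: dict
    cache: Cache
    lvp: LoadValuePredictor
    squashed: int = 0  # mis-speculated windows that were rolled back

    def bounds_checked_read(self, pc, len_addr, idx, data, oracle, barrier):
        """Victim gadget:  n = *len_addr; if idx < n: touch(oracle[data[idx]]).

        Returns the architectural byte, or None when the check fails.  Without a
        barrier the dependent loads also run transiently on the *predicted* n;
        when that prediction is stale the window is squashed, but the oracle
        line it touched stays in the cache."""
        real_n = self.memory[len_addr]
        guess_n = self.lvp.predict(pc)
        if guess_n is not None and not barrier and idx < guess_n:
            leaked = self.memory[data + idx]          # transient read
            self.cache.touch(oracle + leaked * LINE)  # transient encode
            if guess_n != real_n:
                self.squashed += 1  # registers roll back; cache state does not
        self.lvp.update(pc, real_n)
        if idx < real_n:  # architectural path
            byte = self.memory[data + idx]
            self.cache.touch(oracle + byte * LINE)
            return byte
        return None


def trace_after_misprediction(barrier: bool):
    """Train the LVP on an 8-byte buffer, shrink it to 4 bytes, then read index 6.
    Returns (architectural result, oracle values found in cache, squash count)."""
    LEN_ADDR, DATA, ORACLE, PC = 0x100, 0x1000, 0x10000, 0x400  # assumptions
    memory = {LEN_ADDR: 8}
    memory.update({DATA + i: 0x41 for i in range(4)})     # 'A' * 4, public
    memory.update({DATA + i: 0x53 for i in range(4, 8)})  # constructed 'secret'
    core = Core(memory, Cache(), LoadValuePredictor())
    for _ in range(2):  # training: the same length is observed twice
        core.bounds_checked_read(PC, LEN_ADDR, 2, DATA, ORACLE, barrier)
    core.memory[LEN_ADDR] = 4   # buffer shrinks; the predictor still remembers 8
    core.cache = Cache()        # flush so only the measured call leaves traces
    result = core.bounds_checked_read(PC, LEN_ADDR, 6, DATA, ORACLE, barrier)
    observed = [v for v in range(256) if core.cache.is_cached(ORACLE + v * LINE)]
    return result, observed, core.squashed


if __name__ == "__main__":
    print("no barrier:", trace_after_misprediction(False))  # (None, [83], 1)
    print("barrier:   ", trace_after_misprediction(True))   # (None, [], 0)
```

With `barrier=False` the architectural result is `None` (the check correctly fails), yet the byte past the shrunken buffer is recoverable from the cache and one window was squashed; with `barrier=True` nothing is observable. That is the defender's takeaway from the paragraph above: the misprediction itself is not the problem, the transient consumption of the predicted value is, so mitigations work by preventing dependent instructions from using a predicted value until the load resolves.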

These disclosures arrive shortly after reports of other significant vulnerabilities affecting Apple’s macOS, including a kernel address space layout randomization (KASLR) break detailed by researchers from Korea University. These developments highlight ongoing concerns regarding the security of Apple silicon.

The tactics involved in these exploits may map to several techniques listed in the MITRE ATT&CK framework, particularly those concerned with initial access and privilege escalation. The attacks demonstrate a potential for adversaries to circumvent security mechanisms and gain access to sensitive data through indirect means.

As organizations increasingly rely on Apple hardware and software for both personal and business operations, this research underscores the critical need for vigilance in cybersecurity practices. It is imperative for business owners to stay informed about potential threats and to adopt robust defensive measures to protect their data from these evolving attack vectors.
