A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has revealed two side-channel security issues affecting Apple Silicon processors. The attacks, which could expose sensitive data from popular web browsers such as Safari and Google Chrome, are named SLAP (Data Speculation Attacks via Load Address Prediction) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions).
The vulnerabilities exploit weaknesses in speculative execution, an optimization technique that modern processors, including Apple’s, use to predict and execute instructions ahead of time based on expected control flow. When these predictions turn out to be wrong, the CPU rolls back the incorrect operations, but traces of the erroneous execution can remain in its cache, and an attacker can measure those traces to leak sensitive information.
The researchers disclosed that Apple was informed about the issues in May and September 2024, respectively. The findings are a continuation of previous research into speculative execution flaws, such as the widely known Spectre and iLeakage attacks. In both SLAP and FLOP, attackers can use side-channel techniques to infer data about the CPU's internal state, bypassing memory protections and security measures.
The first attack, SLAP, affects Apple chips starting with the M2, A15, and newer models. It focuses on the Load Address Predictor (LAP), a component that anticipates the next memory address the CPU will access based on past patterns. If the LAP makes an incorrect prediction, it may trigger the processor to perform speculative operations on erroneous memory addresses. This opens the door for adversaries to recover sensitive information, such as email content from a logged-in user or browsing behavior from Safari.
The researchers said that these mispredictions do not directly cause the CPU to execute incorrect instructions but rather allow the CPU to operate on out-of-bounds data. This creates a pathway for attackers to gather data through indirect methods.
The second attack, FLOP, targets Apple’s newer chips, including the M3, M4, and A17 models, and exploits the Load Value Predictor (LVP). This mechanism is designed to predict the data values that will be fetched from memory in the future. By forcing the CPU to make incorrect value predictions, FLOP can bypass critical memory safety checks. This enables a variety of potential attacks, such as leaking private information from memory, including location history, calendar events, and even sensitive financial data like credit card information.