# Full Report
A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome. The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the
# Analysis Summary
# Vulnerability: Data Speculation Attacks (SLAP and FLOP) on Apple Silicon
## CVE Details
- CVE ID: Not explicitly mentioned in the text (the attacks were disclosed privately to Apple in May and September 2024).
- CVSS Score: Not provided.
- CWE: Related to weaknesses in speculative execution and branch/data prediction (e.g., CWE-200, CWE-203).
## Affected Systems
- Products: Apple Silicon CPUs (M-series chips, A-series chips).
- Versions:
  - **SLAP**: M2, A15, and newer Apple chips.
  - **FLOP**: M3, M4, and A17 chips.
- Configurations: Affects web browsers like Safari and Google Chrome running on these devices.
## Vulnerability Description
These are new side-channel attacks building upon Spectre concepts, stemming from flaws in how Apple CPUs handle speculative execution during data access:
1. **SLAP (Data Speculation Attacks via Load Address Prediction)**: Exploits the Load Address Predictor (LAP), which guesses the next memory address based on access patterns. A misprediction causes the processor to speculatively execute instructions on potentially out-of-bounds data, leaking information.
2. **FLOP (Breaking the Apple M3 CPU via False Load Output Predictions)**: Exploits the Load Value Predictor (LVP), which guesses the data value to be returned from memory. This causes the CPU to bypass critical program logic checks for memory safety during speculative execution, enabling arbitrary memory read primitives.
## Exploitation
- Status: *No explicit mention of exploitation in the wild*; however, the research team demonstrated the attacks successfully.
- Complexity: Implied to be complex, requiring deep microarchitectural knowledge, but the findings suggest practical exploitation against browsers is possible.
- Attack Vector: Likely Local or Network (via malicious web content processed by the browser).
## Impact
- Confidentiality: **High**. Could lead to the leakage of sensitive information such as email content, browsing history, location history, and credit card information from the user's session.
- Integrity: **Medium/High**. The speculative bypass of memory-safety checks (FLOP) does not itself modify memory; the integrity impact is indirect, through unauthorized actions taken with the leaked secrets.
- Availability: **Low**. The primary goal is information leakage, not system denial.
## Remediation
### Patches
- Apple was notified in May and September 2024. Specific patch versions corresponding to these disclosures are **not provided** in the text. Updates addressing these vulnerabilities are expected in future OS/firmware releases.
### Workarounds
- No specific workarounds detailed in the text, other than minimizing usage of targeted browsers or being cautious of malicious websites.
## Detection
- Detection methods are not detailed, but these attacks rely on observing microarchitectural side-effects (cache state changes) resulting from transient execution.
- **Indicators of Compromise (IoCs)**: Not explicitly listed. Cache-timing side channels leave no artifacts in conventional system or browser logs; monitoring for unexpectedly high cache activity or unusual memory access patterns during performance-intensive operations might be relevant, but such signals are noisy.
## References
- [SLAP Artifacts Repository](https://github.com/slap-flop/slap-artifacts)
- [FLOP Zenodo Record](https://zenodo.org/records/14680908)
- [Associated Research Paper Link for SysBumps](https://dl.acm.org/doi/10.1145/3658644.3690189)
- [VUSec TagBleed Research](https://research.vu.nl/en/publications/uncovering-new-classes-of-kernel-vulnerabilities)