Apple M-Series Chips Hit by New Exploits
Researchers Reveal Two New Vulnerabilities in Apple Processors
Security researchers from Georgia Institute of Technology and Ruhr University Bochum have uncovered two new side-channel attacks that target Apple Silicon processors. These attacks could be used to steal sensitive data from web browsers like Safari and Google Chrome.
The two attacks, named SLAP (Data Speculation Attacks via Load Address Prediction) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions), were reported to Apple in mid-2024. Both attacks are based on weaknesses in the speculative execution technique used in modern processors, which can leave behind traces in the CPU’s microarchitecture.
How Speculative Execution Works
Speculative execution is a method that modern processors use to guess which instructions to run next, even before the processor is sure about the path it needs to take. This technique helps speed up performance by running code that might be needed, but if the prediction is wrong, the changes are discarded, and no harm is done.
The problem is that speculative execution can leave unintended traces in the CPU's microarchitecture even after the mispredicted instructions have been discarded. Side-channel attacks measure those leftover traces, which can allow an attacker to infer sensitive data.
SLAP: Exploiting Load Address Prediction
The first of these new attacks, SLAP, takes advantage of a feature in Apple chips called Load Address Prediction (LAP). This feature helps the CPU guess which memory address it will need next, based on past access patterns. If the LAP makes an incorrect prediction, it can lead the CPU to perform operations on the wrong memory address.
This flaw can be exploited to extract private information, such as email content and browsing history, from a user's logged-in browser sessions. The attack affects several Apple processors, including the M2, A15, and later chips.
FLOP: Targeting Load Value Prediction
The second attack, FLOP, focuses on a different feature called Load Value Prediction (LVP). This technology is designed to predict the data that will be returned by the memory subsystem, again based on previous patterns. The problem occurs when the prediction is wrong, causing the CPU to perform operations using incorrect data.
FLOP can be used to bypass important memory safety checks, opening up the potential for attackers to leak secrets stored in memory. It is particularly concerning for users of web browsers like Safari and Chrome, as it can be used to read sensitive data such as credit card information, location history, and calendar events. This vulnerability affects newer Apple chips, including the M3, M4, and A17.
Previous Vulnerabilities and Current Threats
In addition to SLAP and FLOP, researchers at Korea University reported a separate attack called SysBumps, which targets Apple’s Kernel Address Space Layout Randomization (KASLR). This technique is meant to make it harder for attackers to guess the location of important kernel data in memory. However, SysBumps can break KASLR protections by using speculative execution gadgets in system calls.
Moreover, recent studies have found that new features in Apple's processors, such as address space tagging, could open up additional attack vectors that let attackers bypass existing protections. One such technique, known as TagBleed, combines multiple side-channel attacks to break KASLR and gain access to sensitive kernel data.
Conclusion
These new findings highlight ongoing vulnerabilities in Apple's silicon chips and processors, pointing out potential risks even in the most recent models. As long as speculative execution remains a core performance feature of modern processors, researchers will keep finding new ways to exploit the traces it leaves behind. It's important for both Apple and users to stay vigilant and continue improving security to protect sensitive data.