New Side-Channel Attacks SLAP and FLOP Affect Apple M-Series Processors
A team of academic researchers has developed a pair of new speculative execution attacks on Apple processors that can make Safari, and in some cases Google Chrome, leak secrets from other open pages and recover sensitive data such as browsing behavior or email contents. The attacks, known as SLAP and FLOP, affect a wide range of Apple devices, including most recent laptops and desktops as well as iPads and iPhones.
Speculative execution attacks are a class of side-channel attack that exploits a feature of most modern CPUs: rather than wait for an operation to complete, the processor guesses its outcome, for instance whether a conditional branch is taken or where an indirect branch jumps, and keeps executing along the guessed path.
Attackers deliberately train these predictors so that the CPU guesses wrong. The instructions executed on the wrong guess are discarded architecturally, but they leave traces in microarchitectural state such as the cache, and a covert channel built on those traces turns them into leaked data.
Speculative execution attacks and the associated vulnerabilities have been known for years, with Spectre and Meltdown the most prominent examples. Other variants have followed as researchers have dug more deeply into how CPUs handle mispredictions and the transient work they discard.
The new attacks, developed by researchers from Georgia Tech and Ruhr University Bochum in Germany, rely on predictors that are only present in recent Apple silicon: SLAP applies from the M2 generation onward and FLOP from the M3 generation onward, along with the corresponding A-series chips in iPhones and iPads. There are two separate attacks: Speculation Attacks via Load Address Prediction (SLAP) and False Load Output Predictions (FLOP). Both target features of Apple silicon that are designed to improve performance, though the mechanisms and the outcomes differ. SLAP targets the Load Address Predictor (LAP), which uses a load instruction's previous memory access pattern to predict the address it will fetch from next, before that address has actually been computed.
“To orchestrate SLAP, we begin by reverse engineering Apple's implementation of Load Address Prediction (LAP). We discover that if we train the LAP on striding memory addresses, the LAP will access the next sequence in the striding pattern and compute using the data in that address, even if the program never actually accesses it. Here, we note that this is different from hardware prefetching. While prefetchers may bring the data inside the predicted addresses, they do not speculatively execute downstream instructions based on the prediction,” the researchers said.
Both attacks let an adversary leak memory belonging to a page that shares a process with the adversary's own page. Safari's incomplete site isolation lets the attacker arrange exactly that, placing the target page in the same process as the attacker's page. The adversary then uses SLAP or FLOP to read the target page's contents and extracts them through a cache covert channel.
FLOP, meanwhile, targets the Load Value Predictor (LVP), which guesses the data value a load will return from the memory subsystem before that value is actually available, so that instructions depending on it can proceed.
“We found that if the LVP sees the same data value being repeatedly returned from the memory subsystem for the same load instruction, the LVP will attempt to guess the load's outcome the next time that load instruction executes, even if the memory accessed by the load now contains a completely different value! Therefore, using the LVP, we can trick the CPU into computing on incorrect data values,” the researchers said.
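The two training patterns described above, as an added illustration that is not part of the article or of the researchers' code: a software model of a stride-trained LAP and a repeat-trained LVP, with a state-level stand-in for the cache covert channel. The memory layout, the confidence threshold of three, the stride, the two length fields and the shape of the gadgets are assumptions chosen for the model; it shows why a predictor with no notion of bounds lets a program compute on data it never architecturally reads, and why a prefetcher, which only fills the cache, would not have the same effect.

```python
# Constructed model of a stride-based load address predictor (LAP) and a load
# value predictor (LVP). It models neither Apple's hardware nor the SLAP/FLOP
# code: the threshold, memory layout and channel model are assumptions.
from dataclasses import dataclass
from typing import Optional

CONFIDENCE_THRESHOLD = 3  # assumed: a predictor fires only after repeated confirmation

# One flat address space shared by attacker and victim, as in a browser process
# without site isolation. Layout is constructed: attacker-owned buffer at 0..127,
# the victim's secret right after it, and two "array length" fields for the FLOP model.
MEMORY = bytearray(256)
ATTACKER_BUF, ATTACKER_LEN = 0, 128
SECRET_ADDR, SECRET = 128, b"SECRET"
MEMORY[SECRET_ADDR:SECRET_ADDR + len(SECRET)] = SECRET
LEN_BIG, LEN_SMALL, SMALL_BASE = 192, 200, 120
MEMORY[LEN_BIG] = 128   # big array: data at 0..127, length field at 192
MEMORY[LEN_SMALL] = 8   # small array: data at 120..127, length field at 200; secret follows


class CacheChannel:
    """State-level model of a Flush+Reload channel: a transient access leaves one
    line of a 256-line probe array cached and the receiver reads its index back."""
    def __init__(self):
        self.cached = set()
    def flush(self):
        self.cached.clear()
    def transmit(self, value):              # executed transiently, never retired
        self.cached.add(value & 0xFF)
    def receive(self) -> Optional[int]:
        return next(iter(self.cached)) if len(self.cached) == 1 else None


@dataclass
class LoadAddressPredictor:
    """Entry for one load instruction: last address, detected stride, confidence."""
    last_addr: Optional[int] = None
    stride: Optional[int] = None
    confidence: int = 0
    def observe(self, addr: int) -> None:  # called when the load's real address resolves
        if self.last_addr is not None:
            s = addr - self.last_addr
            if s == self.stride:
                self.confidence = min(self.confidence + 1, CONFIDENCE_THRESHOLD)
            else:
                self.stride, self.confidence = s, 0
        self.last_addr = addr
    def predict(self) -> Optional[int]:    # next address in the stride; no notion of bounds
        if self.confidence >= CONFIDENCE_THRESHOLD:
            return self.last_addr + self.stride
        return None


@dataclass
class LoadValuePredictor:
    """Entry for one load instruction: last value returned and how often it repeated."""
    last_value: Optional[int] = None
    confidence: int = 0
    def observe(self, value: int) -> None:
        if value == self.last_value:
            self.confidence = min(self.confidence + 1, CONFIDENCE_THRESHOLD)
        else:
            self.last_value, self.confidence = value, 0
    def predict(self) -> Optional[int]:
        return self.last_value if self.confidence >= CONFIDENCE_THRESHOLD else None


def stride_load(addr: int, lap: LoadAddressPredictor, chan: CacheChannel) -> int:
    """SLAP gadget: the real address arrives late, so a dependent instruction first
    consumes the data at the LAP's guessed address. A prefetcher would only fill the
    cache line; here the guessed data feeds computation (the covert-channel send)."""
    predicted = lap.predict()
    if predicted is not None:
        chan.transmit(MEMORY[predicted])    # transient use of data the program never reads
    lap.observe(addr)                       # real address resolves; transient work is squashed
    assert ATTACKER_BUF <= addr < ATTACKER_BUF + ATTACKER_LEN, "attacker stays in bounds"
    return MEMORY[addr]


def bounded_load(len_addr: int, base: int, idx: int,
                 lvp: LoadValuePredictor, chan: CacheChannel) -> Optional[int]:
    """FLOP gadget: a bounds check depends on a loaded length. The LVP supplies a
    guessed length before the real one arrives, so the check can pass transiently."""
    predicted_len = lvp.predict()
    if predicted_len is not None and idx < predicted_len:
        chan.transmit(MEMORY[base + idx])   # transient out-of-bounds read
    actual_len = MEMORY[len_addr]
    lvp.observe(actual_len)
    return MEMORY[base + idx] if idx < actual_len else None  # architectural result


def slap_leak(nbytes: int = len(SECRET), stride: int = 8) -> bytes:
    """Train the LAP on in-bounds loads whose stride lands on the target address,
    then issue one more in-bounds load; the predicted address is out of bounds."""
    lap, chan, out = LoadAddressPredictor(), CacheChannel(), bytearray()
    for i in range(nbytes):
        target = SECRET_ADDR + i
        for k in range(CONFIDENCE_THRESHOLD + 2, 0, -1):  # five in-bounds training loads
            stride_load(target - k * stride, lap, chan)
        chan.flush()
        stride_load(ATTACKER_BUF, lap, chan)
        out.append(chan.receive())
    return bytes(out)


def flop_leak(nbytes: int = len(SECRET)) -> bytes:
    """Train the LVP with the big array's length, then run the same load on the
    small array: the stale length lets an index past its end pass transiently."""
    lvp, chan, out = LoadValuePredictor(), CacheChannel(), bytearray()
    for i in range(nbytes):
        for _ in range(CONFIDENCE_THRESHOLD + 1):         # same load, same value, repeatedly
            bounded_load(LEN_BIG, ATTACKER_BUF, 0, lvp, chan)
        chan.flush()
        idx = (SECRET_ADDR - SMALL_BASE) + i              # past the small array's real length
        assert bounded_load(LEN_SMALL, SMALL_BASE, idx, lvp, chan) is None  # real check rejects
        out.append(chan.receive())
    return bytes(out)
```

Both leak loops retrain before every byte because the predictor's confidence collapses as soon as the real address or value disagrees with the guess, which is also why the real attacks spend most of their time on training rather than on the leaking load itself.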
FLOP has been demonstrated against both Safari and Chrome, while SLAP affects only Safari.
Since the disclosure of Spectre and Meltdown there has been more focus on microarchitectural security at the hardware and browser level, and some browser vendors have changed how they assign pages to processes in order to defend against attacks such as these. Both Mozilla Firefox and Google Chrome implement site isolation, which renders pages from different websites in separate processes so that one site's secrets are never present in the address space a hostile page can speculatively read.
The research team that developed the SLAP and FLOP attacks disclosed them to Apple in May and September 2024, respectively. The team comprises Jason Kim and Daniel Genkin from Georgia Tech and Yuval Yarom of Ruhr University Bochum.
“We demonstrate that, despite their benefits to performance, LAPs open new attack surfaces that are exploitable in the real world by an adversary. That is, they allow broad out-of-bounds reads, disrupt control flow under speculation, disclose the ASLR slide, and even compromise the security of Safari. In the landscape of the decline of Moore’s Law birthing more exotic microarchitectural optimizations, we believe that LAPs may not be an Apple exclusive, either now or soon. As such, we emphasize the need for novel hardware and software countermeasures against LAPs in future work,” the paper says.
Given that speculative side-channel attacks like this are practical, why haven’t we seen them in the wild? Do we even know how to look for them? Unlike memory corruption exploits, a side-channel attack that fails, fails quietly: there is no crash, no corrupted heap and no log entry, only loads and timing measurements that look like ordinary execution. A memory corruption exploit that fails risks a crash that gives it away.