2025-01-29
A recent breakthrough by researchers from the Georgia Institute of Technology and Ruhr University Bochum has uncovered two new speculative execution vulnerabilities targeting Apple Silicon CPUs. These vulnerabilities, known as SLAP (Speculation via Load Address Prediction) and FLOP (False Load Output Prediction), affect devices with Apple's M2, M3, and A-series chips, potentially exposing sensitive user data. The researchers highlight the risks that come with the performance optimizations integrated into modern processors, which can sometimes create serious security concerns.
Summary:
SLAP and FLOP represent two major speculative execution attacks discovered in Apple Silicon chips. These attacks exploit flaws in performance features that are designed to optimize the speed of modern processors but may inadvertently leak private data.
– SLAP focuses on a vulnerability in the Load Address Predictor (LAP), which speculates the next memory address the CPU will access. When LAP guesses incorrectly, it can leak out-of-bounds data during speculative execution. Researchers showed how this flaw can be exploited in Safari, allowing attackers to retrieve sensitive user information like emails and browsing history.
– FLOP targets a flaw in the Load Value Predictor (LVP), which guesses the value of data before it is available. If LVP predicts wrong, speculative execution bypasses memory safety checks, potentially exposing critical user data. The team demonstrated how this vulnerability could lead to the leakage of private details, including credit card information, location history, and calendar entries, through attacks on Safari and Chrome.
The research team's experiments included impressive demonstrations, such as recovering unseen text like the first paragraph of The Great Gatsby and parts of Harry Potter by exploiting these speculative execution vulnerabilities. These findings draw attention to the dual nature of performance-enhancing techniques in CPUs: they improve speed but create serious security risks. Apple has been informed of these vulnerabilities and is expected to issue fixes in upcoming updates. This research was funded by prestigious organizations, including DARPA and the Air Force Office of Scientific Research.
What Undercode Says:
The discovery of the SLAP and FLOP attacks underscores a critical issue in modern processor design: the fine line between performance optimization and security vulnerabilities. While hardware manufacturers continually push for faster processing speeds to meet the increasing demands of modern software, the complexity of speculative execution introduces new avenues for attackers. These attacks target two core features designed to enhance performance: the Load Address Predictor (LAP) and the Load Value Predictor (LVP). Both mechanisms rely on speculative guesses, which, when wrong, leave room for malicious exploitation.
In the case of SLAP, the Load Address Predictor guesses the next memory address that the CPU will access based on previous patterns. While this prediction boosts processing speed, it also creates an opening for data leakage when the guess is incorrect. This issue becomes even more concerning in the context of web browsers, which are commonly used for online activities involving sensitive information. Attackers exploiting SLAP could potentially access private information such as emails, browsing histories, and other user data that might not be directly accessible through traditional methods.
The FLOP attack reveals a similar vulnerability in newer Apple Silicon processors, such as the M3 and A17 chips, which rely on the Load Value Predictor. This component predicts the value of memory data before it is actually retrieved. While this improves efficiency by reducing wait times, an incorrect prediction can break memory safety, opening the door to further security breaches. The fact that these attacks have been demonstrated on two widely used browsers, Safari and Chrome, demonstrates their real-world relevance. If attackers can read sensitive user information like credit card details, location data, or even calendar entries, it poses a significant threat to privacy and security.
The researchers' proof-of-concept attacks, including recovering text from The Great Gatsby and Harry Potter, may seem like simple demonstrations, but they highlight a much deeper issue. Speculative execution is fundamentally a gamble: predicting the future state of memory and executing instructions based on that guess. While processors gain performance, they simultaneously open up new attack vectors. These speculative execution vulnerabilities illustrate the risks of prioritizing speed over security, a balancing act that many chip manufacturers are struggling with.
One particularly concerning aspect of these vulnerabilities is their ability to bypass established security boundaries. For instance, web browsers are typically isolated environments, sandboxed to prevent one website from affecting another or accessing critical system resources. However, SLAP and FLOP can break through these boundaries, compromising the integrity of the entire system. The combination of these attacks potentially exposes a wide range of sensitive information, making it essential for manufacturers like Apple to take swift action to mitigate these risks.
Apple has been made aware of these vulnerabilities and is expected to release fixes in future updates, addressing the flaws in their speculative execution mechanisms. This highlights the ongoing challenge faced by hardware manufacturers: they must innovate and push the boundaries of performance while also ensuring that their products remain secure from evolving threats. It's a delicate balance that is becoming increasingly difficult as processors become faster, more complex, and more deeply integrated into our daily lives.
In conclusion, while SLAP and FLOP represent a major advancement in our understanding of speculative execution flaws, they also serve as a wake-up call. As we continue to demand more from our devices, it is essential that manufacturers prioritize security alongside performance. These discoveries remind us that the pursuit of speed can sometimes come at the cost of privacy and security, making it imperative for both researchers and manufacturers to work together to address these vulnerabilities and protect user data in the future.
Reported By: Cyberpress.org