A team of security researchers from Georgia Institute of Technology and Ruhr University Bochum has demonstrated two new side-channel attacks targeting Apple silicon that could be exploited to leak sensitive information from web browsers like Safari and Google Chrome.
The attacks have been codenamed Data Speculation Attacks via Load Address Prediction on Apple Silicon (SLAP) and Breaking the Apple M3 CPU via False Load Output Predictions (FLOP). Apple was notified of the issues in May and September 2024, respectively.
The vulnerabilities, like the previously disclosed iLeakage attack, build on Spectre, arising when speculative execution “backfires,” leaving traces of mispredictions in the CPU’s microarchitectural state and the cache.
Speculative execution refers to a performance optimization mechanism in modern processors that are aimed at predicting the control flow the CPU should take and execute instructions along the branch beforehand.
In the event of a misprediction, the results of the transient instructions are discarded and revert all changes made to the state following the prediction.
These attacks leverage the fact that speculative execution leaves traces to force a CPU to make a misprediction and execute a series of transient instructions, whose value could then be inferred through a side-channel even after the CPU rolls back all the changes to the state due to the misprediction.
“In SLAP and FLOP, we demonstrate that recent Apple CPUs go beyond this, not only predicting the control flow the CPU should take, but also the data flow the CPU should operate on if data are not readily available from the memory subsystem,” the researchers said.
“Unlike Spectre, mispredictions on data flow do not directly result in the CPU speculatively executing the wrong instructions. Instead, they result in the CPU executing arbitrary instructions on the wrong data. However, we show this can be combined with indirection techniques to execute wrong instructions.”
SLAP, which affects M2, A15, and newer chips, targets what’s called a Load Address Predictor (LAP) that Apple chips use to guess the next memory address the CPU will retrieve data from based on prior memory access patterns.
However, if the LAP predicts a wrong memory address, it can cause the processor to perform arbitrary computations on out-of-bounds data under speculative execution, thereby opening the door to an attack scenario where an adversary can recover email content from a logged-in user and browsing behavior from the Safari browser.
On the other hand, FLOP impacts M3, M4, and A17 chips, and takes aim at another feature called Load Value Predictor (LVP) that’s designed to improve data dependency performance by “guessing the data value that will be returned by the memory subsystem on the next access by the CPU core.”
FLOP causes “critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory,” the researchers noted, adding it could be weaponized against both Safari and Chrome browsers to pull off various arbitrary memory read primitives, such as recovering location history, calendar events, and credit card information.
The disclosure comes nearly two months after researchers from Korea University detailed SysBumps, which they described as the first kernel address space layout randomization (KASLR) break attack on macOS for Apple silicon.
“By using Spectre-type gadgets in system calls, an unprivileged attacker can cause translations of the attacker’s chosen kernel addresses, causing the TLB to change according to the validity of the address,” Hyerean Jang, Taehun Kim, and Youngjoo Shin said. “This allows the construction of an attack primitive that breaks KASLR bypassing kernel isolation.”
Separately, new academic research has also uncovered an approach to “combine multiple side-channels to overcome limitations when attacking the kernel,” finding that address space tagging, “the very same feature that makes mitigation of side-channels efficient, opens up a new attack surface.”
This includes a practical attack dubbed TagBleed, which abuses tagged translation lookaside buffers (TLBs), which makes separating kernel and user address spaces efficient, and residual translation information to break KASLR even in the face of state-of-the-art mitigations” on modern architectures.
“This leakage is enough to fully derandomize KASLR when used in combination with a secondary side-channel attack that uses the kernel as a confused deputy to leak additional information about its address space,” VUSec researcher Jakob Koschel said.
