Thursday, January 30, 2025
News

There are two new speculative execution attacks that impact recent Apple chips


There are two new speculative execution attacks that impact recent Apple chips, according to details shared today by the Georgia Tech students who discovered the vulnerabilities — as noted by MacRumors.

They’re dubbed SLAP and FLOP. Here’s how they’re described by the Georgia Tech students:

SLAP: We present SLAP, a new speculative execution attack that arises from optimizing data dependencies, as opposed to control flow dependencies. More specifically, we show that Apple CPUs starting with the M2/A15 are equipped with a Load Address Predictor (LAP), which improves performance by guessing the next memory address the CPU will retrieve data from based on prior memory access patterns.

However, if the LAP guesses wrong, it causes the CPU to perform arbitrary computations on out-of-bounds data, which should never have been accessed to begin with, under speculative execution. Building on this observation, we demonstrate the real-world security risks of the LAP via an end-to-end attack on the Safari web browser where an unprivileged remote adversary can recover email content and browsing behavior.

FLOP: We present FLOP, another speculative execution attack that results from recent Apple CPUs predicting the outcome of data dependencies. Here, we demonstrate that Apple’s M3/A17 generation and newer CPUs are equipped with a Load Value Predictor (LVP). The LVP improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access by the CPU core, before the value is actually available.

If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory. We demonstrate the LVP’s dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information.
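The two abstracts above boil down to one mechanism: a predictor guesses an address (LAP) or a value (LVP), the core runs ahead on that guess, and a wrong guess means work is done on data the program never asked for. The following Python model is an added illustration, not part of the original article, not Apple's microarchitecture and not the researchers' code. It uses a constructed stride-based address predictor and a last-value predictor, with assumed addresses, element sizes and a fixed speculation window of three loads, to show how the end of an array walk turns into out-of-bounds guesses and how a stale predicted length lets a `idx < len` check pass speculatively even though it fails architecturally.

```python
# Constructed toy model of the two predictors the SLAP/FLOP abstracts describe.
# It is an added illustration: not Apple's design and not the researchers'
# code. Its only purpose is to show why a wrong guess leads to speculative
# work on data the program never architecturally touched.

SPEC_WINDOW = 3  # assumed: how many loads ahead the model lets a predictor run


class LoadAddressPredictor:
    """Stride predictor keyed by the load instruction's address (PC)."""

    def __init__(self):
        self.last_addr = {}
        self.stride = {}

    def predict(self, pc):
        """Guess the next address as last address + observed stride."""
        if pc in self.stride:
            return self.last_addr[pc] + self.stride[pc]
        return None  # not enough history to guess yet

    def update(self, pc, addr):
        """Record the address a load actually used and refresh the stride."""
        if pc in self.last_addr:
            self.stride[pc] = addr - self.last_addr[pc]
        self.last_addr[pc] = addr


def simulate_lap(array_len, base=0x1000, elem_size=8):
    """Walk an array sequentially, then report the addresses the model's LAP
    would guess after the loop has architecturally ended. Returns the list of
    guessed addresses that fall outside [base, base + array_len * elem_size).
    base, elem_size and the load PC are constructed values."""
    lap = LoadAddressPredictor()
    pc = 0x4000  # constructed address of the load instruction
    end = base + array_len * elem_size
    for i in range(array_len):
        lap.update(pc, base + i * elem_size)  # architectural, in-bounds loads
    # The loop exits, but the predictor keeps extrapolating the pattern.
    # Model assumption: each guess feeds the next one during speculation.
    guesses = []
    for _ in range(SPEC_WINDOW):
        guess = lap.predict(pc)
        if guess is None:
            break
        guesses.append(guess)
        lap.update(pc, guess)
    return [a for a in guesses if not base <= a < end]


class LoadValuePredictor:
    """Last-value predictor keyed by load PC: predicts that a load returns the
    same value it returned the last time it executed."""

    def __init__(self):
        self.last_value = {}

    def predict(self, pc):
        return self.last_value.get(pc)

    def update(self, pc, value):
        self.last_value[pc] = value


def simulate_lvp_bounds_check(trained_len, actual_len, idx, train_rounds=8):
    """Model a bounds check `if idx < len` where `len` is loaded from memory.
    The load is trained on trained_len, then memory changes to actual_len
    (e.g. a smaller buffer). Returns (speculative_outcome, architectural_outcome):
    the check's result using the predicted value versus the real value."""
    lvp = LoadValuePredictor()
    pc_len_load = 0x5000  # constructed address of the load of `len`
    for _ in range(train_rounds):
        lvp.update(pc_len_load, trained_len)
    predicted_len = lvp.predict(pc_len_load)
    speculative_pass = idx < predicted_len     # what the core runs ahead on
    architectural_pass = idx < actual_len      # what is eventually committed
    # The architectural check is correct, so nothing wrong is ever retired;
    # the risk the abstracts describe is what the core touched in between.
    return speculative_pass, architectural_pass


if __name__ == "__main__":
    print("LAP out-of-bounds guesses:", [hex(a) for a in simulate_lap(4)])
    print("LVP check (speculative, architectural):",
          simulate_lvp_bounds_check(trained_len=16, actual_len=4, idx=10))
```

`simulate_lap(4)` walks four 8-byte elements from `0x1000` and the model then guesses `0x1020`, `0x1028` and `0x1030`, all past the end of the array; `simulate_lvp_bounds_check(16, 4, 10)` returns `(True, False)`: the stale predicted length lets index 10 through speculatively while the committed check rejects it. That gap between the speculative and architectural outcome is the "critical checks ... bypassed" the FLOP abstract refers to.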

SLAP and FLOP were disclosed to Apple in May 2024 and September 2024, respectively, and while the attacks have not yet been patched, the researchers who reported the issue were told that Apple plans to address the vulnerabilities in an upcoming security update, according to MacRumors.

Apple told Bleeping Computer that it has not yet patched the flaws. “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats,” Apple said. “Based on our analysis, we do not believe this issue poses an immediate risk to our users.”

Dennis Sellers
Dennis Sellers is the editor/publisher of Apple World Today. He’s been an “Apple journalist” since 1995 (starting with the first big Apple news site, MacCentral). He loves to read, run, play sports, and watch movies.