

Severity
High
Analysis Summary
Security researchers have disclosed two new side-channel attacks—SLAP (Data Speculation Attacks via Load Address Prediction) and FLOP (False Load Output Predictions)—that exploit vulnerabilities in Apple Silicon. These attacks manipulate speculative execution, a performance optimization in modern CPUs, to leak sensitive data from web browsers like Safari and Chrome. SLAP and FLOP follow similar principles to Spectre, where speculative execution leaves traces of mispredictions in the CPU's microarchitectural state, allowing attackers to infer secret data even after the CPU discards incorrect executions. Apple was informed of these issues in May and September 2024, respectively.
SLAP specifically impacts Apple’s M2, A15, and newer chips by targeting the Load Address Predictor (LAP), which predicts memory addresses based on previous access patterns. If the LAP mispredicts, it can cause the processor to perform computations on out-of-bounds data, potentially enabling attackers to extract private information such as email content and browsing history from Safari. FLOP, on the other hand, affects the latest M3, M4, and A17 chips by exploiting the Load Value Predictor (LVP), which estimates the value that a memory access will return. FLOP manipulates this feature to bypass critical memory safety checks, creating attack surfaces that could expose sensitive data like location history, calendar events, and even credit card details from Safari and Chrome.
These attacks build on prior research, such as the iLeakage attack, and coincide with other recent discoveries targeting Apple Silicon. Researchers previously demonstrated SysBumps, an attack that breaks Kernel Address Space Layout Randomization (KASLR) in macOS by leveraging Spectre-style system call manipulations. By forcing kernel address translations, an attacker can bypass kernel isolation protections, increasing the risk of privilege escalation and further system compromise. Additionally, researchers have developed new techniques combining multiple side-channels to attack the kernel, including TagBleed, which exploits tagged translation lookaside buffers (TLBs) to break KASLR, even against modern security mitigations.
These findings highlight growing concern over microarchitectural attacks, particularly as Apple Silicon becomes more widely adopted. While Apple has been notified, no immediate mitigations have been detailed, leaving macOS and iOS devices potentially vulnerable. The attacks demonstrate that speculative execution vulnerabilities remain a significant security challenge, requiring continuous research and innovative defense mechanisms to prevent exploitation. As these attacks evolve, users and organizations relying on Apple hardware must stay vigilant, applying security updates and adopting best practices to mitigate exposure to such threats.
Impact
- Sensitive Information Theft
- Unauthorized Access
Affected Vendors
Apple
Remediation
- Ensure that all devices are running the latest firmware and microcode updates from Apple, which may include patches for speculative execution vulnerabilities.
- Regularly update macOS and iOS software to apply any security patches that address these specific vulnerabilities.
- Enable or improve memory safety features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR) to protect against speculative execution flaws.
- Monitor and limit speculative execution behavior on affected devices, especially for critical processes and memory access operations.
- Keep web browsers (Safari and Chrome) up to date, as these attacks target browsing activity. Consider using additional security plugins or extensions that block potentially harmful scripts.
- For users, avoid logging into sensitive accounts on shared or public devices and limit exposure to private information while browsing or using applications that may be vulnerable.
- Isolate sensitive tasks (such as banking or accessing personal accounts) within a secure virtual machine or sandbox environment to limit potential damage.
- Use endpoint security software to monitor unusual or suspicious CPU behavior that could indicate an attack exploiting speculative execution vulnerabilities.
- Implement a robust patch management strategy to ensure that all devices are up to date with the latest security patches, especially those affecting Apple Silicon devices.
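
To prioritise patching, the chip generations named in the Analysis Summary can be matched against a device inventory. The script below is an added example, not part of the original advisory: the inventory rows and hostnames are constructed, and chip names are assumed to follow the `Apple M2 Pro` style that macOS reports through `sysctl -n machdep.cpu.brand_string`.

```python
import csv
import io
import re

# Affected generations exactly as the advisory lists them.
SLAP_MIN_GEN = {"M": 2, "A": 15}            # "M2, A15, and newer"
FLOP_LISTED_GEN = {"M": {3, 4}, "A": {17}}  # "M3, M4, and A17" (no "newer" stated)

# Matches strings such as "Apple M2 Pro" or "Apple A17 Pro".
CHIP_RE = re.compile(r"\bApple\s+([MA])(\d{1,2})\b", re.IGNORECASE)

# Constructed sample inventory (hostnames and rows are illustrative only).
SAMPLE_INVENTORY = """host,chip
mbp-dev-01,Apple M1
mbp-dev-02,Apple M2 Pro
mbp-fin-03,Apple M3 Max
iphone-ex-04,Apple A15 Bionic
iphone-ex-05,Apple A17 Pro
imac-old-06,Intel(R) Core(TM) i5-8500 CPU @ 3.00GHz
"""

def classify(chip):
    """Return the attacks the advisory associates with this chip, or None
    when the string is not a recognised Apple M/A-series name."""
    match = CHIP_RE.search(chip)
    if match is None:
        return None
    family, gen = match.group(1).upper(), int(match.group(2))
    attacks = []
    if gen >= SLAP_MIN_GEN[family]:
        attacks.append("SLAP")
    if gen in FLOP_LISTED_GEN[family]:
        attacks.append("FLOP")
    return attacks

def triage(inventory_csv):
    """Map each host in a host,chip CSV export to its classify() result."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["chip"]) for row in reader}

if __name__ == "__main__":
    for host, attacks in triage(SAMPLE_INVENTORY).items():
        if attacks is None:
            status = "not an Apple M/A-series chip, review manually"
        else:
            status = ", ".join(attacks) or "not listed in the advisory"
        print(f"{host}: {status}")
```

Hosts flagged for both SLAP and FLOP are the natural first tier for browser and OS updates once fixes are available.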