New Apple SLAP & FLOP Side-Channel Attacks Let Attackers Steal Login Details From Browser

Researchers from the Georgia Institute of Technology and Ruhr University Bochum have uncovered two novel speculative execution attacks, named SLAP (Speculative Data Attacks via Load Address Prediction) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions).

These vulnerabilities impact Apple Silicon chips, exposing critical security risks in devices built on the M2/A15 and later architectures.

Both exploits leverage microarchitectural optimizations in Apple processors, enabling attackers to extract sensitive data, such as email content, location information, and browsing history, from affected systems.

Exploiting Load Address Prediction

The SLAP attack targets the Load Address Predictor (LAP) embedded in Apple CPUs, starting with the M2 and A15 chips.

LAP is designed to enhance performance by predicting the memory addresses most likely to be accessed next, based on past usage patterns.

However, when the LAP makes an incorrect prediction, it opens the door for speculative execution to access out-of-bounds memory.

This introduces potential vulnerabilities where a malicious actor can orchestrate attacks to leak sensitive data.

To demonstrate SLAP’s impact, researchers executed a proof-of-concept attack targeting Safari.

By manipulating the LAP through JavaScript code, they retrieved sensitive information, such as email content and browsing behavior, from Apple’s Proton Mail interface.

This highlights the practical dangers posed by speculative execution when combined with improper memory access during data prediction.

Leveraging Load Value Prediction

The FLOP vulnerability expands on these issues by exploiting the Load Value Predictor (LVP) found in Apple’s latest M3 and A17 chips.

The LVP speculatively predicts the data value expected to be returned during memory access before its actual computation.

If the LVP mispredicts the value, speculative execution can proceed on incorrect assumptions, bypassing critical boundary checks.

Researchers demonstrated the FLOP attack on both Safari and Chrome browsers, successfully crafting arbitrary memory read primitives.

This allowed them to extract highly sensitive data, including location history, calendar events, and stored payment information.

FLOP’s ability to bypass typical memory safety mechanisms through speculative execution underscores the potential severity of this flaw.

The researchers showcased SLAP and FLOP’s capabilities through striking demonstrations.

SLAP allowed them to reconstruct the first paragraph of The Great Gatsby by training the LAP to speculatively access hidden memory addresses on an Apple M2 CPU.

Similarly, FLOP was used on the M3 CPU to retrieve the opening paragraph of Harry Potter and the Sorcerer’s Stone by manipulating the LVP to mispredict memory indices, granting access to unintended data regions.

SLAP and FLOP underline the risks associated with speculative execution optimizations in modern CPUs, particularly as performance enhancements inadvertently create new attack surfaces.

Apple has yet to publicly address these vulnerabilities, but patches will likely be rolled out to mitigate these risks.

This research was supported by various institutions, including the Air Force Office of Scientific Research (AFOSR), DARPA, the DFG’s Excellence Strategy, and contributions from industry partners like Qualcomm and Cisco.

Researchers emphasize that their findings highlight systemic challenges in processor design, urging a rethinking of speculative execution mechanisms in secure computing environments.

Are you from SOC/DFIR Teams? – Analyse Malware Files & Links with ANY.RUN Sandox -> Try for Free