T0@st
News Editor
- Joined
- Mar 7, 2023
- Messages
- 2,289 (3.29/day)
- Location
- South East, UK
An academic collaboration—between research departments at Georgia Institute of Technology and Ruhr University Bochum—has produced two white paper studies that disclose details regarding the vulnerable nature of certain generations of Apple Silicon. The documents were made available online earlier in the week; readily accessible through their Predictors.Fail webpage. The "SLAP" attack paper's moniker is derived/abbreviated from its long-form title: "Data Speculation Attacks via Load Address Prediction on Apple" Silicon. A similarly uncatchy acronymization has been generated by the second paper's full title: "Breaking the Apple M3 CPU via False Load Output Predictions"—aka "FLOP" attack. The North American and German security research teams have partnered up in the past—their "iLeakage" speculative execution side-channel attack was documented back in October 2023.
Spectre and Meltdown are the original, and likely most famous/notorious examples of speculative execution CPU vulnerability—owners of particular processor architectures were affected at the start of 2018. The Predictors.Fail bulletin proposes that the latest side-channel attacks affect Apple hardware of 2021 vintage and beyond. The teams introduced SLAP as: "a new speculative execution attack that arises from optimizing data dependencies, as opposed to control flow dependencies." They believe that Apple models: "starting with the M2 and A15 are equipped with a Load Address Predictor (LAP), which improves performance by guessing the next memory address the CPU will retrieve data from based on prior memory access patterns. However, if the LAP guesses wrong, it causes the CPU to perform arbitrary computations on out-of-bounds data, which should never have been accessed to begin with, under speculative execution. Building on this observation, we demonstrate the real-world security risks of the LAP via an end-to-end attack on the Safari web browser, where an unprivileged remote adversary can recover email content and browsing behavior."
Likewise, the security experts have outlined similar findings with FLOP—their paper demonstrates: "that Apple's M3 and A17 generation and newer CPUs are equipped with a Load Value Predictor (LVP). The LVP improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access by the CPU core, before the value is actually available. If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory. We demonstrate the LVP's dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information."
Bleeping Computer managed to extract an official response from Apple—following Georgia Tech and Ruhr U. Bochum staffers forwarding their findings to Santa Clara HQ. An anonymous Apple spokesperson stated: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users."
Phoronix's Michael Larabel kindly summarized these findings into a simplified list of Apple products: "all Mac laptops since 2022, all Mac desktops since 2023, and all iPhones / iPad Pro / iPad Air / iPad Mini models since 2021 are affected by these new SLAP and FLOP attacks."
View at TechPowerUp Main Site | Source
Spectre and Meltdown are the original, and likely most famous/notorious examples of speculative execution CPU vulnerability—owners of particular processor architectures were affected at the start of 2018. The Predictors.Fail bulletin proposes that the latest side-channel attacks affect Apple hardware of 2021 vintage and beyond. The teams introduced SLAP as: "a new speculative execution attack that arises from optimizing data dependencies, as opposed to control flow dependencies." They believe that Apple models: "starting with the M2 and A15 are equipped with a Load Address Predictor (LAP), which improves performance by guessing the next memory address the CPU will retrieve data from based on prior memory access patterns. However, if the LAP guesses wrong, it causes the CPU to perform arbitrary computations on out-of-bounds data, which should never have been accessed to begin with, under speculative execution. Building on this observation, we demonstrate the real-world security risks of the LAP via an end-to-end attack on the Safari web browser, where an unprivileged remote adversary can recover email content and browsing behavior."
Likewise, the security experts have outlined similar findings with FLOP—their paper demonstrates: "that Apple's M3 and A17 generation and newer CPUs are equipped with a Load Value Predictor (LVP). The LVP improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access by the CPU core, before the value is actually available. If the LVP guesses wrong, the CPU can perform arbitrary computations on incorrect data under speculative execution. This can cause critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory. We demonstrate the LVP's dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information."
Bleeping Computer managed to extract an official response from Apple—following Georgia Tech and Ruhr U. Bochum staffers forwarding their findings to Santa Clara HQ. An anonymous Apple spokesperson stated: "We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats. Based on our analysis, we do not believe this issue poses an immediate risk to our users."
Phoronix's Michael Larabel kindly summarized these findings into a simplified list of Apple products: "all Mac laptops since 2022, all Mac desktops since 2023, and all iPhones / iPad Pro / iPad Air / iPad Mini models since 2021 are affected by these new SLAP and FLOP attacks."
View at TechPowerUp Main Site | Source
