Apple silicon is vulnerable to side-channel speculative execution attacks "FLOP" and "SLAP"

Apple M3 SoC
(Image credit: Apple)

Earlier this week, a team of security researchers from the Georgia Institute of Technology and Ruhr University Bochum presented a pair of papers on two side-channel speculative execution attacks targeted at Apple silicon, dubbed SLAP and FLOP [h/t Bleeping Computer]. A dedicated web page for the attacks, showing some examples, documentation, and links to the original two papers, is also available at the aptly-named URL Predictors.Fail.

So, what are these attacks? To understand either, you first need a working understanding of what speculative execution attacks are. In March of last year, I covered a speculative execution attack called GhostRace, and back in January 2018, the one-two punch of the Meltdown and Spectre disclosures helped introduce the concept into the wider public consciousness. "Speculative execution" isn't a bad thing in and of itself. It is a performance optimization that lets a CPU guess what it will need next (which way a branch goes, or, in the case of these two attacks, which address a load will touch or even what value it will return) and run ahead on that guess. If the guess turns out to be wrong, the results are thrown away before they become architecturally visible, but the work still leaves traces in microarchitectural state such as the cache, and those traces can be measured through timing. Unless the speculation is tightly controlled, that makes it prone to side-channel attacks that are near-impossible to fix without some performance cost.

Christopher Harper
Contributing Writer

Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.

  • Dementoss
    Is the problem only with Safari or are other browsers affected? As far as I am aware, all web browsers have to use the WebKit kernel to be permitted in the Apple App Store.
    Reply
  • JamesJones44
    Dementoss said:
    Is the problem only with Safari or are other browsers affected? As far as I am aware, all web browsers have to use the WebKit kernel to be permitted in the Apple App Store.

    The article is a little confusing on that point. However, reading the source, it explicitly calls out both Safari and Chrome:

    the source said:
    We demonstrate the LVP's dangers by orchestrating these attacks on both the Safari and Chrome web browsers in the form of arbitrary memory read primitives, recovering location history, calendar events, and credit card information


    Based on the data provided in the paper, it's likely that any browser or bad-acting application could exploit this bug, since it's a prefetch issue at the CPU level.

    https://predictors.fail/
    Reply
  • hwertz
    A) Generally these are timing attacks; turning off JavaScript really only protects from browser-based exploitation (and they're relying on Macs out of the box requiring you to do lots of clicking through boxes to be able to run binaries that weren't probed and vetted by Apple).

    B) I'm actually surprised any browser is still vulnerable. In Windows and Linux at least (in addition to firmware updates and all sorts of other fixes), in the browser they simply removed nanosecond-accuracy time measurement from JavaScript; the side channel used in most of these attacks is based on measuring the tiny time difference from something being speculatively loaded into the cache or not. No accurate clock, no side channel.
    Reply