<https://www.bleepingcomputer.com/news/security/new-apple-cpu-side-channel-attack-steals-data-from-browsers/>
A team of security researchers has disclosed new side-channel
vulnerabilities in modern Apple processors that could steal sensitive information from web browsers.
The Georgia Institute of Technology and Ruhr University Bochum
researchers, who presented another attack dubbed 'iLeakage' in October
2023, presented their new findings in two separate papers, namely FLOP
and SLAP, which show distinct flaws and ways to exploit them.
The flaws stem from faulty speculative execution implementation, the
underlying cause of notorious attacks like Spectre and Meltdown.
The FLOP and SLAP side-channel attacks target features meant to speed
up processing by guessing the outcome of future instructions instead of
waiting for them; the speculative work those guesses trigger can leave
traces in the cache from which sensitive information can be extracted.
"Starting with the M2/A15 generation, Apple CPUs attempt to predict the
next memory address that will be accessed by the core," explained the researchers to BleepingComputer.
"Moreover, starting with the M3/A17 generation, they attempt to predict
the data value that will be returned from memory. However,
mispredictions in these mechanisms can result in arbitrary computations
being performed on out-of-bounds data or wrong data values."
These mispredictions can have real-world security implications, such as escaping the web browser sandbox and reading cross-origin personally identifiable information on Safari and Chrome, as demonstrated in the
two papers.
The attacks are executed remotely through a web browser using a
malicious webpage containing JavaScript or WebAssembly code designed to
trigger them.
The researchers disclosed the flaws to Apple on March 24, 2024 (SLAP)
and September 3, 2024 (FLOP).
Apple acknowledged the shared proof-of-concept and stated it plans to
address the issues. However, at the time of writing, the flaws remain unmitigated.
"We want to thank the researchers for their collaboration as this proof
of concept advances our understanding of these types of threats," Apple
told BleepingComputer.
"Based on our analysis, we do not believe this issue poses an immediate
risk to our users."
FLOP
The first paper describes False Load Output Prediction (FLOP), a problem
with Apple's latest M3, M4, and A17 processors, which predict not just
the memory addresses they will access but even the actual values stored
in memory.
If those Load Value Prediction (LVP) guesses are wrong, incorrect data
is used for temporary computations, which attackers can exploit to leak sensitive information.
Apple CPUs vulnerable to FLOP attacks
Source: flop.fail
The researchers demonstrated the FLOP attack by tricking Apple's M3 CPU
into making wrong guesses after training it via an execution loop that
loads a specific constant value and then triggers a misprediction.
While the CPU remains in this incorrect state, it leaks data through a
cache timing attack. This leak lasts long enough for the researchers to
measure memory access times and deduce the secret value before the CPU
corrects itself.
Overview of the attack
Source: flop.fail
Through FLOP, the researchers demonstrated escaping Safari's sandbox, retrieving sender and subject information from a Proton Mail inbox,
stealing Google Maps location history, and recovering private events
from iCloud Calendar.
Leaking data via FLOP
Source: flop.fail
SLAP
The second paper describes Speculative Load Address Prediction (SLAP),
which impacts Apple's M2 and A15 processors, and many of the later models.
Unlike FLOP, which exploits guesses about the value a memory load will
return, SLAP concerns the prediction of the memory address that will be
accessed next, called Load Address Prediction (LAP).
Apple CPUs supporting LAP
Source: slap.fail
An attacker can "train" the CPU to anticipate a specific memory access
pattern, then manipulate it into accessing secret data by abruptly
altering the memory layout, causing the following prediction to point to
the secret.
The CPU, trusting its prediction, reads and processes the sensitive data
before realizing and correcting the mistake, allowing an attacker to
exploit cache timing or other side channels to infer the leaked data.
Overview of the SLAP attack
Source: slap.fail
By executing the SLAP attack repeatedly, the attacker can reconstruct
stolen information such as retrieving Gmail inbox data, Amazon orders
and browsing data, and Reddit user activity.
Secrets retrieved via SLAP
Source: slap.fail
Real-world implications
The FLOP and SLAP attacks are significant due to their impact on modern
and widely used hardware and because they can be executed remotely
without requiring physical access.
A victim would just need to visit a malicious website for the secrets to
leak, bypassing browser sandboxing, ASLR, and traditional memory
protections.
The scripts used in the demo websites execute a sequence of memory loads designed to steer the load predictors that FLOP and SLAP exploit, so no malware infection is required. Modern browsers allow advanced computation and effectively
serve as the attack tool in this case.
Until security updates from Apple are made available, a possible
mitigation would be to turn off JavaScript in Safari and Chrome, though
this will expectedly break many websites.
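The following shell script is an added example for administrators; it is not code from the article or from the FLOP/SLAP researchers. It maps an Apple CPU brand string (as returned by `sysctl -n machdep.cpu.brand_string` on macOS) to the predictors the article attributes to each generation, so a fleet owner can tell which attack class applies to a machine, and applies the article's interim mitigation to Chrome using its documented `DefaultJavaScriptSetting` policy (2 = block) with an optional `JavaScriptAllowedForUrls` allowlist to limit breakage. Assumptions: generation boundaries are taken from the article (LAP from M2/A15, LVP from M3/A17); the A16 is treated as LAP-only by its position between A15 and A17, which the article does not state explicitly; Safari's JavaScript toggle is left to its Settings pane because no preference key is given on the page.

```shell
#!/bin/sh
# Added example, not from the BleepingComputer article or the FLOP/SLAP papers.
# Classifies an Apple CPU by the load predictors the article says it has and
# applies the article's interim mitigation (block JavaScript) to Chrome via
# its documented enterprise policies.
# ASSUMPTION: A16 is treated as LAP-only (between A15 and A17 per the article).

# Map a brand string such as "Apple M3 Pro" or "Apple A17 Pro" to predictors.
# Prints one of: none | LAP | LAP+LVP | unknown
apple_predictors() {
    brand="$1"
    # Pull out the family letter and generation number, e.g. "M 3" or "A 17".
    gen=$(printf '%s\n' "$brand" | sed -n 's/.*\([MA]\)\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$gen" ] || { echo unknown; return; }
    family=${gen%% *}
    number=${gen##* }
    case "$family" in
        M)
            if [ "$number" -ge 3 ]; then echo "LAP+LVP"      # M3 and later: LAP and LVP
            elif [ "$number" -eq 2 ]; then echo "LAP"        # M2: LAP only
            else echo "none"; fi ;;
        A)
            if [ "$number" -ge 17 ]; then echo "LAP+LVP"     # A17 and later
            elif [ "$number" -ge 15 ]; then echo "LAP"       # A15, A16 (assumed)
            else echo "none"; fi ;;
        *) echo unknown ;;
    esac
}

# Translate a predictor set into the attack classes named in the article.
# Prints one of: "SLAP FLOP" | "SLAP" | "none" | "unknown"
attack_classes() {
    case "$1" in
        "LAP+LVP") echo "SLAP FLOP" ;;   # LAP -> SLAP, LVP -> FLOP
        "LAP")     echo "SLAP" ;;
        "none")    echo "none" ;;
        *)         echo "unknown" ;;
    esac
}

# Brand string of the machine this runs on (macOS sysctl key); "unknown" elsewhere.
local_brand() {
    sysctl -n machdep.cpu.brand_string 2>/dev/null || echo unknown
}

# Block JavaScript in Chrome by default and allow it only for the URL patterns
# given as arguments, e.g. chrome_block_js "https://[*.]example.com".
# Takes effect after Chrome restarts; an MDM-managed profile overrides it.
chrome_block_js() {
    defaults write com.google.Chrome DefaultJavaScriptSetting -int 2
    if [ "$#" -gt 0 ]; then
        defaults write com.google.Chrome JavaScriptAllowedForUrls -array "$@"
    fi
}

# Report mode: ./flop_slap_check.sh report
if [ "${1:-}" = "report" ]; then
    b=$(local_brand)
    p=$(apple_predictors "$b")
    printf 'CPU: %s\npredictors: %s\nexposed to: %s\n' "$b" "$p" "$(attack_classes "$p")"
fi
```

Run `sh flop_slap_check.sh report` on each Mac to inventory exposure; call `chrome_block_js` with the handful of sites that must keep scripting (the allowlist form is what keeps "turn off JavaScript" from breaking every site). The classification is only as good as the article's generation table, so keep it in step with Apple's own advisory once one is published.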
--
CrudeSausage
Gab: @CrudeSausage
Telegram: @CrudeSausage
Unapologetic paleoconservative
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)