Earlier this week, a team of security researchers from the Georgia Institute of Technology and Ruhr University Bochum presented a pair of papers on two side-channel speculative execution attacks targeted at Apple silicon, dubbed SLAP and FLOP [h/t Bleeping Computer]. A dedicated web page for the attacks, showing some examples, documentation, and links to the original two papers, is also available at the aptly-named URL Predictors.Fail.
So, what are these attacks? To understand either, you first need a working understanding of what speculative execution attacks are. In March of last year, I covered a speculative execution attack called GhostRace, and back in 2016, the one-two punch of the Meltdown and Spectre attacks helped introduce the concept into the wider public consciousness. “Speculative execution” isn’t a bad thing in and of itself— you can think of it as a performance optimization that lets a CPU “speculate” what it needs to execute next— but unless it’s tightly controlled, it is prone to security exploits that are near-impossible to fix without performance degradation.
So, SLAP and FLOP may be new speculative execution attacks, but the fundamentals of how they work are well known.
SLAP, or Data Speculation Attacks via Load Address Prediction, functions by exploiting Apple Silicon’s Load Address Predictor, which guesses the next memory address the CPU will use. By exploiting this functionality and forcing it to guess wrong, information like emails and browsing history can effectively be stolen. This impacts Apple CPUs, starting with Apple M2 and A15.
Meanwhile, FLOP, or False Load Output Predictions, exploits Apple Silicon’s Load Value Predictor, which guesses data values to be returned by the memory on the next CPU cycle. If this is exploited and forced to guess wrong, memory safety can be bypassed entirely to leak things like credit card information and location history.
In a statement made to Bleeping Computer, Apple said: “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these types of threats, (but) based on our analysis, we do not believe this issue poses an immediate risk to our users.”
The researchers do note that attacks actually using these exploits have yet to be spotted in the wild after initially discovering and reporting them to Apple in March (SLAP) and September (FLOP) in 2024, but also that users hoping to avoid them entirely can still disable JavaScript in Safari (tested browser) on their Apple devices until further notice. Doing this will introduce lots of site compatibility issues, though, so hopefully Apple actually patches this sooner rather than later.
