SLAP and FLOP: Apple Silicon Security Risks

In the ever-evolving world of cybersecurity, new threats emerge as quickly as old ones are mitigated. The latest buzz in the security community revolves around two newly uncovered side-channel attacks targeting Apple Silicon processors: SLAP (Speculation via Load Address Prediction) and FLOP (False Load Output Predictions). These vulnerabilities exploit speculative execution—a performance optimisation feature in modern CPUs—to leak sensitive data from devices running on Apple’s M-series processors. Discovered by researchers from the Georgia Institute of Technology and Ruhr University Bochum, these attacks have drawn comparisons to the infamous Spectre vulnerability of 2018, but SLAP and FLOP specifically target Apple’s proprietary silicon architecture. With Apple’s M-series chips powering millions of devices worldwide, these vulnerabilities represent a significant security challenge for both individual users and enterprises.

This guide will provide an in-depth exploration of SLAP and FLOP, including how they work, why they matter, and what steps you can take to protect yourself. Along the way, we’ll also examine the broader implications of these attacks for the tech industry and cybersecurity at large.

What Are SLAP and FLOP?

At their core, SLAP and FLOP are side-channel attacks that exploit speculative execution, a feature in modern CPUs designed to improve performance by predicting future instructions. Apple’s M-series chips, which power MacBooks, iPads, iPhones, and other devices released since 2021, are vulnerable because of their unique architecture.

What Is Speculative Execution?

Before diving into SLAP and FLOP specifically, it’s important to understand speculative execution. This is a performance optimisation technique where a CPU guesses which instructions might be needed next and executes them ahead of time. If the guess is correct, performance improves because the CPU doesn’t have to wait for instructions. However, if the guess is wrong, the CPU discards the speculative results.

While this approach boosts efficiency in most scenarios, it also introduces security risks. Even when speculative results are discarded, the speculative work can leave traces of sensitive data in the CPU’s internal state, and attackers can recover those traces through carefully crafted exploits.

SLAP: Speculation via Load Address Prediction

SLAP exploits a feature called the Load Address Predictor (LAP) in Apple’s M2 and A15 processors (and newer models). LAP is responsible for predicting the memory address a load instruction will read from, so the load can proceed speculatively before the real address is known. By manipulating LAP predictions, attackers can bypass memory isolation protections and extract sensitive information.

How SLAP Works

  1. Setup: The attacker sets up a malicious webpage containing JavaScript or WebAssembly code designed to interact with the victim’s browser.
  2. Exploitation: The malicious code manipulates LAP predictions by forcing speculative execution paths that access protected memory regions.
  3. Data Extraction: Once LAP mis-predicts memory addresses, the attacker retrieves leaked data using side-channel techniques like timing analysis.
  4. Payload Delivery: The stolen data, such as emails, browsing history, or even credentials, is sent back to the attacker.

SLAP is very dangerous because it operates entirely within user-mode processes (e.g., web browsers), making it difficult to detect or mitigate without hardware-level changes.

FLOP: False Load Output Predictions

FLOP targets another speculative execution feature called the Load Value Predictor (LVP) found in Apple’s M3 and A17 processors (and later models). LVP predicts the value of data retrieved from memory during speculative execution. By forcing LVP mispredictions, attackers can bypass critical safety checks and access sensitive information.

How FLOP Works

  1. Preparation: Similar to SLAP, FLOP begins with a malicious webpage containing specially crafted code.
  2. Triggering LVP mispredictions: The attacker manipulates speculative execution paths to induce incorrect value predictions.
  3. Memory Access: These mispredictions allow attackers to bypass memory isolation mechanisms.
  4. Data Exfiltration: Attackers extract sensitive information, such as location history or credit card details, using timing-based side-channels.

FLOP represents an evolution of side-channel attacks by targeting value prediction rather than address prediction; this subtle but significant distinction makes it harder to detect using traditional defences.

A Brief History of Side-Channel Attacks

SLAP and FLOP are not isolated incidents but part of a broader category of vulnerabilities known as side-channel attacks. These exploits take advantage of unintended information leaks from hardware or software systems—such as timing variations or electromagnetic emissions—to extract sensitive data.

The Spectre Legacy

The discovery of Spectre in 2018 marked a turning point in cybersecurity. Spectre exploited branch prediction mechanisms in CPUs to leak data across process boundaries. This was a flaw that affected virtually every modern processor from Intel, AMD, and ARM.

Spectre forced hardware manufacturers to rethink their approach to CPU design. It also highlighted how performance optimizations like speculative execution could introduce unforeseen security risks.

Why Are These Attacks So Dangerous?

Several factors amplify the severity of SLAP and FLOP:

  1. Wide Device Impact: Nearly all Apple devices released since 2021 are affected, including MacBooks, iPhones, iPads, and Macs.
  2. Remote Exploitation: The proofs of concept for both attacks operate via web browsers like Safari or Chrome, making them easy to deploy remotely.
  3. High-Value Data Targeted: The stolen information, such as emails and credit card details, has significant monetary and privacy implications.
  4. Hardware-Level Exploitation: Unlike software bugs that can be patched easily, hardware flaws require extensive redesigns or mitigations that may degrade performance.

Mitigation Strategies

While Apple works on long-term fixes for SLAP and FLOP vulnerabilities, users can take several steps to minimise their risk:

For Individual Users:

  1. Keep Devices Updated: Regularly install iOS/macOS updates to ensure you receive any available mitigations.
  2. Use Secure Browsers: Switch to browsers with robust site isolation features.
  3. Disable JavaScript Temporarily: Disabling JavaScript can reduce exposure but may affect usability.
  4. Avoid Suspicious Links: Be cautious about visiting unknown websites or clicking on unverified links.

For Enterprises:

  1. Implement Network Filtering: Block known malicious domains at the network level using DNS filtering tools.
  2. Educate Employees: Conduct training sessions on phishing prevention and social engineering tactics.
  3. Monitor Browser Activity: Use intrusion detection systems (IDS) or endpoint protection tools to identify unusual browser activity.
  4. Adopt Virtualisation-Based Security (VBS): Isolate critical workloads using virtualisation technologies.
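Before any of the enterprise measures above can be prioritised, an administrator needs to know which machines in the fleet carry the affected predictors. The script below is an added example, not code from the original post or from the researchers: it maps a Mac’s CPU brand string to the predictors the post lists (LAP in M2/A15 and newer, LVP in M3/A17 and newer). It assumes the macOS `sysctl -n machdep.cpu.brand_string` key and brand strings of the form `Apple M2 Pro`; when run off macOS it falls back to a constructed sample list. Unrecognised or older parts are reported as unlisted rather than safe, so the output is a triage aid, not a verdict.

```shell
#!/bin/sh
# Added inventory helper (not from the original post). Maps an Apple CPU brand
# string to the speculative predictors named in the post:
#   LAP (SLAP): M2 / A15 and newer    LVP (FLOP): M3 / A17 and newer
# Assumption: brand strings look like "Apple M2 Pro" or "Apple A17 Pro".

classify_chip() {
    brand="$1"
    # Extract the family letter (M or A) and the generation number.
    family=$(printf '%s' "$brand" | sed -n 's/.*Apple \([MA]\)\([0-9][0-9]*\).*/\1/p')
    gen=$(printf '%s' "$brand" | sed -n 's/.*Apple \([MA]\)\([0-9][0-9]*\).*/\2/p')
    if [ -z "$family" ] || [ -z "$gen" ]; then
        echo "unrecognised"
        return 0
    fi
    case "$family" in
        M)
            if [ "$gen" -ge 3 ]; then echo "LAP+LVP"
            elif [ "$gen" -ge 2 ]; then echo "LAP"
            else echo "unlisted"; fi ;;
        A)
            if [ "$gen" -ge 17 ]; then echo "LAP+LVP"
            elif [ "$gen" -ge 15 ]; then echo "LAP"
            else echo "unlisted"; fi ;;
    esac
}

# One line of triage output per machine.
report() {
    brand="$1"
    case "$(classify_chip "$brand")" in
        LAP+LVP)  echo "$brand: LAP and LVP present (SLAP and FLOP); prioritise updates" ;;
        LAP)      echo "$brand: LAP present (SLAP)" ;;
        unlisted) echo "$brand: not in the affected list given in the post" ;;
        *)        echo "$brand: could not parse brand string; inspect manually" ;;
    esac
}

# Use the live value on macOS (assumed sysctl key); otherwise walk a constructed sample.
if command -v sysctl >/dev/null 2>&1 && sysctl -n machdep.cpu.brand_string >/dev/null 2>&1; then
    report "$(sysctl -n machdep.cpu.brand_string)"
else
    for b in "Apple M1" "Apple M2 Pro" "Apple M3 Max" "Apple A17 Pro" "Intel(R) Core(TM) i7"; do
        report "$b"
    done
fi
```

Running it through an MDM script runner and collecting the one-line reports gives a quick split of the fleet into machines that need the update-first treatment and machines that merely need watching.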

What Is Apple Doing About It?

Apple has acknowledged these issues but has not yet released comprehensive fixes as of February 2025. Potential mitigations include:

  • Disabling speculative execution features like LAP/LVP (at a potential cost to performance).
  • Enhancing browser sandboxing mechanisms in Safari.
  • Releasing firmware updates for affected devices.

Apple’s response will probably set a precedent for how other vendors address similar vulnerabilities in proprietary architectures.

The Broader Implications

SLAP and FLOP highlight several key trends shaping cybersecurity today:

  1. The Rise of Hardware Exploits
    As software defences improve, attackers are increasingly targeting hardware vulnerabilities, a trend exemplified by Spectre/Meltdown and now SLAP/FLOP.
  2. The Trade-Off Between Performance and Security
    Modern CPUs prioritise speed through features like speculative execution, but these optimisations sometimes come at a cost to security.
  3. The Need for Transparency in Hardware Design
    Proprietary architectures like Apple Silicon may offer competitive advantages but also limit external scrutiny, potentially increasing vulnerability risks.
  4. The Role of Security Research
    Academic teams play a crucial role in uncovering vulnerabilities like SLAP/FLOP before they can be exploited in real-world attacks.

Final Thoughts

The discovery of SLAP and FLOP serves as a stark reminder that no technology is immune to exploitation, not even Apple Silicon, often lauded for its security-first design philosophy. For now, users must stay informed and proactive while awaiting patches from Apple and organisations must adopt layered defences against increasingly sophisticated threats.

For more insightful and engaging write-ups, visit kosokoking.com and stay ahead in the world of cybersecurity!
