SLAP/FLOP: Apple Silicon’s ‘Son of Spectre’ Critical Flaws
2025-1-29 17:47:0 Author: securityboulevard.com

Offer Shlomi a/k/a Vince Offer, the Slap Chop guy

Want more “speculative execution” bugs? “You’re gonna be in a great mood all day.”

Apple’s latest three generations of ARM ISA chips have a pair of Spectre-like vulnerabilities. But, unlike other speculative execution flaws, this one seems like the real deal: It could actually be exploited to steal your private info. “Four or five seconds—it’s done!”

Apple’s known about at least one of the bugs for 10 months. In today’s SB Blogwatch, we wonder why Tim’s crew did nothing about it.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SLAP/CHOP.

“Watch This”

What’s the craic? Andrew Orr reports: Two Apple Silicon chip flaws could expose your private data to thieves

M2, M3, A15, or A17
Apple Silicon … is designed to be some of the fastest in the world, powering iPads and Macs. Their strength is speculative execution, a feature that guesses what you’ll need next to keep things running smoothly. But new research shows this speed boost comes with a cost.

If your Mac, iPhone, or iPad uses an M2, M3, A15, or A17 chip, it’s vulnerable. That includes devices like the M2 MacBook Air, the iPhone 15 Pro, and the latest iPads. Older devices with M1 or earlier chips aren’t impacted.


So it’s Spectre for Apple Silicon? Kinda. Here’s Bill Toulas: New Apple CPU side-channel attacks steal data from browsers

Flaws remain unmitigated
Georgia Institute of Technology and Ruhr University Bochum researchers … presented their new findings in two separate papers, … which show [two] distinct flaws and ways to exploit them. The flaws stem from faulty speculative execution implementation, the underlying cause of notorious attacks like Spectre.

The FLOP and SLAP side-channel attacks target features aimed at speeding up processing by guessing future instructions instead of waiting for them, which can leave traces in memory that are used to extract sensitive information. [They] can have real-world security implications, such as escaping the web browser sandbox and reading cross-origin personally identifiable information. … They can be executed remotely without requiring physical access: A victim would just need to visit a malicious website.

Apple … stated it plans to address the issues. However, at the time of writing, the flaws remain unmitigated. … The researchers disclosed the flaws to Apple on March 24 … and September 3.

Horse’s mouth? Jason Kim, Jalen Chuang, Daniel Genkin and Yuval Yarom: SLAP and FLOP

Read sensitive login-protected data
Data Speculation Attacks via Load Address Prediction: … Apple CPUs starting with the M2/A15 are equipped with a Load Address Predictor (LAP), which improves performance by guessing the next memory address the CPU will retrieve data from. … If we train the LAP on striding memory addresses, the LAP will access the next address in the striding pattern and compute using the data in that address, even if the program never actually accesses it. … iLeakage demonstrated a corner case in Safari’s isolation scheme where an adversary’s webpage can coerce an arbitrary target webpage to be handled by the same process, [which] share internal memory allocation regions. … This allows the adversary to jump the LAP to the target webpage.

False Load Output Predictions: … Apple’s M3/A17 generation and newer CPUs are equipped with a Load Value Predictor (LVP), [which] improves performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access. [But] if the LVP sees the same data value being repeatedly returned from the memory subsystem for the same load instruction, the LVP will attempt to guess the load’s outcome the next time that load instruction executes, even if the memory accessed by the load now contains a completely different value! … We can cause code that is only supposed to run for one data structure on another data structure, causing speculative type confusion, and obtaining a read primitive to arbitrary 64-bit addresses. [Or] run a function with the wrong arguments, … resulting in a type confusion based primitive for reading arbitrary memory addresses.

SLAP and FLOP [allow] attacker pages to read sensitive login-protected data from target webpages. In our work, we show that this data ranges from location history to credit card information. … Since SLAP and FLOP are microarchitecture-based attacks, they do not leave any traces in the system’s log files. … It is difficult to automatically detect malicious code patterns that exploit hardware vulnerabilities.
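To make the two mechanisms in the researchers’ description concrete, here is a toy Python model of a Load Address Predictor and a Load Value Predictor. It is an added illustration written for this page, not code from the SLAP/FLOP papers, from Apple, or from any real microarchitecture: the training threshold, the instruction addresses (`pc`), the memory addresses and the data values are all constructed. What it shows is the defender-relevant point in the quotes above: after training, the predictor hands the core a stale value (FLOP) or an address the program never touches (SLAP), the core uses it speculatively, and the later verification squashes the mismatch so the architectural result is still correct and nothing is recorded anywhere a log could see.

```python
from collections import defaultdict


class LoadValuePredictor:
    """Toy LVP (M3/A17 and newer, per the quote): once the same value has come back
    for the same load instruction `threshold` times in a row, predict it next time."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.last = {}  # pc -> (last value seen, consecutive count)

    def observe(self, pc, value):
        prev, count = self.last.get(pc, (None, 0))
        self.last[pc] = (value, count + 1 if value == prev else 1)

    def predict(self, pc):
        value, count = self.last.get(pc, (None, 0))
        return value if count >= self.threshold else None


class LoadAddressPredictor:
    """Toy LAP (M2/A15 and newer, per the quote): once a load instruction has walked
    addresses with one constant stride, predict the next address in that stride."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.addrs = defaultdict(list)  # pc -> recent addresses for that load

    def observe(self, pc, addr):
        hist = self.addrs[pc]
        hist.append(addr)
        del hist[:-(self.threshold + 1)]  # keep just enough history for `threshold` strides

    def predict(self, pc):
        hist = self.addrs[pc]
        if len(hist) < self.threshold + 1:
            return None
        strides = {b - a for a, b in zip(hist, hist[1:])}
        return hist[-1] + strides.pop() if len(strides) == 1 else None


def run_load(pc, addr, memory, lvp):
    """One load through the LVP: the predicted value (if any) is used speculatively,
    then compared with what memory really holds; a mismatch is squashed.
    Returns (speculative_value, architectural_value, squashed)."""
    spec = lvp.predict(pc)
    real = memory[addr]
    lvp.observe(pc, real)
    squashed = spec is not None and spec != real
    return spec, real, squashed


def flop_scenario():
    """Train the LVP on a stable value, then change memory behind its back (constructed)."""
    memory = {0x1000: 0x41}
    lvp = LoadValuePredictor(threshold=3)
    pc = 0x4000  # constructed address of one load instruction
    for _ in range(3):
        run_load(pc, 0x1000, memory, lvp)
    memory[0x1000] = 0x99  # the pointed-to data is now something else entirely
    return run_load(pc, 0x1000, memory, lvp)  # stale 0x41 used, real 0x99, squashed


def slap_scenario():
    """Train the LAP on a stride; it then guesses an address the program never loads."""
    lap = LoadAddressPredictor(threshold=3)
    pc = 0x5000  # constructed address of one load instruction
    accessed = [0x2000 + i * 0x40 for i in range(4)]
    for a in accessed:
        lap.observe(pc, a)
    predicted = lap.predict(pc)
    return predicted, predicted not in accessed


if __name__ == "__main__":
    spec, real, squashed = flop_scenario()
    print(f"FLOP: speculated 0x{spec:x}, architectural 0x{real:x}, squashed={squashed}")
    predicted, untouched = slap_scenario()
    print(f"SLAP: predicted 0x{predicted:x}, never accessed by the program={untouched}")
```

The `squashed=True` result is the crux for anyone hoping to detect this after the fact: the core’s visible state ends up correct, so the only evidence is whatever the speculative window left in caches, which is exactly why the researchers say the attacks leave no traces in system logs and why the fix has to come from the CPU vendor or the browser’s process isolation rather than from monitoring.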

Isn’t this another theoretical vuln we’ll never see in the wild? No, says AdrianBc:

The researchers who have published this pair of vulnerabilities have also produced a proof-of-concept implementation, which exploits the CPU vulnerabilities in conjunction with the design flaws of Apple Safari. So it works perfectly fine on any of the affected … models when browsing a malicious site.

It is expected that Apple will introduce some mitigations, at least in the Safari browser. … But it is not clear whether this will have a visible impact on performance.

Oh no. Anyway, Chris “diodesign” Williams agrees:

Of all the Spectre exploitation examples I’ve seen, this one appears more real-world than most. But … the exfiltration rate is slow.

This sounds bad. It’s bad, isn’t it? locovaca can’t help but think it’s bad:

So we’re almost a decade out from Spectre and Meltdown and we’re still making the same mistakes in CPU design.

The first thing we do: Let’s kill all the speculation? Not so fast, Dick. SiberX has news for you:

The people suggesting all this speculative execution mumbo jumbo might not be worth the effort may not understand how absolutely central such techniques are to modern processor design, and how significant a performance impact they have. To avoid all the hardware side-channel vulnerabilities that have come out over the past few years, you’d need to turn off not just speculative execution, but multiple kinds of prefetching, various buffers, caches, out-of-order execution, some facets of instruction dispatch that allow you to run multiple tasks on idle execution units inside a core, etc., etc.

The performance penalty probably optimistically starts at 10x slower, and could be hundreds of times slower depending on the workload.

Don’t be so defeatist! DamnOregonian sounds defeated:

It’s really not that simple. Speculative side channels are a Pandora’s box. You aren’t closing it. Every CPU made going forward is going to be vulnerable to these things, and people will keep finding them, and we will keep fixing them.

Meanwhile, DeftwillP has the solution:

It’s OK guys, Siri’s got this:
“Hey Siri, load the patch from Apple for the newest exploit.”
“I couldn’t find that person in your contacts.”

And Finally:

Yikes, this first appeared in And Finally 15 years ago

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to  @RiCHi, @richij, @[email protected], @richi.bsky.social or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Offer Shlomi a/k/a Vince Offer

Article source: https://securityboulevard.com/2025/01/slap-flop-apple-silicon-richixbw/