![SLAP and FLOP attack](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTvBVAybIB85F469Aaok9DQ4M2OOyKK_rEoXhBgPBnnWCED5WLOQgR7L1kxcXYG57Q7A48sLN2XsZBaHs5ySVNwvIhrtlxwniOmjFt6qnOaeXXorgoNWvKRlrIxe3ZlCYhd26UixkIsbl1_6lyIsKWXk4qPvohnOSswtfxSZWgzyexqzTDbSe4XLuHLbSo/s728-rw-e365/apple-chip.png)
Security researchers at the Georgia Institute of Technology and Ruhr University Bochum have demonstrated two new side-channel attacks targeting Apple silicon that can leak sensitive information from web browsers such as Safari and Google Chrome.
The attacks have been named SLAP (Data Speculation Attacks via Load Address Prediction on Apple Silicon) and FLOP (Breaking the Apple M3 CPU via False Load Output Predictions). Apple was notified of the issues in May and September 2024.
The vulnerability arises when speculative execution "backfires": as in the previously disclosed Spectre attack, the CPU leaves cache traces of its mispredictions behind.
Speculative execution is a performance-optimization mechanism in modern processors: the CPU fetches instructions ahead of time and predicts the control flow the program should take.
If the prediction turns out to be wrong, the transient instructions are squashed and all changes made after the misprediction are rolled back to the earlier state.
These attacks exploit the fact that speculative execution can be coaxed into mispredicting, causing the CPU to execute a series of transient instructions along the wrong path.
"With SLAP and FLOP, recent Apple CPUs go beyond this: they predict not only the control flow the CPU should take, but also the data flow the CPU should operate on when the data is not readily available from the memory subsystem," the researchers said.
"Unlike Spectre, data-flow mispredictions do not directly result in executing the wrong instructions. Instead, the CPU executes arbitrary instructions on wrong data, and these unintentionally executed instructions can be combined with an indirect method."
SLAP, which affects the M2, A15 and newer chips, targets the Load Address Predictor (LAP) that Apple chips use to guess the next memory address the CPU will fetch data from, based on previous memory-access patterns.
However, if the LAP predicts the wrong memory address, the processor may perform arbitrary computations on the data read from that address, opening the door to an attack scenario in which an adversary recovers email content and browsing activity from the Safari browser.
FLOP, on the other hand, affects the M3, M4 and A17 chips and targets a separate Load Value Predictor (LVP), "designed to improve performance on data dependencies by guessing the data value that will be returned by the memory subsystem on the next access by the CPU core."
FLOP causes "critical checks in program logic for memory safety to be bypassed, opening attack surfaces for leaking secrets stored in memory," the researchers added, and can be weaponized against both the Safari and Chrome browsers to recover location history, calendar events, credit-card information and more.
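To make the two predictors concrete, here is a small Python model. It is added for this article and is not code from the researchers, from Apple or from the paper: it implements an assumed stride-based LAP and an assumed last-value LVP (both rules are illustrative guesses, since the real predictor designs are not described here), runs a bounded loop through the LAP to show its guess for the next load landing past the end of the buffer (the SLAP case), and runs a length check through the LVP to show the transient path accepting an index that the architectural path rejects (the FLOP case). The `fence` flag, which models a speculation barrier that refuses a predicted value for one load, is likewise an assumption, and the whole thing also illustrates the squash-versus-transient distinction from the speculative-execution description above.

```python
"""Toy models of a Load Address Predictor (LAP) and a Load Value Predictor (LVP).

Constructed for illustration: the stride rule and the last-value rule below
are assumptions, not Apple's actual predictor designs.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class LoadAddressPredictor:
    """Assumed LAP behaviour: extrapolate the stride of the last three addresses."""
    history: List[int] = field(default_factory=list)

    def train(self, addr: int) -> None:
        self.history.append(addr)

    def predict(self) -> Optional[int]:
        if len(self.history) < 3:
            return None
        a, b, c = self.history[-3:]
        stride = c - b
        return c + stride if b - a == stride else None


@dataclass
class LoadValuePredictor:
    """Assumed LVP behaviour: after `threshold` identical results, guess that
    the load will return the same value again."""
    threshold: int = 3
    last_value: Optional[int] = None
    confidence: int = 0

    def train(self, value: int) -> None:
        if value == self.last_value:
            self.confidence += 1
        else:
            self.last_value, self.confidence = value, 1

    def predict(self) -> Optional[int]:
        return self.last_value if self.confidence >= self.threshold else None


def slap_model(buffer_len: int = 8) -> Tuple[List[int], Optional[int]]:
    """A loop walks a buffer with stride 1.  Architecturally the load touches
    only indices 0..buffer_len-1; the LAP knows nothing about the loop bound,
    so its guess for the *next* load points one element past the buffer.
    Whatever a transient window computes on that address is squashed, but the
    cache footprint it leaves is what a side channel can observe."""
    lap = LoadAddressPredictor()
    base = 0x1000                       # constructed base address of the buffer
    touched = []
    for i in range(buffer_len):
        addr = base + i
        touched.append(addr)            # architectural accesses
        lap.train(addr)
    return touched, lap.predict()       # guess lands at base + buffer_len


def flop_model(new_length: int = 4, index: int = 10,
               fence: bool = False) -> Tuple[bool, Optional[bool]]:
    """A check `index < length` loads `length` from memory.  After several
    checks with length == 16 the LVP predicts 16, so once the program shrinks
    the array to `new_length` the transient path still passes a check that the
    architectural path fails.  `fence=True` models a speculation barrier that
    forbids using a predicted value for this load (an assumed mitigation)."""
    lvp = LoadValuePredictor()
    length_in_memory = 16
    for _ in range(lvp.threshold):      # warm-up: checks with the old length
        lvp.train(length_in_memory)
    length_in_memory = new_length       # program shrinks the array
    architectural = index < length_in_memory
    predicted = None if fence else lvp.predict()
    transient = None if predicted is None else index < predicted
    return architectural, transient


if __name__ == "__main__":
    touched, guess = slap_model()
    print("architectural loads:", [hex(a) for a in touched])
    print("LAP guess for next load:", hex(guess), "(past the buffer)")
    print("FLOP check (architectural, transient):", flop_model())
    print("same check with barrier:", flop_model(fence=True))
```

The pair `(False, True)` returned by `flop_model()` is the situation the article calls bypassing a critical memory-safety check: the architectural result is correct, but the transient path has already acted on the stale value. With `fence=True` the transient result is `None`, because no predicted value is consumed; the model shows only the misprediction, not how the transient computation would be observed.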
The disclosure comes almost two months after researchers from a Korean university detailed SysBumps, which they described as the first kernel address space layout randomization (KASLR) break attack on macOS on Apple silicon.
"Using Spectre-type gadgets in system calls, an unprivileged attacker can cause translations of attacker-chosen kernel addresses, resulting in TLB changes depending on the validity of the address," the researchers said. "This allows us to construct an attack primitive that breaks KASLR, bypassing kernel isolation."
Separately, new academic research has also revealed an approach for "combining multiple side channels to overcome restrictions when attacking the kernel attack surface."
This includes a practical attack called TagBleed, which abuses the tagged translation lookaside buffer (TLB) that modern architectures use to efficiently separate the kernel and user address spaces.
"This leak is sufficient to completely derandomize KASLR when combined with a secondary side-channel attack used as a confused deputy to leak additional information about the address space."