Demos:
- Leaking Proton Mail's Inbox Data: Trains the M3 CPU's LVP via sandboxed JavaScript in WebKit. When the user mouses over the demo webpage, it opens the Proton Mail inbox in a new window that shares the same process, bringing the inbox content into the attacker page's address space and using LVP to recover sender and subject lines.
- Reading The Great Gatsby Using Load Address Prediction: Demonstrates the LAP proof-of-concept on an Apple M2 CPU, recovering a secret string (the first paragraph of The Great Gatsby) by placing a pointer at a wrongly guessed memory address.
- Reading Harry Potter Using Load Value Prediction: Shows the LVP proof-of-concept on an Apple M3 CPU, recovering the first paragraph of Harry Potter and the Sorcerer's Stone by causing LVP to predict and access an incorrect array index and placing a pointer there.
- The People Behind SLAP and FLOP: Jason Kim, Jalen Chuang, Daniel Genkin (Georgia Institute of Technology), Yuval Yarom (Ruhr University Bochum).
Frequently Asked Questions:
- SLAP and FLOP Basics: Affected Apple devices include various Mac laptops from 2022 onward, Mac desktops from 2023 onward, iPad Pro/Air/Mini from 2021 onward, and iPhones from 2021 onward. SLAP and FLOP break the isolation between webpages, allowing an attacker page to read sensitive data from another page. FLOP has an actionable mitigation that requires software patches. We haven't observed load address/value prediction in other processors. We tested only on Apple CPUs and not on other browsers. SLAP and FLOP leave no traces in system log files, and we haven't seen them used in the wild. We disclosed SLAP on May 24, 2024, and FLOP on September 3, 2024.
- Technical Questions: Computer bugs often arise from programming mistakes, whereas side-channel attacks exploit the hardware implementation itself. Virtually all modern CPUs rely on speculative execution as a performance optimization; Spectre is a hardware vulnerability in that mechanism. SLAP and FLOP demonstrate that Apple CPUs also predict data flow: SLAP uses Load Address Prediction and FLOP uses Load Value Prediction, which have different internal structures and different training requirements. JavaScript and WebAssembly are sandboxed, which makes side-channel attacks from them more difficult but no less impactful. SLAP exploits Safari's string allocation, while FLOP causes speculative type confusion. Safari lacks Site Isolation, which increases the attack surface; Chrome's Site Isolation has corner cases that still allow attacks.
- Miscellaneous: Research is licensed under CC0. Logos can be saved by right-clicking.
- SLAP and FLOP in the News: Articles from various sources reporting on Apple chips being hacked to leak secrets from Gmail, iCloud, etc., and Apple's plans to patch web browser vulnerabilities.
- Acknowledgments: Supported by the Air Force Office of Scientific Research, an Alfred P. Sloan Research Fellowship, an ARC Discovery Project, the Defense Advanced Research Projects Agency, the Deutsche Forschungsgemeinschaft, and gifts from Qualcomm, Cisco (SLAP), and Zama (FLOP). The views in the document are those of the authors and not of the U.S. Government.