惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
AI
AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
U
Unit 42
Vercel News
Vercel News
Stack Overflow Blog
Stack Overflow Blog
P
Proofpoint News Feed
Microsoft Security Blog
Microsoft Security Blog
The GitHub Blog
The GitHub Blog
WordPress大学
WordPress大学
Martin Fowler
Martin Fowler
博客园 - 【当耐特】
B
Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
Apple Machine Learning Research
Apple Machine Learning Research
博客园_首页
F
Full Disclosure
Google DeepMind News
Google DeepMind News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
H
Help Net Security
Recorded Future
Recorded Future
N
News and Events Feed by Topic
雷峰网
雷峰网
V
Vulnerabilities – Threatpost
Schneier on Security
Schneier on Security
aimingoo的专栏
aimingoo的专栏
S
Schneier on Security
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
O
OpenAI News
Project Zero
Project Zero
罗磊的独立博客
G
GRAHAM CLULEY
腾讯CDC
P
Privacy International News Feed
V
V2EX
Application and Cybersecurity Blog
Application and Cybersecurity Blog
Hugging Face - Blog
Hugging Face - Blog
爱范儿
爱范儿
H
Heimdal Security Blog
L
LINUX DO - 热门话题
Forbes - Security
Forbes - Security
美团技术团队
MongoDB | Blog
MongoDB | Blog
Security Latest
Security Latest
M
MIT News - Artificial intelligence
T
Tor Project blog
Cisco Talos Blog
Cisco Talos Blog
宝玉的分享
宝玉的分享
T
Threat Research - Cisco Blogs
TaoSecurity Blog
TaoSecurity Blog

Open Web Advocacy RSS Feed

28% Faster: The Blink Prototype That Shows Why Apple 28%高速化: AppleのiOSブラウザエンジン禁止措置を終わらせるべき理由を示すBlinkプロトタイプ - Open Web Advocacy 28% Faster: The Blink Prototype That Shows Why Apple Open Letter: Why the CMA Must Enforce the DMCCA - Open Web Advocacy Open Letter: Why the CMA Must Enforce the DMCCA - Open Web Advocacy Open Letter: Why the CMA Must Enforce the DMCCA - Open Web Advocacy The Digital Markets Act Is Delivering Real Wins, But Not Yet for Browser Engines - Open Web Advocacy The Digital Markets Act Is Delivering Real Wins, But Not Yet for Browser Engines - Open Web Advocacy The Digital Markets Act Is Delivering Real Wins, But Not Yet for Browser Engines - Open Web Advocacy Our Submission to the CMA on Apple’s iOS Interoperability Commitments - Open Web Advocacy Our Submission to the CMA on Apple’s iOS Interoperability Commitments - Open Web Advocacy Our Submission to the CMA on Apple’s iOS Interoperability Commitments - Open Web Advocacy Q&A with Simonetta Vezzoso: The Open Web, Apple, and the DMA - Open Web Advocacy Q&A with Simonetta Vezzoso: The Open Web, Apple, and the DMA - Open Web Advocacy Q&A with Simonetta Vezzoso: The Open Web, Apple, and the DMA - Open Web Advocacy Google Backs Down: Will Grant Hotseat in EU Browser Choice Screen - Open Web Advocacy Google Backs Down: Will Grant Hotseat in EU Browser Choice Screen - Open Web Advocacy Google Backs Down: Will Grant Hotseat in EU Browser Choice Screen - Open Web Advocacy OWA on RedMonk: Why the Mobile Web Still Can’t Compete with Native Apps, and How to Fix It! - Open Web Advocacy OWA on RedMonk: Why the Mobile Web Still Can’t Compete with Native Apps, and How to Fix It! - Open Web Advocacy OWA on RedMonk: Why the Mobile Web Still Can’t Compete with Native Apps, and How to Fix It! - Open Web Advocacy Apple’s Interoperability Commitments to the UK’s CMA Promise Nothing - Open Web Advocacy Apple’s Interoperability Commitments to the UK’s CMA Promise Nothing - Open Web Advocacy Apple’s Interoperability Commitments to the UK’s CMA Promise Nothing - Open Web Advocacy How Apple’s Key Tactic Could Prevent Japan’s Smartphone Act from Improving Browser Competition - Open Web Advocacy Appleの主要な戦術が、日本のスマホ法によるブラウザ競争の改善を阻む可能性について - Open Web Advocacy How Apple’s Key Tactic Could Prevent Japan’s Smartphone Act from Improving Browser Competition - Open Web Advocacy Open Web Advocacy 2025 in Review - Open Web Advocacy Open Web Advocacy 2025 in Review - Open Web Advocacy Open Web Advocacy 2025 in Review - Open Web Advocacy Tim Berners-Lee On Apple’s Browser Engine Ban and Web Apps - Open Web Advocacy Tim Berners-Lee On Apple’s Browser Engine Ban and Web Apps - Open Web Advocacy Tim Berners-Lee On Apple’s Browser Engine Ban and Web Apps - Open Web Advocacy What Apple’s UK Strategic Market Status Designation means for Browsers and Web Apps - Open Web Advocacy What Apple’s UK Strategic Market Status Designation means for Browsers and Web Apps - Open Web Advocacy What Apple’s UK Strategic Market Status Designation means for Browsers and Web Apps - Open Web Advocacy OWA at the EU Parliament DMA Working Group - Open Web Advocacy OWA at the EU Parliament DMA Working Group - Open Web Advocacy OWA at the EU Parliament DMA Working Group - Open Web Advocacy Can Perplexity Afford to Fund the Web? The $34.5 Billion-Dollar Question - Open Web Advocacy Can Perplexity Afford to Fund the Web? The $34.5 Billion-Dollar Question - Open Web Advocacy Can Perplexity Afford to Fund the Web? The $34.5 Billion-Dollar Question - Open Web Advocacy Japan: Apple Must Lift Browser Engine Ban by December - Open Web Advocacy Japan: Apple Must Lift Engine Ban by December - Open Web Advocacy Japan: Apple Must Lift Engine Ban by December - Open Web Advocacy UK Regulator Flags Apple’s iOS Browser Engine Ban in Draft SMS Designation - Open Web Advocacy UK Regulator Flags Apple’s iOS Browser Engine Ban in Draft SMS Designation - Open Web Advocacy UK Regulator Flags Apple’s iOS Browser Engine Ban in Draft SMS Designation - Open Web Advocacy Apple Apple Apple Google Google Google Balancing Security and Fair Competition - Open Web Advocacy Balancing Security and Fair Competition - Open Web Advocacy Balancing Security and Fair Competition - Open Web Advocacy Industry Voices Caution Against DOJ’s Plan to Force Sale Of Chrome - Open Web Advocacy Industry Voices Caution Against DOJ’s Plan to Force Sale Of Chrome - Open Web Advocacy Industry Voices Caution Against DOJ’s Plan to Force Sale Of Chrome - Open Web Advocacy Is It Worth Killing Mozilla to Shave Off Less Than 1% From Google’s Market Share? - Open Web Advocacy Is It Worth Killing Mozilla to Shave Off Less Than 1% From Google’s Market Share? - Open Web Advocacy Is It Worth Killing Mozilla to Shave Off Less Than 1% From Google’s Market Share? - Open Web Advocacy Break Google’s Search Monopoly without Breaking the Web - Open Web Advocacy Break Google’s Search Monopoly without Breaking the Web - Open Web Advocacy Break Google’s Search Monopoly without Breaking the Web - Open Web Advocacy UK Regulator UK Regulator UK Regulator SLAP and FLOP: Apple SLAP and FLOP: Apple Digital Markets Act: Europe’s Digital Competitiveness at Stake - Open Web Advocacy Digital Markets Act: Europe’s Digital Competitiveness at Stake - Open Web Advocacy Digital Markets Act: Europe’s Digital Competitiveness at Stake - Open Web Advocacy UK Launches Investigation into Apple and Google under the DMCC - Open Web Advocacy UK Launches Investigation into Apple and Google under the DMCC - Open Web Advocacy UK Launches Investigation into Apple and Google under the DMCC - Open Web Advocacy Open Web Advocacy 2024 in Review - Open Web Advocacy Open Web Advocacy 2024 in Review - Open Web Advocacy Open Web Advocacy 2024 in Review - Open Web Advocacy iOS age restriction blocks all browsers except Safari, breaks choice screen - Open Web Advocacy iOS age restriction blocks all browsers except Safari, breaks choice screen - Open Web Advocacy iOS age restriction blocks all browsers except Safari, breaks choice screen - Open Web Advocacy Apple implements six of OWA Apple implements six of OWA Apple implements six of OWA It It It Interop 2025 must drop secret vetos - Open Web Advocacy Interop 2025 must drop secret vetos - Open Web Advocacy Interop 2025 must drop secret vetos - Open Web Advocacy Stuart Langridge: The Mazy Web - Open Web Advocacy Stuart Langridge: The Mazy Web - Open Web Advocacy Stuart Langridge: The Mazy Web - Open Web Advocacy Webventures: An Abridged History of Safari Showstoppers - Open Web Advocacy Webventures: An Abridged History of Safari Showstoppers - Open Web Advocacy Webventures: An Abridged History of Safari Showstoppers - Open Web Advocacy Google must share the ability to install Web Apps in Android - Open Web Advocacy Google must share the ability to install Web Apps in Android - Open Web Advocacy
SLAP and FLOP: Apple
2025-02-04 · via Open Web Advocacy RSS Feed

TL:DR; Yet again Apple’s ban on third-party browser engines weakens security rather than strengthens it.

Researchers from the Georgia Institute of Technology and Ruhr University Bochum have published papers describing two attacks dubbed SLAP and FLOP that impact Apple’s latest chipsets.

These attacks share conceptual similarities with the Spectre exploits, which affected most pre-2019 processors by exploiting speculative execution. While Spectre targeted branch prediction, SLAP and FLOP exploit load address and value prediction in Apple's latest chips.

For SLAP, Apple requested an extended embargo beyond the typical 90-day window, and the researchers ultimately waited 250 days before publishing. For FLOP, the researchers notified Apple 148 days prior to publication. In both cases, Apple has not provided any timeline for implementing mitigations to the researchers or the public.

SLAP

The SLAP attack targets Apple-designed processors, such as the M2, A15, and newer models that have a Load Address Predictor (LAP), which predicts the memory addresses of subsequent load instructions to optimize performance.

According to the paper, visiting a malicious website could potentially allow an attacker to access data from another arbitrary page on a different domain.

In their example in the paper, confidential email subject lines from Gmail can be accessed through a third-party website.

"We assume the target is authenticated to Gmail, and visits the attacker webpage. The attacker webpage allocates 1.7 MB of filler and training strings, and then calls window.open on Gmail’s inbox page when the mouse cursor is placed over itself. As Gmail loads, JavaScript in the page starts rendering the inbox, whose content is personalized to the target. Over repeated trials, we show that the subject line and the sender’s identity can land in the reachable out-of-bounds region of the LAP, allowing for recovery by the adversary in Figure 17." SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon

Example of extracting GMAIL email titles.
SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon - Figure 17

This attack only works in Safari (and all browsers on iOS due to Apple's browser engine ban) running on devices with newer Apple-designed processors, such as the M2 and A15.

This attack does not work on other major browsers such as Chrome, Firefox, Edge, Opera, and Vivaldi on platforms where they can use their own browser engines.

This is due to a feature called site isolation which separates each domain into its own process, preventing malicious websites from accessing or stealing information from other sites.

"We emphasize the importance of site isolation [55], a mechanism preventing webpages of different domains from sharing rendering processes. Site isolation is already present in Chrome and Firefox [42, 55], preventing sensitive information from other webpages from being allocated in the attacker’s address space. While its implementation is an ongoing effort by Apple [3, 4], site isolation is not currently on production releases of Safari." SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon

The researchers indicated that they disclosed the vulnerability to Apple on 24th of May 2024 (250 days prior to publication) under responsible disclosure:

“The researchers disclosed their findings to Apple on May 24, 2024. Apple’s Product Security Team acknowledged the report and proof-of-concept code, requesting an extended embargo beyond the typical 90-day window. At the time of writing, Apple has not shared a schedule regarding mitigation plans concerning the results presented in this paper.” SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon

All browsers on iOS devices are affected by this exploit due to Apple's policy requiring all browsers to use the WebKit engine, effectively making them Safari under the hood. This means iOS users cannot switch to alternative browsers that might not be affected by SLAP.

FLOP

The FLOP (False Load Output Prediction) attack exploits a different aspect of speculative execution in Apple's M3+ processors. Specifically, it targets the Load Value Predictor (LVP), which predicts the outcome of data dependencies to improve performance. If the LVP predicts incorrectly, it can lead to the execution of instructions using incorrect data, potentially allowing an attacker to access sensitive information.

Unlike SLAP, FLOP affects all browsers. However, due to site isolation in browsers like Chrome and Firefox, the attack is limited to working between subdomains of the same site, rather than between completely unrelated websites. This does not entirely defeat the exploit but it does make FLOP significantly less concerning than SLAP on browsers other than Safari.

In Safari, an attacker could potentially gain access to data from any arbitrary website through a malicious site on an affected device. For example, data could potentially be accessed from gmail.com via exploit code running on attacker.com. On other browsers (using either Gecko or Blink) it would only be able to potentially gain access to data on other subdomains for example from attacker.example.com to target.example.com. This greatly limits the attack's scope.

Again, all browsers on iOS are impacted by this exploit, as users cannot take advantage of other browser engines' superior protections due to Apple’s browser engine ban.

Responsible Disclosure. We disclosed our results to Apple’s Product Security Team on September 3, 2024 upon completing the initial version of the writeup. Apple has acknowledged our writeup, and after an internal investigation, communicated that they plan to address this in an upcoming security update without sharing further details. FLOP: Breaking the Apple M3 CPU via False Load Output Predictions

The researchers disclosed this vulnerability to Apple on September 3, 2024 (148 days before publication) but did not notify Google or other browser vendors, possibly viewing the threat as minor due to existing mitigations in those browsers, meaning such notification was not necessary or warranted.

Site Isolation

Site isolation was introduced in Blink (Chrome, Opera, Vivaldi, Brave) in July 2018 as a security feature to mitigate Spectre-style attacks, and Edge since 2020. It was added to Gecko (Firefox) in December 2021 with Project Fission. It is still being implemented for Firefox Android.

Full site isolation requires additional memory to keep different domains in separate processes. As a result, all browsers make trade-offs and do not enforce full site isolation in every scenario. For example, Chrome disables site isolation on devices with less than 2GB of RAM and, on Android devices, primarily applies it to sites where it can detect that the user is logged in.

While Safari has some level of process isolation, it lacks full site isolation and does not as aggressively keep processes separate between different domains as other browsers. As a result Apple lags several years behind in this important protection and has prevented any rival from bringing this security feature to iOS via its browser engine ban.

Impacted Chips

Chart of chips impacted by SLAP. In the chart M1 is not affected but M2 and M3 are. In the second part of the chart iPhone 11, 12 and 13 are not affected but iPhone 13 Mini, iPhone 14, iPhone 15 and iPad Pro 7th Gen are.
Chips impacted by SLAP
Chart of chips impacted by FLOP. In the chart M2 is not affected by M3 and M4 are. In the second part of the chart A15 Bionic and A16 Bionic are not affected but A17 is.
Chips impacted by FLOP

What's the Takeaway?

On affected devices, Safari users should be aware that malicious websites could potentially steal data from other domains. On macOS, users can switch to alternative browsers while waiting for Apple to implement site isolation or similar protections.

Apple has repeatedly claimed that allowing other browser engines onto iOS will weaken security for iOS users. Apple claims that its unilateral control over the only browser engine on iOS allows it to minimize the patch gap for all browsers on iOS and thus improve security.

Apple recalls that the WebKit requirement provides a high base level of stability, security, and privacy that is more effective than Android for a variety of reasons, including because it does not result in a ‘patch gap’ which in turn gives rise to 'significant security risks'. Apple’s response to CMA provisional decision report

In this case, not only has Apple failed to patch SLAP on iOS, despite having 250 days advanced notice, but they have also blocked all other vendors from doing so.

On iOS, changing browsers offers no protection from this exploit since all browsers must use the same WebKit engine. At the same time, this shields Apple from losing market share, as no tech professional or tech website will recommend switching browsers on iOS in this case, given that all browsers on iOS are essentially Safari under the hood. As a result, competitive pressure to quickly address vulnerabilities is eliminated. Competition and the fear of losing market share are powerful forces for improving security, but for browsers on iOS, they have been entirely nullified.

This highlights yet again how Apple’s ban on third-party browser engines weakens security rather than strengthens it.