Yuval Yarom received a Distinguished Paper Award at the renowned IEEE Symposium on Security and Privacy 2025 (IEEE S&P). The conference took place from 12 to 15 May in San Francisco, USA.
The award went to the paper "SLAP: Data Speculation Attacks via Load Address Prediction on Apple Silicon", which Yarom wrote together with Jason Kim and Daniel Genkin of the Georgia Institute of Technology. The work describes a novel security vulnerability in Apple processors of the M2 and A15 series and thereby makes a significant contribution to research on speculative side-channel attacks.
Abstract of the paper:
Since Spectre’s initial disclosure in 2018, the difficulty of mitigating speculative execution attacks completely in hardware has led to the proliferation of several new variants and attack surfaces in the past six years. Most of the progeny build on top of the original Spectre attack’s key insight, namely that CPUs can execute the wrong control flow transiently and disclose secrets through side-channel traces when attempting to alleviate control hazards, such as conditional or indirect branches and return statements.
In this paper we go beyond (speculatively) affecting control flow, and present a new data speculation primitive that stems from microarchitectural optimizations designed to alleviate data hazards. More specifically, we show that Apple CPUs are equipped with a Load Address Predictor (LAP). The LAP monitors past addresses from the same load instruction to speculatively load a predicted address, which may incorrectly point to secrets at rest (i.e., never architecturally read by the CPU). Once the secret is retrieved, the LAP allows for a large speculation window that suffices for an adversary to compute on the secret, such as leaking it over a covert channel. We demonstrate the LAP’s presence on recent Apple CPUs, such as the M2, A15, and newer models. We then evaluate the LAP’s implications on security by showing its capabilities to read out-of-bounds, speculatively invoke rogue functions, break ASLR, and compromise the Safari web browser. Here, we leverage the LAP to disclose sensitive cross-site data (such as inbox content from Gmail) to a remote web-based adversary.