Reverse Engineering the Apple M1 Conditional Branch Predictor for Out-of-Place Spectre Mistraining

TL;DR

This work probes whether Apple’s M1 processors remain vulnerable to practical out-of-place Spectre v1 mistraining. It shows brute-force aliasing is costly on M1 due to a TAGE-like BPU, then introduces the Last Provider Component (LPC) primitive to deterministically force mistraining into the longest history component, reducing required attempts by up to $32\times$. The authors reverse engineer the M1 Conditional BPU to expose the BHR structure, update policies, and history lengths, enabling targeted mistraining and enabling tests of hardware mitigations. They find partial userspace/kernel BPU isolation on Icestorm but not Firestorm, and no cross-process isolation on either core, underscoring gaps in hardware defenses and informing mitigation design for Spectre v1. The results illuminate practical attack surfaces while offering a concrete technique (LPC) to study BPU aliasing, contributing to hardware-aware security assessments and policy decisions for Apple silicon.

Abstract

Spectre v1 information disclosure attacks, which exploit CPU conditional branch misprediction, remain unsolved in deployed software. Certain Spectre v1 gadgets can be exploited only by out-of-place mistraining, in which the attacker controls a victim branch's prediction, possibly from another address space, by training a branch that aliases with the victim in the branch predictor unit (BPU) structure. However, constructing a BPU-alias for a victim branch is hard. Consequently, practical out-of-place mistraining attacks use brute-force searches to randomly achieve aliasing. To date, such attacks have been demonstrated only on Intel x86 CPUs. This paper explores the vulnerability of Apple M-Series CPUs to practical out-of-place Spectre v1 mistraining. We show that brute-force out-of-place mistraining fails on the M1. We analytically explain the failure is due to the search space size, assuming (based on Apple patents) that the M1 CPU uses a variant of the TAGE conditional branch predictor. Based on our analysis, we design a new BPU-alias search technique with reduced search space. Our technique requires knowledge of certain M1 BPU parameters and mechanisms, which we reverse engineer. We also use our newfound ability to perform out-of-place Spectre v1 mistraining to test if the M1 CPU implements hardware mitigations against cross-address space out-of-place mistraining -- and find evidence for partial mitigations.

Figures (24)

• Figure 1: Abstract representation of the TAGE predictor.
• Figure 2: Experiment template.
• Figure 3: Effect of conditional branch PC address bits on the BHR on the Firestorm cores (results for $H=0$). For bits that have effect, the spy branch's misprediction rate is $\approx 0$%.
• Figure 4: Effect of indirect branch PC address bits on the BHR on the Firestorm microarchitecture (results for $H=0$). For bits that have effect, the spy branch's misprediction rate is $\approx 0$%.
• Figure 5: Effect of indirect branch target address bits on the BHR on the Firestorm cores (results for $H=0$). For bits that have effect, the spy branch's misprediction rate is $\approx 0$%.