This work uncovers a critical security vulnerability in the system-level cache (SLC) of Apple’s M-series SoCs, enabling the first cross-CPU–GPU cluster SLC occupancy-based side-channel attack. Through reverse engineering of the M1 SLC’s physical layout and cache-sharing policies, we develop a cache occupancy timing measurement model to infer GPU memory access patterns. Our methodology yields three novel attacks: (1) coarse-grained website fingerprinting (accuracy >94%); (2) fine-grained single-pixel rendering monitoring; and (3) a lightweight, full-screen reconstruction attack capable of real-time recovery at 1600×57 resolution. This is the first demonstration of high temporal and spatial precision SLC side-channel exploitation across heterogeneous compute units on M-series chips. The study establishes a new methodological paradigm and provides empirical foundations for cache security research on ARM-based architectures.

Cache occupancy attacks exploit the shared nature of cache hierarchies to infer a victim's activities by monitoring overall cache usage, unlike access-driven cache attacks that focus on specific cache lines or sets. There exists some prior work that target the last-level cache (LLC) of Intel processors, which is inclusive of higher-level caches, and L2 caches of ARM systems. In this paper, we target the System-Level Cache (SLC) of Apple M-series SoCs, which is exclusive to higher-level CPU caches. We address the challenges of the exclusiveness and propose a suite of SLC-cache occupancy attacks, the first of its kind, where an adversary can monitor GPU and other CPU cluster activities from their own CPU cluster. We first discover the structure of SLC in Apple M1 SOC and various policies pertaining to access and sharing through reverse engineering. We propose two attacks against websites. One is a coarse-grained fingerprinting attack, recognizing which website is accessed based on their different GPU memory access patterns monitored through the SLC occupancy channel. The other attack is a fine-grained pixel stealing attack, which precisely monitors the GPU memory usage for rendering different pixels, through the SLC occupancy channel. Third, we introduce a novel screen capturing attack which works beyond webpages, with the monitoring granularity of 57 rows of pixels (there are 1600 rows for the screen). This significantly expands the attack surface, allowing the adversary to retrieve any screen display, posing a substantial new threat to system security. Our findings reveal critical vulnerabilities in Apple's M-series SoCs and emphasize the urgent need for effective countermeasures against cache occupancy attacks in heterogeneous computing environments.