1. A `secret` byte you want to read is stored at inaccessible memory location `priv_mem`.
2. The sender triggers an access exception by attempting to access `priv_mem`.
3. Due to out-of-order execution, the load of `secret` and its access in step 4 may happen before the exception fires.
4. Calculate an `offset` into a known array `probe` by multiplying `secret` by the width of a cache line.
5. This forces the cache to load `probe[offset]`, caching exactly one chunk of our array.
6. The exception fires, clearing the modified registers, but cached data is not excised.
7. Iterate over all 256 offsets into `probe` to find out which one loads fast. You've determined the value of `secret`.

- The `probe` array is flushed from cache before this process, so only the `secret`-based offset gets cached.
- The access exception triggers a memory fault, terminating the application, so it is performed in another process (i.e. a fork).
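
A toy Python model of the steps above, added here as an illustration and not part of the original page: it simulates cache state only and touches no real hardware. `ToyCPU`, `run`, the 64-byte line width, the address and the cycle counts are assumptions made for the example; it also shows why the flush matters and what happens when the transient access loses the race.

```python
LINE = 64            # assumed cache-line width in bytes
PRIV_ADDR = 0x1000   # constructed address standing in for priv_mem

class ToyCPU:
    """Toy model: a fault rolls back registers but not cache contents."""
    def __init__(self, secret):
        self.private = {PRIV_ADDR: secret}  # not readable architecturally
        self.cached = set()                 # probe lines resident in cache
        self.reg = 0                        # one architectural register

    def flush_probe(self):
        self.cached.clear()

    def touch_probe(self, offset):
        self.cached.add(offset - offset % LINE)

    def faulting_load(self, window=True):
        """Steps 2-6. `window` models whether the dependent access wins the
        race against the exception (the page says it only *may*)."""
        saved = self.reg
        if window:
            self.reg = self.private[PRIV_ADDR]   # step 3: transient load
            self.touch_probe(self.reg * LINE)    # steps 4-5: probe[offset]
        self.reg = saved                         # step 6: registers cleared
        return "fault"

    def access_time(self, offset):
        # Constructed cycle counts: cache hit vs. miss.
        return 40 if offset in self.cached else 300

def receive(cpu, threshold=100):
    """Step 7: time all 256 probe lines, return the byte values that hit."""
    return [v for v in range(256) if cpu.access_time(v * LINE) < threshold]

def run(secret, flush_first=True, window=True, earlier_use=()):
    cpu = ToyCPU(secret)
    for v in earlier_use:            # probe lines left cached by earlier code
        cpu.touch_probe(v * LINE)
    if flush_first:
        cpu.flush_probe()
    cpu.faulting_load(window)
    return receive(cpu), cpu.reg

if __name__ == "__main__":
    print(run(0x5A))                                       # one hit: recoverable
    print(run(0x5A, flush_first=False, earlier_use=(3,)))  # ambiguous
    print(run(0x5A, window=False))                         # nothing leaks
```

In every case the register comes back as 0: the only trace the faulting load leaves is which `probe` line is resident in the cache.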