Reply to post: Re: How does knowing where imply knowing what?

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

stephanh Silver badge

Re: How does knowing where imply knowing what?

Meltdown works like this:

Instruction 1 accesses a byte on a protected page and attempts to load it into a register.

Instruction 2 uses the value loaded into the register to access some memory on one out of 256 pages (depending on the value of the register filled by instruction 1).

Now, instruction 1 does an illegal access, so it causes a segfault. However, by that time instruction 2 has already been speculatively executed. Now, all the "normal" processor state (register values, etc.) are rolled back to before instruction 2, but, crucially, on Intel CPUs, NOT the fact that a particular one of these 256 pages was brought into cache.

The attacker can now determine which of these pages was brought into cache by carefully timing how long it takes to access each of them. The fast one is the one brought into cache. Presto, one byte read from kernel space.

Note that the 256 pages are NOT in kernel memory, they are just plain accessible memory in the attacker's process.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019