Re: How does knowing where imply knowing what?
Sadly, the attack is not limited to this case. Specifically, OSes typically terminate processes that attempt to access memory they should not. Remember, "Illegal memory access, process has been terminated" from Winblows 95?
To avoid this fate, the attack code needs to ensure that the speculative fetch of protected memory never gets checked. They either need to branch around it, in such a way that the branch prediction logic incorrectly predicts that the fetch will occur, or deliberately trigger an exception. The former strikes me as REALLY tough to do reliably. Of course, you need to play some sort of game with the OS to get the return from the exception to be other than the code that will shut you down--I think that is doable.