by FrantaH 3082 days ago
https://meltdownattack.com/meltdown.pdf https://eprint.iacr.org/2013/448.pdf

TLDR: A userland process's read access to Ring 0 memory will throw an exception (n.b.: kernel-mode memory is actually mapped into the process's address space), but before that the instruction reading the memory is actually executed and the data is cached. The process can use the value of the data as an address in userland for another read instruction. Now the process just needs to check the range of possible addresses where the data was read from and see how long it takes (using rdtsc) to access them; if it's quick, then we have a match.

Is that correct, or am I missing something? Edit: "write" changed to "2nd read".
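The "read the data, use it as an address, then time 256 candidate addresses with rdtsc" part of the post, as an added example that is not from the post or from the Meltdown paper's code. It implements only the cache-timing covert channel (Flush+Reload over a 256-page probe array); the faulting kernel read is replaced by an ordinary load of a byte the process is allowed to read, because the real transient read needs a vulnerable CPU and a SIGSEGV handler. The secret string, the 4096-byte stride, the 50-trial majority vote and the scrambled probe order are this example's own choices, and the timings are only meaningful on x86 hardware (the non-x86 branch exists so the file compiles).

```c
/* Added example: receiver side of a Flush+Reload covert channel, the
 * mechanism the post describes.  Not from the post or the paper's code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
static inline void flush_line(const void *p) { _mm_clflush(p); }
/* Time one load with rdtscp; rdtscp waits for earlier loads to finish. */
static inline uint64_t access_cycles(const volatile uint8_t *p)
{
    unsigned int aux;
    uint64_t t0 = __rdtscp(&aux);
    uint8_t v = *p;                                   /* the timed load */
    __asm__ __volatile__("" :: "r"(v) : "memory");    /* keep the load */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
}
#else
/* Fallback so the file builds elsewhere.  Without a cache flush there is
 * no signal, so on non-x86 the demo only prints guesses (assumption). */
#include <time.h>
static inline void flush_line(const void *p) { (void)p; }
static inline uint64_t access_cycles(const volatile uint8_t *p)
{
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    uint8_t v = *p;
    __asm__ __volatile__("" :: "r"(v) : "memory");
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (uint64_t)(b.tv_sec - a.tv_sec) * 1000000000ull
         + (uint64_t)(b.tv_nsec - a.tv_nsec);
}
#endif

#define STRIDE 4096                 /* one page per byte value (assumed) */
static uint8_t probe[256 * STRIDE]; /* the 256 candidate addresses */

/* Sender: what Meltdown does transiently.  Here it is a permitted load of
 * a byte in our own process; all it leaves behind is one cached probe page. */
static void transmit(const uint8_t *secret)
{
    uint8_t v = *secret;
    uint8_t w = probe[v * STRIDE];                    /* 2nd read: value as index */
    __asm__ __volatile__("" :: "r"(w) : "memory");
}

/* Receiver: evict all 256 probe pages, let the sender run, time each page.
 * Pages are visited in a scrambled order so the hardware prefetcher does
 * not pull in neighbours and fake a hit. */
static void measure(const uint8_t *secret, uint64_t times[256])
{
    for (int i = 0; i < 256; i++) flush_line(&probe[i * STRIDE]);
    __asm__ __volatile__("" ::: "memory");
    transmit(secret);
    for (int i = 0; i < 256; i++) {
        int k = (i * 167 + 13) & 255;                 /* scrambled visit order */
        times[k] = access_cycles(&probe[k * STRIDE]);
    }
}

/* Decode: the fastest page is the one the sender touched. */
int pick_fastest(const uint64_t times[256])
{
    int best = 0;
    for (int i = 1; i < 256; i++) if (times[i] < times[best]) best = i;
    return best;
}

/* A single run is easily spoiled by an interrupt or context switch landing
 * in the timing loop, so repeat and take a majority vote. */
int recover_byte(const uint8_t *secret, int trials)
{
    int votes[256] = {0};
    uint64_t t[256];
    for (int n = 0; n < trials; n++) {
        measure(secret, t);
        votes[pick_fastest(t)]++;
    }
    int best = 0;
    for (int i = 1; i < 256; i++) if (votes[i] > votes[best]) best = i;
    return best;
}

int main(void)
{
    const char *secret = "Meltdown";   /* constructed sample, readable by us */
    memset(probe, 1, sizeof probe);    /* fault the probe pages in up front */
    for (size_t i = 0; i < strlen(secret); i++) {
        int b = recover_byte((const uint8_t *)&secret[i], 50);
        printf("byte %zu: recovered 0x%02x, expected 0x%02x\n",
               i, b, (unsigned)(unsigned char)secret[i]);
    }
    return 0;
}
```

Two practical points the post glosses over are visible here: the probe array must already be mapped (otherwise page faults swamp the timing), and the candidate pages must be timed in a non-sequential order, since the prefetcher would otherwise warm up the neighbours of any page you touch and hand you false hits.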