by jandrese
3083 days ago
No, it gets you the contents. The crux is: array[value_of_kernel_memory_byte] = 1; So it speculatively indexes into the array by the value stored at that memory address and writes the byte. Then to figure out what the value is you just have to see which element in the array is cached.
array[value_of_kernel_memory_byte] = 1;
This assignment gets rolled back like it's supposed to. It's when reading the array after the rollback that the exploit measures that a read of array[value_of_kernel_memory_byte] is faster than the rest, because that index is already in the cache.
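The cache side channel the two comments above describe, written out as an added example that is not part of this thread and not taken from any Meltdown proof of concept. It demonstrates only the "which element is cached" half: a sender does the array[value] access and a receiver times each of the 256 slots with Flush+Reload (clflush, then rdtscp around a load). The speculative, faulting kernel read that feeds the value is left out, so here the sender's store is an ordinary committed store and the secret is a constructed byte set in this file. One detail the comments elide: real exploits scale the index by a page (value * 4096) so that each candidate byte lands in its own cache line and page, which is what the STRIDE constant below does. Everything compiles to a stub returning -1 on non-x86 targets, because the flush and timestamp instructions are x86-specific.

```c
/* Flush+Reload covert channel: constructed example, not code from the original thread.
 * Sender: probe[secret * STRIDE] = 1  (the array[value] = 1 access from the comment).
 * Receiver: flush all slots, time a load of each, pick the fastest one.
 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define STRIDE 4096   /* one page per slot: keeps slots in distinct lines and pages */
#define SLOTS  256    /* one slot per possible byte value */
#define ROUNDS 32     /* single timings are noisy, so repeat and take a majority vote */

#if defined(__x86_64__)
#include <x86intrin.h>

static uint8_t probe[SLOTS * STRIDE] __attribute__((aligned(4096)));

/* Evict every slot from the cache hierarchy before the sender runs. */
static void flush_probe(void) {
    for (int i = 0; i < SLOTS; i++)
        _mm_clflush(&probe[i * STRIDE]);
    _mm_mfence();
}

/* Sender side: the single access that leaves a footprint in the cache. */
static void sender_touch(uint8_t value) {
    probe[value * STRIDE] = 1;
    _mm_mfence();
}

/* Receiver side: cycles taken to load one slot (fenced so the load is not reordered). */
static uint64_t time_slot(int i) {
    unsigned int aux;
    volatile uint8_t *p = &probe[i * STRIDE];
    _mm_mfence();
    _mm_lfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;
    uint64_t t1 = __rdtscp(&aux);
    _mm_lfence();
    return t1 - t0;
}

/* One round: probe all slots in a scrambled order (so the stride prefetcher does not
 * walk the array for us) and return the index that loaded fastest. */
static int fastest_slot(void) {
    int best = 0;
    uint64_t best_t = UINT64_MAX;
    for (int k = 0; k < SLOTS; k++) {
        int i = (k * 167 + 13) & 0xff;   /* 167 is odd, so this permutes 0..255 */
        uint64_t t = time_slot(i);
        if (t < best_t) { best_t = t; best = i; }
    }
    return best;
}

/* Run the channel ROUNDS times and return the byte the receiver believes was sent. */
int recover_byte(uint8_t secret) {
    int votes[SLOTS] = {0};
    memset(probe, 0, sizeof probe);      /* touch every page so no page fault lands in a timing */
    for (int r = 0; r < ROUNDS; r++) {
        flush_probe();
        sender_touch(secret);
        votes[fastest_slot()]++;
    }
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (votes[i] > votes[best]) best = i;
    return best;
}
#else
/* No clflush/rdtscp on this target: report that the channel was not exercised. */
int recover_byte(uint8_t secret) { (void)secret; return -1; }
#endif

int main(void) {
    uint8_t secret = 0x41;   /* constructed stand-in for the kernel byte a real exploit would leak */
    int got = recover_byte(secret);
    if (got < 0)
        printf("not an x86-64 build, channel not exercised\n");
    else
        printf("secret 0x%02x, recovered 0x%02x\n", secret, got);
    return 0;
}
```

Build with any recent gcc or clang on x86-64 (no special flags needed). The point of the majority vote is the practitioner caveat the comments skip over: a single timing can be thrown off by an interrupt or a prefetch, so real attacks repeat the leak and keep the value that wins most often.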