by koolba 3087 days ago
> You can force any memory into the cache so yes it's is read any physical memory.

Is there a direct method for that or do you mean that you can repeatedly try reading memory addresses until the address that you want to access is actually in the cache prior to your access?

3 comments

The exploit is based on reading values that you shouldn't be allowed to access in speculative execution and then using the returned values to create persistent changes in the cache (they persist even after the CPU detects your illegal access). Those persistent changes are then read via a side channel attack.

So you read any address you want speculatively and then use the result to prime the cache in such a way that you can determine what the value you read speculatively was. This works because modern operating systems map kernel space addresses into normal processes to make syscalls faster.

I'd recommend reading the paper[0], it's fascinating stuff.

[0] https://meltdownattack.com/meltdown.pdf

It doesn’t force memory into cache directly. It determines values of bytes in memory by using the byte as a multiplier to an offset in memory. To determine the byte value you can check all the offset combinations to see which was cached. Details in the Meltdown paper.

The relationship between the attacker and cache is fundamental to the attack; the Meltdown paper does a really good job explaining this.
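
Added example, not part of the thread or the Meltdown paper: a toy Python model of the encoding the comments above describe, where the byte selects one of 256 probe slots and the receiver checks which slot ended up cached. `ToyCPU`, `recover_byte`, the addresses and the memory contents are all constructed for illustration; the cache is a plain set with no real timing, and `kernel_mapped=False` is an assumption modelling a kernel that is not mapped into the process.

```python
# Toy model of the cache covert channel described in the thread. Nothing here
# touches real hardware: the "cache" is a Python set of cache-line numbers.
PAGE = 4096   # stride between probe slots, one page per possible byte value
LINE = 64     # cache-line size used by the model

KERNEL = range(0xFFFF0000, 0xFFFF0010)                 # constructed addresses
MEMORY = dict(zip(KERNEL, b"constructed data"))        # constructed contents

class ToyCPU:
    def __init__(self, memory, kernel_range, kernel_mapped=True):
        self.memory = memory                # address -> byte value
        self.kernel_range = kernel_range    # addresses user code may not read
        self.kernel_mapped = kernel_mapped  # False: kernel absent from the process
        self.cache = set()                  # cache lines currently "hot"

    def flush(self, probe_base):
        """Evict all 256 probe slots, as the receiver does before each round."""
        for v in range(256):
            self.cache.discard((probe_base + v * PAGE) // LINE)

    def user_read_then_touch(self, addr, probe_base):
        """Read addr, then touch probe[value * PAGE]; return the architectural result."""
        illegal = addr in self.kernel_range
        if illegal and not self.kernel_mapped:
            return None                     # no translation, so no value to forward
        value = self.memory[addr]
        # The dependent access runs before the permission check retires.
        self.cache.add((probe_base + value * PAGE) // LINE)
        # Registers are rolled back on the fault; the cache state is not.
        return None if illegal else value

    def is_cached(self, addr):
        """Stands in for 'this load was fast' in a real timing measurement."""
        return addr // LINE in self.cache

def recover_byte(cpu, addr, probe_base=0x100000):
    """Return the byte implied by the single hot probe slot, or None."""
    cpu.flush(probe_base)
    cpu.user_read_then_touch(addr, probe_base)
    hot = [v for v in range(256) if cpu.is_cached(probe_base + v * PAGE)]
    return hot[0] if len(hot) == 1 else None

if __name__ == "__main__":
    for mapped in (True, False):
        cpu = ToyCPU(MEMORY, KERNEL, kernel_mapped=mapped)
        print(mapped, [recover_byte(cpu, a) for a in KERNEL])
```

In the model the read itself always returns nothing for a kernel address; only the surviving cache state distinguishes the two configurations, which is why removing the mapping closes the channel here.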