3

In the Meltdown paper it mentions it can identify kernel memory address being accessed. The part I don't understand is how the FLUSH+RELOAD channel works to identify what the contents of the memory address in the L1 cache lines are. How does it identify the contents?

Dale
  • 133
  • 3

2 Answers2

4

The part of the document you are interested in is :

Based on the value of data in this toy example, a different part of the cache is accessed when executing the memory access out of order. As data is multiplied by 4096, data accesses to probe array are scattered over the array with a distance of 4 kB (assuming an 1 B data type for probe array). Thus, there is an injective mapping from the value of data to a memory page, i.e. , there are no two different values of data which result in an access to the same page. Consequently, if a cache line of a page is cached, we know the value of data . The spreading over different pages eliminates false positives due to the prefetcher, as the prefetcher cannot access data across page boundaries [14].

Also, 5.1 step 2.

In a nutshell, the value of the data you want to know is determined byte by byte. The unknown value is multiplied by the page size, hence each different possible byte value triggers the loading of a different page.

Then you can measure which page was loaded using the FLUSH+RELOAD method.

M'vy
  • 13,033
  • 3
  • 47
  • 69
3
  1. The attacker asks the CPU to do something that takes a long time, such as a complicated bit of math. Real execution gets stalled, so the next few hundred instructions get executed speculatively, with no changes to the user-visible CPU state until the complicated instruction is finished.
  2. Speculative execution is used to read a protected memory value into a CPU register. The data lands in cache and in a speculative-execution register, neither of which can be read by the attacker.
  3. Still executing code speculatively, the value read is then used to select an address in a part of memory the attacker is allowed to read, and read from that. The data again lands in cache and a speculative-execution register.
  4. The CPU-stalling instruction finishes running, and the CPU realizes it guessed wrong about which instructions would be run after the stall. All the speculative-execution results are thrown away, though the changes to what's stored in the cache aren't.
  5. Part of the attacker-accessible memory is now stored in the data cache. Reading from that location will be faster than reading from any other location, and the attacker can calculate backwards to figure out what the protected value must have been in order for speculative execution to have read that location.

Note that cache modification isn't the only possible side channel for Meltdown, it's just the one with the best signal-to-noise ratio.

Mark
  • 34,390
  • 9
  • 85
  • 134