MoinQ:

Describe Meltdown-Spectre/Meltdown here.

https://meltdownattack.com/meltdown.pdf

1. Address Space

[Screenshot: Screenshot from 2018-01-14 14-40-12.png]

the entire physical memory is typically mapped in the kernel.

On Linux and OS X, this is done via a direct-physical map, i.e., the entire physical memory is directly mapped to a pre-defined virtual address (cf. Figure 2).

Instead of a direct-physical map, Windows maintains multiple so-called paged pools, non-paged pools, and the system cache. These pools are virtual memory regions in the kernel address space mapping physical pages to virtual addresses which are either required to remain in the memory (non-paged pool) or can be removed from the memory because a copy is already stored on the disk (paged pool).

The system cache further contains mappings of all file-backed pages. Combined, these memory pools will typically map a large fraction of the physical memory into the kernel address space of every process.

2. Cache Attacks

Flush+Reload attacks work on a single cache line granularity. These attacks exploit the shared, inclusive last-level cache. An attacker frequently flushes a targeted memory location using the clflush instruction. By measuring the time it takes to reload the data, the attacker determines whether data was loaded into the cache by another process in the meantime. The Flush+Reload attack has been used for attacks on various computations, e.g., cryptographic algorithms [35, 16, 1], web server function calls [37], user input [11, 23, 31], and kernel addressing information [9].
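The following is an added example, not code from the Meltdown paper or its authors, showing the Flush+Reload measurement the excerpt describes on a buffer owned by the same process: flush one line with clflush, let a simulated "victim" (just a second access in the same program) touch it or not, then time the reload and classify it against a calibrated hit/miss threshold. It assumes an x86 CPU with clflush and rdtscp and a GCC/Clang compiler; on any other architecture it compiles but the probe reports -1. The buffer, the sample count and the victim stand-in are constructed for illustration. Seeing how clearly a hit and a miss separate is what makes the cache a reliable covert channel in Meltdown, and why mitigations such as unmapping the kernel from user address spaces (KPTI) remove the data rather than trying to hide the timing.

```c
/* Added example (not from the Meltdown paper): Flush+Reload timing on the
 * process's own buffer, to show why a cached vs. uncached line is
 * distinguishable. x86-only; other architectures compile but report -1. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define HAVE_X86_CLFLUSH 1
#else
#define HAVE_X86_CLFLUSH 0
#endif

#define SAMPLES 101  /* odd, so the median is an actual sample */

/* Evict one cache line from every cache level (the "Flush" step). */
static void flush_line(const void *p) {
#if HAVE_X86_CLFLUSH
    _mm_clflush(p);
    _mm_mfence();
#else
    (void)p;
#endif
}

/* Time a single load in TSC cycles (the "Reload" step). */
static uint64_t time_load(const volatile uint8_t *p) {
#if HAVE_X86_CLFLUSH
    unsigned int aux;
    uint64_t start, end;
    _mm_mfence();
    start = __rdtscp(&aux);
    (void)*p;                /* the load under measurement (volatile read) */
    end = __rdtscp(&aux);    /* rdtscp waits for the load to complete */
    return end - start;
#else
    (void)p;
    return 0;
#endif
}

/* Insertion-sort median of a small array; used to calibrate robustly. */
uint64_t median_u64(uint64_t *v, int n) {
    for (int i = 1; i < n; i++) {
        uint64_t x = v[i];
        int j = i - 1;
        while (j >= 0 && v[j] > x) { v[j + 1] = v[j]; j--; }
        v[j + 1] = x;
    }
    return v[n / 2];
}

/* Decide hit vs. miss: a hit is anything faster than the threshold. */
int is_cache_hit(uint64_t cycles, uint64_t threshold) {
    return cycles < threshold;
}

/* Calibrate: median latency of a line known to be cached vs. known flushed.
 * Returns the midpoint as the hit/miss threshold. */
static uint64_t calibrate(volatile uint8_t *line, uint64_t *hit_out, uint64_t *miss_out) {
    uint64_t hits[SAMPLES], misses[SAMPLES];
    for (int i = 0; i < SAMPLES; i++) {
        (void)*line;                 /* make sure the line is cached */
        hits[i] = time_load(line);
        flush_line((const void *)line);
        misses[i] = time_load(line);
    }
    *hit_out = median_u64(hits, SAMPLES);
    *miss_out = median_u64(misses, SAMPLES);
    return (*hit_out + *miss_out) / 2;
}

/* One Flush+Reload probe: flush, optionally let the simulated "victim"
 * touch the line, then reload and classify. Returns 1 if the victim access
 * was observed, 0 if not, -1 when the platform lacks clflush/rdtscp. */
int flush_reload_probe(int victim_touches_line) {
    if (!HAVE_X86_CLFLUSH) return -1;
    /* Page-aligned buffer so the probed line sits alone, away from the stack. */
    static uint8_t buffer[4096] __attribute__((aligned(4096)));
    volatile uint8_t *line = buffer + 2048;
    uint64_t hit, miss;
    uint64_t threshold = calibrate(line, &hit, &miss);

    flush_line((const void *)line);      /* Flush */
    if (victim_touches_line)
        (void)*line;                     /* simulated victim access */
    uint64_t t = time_load(line);        /* Reload */
    printf("hit~%llu miss~%llu reload=%llu\n", (unsigned long long)hit,
           (unsigned long long)miss, (unsigned long long)t);
    return is_cache_hit(t, threshold);
}

int main(void) {
    printf("victim touched line -> observed=%d\n", flush_reload_probe(1));
    printf("victim idle         -> observed=%d\n", flush_reload_probe(0));
    return 0;
}
```

Compile with `gcc -O2 flush_reload.c -o flush_reload` and run on bare-metal x86; on a hypervisor or under emulation the hit and miss medians can collapse together, which is itself a useful observation about how noisy the channel becomes when timers are virtualized.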

3. Building Blocks of the Attack