Post by gareth evans
> But how do these parasites actually gain access
> to the memory cache, etc, when they themselves will be
> subject to protections?
By measuring how much time a 'load' instruction takes, one can
determine whether or not the data was loaded from a cache (low
latency) or from DRAM (high latency).
When a processor speculatively executes a load instruction, it
can evict a cache line; malicious software can arrange for the
speculative load, in some cases, to be executed by the kernel
(e.g. by passing a pointer to a kernel system call); while the
load was never successful, it did evict a line from the cache.
With knowledge of how the cache is structured and the eviction
algorithm(s), code can use the change in timing of a subsequent
load to determine the value of an arbitrary location in memory (one bit at
a time, generally).
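The load-timing primitive gareth describes, written out as an added example (this is not code from the post or its author). It assumes x86-64 with GCC or Clang, where rdtscp brackets the load and clflush evicts a line on demand; on other targets it falls back to clock_gettime and no flush, which is far noisier. The victim access here is an ordinary load, not a speculative or kernel one, so the example isolates only the cache side of the story: flush a shared probe buffer, let the victim touch one page of it, then time every page and take the fastest. With 256 pages it recovers a byte per round rather than a bit; the names probe, load_latency, recover_byte and the secret byte 0x41 are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__)
#include <x86intrin.h>
#define HAVE_X86 1
#else
#include <time.h>
#define HAVE_X86 0
#endif

#define SLOTS  256     /* one slot per possible byte value */
#define STRIDE 4096    /* a page per slot, so adjacent-line prefetch does not blur slots */

/* Shared probe buffer, as in Flush+Reload: attacker and victim both touch it. */
static uint8_t probe[SLOTS * STRIDE];

/* Time a single load. On x86-64 this is the rdtscp-bracketed read the text
 * describes; elsewhere (assumed fallback) clock_gettime is used, which is coarser. */
static uint64_t load_latency(const volatile uint8_t *p)
{
#if HAVE_X86
    unsigned aux;
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                       /* volatile read: the load is really issued */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    struct timespec a, b;
    clock_gettime(CLOCK_MONOTONIC, &a);
    (void)*p;
    clock_gettime(CLOCK_MONOTONIC, &b);
    int64_t d = (b.tv_sec - a.tv_sec) * 1000000000LL + (b.tv_nsec - a.tv_nsec);
    return (uint64_t)d;
#endif
}

static void flush(const void *p)
{
#if HAVE_X86
    _mm_clflush(p);
#else
    (void)p;   /* no portable flush; real attacks on other ISAs evict via a conflict set */
#endif
}

/* Index of the smallest latency: the one slot that was served from cache. */
int argmin_latency(const uint64_t *lat, int n)
{
    int best = 0;
    for (int i = 1; i < n; i++)
        if (lat[i] < lat[best]) best = i;
    return best;
}

/* "Victim": one access into probe[] selected by a secret byte. In the attack the
 * post describes this access is transient (it follows a faulting or mispredicted
 * load); here it is an ordinary access so the example runs as-is. */
static void victim_touch(uint8_t secret)
{
    (void)*(volatile uint8_t *)&probe[(size_t)secret * STRIDE];
}

/* One Flush+Reload round: flush every slot, let the victim run, then time each slot. */
int recover_byte(uint8_t secret)
{
    uint64_t lat[SLOTS];
    for (int i = 0; i < SLOTS; i++)
        flush(&probe[(size_t)i * STRIDE]);
    victim_touch(secret);
    /* Scrambled probe order: a sequential stride would train the prefetcher.
     * 167 is odd, so k*167+13 mod 256 visits each slot exactly once. */
    for (int k = 0; k < SLOTS; k++) {
        int i = (k * 167 + 13) & (SLOTS - 1);
        lat[i] = load_latency(&probe[(size_t)i * STRIDE]);
    }
    return argmin_latency(lat, SLOTS);
}

/* Majority vote over several rounds: a single round is noisy (interrupts,
 * other cores sharing the cache, a stray prefetch). */
int recover_byte_majority(uint8_t secret, int rounds)
{
    int votes[SLOTS] = {0};
    for (int r = 0; r < rounds; r++)
        votes[recover_byte(secret)]++;
    int best = 0;
    for (int i = 1; i < SLOTS; i++)
        if (votes[i] > votes[best]) best = i;
    return best;
}

int main(void)
{
    uint8_t secret = 0x41;          /* constructed demo secret, never read directly */
    flush(probe);
    printf("flushed load: %llu ticks\n", (unsigned long long)load_latency(probe));
    printf("cached load:  %llu ticks\n", (unsigned long long)load_latency(probe));
    int guess = recover_byte_majority(secret, 20);
    printf("recovered 0x%02x (%s)\n", guess, guess == secret ? "correct" : "wrong");
    return 0;
}
```

The two printed latencies are the whole side channel: the flushed load costs a DRAM round trip, the second load the same address hits in cache, and the gap is typically an order of magnitude on desktop parts. Thresholds and reliability are machine-dependent, which is why the byte is decided by argmin and a majority vote rather than a fixed cut-off. On a virtualised or non-x86 verifier the fallback timer may not separate hit from miss at all, so only argmin_latency is deterministic.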