What is Meltdown and how does it work?

  • Writer: Cyber45 Admin
  • Feb 18, 2018
  • 2 min read

The researchers who discovered the Meltdown vulnerability found that they could abuse the speculative execution feature of Intel CPUs to build a side-channel attack capable of reading arbitrary memory locations belonging to other processes and even the system kernel itself. Even though the CPU correctly discards the architectural results of instructions that logically follow an exception (instructions it had already executed out of order, in parallel with the instruction that raised the exception), the memory those instructions touched is still loaded into the CPU cache. An attacker can then use a cache side-channel technique such as FLUSH+RELOAD to recover what was cached.

The attack method described in the Meltdown white paper is novel and can be carried out from high-level programming languages such as C, or potentially even JavaScript. In the paper's example, the attacker first allocates a "probe" array of 256 x 4096 bytes (assuming a typical 4 KB page size): one page for each of the 256 possible values of a single byte of memory. The attacker then attempts to read a single byte of privileged memory, multiplies the byte's value by 4096, and uses the result to index the probe array. Because of speculative execution, the memory read, the multiplication and the array access all likely complete before the exception for the privileged memory access is raised. Even though the architectural results are rolled back, the probe-array page that was accessed remains in the CPU cache. A separate process can then use a FLUSH+RELOAD attack to iterate over the full probe array and identify which index was accessed by comparing access times: the cached page returns significantly faster than the rest of the uncached array, and its index reveals the byte's value. Repeating this process lets the attacker read the entirety of the system's memory (or almost all of it, depending on the operating system) at a rate of about 502 KB/s.
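The practical question for anyone administering Linux hosts after reading the above is whether a given machine is still exposed. The following script is an added example, not code from the original post or from the Meltdown authors. It relies on two things the Linux kernel exports: the file /sys/devices/system/cpu/vulnerabilities/meltdown (present on Linux 4.15 and on distribution kernels with the fix backported), whose content is one of "Not affected", "Vulnerable" or "Mitigation: PTI" (kernel page-table isolation, the Meltdown countermeasure), and the "pti" entry in the flags line of /proc/cpuinfo. The function names, the exit-code convention and the sample /proc/cpuinfo text are this example's own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): classify a Linux host's
# Meltdown exposure from the kernel's own report. The parsing functions take
# file contents as arguments so they can be exercised on constructed input.

# classify_meltdown_status TEXT
#   TEXT is the content of /sys/devices/system/cpu/vulnerabilities/meltdown.
#   Prints one word (safe | mitigated | vulnerable | unknown) and returns
#   0 when the host is not exposed, 1 when it is, 2 when undetermined.
classify_meltdown_status() {
    status=$(printf '%s' "$1" | tr -d '\n')
    case "$status" in
        "Not affected") echo "safe";       return 0 ;;
        Mitigation:*)   echo "mitigated";  return 0 ;;
        Vulnerable*)    echo "vulnerable"; return 1 ;;
        *)              echo "unknown";    return 2 ;;
    esac
}

# has_pti_flag CPUINFO_TEXT
#   Returns 0 when a "flags" line in the given /proc/cpuinfo text contains the
#   standalone token "pti". A trailing space is appended to each flags line so
#   the last flag on the line is matched as well.
has_pti_flag() {
    printf '%s\n' "$1" | grep '^flags' | sed 's/$/ /' | grep -q ' pti '
}

# check_host
#   Reads the real sysfs entry and /proc/cpuinfo, prints the verdict and
#   whether the pti flag is present, and returns the classify_* exit code.
check_host() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ ! -r "$sysfs" ]; then
        echo "unknown: $sysfs not present (kernel too old, or not Linux)"
        return 2
    fi
    verdict=$(classify_meltdown_status "$(cat "$sysfs")")
    rc=$?
    if has_pti_flag "$(cat /proc/cpuinfo 2>/dev/null)"; then
        pti=yes
    else
        pti=no
    fi
    echo "meltdown status: $verdict (pti flag in /proc/cpuinfo: $pti)"
    return $rc
}

# Constructed sample /proc/cpuinfo excerpts (not captured from a real machine)
# for trying has_pti_flag without depending on the current host.
SAMPLE_CPUINFO_WITH_PTI='processor : 0
flags : fpu vme de pse tsc msr pae pti ssbd
bugs : cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_CPUINFO_NO_PTI='processor : 0
flags : fpu vme de pse tsc msr pae
bugs : cpu_meltdown spectre_v1 spectre_v2'

# Run the live check only when asked, so the functions can be sourced alone.
if [ "${1:-}" = "--run" ]; then
    check_host
fi
```

Running `sh meltdown_check.sh --run` prints the host's verdict and exits 0 when the kernel reports "Not affected" or a mitigation, 1 when it reports "Vulnerable", and 2 when the sysfs entry is missing, which makes it usable from a fleet inventory job. The script only reports what the kernel believes about itself: a "mitigated" verdict says PTI is on, not that microcode or the hypervisor underneath a VM is also up to date.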

