- Bug: Out-of-order (transient) execution is not subject to page permission checks. The permission fault is only raised when the offending load retires, but instructions that depend on its result have already executed and left traces in the cache.
- Attack: User code can read kernel data and, through the kernel's mapping of physical memory, any physical page.
The kernel is mapped into the upper part of every process's address space, but marked inaccessible to user mode. The entire physical memory is also mapped there at a fixed offset (the direct-physical map), so a physical page that is mapped accessible in user space is additionally reachable through a kernel address. On Linux, Android and OS X, user code can therefore read the entire physical memory through a Meltdown attack.
How to reproduce
- The content of an attacker-chosen memory location, which is inaccessible to the attacker, is loaded into a register.
- A transient instruction accesses a cache line based on the secret content of the register.
- The attacker uses FLUSH+RELOAD to determine the accessed cache line and hence the secret stored at the chosen memory location.
Concise implementation without loop
Separate program
Meltdown Mitigation
Separate application and OS page tables (Page Table Isolation)
- Does not map any kernel memory in the user page table, except for the small set of pages the x86 architecture requires there, such as the interrupt and system-call entry code
- User-level programs can no longer use kernel memory addresses, even transiently: the user page table holds no translation for them, so a Meltdown load has no physical address to fetch from and nothing reaches the cache
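A practitioner's check that the mitigation is actually active on a given Linux host, as an added example (not part of the original notes). It assumes the sysfs file that Linux exports since the Meltdown fixes and its three documented values, "Not affected", "Vulnerable" and "Mitigation: PTI"; the path and strings are taken from the kernel, the enum and function names are this example's own.

```c
/*
 * Added example (not from the original notes): report whether page table
 * isolation is active on a Linux host. Assumes the sysfs file below exists
 * (Linux since the Meltdown fixes) and starts with one of the lines
 * "Not affected", "Vulnerable" or "Mitigation: PTI".
 */
#include <stdio.h>
#include <string.h>

#define MELTDOWN_SYSFS "/sys/devices/system/cpu/vulnerabilities/meltdown"

enum pti_status { PTI_NOT_AFFECTED, PTI_MITIGATED, PTI_VULNERABLE, PTI_UNKNOWN };

/* Classify one line of the sysfs file; prefix matching tolerates the trailing
 * newline and any detail a kernel appends after "Vulnerable". */
enum pti_status classify_meltdown_line(const char *line) {
    if (strncmp(line, "Not affected", 12) == 0)    return PTI_NOT_AFFECTED;
    if (strncmp(line, "Mitigation: PTI", 15) == 0) return PTI_MITIGATED;
    if (strncmp(line, "Vulnerable", 10) == 0)      return PTI_VULNERABLE;
    return PTI_UNKNOWN;
}

/* Read the live status; PTI_UNKNOWN when the file is missing (older kernel). */
enum pti_status meltdown_status_from_sysfs(const char *path) {
    char line[128];
    FILE *f = fopen(path, "r");
    if (!f) return PTI_UNKNOWN;
    if (!fgets(line, sizeof line, f)) { fclose(f); return PTI_UNKNOWN; }
    fclose(f);
    return classify_meltdown_line(line);
}

/* Exit status 0 only when user space cannot resolve kernel addresses. */
int main(void) {
    static const char *names[] = { "Not affected", "Mitigation: PTI", "Vulnerable", "unknown" };
    enum pti_status s = meltdown_status_from_sysfs(MELTDOWN_SYSFS);
    printf("%s: %s\n", MELTDOWN_SYSFS, names[s]);
    return (s == PTI_NOT_AFFECTED || s == PTI_MITIGATED) ? 0 : 1;
}
```

"Mitigation: PTI" means the kernel booted with isolation on; a host booted with the `nopti` or `pti=off` kernel parameter reports "Vulnerable" even though the kernel build supports it, so the file, not the kernel version, is what to check.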