Side-Channel Attack

Meltdown

Meltdown is a 2018 attack that lets a user-mode process read kernel memory by abusing out-of-order execution together with a cache side channel. It was disclosed in January 2018 alongside Spectre. From ECE459 L07.

Why?

The CPU performs the permission check for a load in parallel with the load itself. By the time the check raises the fault, the out-of-order engine has already consumed the loaded byte, and that dependent use leaves a footprint in the cache. The fault squashes the instructions' architectural results but not the cache state, so the secret leaks.

Mechanism. The attacker issues a load from a kernel address and uses the loaded byte to index into a user-accessible probe array. The load faults, so the value is never architecturally visible, but the probe-array line corresponding to the secret byte has already been pulled into the cache. Timing each line of the probe array reveals which line is now fast, and therefore the value of the byte.

Fix. Meltdown is closed by Kernel Page Table Isolation (KPTI): the kernel no longer maps its pages into the user-mode page tables (only a minimal entry/exit trampoline stays mapped), so the speculative load has no kernel data to read. The patch costs performance on every syscall and interrupt because the page-table root is now switched on each kernel entry and exit.

Meltdown affects mostly Intel CPUs; AMD was largely unaffected because its permission check happens earlier in the pipeline.
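A defender's first question is whether the KPTI fix described above is actually active on a given Linux host. The kernel reports this in /sys/devices/system/cpu/vulnerabilities/meltdown (values "Not affected", "Mitigation: PTI", "Vulnerable"), and on older kernels the same information is visible in /proc/cpuinfo as the "pti" flag and the "cpu_meltdown" bug. The script below is an added example, not part of the ECE459 notes; the function names, the result labels and the sample cpuinfo text are this example's own constructions.

```shell
#!/bin/sh
# Added example: classify a Linux host's Meltdown/KPTI status from the
# kernel's own reports. Function names and labels are this example's choices;
# the sysfs strings and cpuinfo tokens are the ones the Linux kernel emits.

# classify_meltdown_status LINE
#   LINE is the content of /sys/devices/system/cpu/vulnerabilities/meltdown.
#   Prints one of: not-affected, mitigated, vulnerable, unknown.
classify_meltdown_status() {
    case "$1" in
        "Not affected")     echo not-affected ;;   # e.g. most AMD parts
        "Mitigation: PTI"*) echo mitigated ;;      # KPTI is active
        Vulnerable*)        echo vulnerable ;;     # affected CPU, no KPTI
        *)                  echo unknown ;;        # unexpected or empty text
    esac
}

# classify_cpuinfo TEXT
#   TEXT is the content of /proc/cpuinfo. Same labels as above, derived from
#   the "flags" line (an active KPTI adds the "pti" flag) and the "bugs" line
#   (an affected CPU lists "cpu_meltdown").
classify_cpuinfo() {
    flags=$(printf '%s\n' "$1" | awk -F: '/^flags/ {print $2; exit}')
    bugs=$(printf '%s\n' "$1" | awk -F: '/^bugs/ {print $2; exit}')
    case " $flags " in *" pti "*) echo mitigated; return ;; esac
    case " $bugs " in *" cpu_meltdown "*) echo vulnerable; return ;; esac
    # A "bugs" line that does not list cpu_meltdown means the kernel judged
    # the CPU unaffected; no "bugs" line at all means a kernel too old to say.
    if [ -n "$bugs" ]; then echo not-affected; else echo unknown; fi
}

# check_meltdown_host
#   Prefer the sysfs report; fall back to /proc/cpuinfo on older kernels.
check_meltdown_host() {
    f=/sys/devices/system/cpu/vulnerabilities/meltdown
    if [ -r "$f" ]; then
        classify_meltdown_status "$(cat "$f")"
    elif [ -r /proc/cpuinfo ]; then
        classify_cpuinfo "$(cat /proc/cpuinfo)"
    else
        echo unknown
    fi
}

# Constructed sample inputs (not captured from a real machine) so the
# classifier can be exercised offline.
SAMPLE_INTEL_CPUINFO='processor	: 0
flags		: fpu vme de pse pti
bugs		: cpu_meltdown spectre_v1 spectre_v2'
SAMPLE_AMD_CPUINFO='processor	: 0
flags		: fpu vme de pse
bugs		: spectre_v1 spectre_v2'

# Demo: sample classifications, then the live host.
echo "sample intel (patched): $(classify_cpuinfo "$SAMPLE_INTEL_CPUINFO")"
echo "sample amd:             $(classify_cpuinfo "$SAMPLE_AMD_CPUINFO")"
echo "this host:              $(check_meltdown_host)"
```

The sysfs file is authoritative when present: it reflects the kernel's own decision, including cases where KPTI is forced on or off by the `pti=` boot parameter. The cpuinfo fallback exists only for kernels that predate the vulnerabilities directory.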