Meltdown vulnerability explained in 5 simple steps:
- Try to read a byte from protected memory. It will fail, but the CPU will still get that value, just will not return it to us.
- Try to use that byte value as an index in our own array of 256 elements. This operation will fail as well, but as the CPU "knows" the inaccessible value, it will actually use it, will read the corresponding array element and put it into the internal cache.
- Go through all 256 elements of our array in a loop trying to read them, and measure how long each reading operation takes.
- The element, which was already accessed based on the "mystery" value, is already in the CPU cache, so it will be read dozens times faster, than the others.
- The index of that "fast" element is the value, which we tried, but were not allowed to read from protected memory. Now we know it!