meltdown

a guest
May 23rd, 2018
First:

...it is possible for a rogue process to determine whether data from a specific address is held within the CPU cache, even if it cannot itself read the actual data from that address. If data from some address has been cached by the CPU then a second instruction to read that address will use the CPU cache for the purpose (fast), if not then the CPU would have to request the data to be read from memory (slower). The rogue process can use this difference in timing to detect which of these took place, and whether the address was already in the CPU cache.

Second:

...if address 2000 contains 1, then the CPU will try to return the value of memory at address 5001; if address 2000 contains 2 it will try to return the value of memory at address 5002, and so on. If we then execute a timing attack, and it shows that the CPU was slower to read from addresses 5001, 5002, 5003 and 5005, but faster for address 5004, then we can conclude that the reason is that it has cached data from address 5004, and that this is because it has recently accessed that address. So we can deduce that address 2000 contained the value "4".

Finally:

But the problem – as shown by Meltdown – is that, in order to be efficient, the CPU has already started to prepare itself by accessing the memory locations that may be needed, in parallel with the privilege check. That means, when the privilege check fails and the execution unit (correctly) discards the data and abandons the read instruction, address 2000 has already been read and its contents already used to read address 5004, even if the read was abandoned and the in-progress data was discarded by the CPU's execution unit.
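The three quoted passages together describe a Flush+Reload cache covert channel: a value is used as an index into a probe region (the page's "address 5000 + value"), and the attacker learns the value by timing which probe line became cached. The following C program is an added example, not part of the paste or of any Meltdown proof of concept. It runs the "victim" access architecturally (a normal, permitted load) and then recovers the byte purely from load timings, so it demonstrates the channel from the first and second passages without the fault-suppressed transient read that turns it into Meltdown. Slot, stride and function names are my own; real measurements need x86 (`clflush`/`rdtsc`), elsewhere it compiles but the probe returns no signal.

```c
/* Added example: Flush+Reload over a probe array, as described in the quoted
 * passages. Victim does probe[secret * STRIDE] architecturally; attacker
 * flushes every slot, lets the victim run, then times a reload of each slot
 * and decodes the single fast one. No privilege boundary is crossed. Names
 * are the author's of this example, not from the original text. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
#define X86_PROBE 1
#else
#define X86_PROBE 0   /* no user-space flush here: probe yields no signal */
#endif

#define SLOTS  256   /* one probe line per possible byte value          */
#define STRIDE 4096  /* one page per slot so the prefetcher can't pair them */

static uint8_t probe[SLOTS * STRIDE];

static void init_probe(void) {
    memset(probe, 1, sizeof probe);   /* fault every page in up front */
}

/* Evict one slot from all cache levels. */
static void flush_slot(int i) {
#if X86_PROBE
    _mm_clflush(&probe[i * STRIDE]);
#else
    (void)i;
#endif
}

/* Cycles for one load of a slot; fences keep the timer tight around the load. */
static uint64_t time_slot(int i) {
#if X86_PROBE
    volatile uint8_t *p = &probe[i * STRIDE];
    _mm_mfence(); _mm_lfence();
    uint64_t t0 = __rdtsc();
    _mm_lfence();
    (void)*p;
    _mm_lfence();
    uint64_t t1 = __rdtsc();
    return t1 - t0;
#else
    (void)i;
    return 0;
#endif
}

/* The page's second step: one latency per candidate, the single fast slot is
 * the one the victim touched. Returns -1 for no hit or an ambiguous result. */
static int decode_timings(const uint64_t *lat, int n, uint64_t threshold) {
    int hit = -1;
    for (int i = 0; i < n; i++) {
        if (lat[i] < threshold) {
            if (hit != -1) return -1;
            hit = i;
        }
    }
    return hit;
}

/* Threshold halfway between a flushed load and a cached load of one line. */
static uint64_t calibrate_threshold(void) {
    uint64_t missed = 0, cached = 0;
    for (int r = 0; r < 200; r++) {
        flush_slot(0);
        missed += time_slot(0);   /* just flushed: slow */
        cached += time_slot(0);   /* now cached: fast   */
    }
    return (missed + cached) / (2 * 200);
}

/* Victim side of the gadget ("read address 2000, then 5000 + its value"). */
static void victim_touch(uint8_t secret) {
    volatile uint8_t sink = probe[secret * STRIDE];
    (void)sink;
}

/* Attacker side: flush all slots, let the victim run, reload and time each. */
static int recover_byte(uint8_t secret, uint64_t threshold) {
    uint64_t lat[SLOTS];
    for (int i = 0; i < SLOTS; i++) flush_slot(i);
    victim_touch(secret);
    for (int k = 0; k < SLOTS; k++) {
        int i = (k * 167 + 13) & (SLOTS - 1);   /* scrambled order vs. prefetch */
        lat[i] = time_slot(i);
    }
    return decode_timings(lat, SLOTS, threshold);
}

/* The page's worked numbers as constructed latencies: candidates 1..5, only
 * value 4 cached (index 0 unused). Decodes to 4. */
static int page_example(void) {
    uint64_t lat[6] = {300, 300, 300, 300, 80, 300};
    return decode_timings(lat, 6, 150);
}

int main(void) {
    init_probe();
    uint64_t thr = calibrate_threshold();
    printf("threshold %llu cycles, page example -> %d\n",
           (unsigned long long)thr, page_example());
    uint8_t secrets[] = {4, 0x41, 0xff};
    for (size_t s = 0; s < sizeof secrets; s++)
        printf("secret 0x%02x -> recovered %d\n", secrets[s],
               recover_byte(secrets[s], thr));
    return 0;
}
```

Build with `cc -O2 flush_reload.c` on an x86-64 machine. On a quiet core the recovered value matches the secret; under noise `decode_timings` returns -1 rather than guessing, which is why real attacks repeat the measurement and take the majority. The same decode step is what turns Meltdown's discarded transient read into a leaked byte: the third passage only replaces `victim_touch` with a read the privilege check will reject.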