Keyhan Vakil 1. Explain what are cache timing attacks. Cache timing attacks work by timing the difference between a cached memory access and an uncached memory access. If the contents of the cache ever depend on secret data, an attacker can use the cache timing to determine what the secret data was. Attackers can arrange for this scenario to occur reliably by e.g. ensuring the cache is flushed before the relevant code is called. 2. Summarize the Meltdown attack. The Meltdown attack occurs since the out-of-order processor does not have precise exceptions, but only raises exceptions once the speculative instruction is retired. By engineering it so that speculative execution occurs, the attacker can cause an out-of-bounds load without triggering an immediate exception. They can then use this secret out-of-bounds data as an index to a cache. This causes a load whose location is dependent on the secret data. While the execution is later stopped and an exception raised, the loaded data remains in the cache. The attacker can then use a cache timing attacks to discern the actual secret data. 3. Consider that a victim process has a secret in memory at a known location. The attacker wants to learn what is that secret using the Meltdown attack. Does the attacker need to wait for the victim process to start running, and attack the process while it is running? Explain. The attack could work even if the victim has stopped running. For example, the other process may have just stopped and the relevant physical pages might still contain sensitive data. By exploiting Meltdown, the attacker can read all physical memory, since this is mapped into kernel space. Hence, they might be able to read this secret data from a stopped program.