Meltdown - look closely

We have added one more test to the PoC from the authors of the Meltdown paper:

The secret.c from Demo #4, the program that gets attacked in the official PoC, contains code that creates the illusion that the attack would work on any machine in any case. It does this by reading the attacked memory endlessly in a loop and, on every pass, calling sched_yield(), which hands the CPU to other runnable threads and gets the victim rescheduled over and over.

We believe this is not a real-world scenario, but it is very relevant for getting the data under attack into the cache, which seems to be a precondition for Meltdown to work.

In our tests, the attack does not work at all anymore if you remove this, which should not be the case if the Meltdown paper were exhaustive.
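To make the difference between the two victim patterns concrete, here is an added example written for this page; it is not secret.c or secret.realworld.c from the pRiVi/meltdown repository and not code from the Meltdown authors. hot_loop() is the pattern described above for the official secret.c (endless re-reads plus sched_yield()), touch_once() is a victim that uses the secret once and then idles, and reload_cycles() is a Flush+Reload probe you can use to check whether the secret's cache line is actually hot before you start the attacker. The function names, the secret string and the idle time are assumptions made for the example; the probe only works on x86-64 (it needs clflush and rdtscp) and returns 0 elsewhere.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__x86_64__)
#include <x86intrin.h>
#endif

/* Constructed stand-in for the victim's secret (not the string from the PoC).
 * Aligned to 64 bytes so the whole string sits in a single cache line. */
static char secret[64] __attribute__((aligned(64))) =
    "constructed secret, not the one from the official PoC";

/* The pattern the page describes for the official secret.c: re-read the secret
 * on every pass and call sched_yield() afterwards. The reads keep the cache
 * line hot, sched_yield() gives the CPU away and gets the victim rescheduled
 * often. A byte sum is returned so the compiler cannot drop the reads. */
unsigned long hot_loop(const volatile char *p, size_t n, unsigned passes)
{
    unsigned long sum = 0;
    for (unsigned i = 0; i < passes; i++) {
        for (size_t j = 0; j < n; j++)
            sum += (unsigned char)p[j];
        sched_yield();
    }
    return sum;
}

/* A more realistic victim: the secret is used once, then the process idles
 * (here: sleeps). Nothing brings the line back into the cache afterwards. */
unsigned long touch_once(const volatile char *p, size_t n, unsigned idle_ms)
{
    unsigned long sum = 0;
    for (size_t j = 0; j < n; j++)
        sum += (unsigned char)p[j];
    if (idle_ms)
        usleep((useconds_t)idle_ms * 1000);
    return sum;
}

/* Flush+Reload probe: evict the line with clflush, optionally re-touch it,
 * then time a single reload with rdtscp. On a typical desktop CPU a cache hit
 * costs a few tens of cycles, a miss to DRAM a few hundred. x86-64 only. */
uint64_t reload_cycles(const volatile char *p, int touch_before_probe)
{
#if defined(__x86_64__)
    unsigned int aux;
    _mm_clflush((const void *)p);
    _mm_mfence();
    if (touch_before_probe)
        (void)*p;              /* volatile read brings the line back */
    _mm_mfence();
    uint64_t t0 = __rdtscp(&aux);
    (void)*p;                  /* the timed reload */
    uint64_t t1 = __rdtscp(&aux);
    return t1 - t0;
#else
    (void)p;
    (void)touch_before_probe;
    return 0;                  /* no clflush/rdtscp on this architecture */
#endif
}

int main(void)
{
    size_t n = strlen(secret);

    /* 1. Is the line hot? Compare a reload right after a touch with one right
     *    after a flush; the gap is what a Flush+Reload attacker relies on. */
    printf("reload after touch: %llu cycles\n",
           (unsigned long long)reload_cycles(secret, 1));
    printf("reload after flush: %llu cycles\n",
           (unsigned long long)reload_cycles(secret, 0));

    /* 2. The two victim patterns. Only the first one keeps re-touching the
     *    line; the second reads it once and then sleeps. */
    printf("real-world victim (one pass): sum=%lu\n", touch_once(secret, n, 10));
    printf("tricking victim (1000 passes): sum=%lu\n", hot_loop(secret, n, 1000));
    return 0;
}
```

Run it once with `gcc -O2 -o victim victim.c && ./victim` (the file name is an assumption) and note the two cycle counts: that gap is your hit/miss threshold for this machine. Then the comparison is simple: start the attacker against a victim that is stuck in hot_loop(), and again against one that has passed through touch_once() and is idle, and see whether the page's observation reproduces on your hardware.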



Who can verify this sighting, on which hardware, and who cannot?

You can help by trying the official PoC from the authors of the paper against both its own secret.c and our modified secret.realworld.c mentioned above.

Green marks steps that are not our code or steps, but the steps for Demo #4 from the PoC of the authors of the Meltdown paper.

Red marks our new test, which is attacked with the unmodified tool from the authors of the Meltdown paper; in our tests it works only against secret.c, not against secret.realworld.c.


1. Download the extended PoC from https://github.com/pRiVi/meltdown.git


2. Find your KASLR offset, or confirm that KASLR has been deactivated



3. Check whether the PoC works against the tricking, non-real-world program (secret.c):




Success!... with the tricking secret.c

4. Check whether the PoC works against the non-tricking, real-world program (secret.realworld.c):




Failed?... with the non-tricking secret.realworld.c


Please submit your result here:









11.01.2018 - Markus Schräder - CryptoMagic GmbH