Leaking Kernel Secrets using Transient Execution
This training offers a hands-on introduction to Meltdown as a microarchitectural exploitation primitive. Participants first implement the Flush+Reload cache side channel to reliably recover transiently encoded data. Building on this, they exploit Meltdown to establish a kernel memory read primitive. This primitive is then used to defeat Kernel Address Space Layout Randomization (KASLR), which prepares the system for the subsequent exploitation stages. Finally, participants extract credentials from kernel memory and leverage them to achieve privilege escalation to root.