Context: a user program needs a secret string of characters, a ‘password’, to perform some restricted action. The idea was for the attacker, ignorant of the secret, to place a guessed string across a page boundary so that the first character is in one page and the rest is in the next page. The attacker then attempts the action, indicating the secret by address; that address is the last character of some page, and the attacker has made the following page invalid. If the attacker has guessed the first character correctly, the response will be a page fault, because the comparison goes on to the second character and touches the invalid page. If the guess is wrong, he will get a secret mismatch. By trying all possible first characters, the attacker finds the right first character. The attacker then moves the putative secret to an address one character smaller, so that two characters lie before the boundary, and learns the second character the same way he found the first, and so on.
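
The response difference described above, and one way to remove it, as an added simulation that is not part of the original note: `check_vulnerable` compares the caller's string in place and stops at the first mismatch, while `check_hardened` copies the whole argument before comparing. The page size, the class and function names, and the sample secret are constructed for illustration.

```python
import hmac

PAGE = 16  # constructed, tiny page size for the simulation

class PageFault(Exception):
    """A simulated access touched an invalid page."""

class UserMemory:
    """Caller-controlled memory: the caller chooses contents and page validity."""
    def __init__(self, pages):
        self.data = bytearray(PAGE * pages)
        self.valid = [True] * pages

    def read(self, addr):
        if not self.valid[addr // PAGE]:
            raise PageFault(addr)
        return self.data[addr]

def check_vulnerable(mem, addr, secret):
    # Reads the caller's string in place and stops at the first mismatch, so
    # whether the next page is touched depends on how much of the guess matched.
    for i, expected in enumerate(secret):
        if mem.read(addr + i) != expected:
            return False
    return True

def check_hardened(mem, addr, secret):
    # Copies the whole argument first (secret length treated as fixed and
    # public): any fault happens before the secret is consulted. The private
    # copy is then compared without an early exit.
    copy = bytes(mem.read(addr + i) for i in range(len(secret)))
    return hmac.compare_digest(copy, secret)

def probe(check, secret, guess):
    """Response when one guessed byte ends page 0 and page 1 is invalid."""
    mem = UserMemory(2)
    mem.valid[1] = False
    mem.data[PAGE - 1] = guess
    try:
        return "match" if check(mem, PAGE - 1, secret) else "mismatch"
    except PageFault:
        return "page fault"

def responses(check, secret, candidates):
    return {c: probe(check, secret, c) for c in candidates}

if __name__ == "__main__":
    secret = b"OPENSESA"  # constructed sample secret
    for check in (check_vulnerable, check_hardened):
        print(check.__name__, set(responses(check, secret, b"MNOP").values()))
```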

I heard of this attack from someone at DEC who had seen it performed on a PDP-1.