Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown (raspberrypi.org)
Raspberry Pi founder and CEO Eben Upton says the Raspberry Pi isn't susceptible to the "Spectre" or "Meltdown" vulnerabilities because of the particular ARM cores they use. "Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel's address space (which should normally be inaccessible to user programs)," Upton writes. He goes on to provide a "primer on some concepts in modern processor design" and "illustrate these concepts using simple programs in Python syntax..."
In conclusion: "Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve," writes Upton. "Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort."
Then clearly we can conclude that ARM Holdings know very little about their own cores, as opposed to Raspberry Pi founder and CEO Eben Upton.
Re:Oh really? The Cortex-A7 and Cortex-A53.... (Score:5, Informative)
Except that ARM doesn’t list the A7 or A53 as vulnerable.
https://developer.arm.com/supp... [arm.com]
So Eben knows just as much as ARM does.
Care to point out where in Arm's white paper it mentions the A7 or A53 cores being affected by Spectre?
https://developer.arm.com/support/security-update
What you qualify as "toys" are more powerful than the computers we used when I was in college in the mid-1990's.
Last time I checked we don’t live in the 90s anymore and those computers look like mere toys compared to the CPUs of today. Laughably so when even a dinky Intel m3 is many times faster.
Not a "toy" (Score:1)
It's a bona fide low-power computer that is suited for some computing tasks but is not a replacement for a laptop or desktop PC.
There is a difference.
Comparing a PC to a Pi is like comparing a professional-grade bicycle with a $50 kid's bike. Both get the job done and both are built to last for years, but one has a lot more features than the other.
It is NOT comparing a professional-grade bicycle with a toy bicycle that Ken and Barbie dolls can ride around on.
I don't know the exact number, of course, but I know that a raspberry pi is at MINIMUM a thousand times more powerful than computers that took us to the moon. So like, what fucking ever.
I can walk 100 times faster than a snail. Doesn’t make me an Olympic athlete.
Too bad they dump all IO on the USB bus (Score:2)
Too bad they dump all IO on the USB 2.0 bus, so no gig-e, hell, not even full 100M, much less with any disk IO at the same time.
I know that a raspberry pi is at MINIMUM a thousand times more powerful than computers that took us to the moon.
So why hasn't the Pi taken us to Mars? Something is wrong with your logic.
One word: Lousy programmers.
See? Most* can't even estimate their own workloads. It always takes twice as much as planned.
And then there are 'managers'... who prevent us from using assembly the way it's meant to be used. They want to *shudder* 'understand' what we write and collaborate and a fancy UI and garbage collection (there is a lot of garbage surrounding our little blue planet) and *fill in favorite hype/buzzword* using *popular piece of office software they say they can actually be productive in*. S
It depends what you use it for. An RP is great for learning and for dedicated devices... but we know it's far from being a modern desktop replacement. My "seat of my pants" feeling is that an RP3 is about as fast as a high-end Pentium 3 (circa 2000).
There are a *lot* of dedicated-use devices that need much less power than a full-fledged PC. The great thing is that PC technology doesn't stand still, and that an RP20 (or whatever the equivalent of an RP3 is in 15 years) will probably be as fast as to
Doubly irrelevant (Score:4, Informative)
Raspberry PIs and equivalents are toys.
Raspberry PI isn't a CPU. It is a single-board-computer designed for computer-science education and for rapid prototyping of embedded systems. The CPU in question is the Cortex A53 processor, which according to the manufacturer's datasheet is intended as a:
High efficiency processor for a wide range of applications in mobile, DTV, automotive, networking, storage, aerospace, and more.
This doesn't sound like a toy. It sounds like it is meant to be simple and efficient to integrate into industrial designs. That probably means that power consumption is a higher priority than squeezing the most performance out of the chip, which in turn means less aggressive use of speculative execution to keep as much of the chip working at any given time as possible.
So not being as vulnerable to this particular side channel attack isn't the result of the forethought of the Raspberry Pi's designers, or Broadcom or ARM Holdings. It's the result of the intended applications of the CPU.
Re:tl;dr (Score:4, Informative)
It doesn't use an Intel cpu
True for "Meltdown", which only breaks Intel CPUs. But "Spectre" also breaks some AMD and ARM processors.
Fortunately, the particular ARM cores in the Raspberry Pi are also NOT doing the thing that lets Spectre break them.
Spectre breaks anything that does out of order processing, and it's the first shoe to fall. The techniques discovered in Spectre are just the beginning of a whole new wave of attacks based on the timing attacks Spectre uses.
I'm going to make a fortune and release Z80-based IoT devices!
There are already Z80 chips in IoT devices. At this point, they're used as microcontrollers, and Zilog threw hardware TCP/IP stacks on them with internet-connected devices in mind.
My fridge runs CP/M Wooooo!
Actually that would be kinda neat...
Don't really know if a list is practical. As you say, there are a lot of ARM-based CPUs.
However, for most CPUs, if you google the model number you can find a product page that will tell you which cores are in it. Compare the cores to ARM's list here: https://developer.arm.com/support/security-update
So your example of the Texas Instruments DM3725 http://www.ti.com/product/DM3725 contains an Arm A-8 core, which is affected by variants 1 and 2 of Spectre.
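The core-by-core check described in the comment above can also be done on the device itself. The following is an added example, not part of the original thread: it parses Linux `/proc/cpuinfo`-style text and reports only what this page states about each core. The function name `assess`, the status strings and the sample text are assumptions made for illustration; the part numbers are the ARM MIDR values for the four cores named on the page.

```python
import re

# MIDR part numbers (ARM implementer 0x41) for the four cores named on this page.
ARM_PARTS = {0xB76: "ARM1176", 0xC07: "Cortex-A7", 0xC08: "Cortex-A8", 0xD03: "Cortex-A53"}

# Status strings restate the page only; any other core is reported as unknown.
NO_SPEC = "no speculation (per Upton)"
PAGE_STATUS = dict.fromkeys(("ARM1176", "Cortex-A7", "Cortex-A53"), NO_SPEC)
PAGE_STATUS["Cortex-A8"] = "affected by Spectre variants 1 and 2 (ARM's list, as cited in the thread)"
UNKNOWN = "unknown: compare against ARM's security-update list"

FIELD = re.compile(r"^(CPU implementer|CPU part)\s*:\s*(0x[0-9a-fA-F]+)$")

def assess(cpuinfo_text):
    """Map each distinct core in /proc/cpuinfo-style text to its status."""
    result = {}
    for block in re.split(r"\n\s*\n", cpuinfo_text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = int(m.group(2), 16)
        if "CPU part" not in fields:
            continue  # trailer block (Hardware/Revision), not a CPU entry
        impl, part = fields.get("CPU implementer", 0), fields["CPU part"]
        if impl == 0x41 and part in ARM_PARTS:
            name = ARM_PARTS[part]
            result[name] = PAGE_STATUS[name]
        else:
            # Other vendors, or ARM cores the page does not discuss
            result[f"implementer={impl:#x} part={part:#x}"] = UNKNOWN
    return result

# Constructed sample: two of the four identical entries a Raspberry Pi 3 reports.
SAMPLE_PI3 = """\
processor       : 0
CPU implementer : 0x41
CPU part        : 0xd03

processor       : 1
CPU implementer : 0x41
CPU part        : 0xd03

Hardware        : constructed-sample
"""

if __name__ == "__main__":
    print(assess(SAMPLE_PI3))
```

On a real ARM Linux device, pass `open("/proc/cpuinfo").read()` instead of the sample; heterogeneous (big.LITTLE) systems yield one entry per distinct core type.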
In other words (Score:5, Informative)
You wanted a cheap computer, so we picked a cheap CPU that doesn't do fancy-schmancy stuff like trying to guess what you will do next.
In other news, my abacus never has a battery fire.
I don't think it's just because the CPU is cheap (Score:2)
And uninstall your web browser, since almost every web page contains JavaScript that gets downloaded and run as "local code". Spectre can work via JavaScript.
Snapdragon CPUs are affected by Spectre as well. Qualcomm just recently verified this.
Excellent tutorial (Score:2)
With all the hype and panic about these vulnerabilities, it was refreshing to read Eben's clear, detailed tutorial on processor architecture and how these exploits work (and why the RPi isn't vulnerable).
Highly recommend reading the article.
You guys... (Score:2)
3) Does anyone have any idea of how difficult it is to leverage this particular vulnerability to do something useful?
NVD doesn't, yet. They have a big banner that says "undergoing analysis".
https://nvd.nist.gov/vuln/deta... [nist.gov]
The slowest CPU in the world (Score:1)
The Raspberry Pi is known for having one of the slowest CPUs in the world.
Who cares if it doesn't suffer from a 20% slowdown? It's already slow as fuck.
