Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown

Posted by BeauHD
Raspberry Pi founder and CEO Eben Upton says the Raspberry Pi isn't susceptible to the "Spectre" or "Meltdown" vulnerabilities because of the particular ARM cores they use. "Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel's address space (which should normally be inaccessible to user programs)," Upton writes. He goes on to provide a "primer on some concepts in modern processor design" and "illustrate these concepts using simple programs in Python syntax..."

In conclusion: "Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve," writes Upton. "Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality. The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi render us immune to attacks of the sort."

Eben Upton Explains Why Raspberry Pi Isn't Vulnerable To Spectre Or Meltdown

  • In other words (Score:5, Informative)

    by Anonymous Coward on Friday January 05, 2018 @05:50PM (#55872069)

    You wanted a cheap computer, so we picked a cheap CPU that doesn't do fancy-schmancy stuff like trying to guess what you will do next.

    In other news, my abacus never has a battery fire.

    • Speculative execution requires the CPU to do operations which it might be called upon to do in the future, then throw away the results if it turns out the code doesn't call for that operation. There's got to be an energy cost associated with that since you're making it do a bunch of operations it doesn't need to do. ARM SoCs are mostly used on mobile devices whose only power source is a battery. So it makes sense that they wouldn't incorporate energy-wasting "features" like speculation.

      • Re: (Score:2)

        by Ramze ( 640788 )

        considering what little CPU percentage is used by the average PC user, there may be an argument for desktops and laptops not needing it either.... Maybe even for data centers where large caches are more important than branch predictions.

        I know, I know... Insanity! Branch prediction is like... 75% to 99% correct, so it's not that much of a waste... and pipelines are long... but, Intel just helped put out a patch that wipes cache when switching between user mode and kernel mode and your average user can't

  • With all the hype and panic about these vulnerabilities, it was refreshing to read Eben's clear, detailed tutorial on processor architecture and how these exploits work (and why the RPi isn't vulnerable).
    Highly recommend reading the article.

  • "Oh! Is THIS ARM chip vulnerable? Oh, NNNNNOOOO...." Everyone seems to have lost perspective here. 1) In order for you to be "vulnerable", you must be running some kind of malware. If you're running malware, you are already fucked with a sand-paper dildo. 2) Given #1, coupled with the astounding number/variety of destructive forms of malware extant, it is ludicrous to give more than a nano-second's consideration (as a basic user or admin) to this. 3) Does anyone have any idea of how difficult it is to lever

    • 3) Does anyone have any idea of how difficult it is to leverage this particular vulnerability to do something useful?

      NVD doesn't, yet. They have a big banner that says "undergoing analysis".

      https://nvd.nist.gov/vuln/deta... [nist.gov]

    • Everyone seems to have lost perspective here. 1) In order for you to be "vulnerable", you must be running some kind of malware. If you're running malware, you are already fucked with a sand-paper dildo.

      It would be surprising if the average user didn't encounter malicious code, because malicious Javascript is a thing. At least one of these attacks can be made through your browser. How are you enjoying your anal sanding?

  • The Raspberry Pi is known for having one of the slowest CPUs in the world.
    Who cares if it doesn't suffer from a 20% slowdown? It's already slow as fuck.

    • Re: (Score:2)

      by Xenx ( 2211586 )
      I'm sure people that use the Pi care. I mean, based on you eloquent definition of their speed, they don't have much headroom for a performance drop.
  • Raspberry PI 3 is far from a toy. The main thing is to install the Raspbian Lite without GUI desktop. Most of the computing "power" is spent on handling of the HD, 4K, 8K, etc. display.

    I installed Apache 2, PHP 7, SSH, SFTP on one RPI3 and MySQL database on another. This system is incredibly stable and quite fast. I think of moving to self-hosting with this setup. It practically does not consume any electricity.

    I realize now that it does not requite too much computing power to send HTML files and even

