Sunday, January 7, 2018

There Is a Major Computer Not Vulnerable to Spectre or Meltdown

It turns out that the Raspberry Pi is not subject to these vulnerabilities (from the Raspberry Pi blog), because its designers chose processors that did not strive for the last iota of performance.

The Raspberry Pi was designed as a low-cost single-board computer for use in computer education and in the third world, so absolute performance is not a priority. That means no speculative execution, and therefore no vulnerability to either of these exploits:
Over the last couple of days, there has been a lot of discussion about a pair of security vulnerabilities nicknamed Spectre and Meltdown. These affect all modern Intel processors, and (in the case of Spectre) many AMD processors and ARM cores. Spectre allows an attacker to bypass software checks to read data from arbitrary locations in the current address space; Meltdown allows an attacker to read data from arbitrary locations in the operating system kernel’s address space (which should normally be inaccessible to user programs).

Both vulnerabilities exploit performance features (caching and speculative execution) common to many modern processors to leak data via a so-called side-channel attack. Happily, the Raspberry Pi isn’t susceptible to these vulnerabilities, because of the particular ARM cores that we use.

………

Modern processors go to great lengths to preserve the abstraction that they are in-order scalar machines that access memory directly, while in fact using a host of techniques including caching, instruction reordering, and speculation to deliver much higher performance than a simple processor could hope to achieve. Meltdown and Spectre are examples of what happens when we reason about security in the context of that abstraction, and then encounter minor discrepancies between the abstraction and reality.

The lack of speculation in the ARM1176, Cortex-A7, and Cortex-A53 cores used in Raspberry Pi renders us immune to attacks of the sort.
Of course, we need the additional performance because no one writes tight code any more.
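A practical question a defender gets after reading the quoted post is "which of my boards actually run one of those three cores, and what does the kernel itself say?" The following is an added example, not code from this post or from the Raspberry Pi Foundation. It parses /proc/cpuinfo for the ARM part numbers of the cores named above (ARM1176 is part 0xb76, Cortex-A7 is 0xc07, Cortex-A53 is 0xd03, all under ARM implementer 0x41) and, on kernels that expose it, reads the per-vulnerability status files under /sys/devices/system/cpu/vulnerabilities/. The sample cpuinfo text and sysfs contents embedded at the bottom are constructed for the example; the function and variable names are this example's own.

```python
import glob
import os

# ARM implementer code and the "CPU part" values for the cores the post names.
# Value: (core name, whether the core executes speculatively). Per the post,
# none of these three speculate, which is why they are unaffected.
ARM_IMPLEMENTER = 0x41
NON_SPECULATING_ARM_CORES = {
    0xB76: "ARM1176",
    0xC07: "Cortex-A7",
    0xD03: "Cortex-A53",
}

# Kernel-exported status files (Linux 4.15+); absent on older kernels.
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def parse_cpuinfo(text):
    """Return the set of (implementer, part) pairs found in /proc/cpuinfo text.

    Each processor block is separated by a blank line; x86 systems have no
    "CPU part" field, so the result is empty there.
    """
    found = set()
    impl = part = None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends a processor block
            if impl is not None and part is not None:
                found.add((impl, part))
            impl = part = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "CPU implementer":
            impl = int(value, 16)
        elif key == "CPU part":
            part = int(value, 16)
    if impl is not None and part is not None:     # last block may lack a trailing blank
        found.add((impl, part))
    return found


def classify_cores(cpuinfo_text):
    """Map each distinct core to (name, speculates).

    Cores not in the post's list are reported with speculates=None: this tool
    only knows the three cores the post vouches for and makes no claim about others.
    """
    result = []
    for impl, part in sorted(parse_cpuinfo(cpuinfo_text)):
        if impl == ARM_IMPLEMENTER and part in NON_SPECULATING_ARM_CORES:
            result.append((NON_SPECULATING_ARM_CORES[part], False))
        else:
            result.append(("unknown core (implementer 0x%02x, part 0x%03x)" % (impl, part), None))
    return result


def parse_vulnerability_status(files):
    """Classify the kernel's own verdict per vulnerability.

    `files` maps a file name such as "meltdown" to its content. The kernel
    writes "Not affected", "Vulnerable", or "Mitigation: <what>" (possibly
    followed by details); anything else is reported as unknown.
    """
    status = {}
    for name, content in files.items():
        text = content.strip()
        if text.startswith("Not affected"):
            status[name] = "not_affected"
        elif text.startswith("Mitigation:"):
            status[name] = "mitigated"
        elif text.startswith("Vulnerable"):
            status[name] = "vulnerable"
        else:
            status[name] = "unknown"
    return status


def read_live():
    """Read the real files on a Linux host; returns (cores, kernel_status)."""
    cores = []
    if os.path.exists("/proc/cpuinfo"):
        with open("/proc/cpuinfo") as fh:
            cores = classify_cores(fh.read())
    files = {}
    for path in glob.glob(os.path.join(VULN_DIR, "*")):
        with open(path) as fh:
            files[os.path.basename(path)] = fh.read()
    return cores, parse_vulnerability_status(files)


# Constructed sample: one processor block as a Raspberry Pi 3 (Cortex-A53) reports it.
SAMPLE_PI3_CPUINFO = """processor\t: 0
model name\t: ARMv7 Processor rev 4 (v7l)
CPU implementer\t: 0x41
CPU architecture: 7
CPU variant\t: 0x0
CPU part\t: 0xd03
CPU revision\t: 4

Hardware\t: BCM2835
"""

# Constructed sample: sysfs contents as an x86 host with kernel mitigations might show.
SAMPLE_X86_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}

if __name__ == "__main__":
    print(classify_cores(SAMPLE_PI3_CPUINFO))
    print(parse_vulnerability_status(SAMPLE_X86_SYSFS))
    print(read_live())
```

The cpuinfo check is an inventory aid, not proof of safety: a core that is absent from the table is reported as unknown rather than assumed safe, and on any kernel that exposes the sysfs files the kernel's own verdict should take precedence over the part-number lookup.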
