nuzada
Posts: 3
Joined: Mon Jun 24, 2019 1:48 pm

Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 2:10 pm

Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

gkaiseril
Posts: 615
Joined: Mon Aug 08, 2016 9:27 pm
Location: Chicago, IL

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 2:51 pm

Most viruses are machine dependent and this virus as many rely on the Intel and AMD family of chips. Since the Pi uses the ARM processor, the machine code is not compatible with Intel and AMD systems.
f u cn rd ths, u cn gt a gd jb n cmptr prgrmmng.

bensimmo
Posts: 4075
Joined: Sun Dec 28, 2014 3:02 pm
Location: East Yorkshire

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 3:04 pm

It should be as it uses the A72, the OS or whatever may stop that.

Heater
Posts: 12747
Joined: Tue Jul 17, 2012 3:02 pm

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 3:20 pm

gkaiseril,
"Most viruses are machine dependent ..."
True.
"...and this virus as many rely on the Intel and AMD family of chips"
Not true.

These attacks depend on processor optimization features that can be present in any processor architecture.

I have no idea if our Pi's ARM cores employ such features though, or if anyone has yet managed to exploit them on other than Intel/AMD machines.
"Since the Pi uses the ARM processor, the machine code is not compatible with Intel and AMD systems."
Given that Meltdown and/or Spectre attacks have been demonstrated in JavaScript it's clear that actual machine instruction set is not critical to their operation.

Anyway, I'm not about to worry about it.

cspan
Posts: 122
Joined: Sat Jun 10, 2017 1:03 pm
Location: Chattanooga, TN, USA

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 10:01 pm

I am concerned about this too. When Eben penned this:

https://www.raspberrypi.org/blog/why-ra ... -meltdown/

... I was heartened.

However, in the PDF issued by pi3g.com (Inside the Raspberry Pi 4), on page 6, it mentions that the new core has "out-of-order execution ('pipelined processor with deeply out of order, speculative issue 3-way superscalar execution pipeline')"

It isn't 100% clear to me what this exactly means, but it does contain the terms "speculative" and "execution" - without a negative modifier. It's a bit concerning, and I'd like clarification. Hard to believe that RPT would concede security for performance, after having proudly pointed out their immunity to this chip vulnerability.

ejolson
Posts: 3084
Joined: Tue Mar 18, 2014 11:47 am

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 10:42 pm

bensimmo wrote:
Mon Jun 24, 2019 3:04 pm
It should be as it uses the A72, the OS or whatever may stop that.
According to Wikipedia:
"ARM has reported that the majority of their processors are not vulnerable, and published a list of the specific processors that are affected. The ARM Cortex-A75 core is affected directly by both Meltdown and Spectre vulnerabilities, and Cortex-R7, Cortex-R8, Cortex-A8, Cortex-A9, Cortex-A15, Cortex-A17, Cortex-A57, Cortex-A72 and Cortex-A73 cores are affected only by the Spectre vulnerability.[61] This contradicts some early statements made about the Meltdown vulnerability as being Intel-only.[73]"
Therefore, it would appear the Pi 4 is susceptible to Spectre but not Meltdown.
Last edited by ejolson on Mon Jun 24, 2019 10:44 pm, edited 1 time in total.

jerrm
Posts: 88
Joined: Wed May 02, 2018 7:35 pm

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 10:44 pm

Cortex A72 is potentially at risk, no idea about the Pi's specific variation.

If the Pi revision is susceptible, I would hope the mitigations are enabled by default.

See https://developer.arm.com/support/arm-s ... -arm-cores

Andyroo
Posts: 3384
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Mon Jun 24, 2019 11:51 pm

There was an interesting note on how effective these attacks could be last year:
In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.
Taken from https://www.virusbulletin.com/blog/2018 ... r-spectre/

I know there are ‘working samples’ at https://meltdownattack.com/ but I’m more concerned how stable Buster will be :oops:
Need Pi spray - these things are breeding in my house...

Andyroo
Posts: 3384
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 12:21 am

Following on from my last sentence:
Please note that security updates for testing distribution are not yet managed by the security team. Hence, testing does not get security updates in a timely manner. You are encouraged to switch your sources.list entries from testing to stretch for the time being if you need security support. See also the entry in the Security Team's FAQ for the testing distribution.
Taken from https://www.debian.org/releases/testing/

ejolson
Posts: 3084
Joined: Tue Mar 18, 2014 11:47 am

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 12:45 am

Andyroo wrote:
Mon Jun 24, 2019 11:51 pm
There was an interesting note on how effective these attacks could be last year:
In fact, I doubt we will ever see a lot of in-the-wild malware using the Meltdown or Spectre exploits. Memory-read attacks simply aren't that attractive to most attackers: they don't allow an attacker to run arbitrary code on a targeted system, nor do they give the attacker access to stored data they are interested in. It is telling that Heartbleed, an unrelated attack that also allowed access to large chunks of memory, was not exploited widely in the wild, if it even was at all.
Taken from https://www.virusbulletin.com/blog/2018 ... r-spectre/

I know there are ‘working samples’ at https://meltdownattack.com/ but I’m more concerned how stable Buster will be :oops:
I think these side-channel information leaks mostly affect cloud providers by demonstrating that partitioning an Intel Xeon server into multiple virtual machines doesn't provide anywhere near the isolation and security that the marketing types wanted.

At this point various mitigations that negatively affect performance have been added upstream to Linux and applications that require additional security. Therefore, the standard mitigations are surely in place for Raspbian. In the future, I suspect one may see specialized hardware designed for security-sensitive code paths. For example, if it weren't for Oracle cancelling future development, the SPARC M8 security-in-silicon encrypted memory seems like a promising way to avoid many side channel attacks.

Since the secure sharing of a single Raspberry Pi among adversarial users is generally not an issue, the main vulnerability for the Pi 4 occurs when a web browser downloads a page that contains WebAssembler or JavaScript that employs the Spectre side-channel to read privileged memory. Unless you are a government-class espionage target, the chance of accidentally downloading such a webpage and it actually extracting damaging information is minimal. If you are such an espionage target, it might be better to stick to the 3B+ or pencil and paper.
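
Added example, not part of any post in this thread: a way to check on the Pi itself what jerrm and ejolson discuss, by identifying the core from `/proc/cpuinfo` and reading the status strings the Linux kernel publishes under `/sys/devices/system/cpu/vulnerabilities` (on kernels that provide that directory). The table covers only the Cortex-A cores from the Wikipedia passage quoted above (the Cortex-R7 and Cortex-R8 entries are left out); the function names and the sample text are constructed for illustration.

```python
from pathlib import Path

# Cortex-A cores named in the Wikipedia passage quoted in this thread, keyed by
# the "CPU part" value Linux prints in /proc/cpuinfo (ARM-assigned part numbers).
LISTED = {
    0xc08: ("Cortex-A8", "Spectre"), 0xc09: ("Cortex-A9", "Spectre"),
    0xc0f: ("Cortex-A15", "Spectre"), 0xc0e: ("Cortex-A17", "Spectre"),
    0xd07: ("Cortex-A57", "Spectre"), 0xd08: ("Cortex-A72", "Spectre"),
    0xd09: ("Cortex-A73", "Spectre"),
    0xd0a: ("Cortex-A75", "Meltdown and Spectre"),
}
ARM_IMPLEMENTER = 0x41  # implementer code for ARM Ltd.

# Constructed sample: one core's entry as a Pi 4 would report it.
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: ARMv7 Processor rev 3 (v7l)
CPU implementer\t: 0x41
CPU architecture: 7
CPU variant\t: 0x0
CPU part\t: 0xd08
CPU revision\t: 3
"""

def classify_cores(cpuinfo_text):
    """Return a sorted list of (core, exposure per the quoted list), one per distinct ARM core."""
    found, implementer = set(), None
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "CPU implementer":
            implementer = int(value, 16)
        elif key == "CPU part" and implementer == ARM_IMPLEMENTER:
            part = int(value, 16)
            found.add(LISTED.get(part, (f"part {part:#x}", "not in quoted list")))
    return sorted(found)

def kernel_report(root="/sys/devices/system/cpu/vulnerabilities"):
    """Map each file (e.g. spectre_v2) to the kernel's status string.
    Returns {} when the running kernel does not expose the directory."""
    d = Path(root)
    if not d.is_dir():
        return {}
    return {f.name: f.read_text().strip() for f in sorted(d.iterdir()) if f.is_file()}

if __name__ == "__main__":
    src = Path("/proc/cpuinfo")
    print(classify_cores(src.read_text() if src.exists() else SAMPLE_CPUINFO))
    for name, status in kernel_report().items():
        print(f"{name}: {status}")
```

A status beginning with "Mitigation:" means the kernel has applied one, "Vulnerable" means it has not, and an empty report means the kernel gives no answer either way.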

Andyroo
Posts: 3384
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 1:18 am

The problem then becomes once a third party has access to your machine you can become a bot and help mine them money or take part in a DOS attack etc etc and that’s not even thinking about being a platform for attacks inside the network for bank details etc.

It’s just another worry about connecting ANY computer to the Internet nowadays and I’m glad I do not have Intel / AMD support concerns anymore. (I’m also only up to 3B+ at the top end of the Pi boxes here - so I can wait).

Wonder if Smiths still sell 4B pencils :lol:

DavidS
Posts: 4314
Joined: Thu Dec 15, 2011 6:39 am
Location: USA

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 3:07 am

I do not understand why it would matter if it is vulnerable to a Spectre attack, that is just a way of getting at information that is not accessible from normal modes of operation. So what information would you have on an internet connected machine that would matter in such a way? I guess it is technically possible to use such a thing to inject code into protected memory, though no one has yet done that with it.

As for Meltdown attacks, well I have not heard any news suggesting that the Cortex-A72 is vulnerable, I am not 100% sure though. And again if you have data that it matters if it is read from a different context then there is a problem with your setup. What would be the use of such a thing?
RPi = The best ARM based RISC OS computer around
More than 95% of posts made from RISC OS on RPi 1B/1B+ computers. Most of the rest from RISC OS on RPi 2B/3B/3B+ computers

DavidS
Posts: 4314
Joined: Thu Dec 15, 2011 6:39 am
Location: USA

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 3:14 am

Put another way, it is normal for most systems to allow read access between protected contexts. There should be no data anywhere on your system that if read from an unknown context could be a vulnerability in any way. So no passwords in raw text or in a form that is easy to decrypt (and ideally only in non reversible encryption, the only reversible form should be in the human memory).

And no data that could potentially be of importance on a level that others should not have it should ever be on a computer that is connected to the internet (unfortunately our banking systems break this rule badly).

klockstone
Posts: 1
Joined: Tue Jun 25, 2019 9:14 am

Re: Is the new Raspberry Pi 4 vulnerable to Meltdown and Spectre attacks?

Tue Jun 25, 2019 9:19 am

https://en.wikipedia.org/wiki/Meltdown_ ... erability) says:

... Also, no Raspberry Pi computers are vulnerable to either Meltdown or Spectre, except the newly-released Raspberry Pi 4, which uses the ARM Cortex-A72 CPU.

If there has been some work-around, we need to be told and Wikipedia updated.

Keith.
