Great news, thank you!

Having read this, I feel smarter. Didn`t really understand it, but I feel smarter.

Thanks, great explanation and I feel confident Raspberry Pi’s are tough little computers.

If I am using Raspbian x86 desktop on Oracle Virtual Box, does the Virtual CPU have the exploit or is it protected by the Host OS. I am assuming the host hardware may have the exploit patched.

That is an *excellent* summary of how Spectre and Meltdown work. (The fact that the Pi is immune is just a bonus).

Wow. Silver lining related to Meltdown and Spectre: I’m learning a whole lot more about how processors work.

Eben, could you please clarify how this A53 CPU feature is different from the one that is exploitable by Spectre?

http://infocenter.arm.com/help/topic/com.arm.doc.ddi0500g/CHDGIAHH.html

+1

A well written and easy to understand introduction to some aspects of modern CPU design (add some more about instruction fusion and the crucial register renaming) and it should be permanently published in the education section.

Excellent write up Ebon. Thank you.

I’m still a little unclear on how knowing what memory address is in processor cache get us actual data from memory.

@Pete: The Raspberry Pi computer itself is invulnerable to the bug. The Intel or AMD-based computer you are running Raspbian on is not.

So if you are running Raspbian x86 you will need to install patches in both your Raspbian guest operating system and your host operating system to be safe from the vulnerability.

Eben .. thanks so much for this … I read through it once but will reread to hopefully understand it better .. It is nice to get education instead of hysteria! If you were willing to pay with performance to get security could you simply turn off specualtion? Is that what the news was referring to when they say the fix will cause a 30% degradation in performance?

Maybe we should have raspberry pi terminals communicating to IBM Z mainframes!

Thanks again!
-don

This is the best “tutorial” I have seen on this subject. The side effect of this attack has been a better awareness of modern processor architecture. It is unfortunate that this had to happen to get folks to draw back the curtain on this, instead of keeping the pretense of everything being scalar and in order. It does matter in many more instances than people think.

Thank you for the awesome lesson in processor technology.

Thanks for this. Even though you mention that the real exploit is more complex, this gives the context. I feel like I could read more and more on this topic.
Happy New Year*

Thanks for the excellent explanation!

I wonder, can a python program actually exploit this bug?

And how can you reliably “time a subsequent access to one of those addresses”?

Thank you for the incredible post! I understand so much more now.

This is fantastically friendly and clear. Thanks so much for the accessible explanation! I’m much less confused than I was before.

Thanks for the wonderfully explained post, Eden. You’ve explained a complex concept in a really simple manner.

So did you have an Archimedes too, or did you defect to Amiga? =)

For Christ sake, why should an userspace program ever “flush the cache”?

This might be good except for the fact that arm themselves started that those devices are effected by the “bug” if one could really call it that.

You are a mind reader! I was thinking about this problem earlier and I was about to ask it on the forums then this long and helpful post pops up.

Thank you for a fantastic explanation, it should be preserved somewhere for educational purposes!

Perhaps we should look at far simpler CPU designs more seriously as they say, “complexity kills”. SUBLEQ anyone? :-)

All this talk of scalar vs superscalar takes me back to the day I got my 68060 (a superscalar CPU) expansion board for my Amiga 1200 and overclocked it from 50Mhz to 66Mhz by simply soldering on a different clock crystal! :-)

PS: Love the RasberryPi, it’s really put the fun back into computing, keep up the great work!

Thanks for the article!

The Cortex A53 boasts an “Advanced Branch Predictor” which I assumed to mean it supports speculative execution. If the processor isn’t using the branch prediction to pre-execute instructions is it using it for instruction re-ordering? What’s the point of branch prediction without speculative execution of the predicted branch?

I hope Pi that will be released in 2019 (speculation?), also continue using ARM A-53 :)

Holy! Eben is awesome! Met him at a Maker Faire in NYC.
And Liz too!

Woah. I understood that and was able to follow it to the end of the article!

Thanks, Eben, you are a fine writer.

B

From what I read, AMD seems to reject that their chips are affected by Meltdown. Does this mean that AMD chips don’t implement speculative execution? Can’t imagine that however..

Good writing. Thanks!

I think I understand. Please correct if this is wrong.
So you’re saying:

You have an if that will equate to false that tries to read from kernel memory. (if you did read this memory, it’ll raise an exception)

You ensure the cache is flushed so that when the CPU speculatively executes the read from kernel memory the value will be in the cache.

The if is then checked and is found to be false and so an exception is not fired as the CPU pretends it was not executed.

Now the memory read from the kernel is in the cache (because of the speculative execution) and is in the same place that our user space memory would have been because of how the cache is aliased against the whole address space. And this is what allows you to read it????

You do not have to directly read data from within the cache. Your cachche was flushed, so either array[0] or array[4] are not cached. Then, afther execution, read access of one of these two values with timing will leak if is your particular value cached or not. If present or not could be tell apart by delay, short time mead data are cached, opossite whe readed directly from memory … what is exactly one bit of information ;)

This is extremely well-written, and if a reader has the patience to read it through carefully, that reader comes away with an understanding not just of how a kernel-reading exploit could be constructed, but also twenty years of advances in CPU design. I am in awe, and reassured to have people like Eben Upton on the users’ side.

Exactly what i was thinking.

(say about 1% of readers)

:)

pardon my noobie question,
does that mean smartphones made with Cortex-A53 processor are not affected by meltdown & spectre?
(e.g Xiaomi’s Honor 7X Smartphone with CPU : Octa-core (4×2.36 GHz Cortex-A53 & 4×1.7 GHz Cortex-A53) OS : Android 7.0 (Nougat)-)
million thanks….

What is not discussed is that you have to have a program running that is doing these timings. That, alone, would skew the numbers as control is taken from one thread and given to another. Or… If the pipeline is stuck waiting on something, where is this program going to run? I guess it could run on an additional core. Then it would have to be running really tight code to get these timings. In fact, it seems like the program would have to run faster than the cycle time of the core to be able to watch what is happening (timing wise) in another core or memory or cache or whatever it is exactly watching. This seems on the face of it to be impossible since you have to run faster than what you are timing for timing to be usable. Am I missing something here or was it just left out. So far, all of this seems theoretical. It seems like you would need another, faster processor to time the decision processes of the other, slower processor. How can all this actually run on the same CPU, even with multiple cores? Maybe the timing program can run faster after its memory is all in cache. But, then, it has to collect and eventually send this data out so it is subject to the same speed restrictions on the internal buss(es) as the program it is watching. Seems all very theoretical and not particularly practical. Where is this wrong? My speculations must be wrong if this can actually be done.

This is a great article in explaining the processor issues and the operation of the current software fixes. I’m terms of future processor architecture design, how easy will it be to design this out for ARM and Intel, and will it be possible to do so without suffering a significant performance hit in future processor designs ? Are there any designs in the pipeline that take a different approach to speculation and parallel pipelines from the current generation of processor architectures ?

And all these years, ARM has been ignored by major players. At least this should make people thinking about wider adoption of ARM processors.

Eben,

Long before I retired, I worked for some years as a Technical Author; an experience that makes me super-critical of so-called technical journalists and authors who don’t really understand their topic.

I have to say that this is the best bit of technical journalism that I’ve read for years. After technical authorship I worked as an engineer in the test industry, but 30 years of that did not equip me to understand the intricacies of CPU architecture. Your posting has impressed me most because it doesn’t assume that reader knows anything except a slight grounding in electronics engineering and computer science, but to me anyway, is incredibly readable.

Thanks for this and for everything else that you’ve done for education.

Amazingly clear writeup; more content like this please.

Very good article!

Thanks for explaining this complex matter in an easy to read and understandable way for everybody.

Keep on writing technical stories like this.

I see what you do Eben.
Raspberry Pi is actually Battlestar Galactica.
:-)
Nice explanantion. I now have something to point folks to

Hi Eben. A really helpful and informative post. It made way more sense than the flurry of pseudo-tech commentaries I’d been reading before today. Thanks for the update and pleased the Pi is spared.

Say hi to Liz toe

Geoff

Nice article that triggered an equally nice discussion in comments. Sad to see Wikipedia description incorrectly pin side channel attacks to crypto systems when in fact such attacks are widely used and not unique to crypto systems. Thanks for taking time to write, and for providing a useful product to the general public.

Reading the white papers, the only (known) way to deploy the Spectre attack would be to have a kernel with the Berkley Packet Filter JIT compiled in, which is in Ring 0. What if it’s more of a flaw in the BPF or gcc toolchain, and not necessarily a flaw with any particular processor?

Have we seen it deployed as anything other than taking advantage of any other methods?

Either way, the fix on the arm white paper for the issue isn’t computationally expensive.

Incredibly interesting. Thank you for the write up.

This excellent explanation is a greta primer on how (most) modern microprocessors and compilers attempt to maximize performance, as well as the clearest explanation of the fundamentals of Meltdown and Spectre. Great job!

Thanks Eben for taking the time and effort to write this article! It’s the most understandable one I have read so far.

This is hands-down the best explanation of Meltdown and Spectre that I have come across. Extremely well presented and easy to understand. Thanks.

Thanks for the great explanation!

Awesome explanation.
Easy to read, easy to understand.

The ARM Cortex A7 and A53 (and even the old 1176) certainly can both prefetch and execute speculatively. Speculative instructions will not be retired, but loads _will_ cause pahe walks and cache fills to be initiated while still speculative in the issue and dc1 stage. There are at most 6 instructions after the branch that are executed until the pipeline is cleared if mispredicted.

Whatever saves most arm processors from spectre it is not a lack of speculative issue of loads. What does save it is the fact that the first load will get abandoned before it can forward to the AGU for the second load, since there is no register renaming that can handle undoing of register updates. No speculative instructions after the branch will retire.

It would be possible for the second load to use a forwarded result from dc2 of the first load to start generating the tlb lookup. I guess something in the timing allows the page table walk to be abandoned before it or started.

Is Raspberry Pi vulnerable to Rowhammer?

That was a very well written piece about a complex subject. Thanks for that.

Such a great post, Eben. I don’t think I have ever read such a clear and concise explanation of this kind of problem in a CPU. (I know I was never able to be either, although I sometimes convinced management they’d had a bad idea.)

Thank you.

(Yes, the 68xxx family was the Betamax of CPUs. Should have won. Was better. The Amiga … (still have a hot-rodded 2000) … I have never had a WinTel machine that was as responsive to human input. Improper design focus, imao.)

I have the only non-vulnerable computer in the house!! Thanks for the information

Thanks. A #mustRead for all software-ingenieurs, I would say

And, an inspiration for everybody how to write documentation that is useful

You can always tell when someone understands something markedly; they explain it so well.

Thanks, Eben.

Hi Eben,
Your article is the first I have found that explains how memory is exposed where it shouldn’t be — Thank you! But I am having a difficult time understanding how this would be useful to anyone. Isn’t this like opening a book and reading a part on a random page one bit at a time? I don’t see how anyone could use this to figure out what book they’re reading. If an attacker’s purpose is to gather info (passwords, credit card data, etc.), how could they possibly know what they are reading until they read a sizable chunk of memory and analyze it to see what they collected? Or am I missing something?

Hi Eben,

Hennessy and Patterson might be a bit deep end for those wanting an introductory overview. Are you aware of the excellent `The Elements of Computing Systems’ by Nisan and Schocken? http://amzn.to/1qlmwCy

The first half introduces Boolean logic and their own little hardware-description language. They provide a series of Java emulators for the HDL and have one write plain text files to build logic gates, registers, RAM, ALU, etc., to implement a simple CPU for a PDA.

The second half has you use the language of your choice to write an assembler for it, then a compiler to byte-code for a simple OO language, and then the VM to execute that as the CPU’s operating system. Finally, there’s Pong written in that OO language.

All the exercises come with expected outputs and a test harness so you only progress when you’ve grasped the material. It’s a slim book, so not daunting, and covers just enough of each topic to string them together. It’s nicknamed `The NAND Book’, because you build this little PDA from just NANDs.

BTW, how did you transition from software to VLSI design? It’s an uncommon route.

Cheers, Ralph.

Hi Eben,

Thanks for the explanation. I might be wrong, but the real problem with the Spectre vulnerability is not the speculative execution in CPU. It is the ability to control the CPU cache, like cache eviction by userspace program. There is ARMageddon paper (https://www.blackhat.com/docs/eu-16/materials/eu-16-Lipp-ARMageddon-How-Your-Smartphone-CPU-Breaks-Software-Level-Security-And-Privacy.pdf) and they mention ARM Cortex A-53.
Is this not relevant for RPi ? If not, why ?

Thanks a lot. Example is better than a lecture:)

What an amazing way of explaining quite a few microprocessor design concepts building on the same example!

Just one nit which perhaps could make it more accessible: many readers would expect bit 8 in 0x100 to be named as “ninth” when referred to as an ordinal

Yes. Thanks very much for the effort of trying to explain this to a lot of people who don’t understand what’s going on, which includes me.

It’s always good to see the BBC B referred to in a story mentioning the good old days.

“””
Even though the processor always speculatively reads from the kernel address, it must defer the resulting fault until it knows that v was non-zero
“””

The zero-check ensures that a the memory access violation (A memory access violation zeros out the target register) isn’t sooner than the parallel computation . What if you remove the if statement (ie: remove any need for speculation)

Sure – you will get a less accurate memory dump (with some zeros here and there), but won’t this still mean you can get a somewhat estimated guess of the kernel memory contents?

Fantastic article. I have small question, and it’s somewhat subjective.

I’m wondering if perhaps there is an off by one error in here? You say “[this] will access either userland address 0x000 or address 0x100 depending on the eighth bit of the result of the illegal read.”

Wouldn’t this be dependent on the _ninth_ bit of the illegal read? Granted, it depends on whether we’re calling w_&0x1 the first bit or the zeroth bit.

Just wanted to clarify for myself and anyone else who may have wondering similarly. Definitely not trying to be pedantic. Thanks for the article, it’s very helpful.

Thank you Eben for your clear exposition of the basis of the Spectre problem. It would be very interesting if you could write a follow-up in which you describe the principles of the next steps in a hack. Not because I want to write a hacking program, but just because I’m curious.

As a non-assembler programmer I have the following questions:
1. How do you time separate fetch instruction (get the time differences between fetches from user-space and kernel-space)?
2. A program that loops over individual bits of the kernel-space must be pretty slow. Is it not possible that the state of the kernel changes during the loop?
3. Assuming that the kernel state is constant long enough, you know it when the loop is finished. That is, you have a large number of 0’s and 1’s. How do you disassemble such a long binary string to obtain passwords and userid’s from it? (At least this is what is generally described as the main threat of the Spectre vulnerability).
4. If it so happens that the momentary snapshot of the kernel-space does not contain useful info, does the hacking program then repeat the procedure in a kind of while (info is not useful) loop?

I would be grateful if you could answer – at least in principle – the questions above. Undoubtedly there are many more problems toward a hacking program that I’m not even aware of.

Thank you for the effort in dumbing this down so that others can understand this, I think I am starting to grasp what is needing to be fixed.

I still don’t understand how they are going to patch this via software and not a physical replacement of a component.

My pi shed tears of relief while I read this article to it.

to PW42.
The program (malware) needs to have a starting point. As soon as it has a starting point it can begin to execute it’s code. It does not determine passwords and user id’s from it’s derivation of memory locations. The programmer determines the starting point for executing his malware. Once his code begins to execute it’s katie bar the door.

Hello This Article is so awesome and what all we need to know the problems, not only pi users but also other architecture users.
I want it to translate to Japanese, Can I?

It makes me wonder about the authors of these attacks. They must come from a very select group of insiders making it difficult to hide their identities ?

mmm … rpi if it’s vulnerable..

——–

CVE-2017-5715 [branch target injection] aka ‘Spectre Variant 2’
* Mitigation 1
* Hardware (CPU microcode) support for mitigation: UNKNOWN (couldn’t read /dev/cpu/0/msr, is msr support enabled in your kernel?)
* Kernel support for IBRS: NO
* IBRS enabled for Kernel space: NO
* IBRS enabled for User space: NO
* Mitigation 2
* Kernel compiled with retpolines: UNKNOWN (couldn’t read your kernel configuration)
> STATUS: VULNERABLE (IBRS hardware + kernel support OR kernel with retpolines are needed to mitigate the vulnerability)

CVE-2017-5754 [rogue data cache load] aka ‘Meltdown’ aka ‘Variant 3’
* Kernel supports Page Table Isolation (PTI): UNKNOWN (couldn’t read your kernel configuration)
* PTI enabled and active: NO
> STATUS: VULNERABLE (PTI is needed to mitigate the vulnerability)

+1 for translating it in my native language (Italian). Please get in touch with directions if you’re interested.

Eben,
I followed this all the way up to the point where you did w_&0x100 to read only one bit from the cache.
Why do that? Why not just read the whole byte?

Thank you for taking the time and trouble to post this. It’s made my head hurt but no pain, no gain!

To CTSguy at 9th Jan 2018 at 2:11 am, thank you, that makes sense. As I understand you, all you have to do is insert into the kernel a call to executable malware stored somewhere in user-space. This can be done, for instance, by replacing in kernel-space a call to a bona fide program. Do I understand that correctly?

Such a hack is of course a lot easier than what I previously surmised, but it is still far from trivial. It requires more than JavaScript – I read somewhere that a hacking code could be written in JS.

Thanks, thats a good explanation.

I discussed with some colleagues today how such a bug could possibly be of use to hackers. Now I know a lot more.

It’s a lot like finding a buffer overflow in a program, allowing reading of memory you are not supposed to

For cloud computing, this is a very real issue. Or any multi-user environment (web hosting, schools, etc.)

But for the typical PC user, not so much, as there are plenty of easier attack vectors than the dribble of data from this. (emailed links, fake login screens, hacked downloads, social engineering, etc. etc.)

Spectre and Meltdown are not remote access vectors; an attacker must first deliver code to the victim. Javascript attacks are possible, but they would be active only as long as the javascript can execute. If the browser is closed or moved away from the attacker’s site, the attack stops.

If the attacker has a VM in an unpatched cloud provider, then the attacker can have unlimited time to look for usable data from other VMs on the same server.

Even if a Pi were vulnerable, the attacker would need remote access to the Pi. The easiest is to try “pi/raspberry”! If successful, they don’t need any other attack vector. Your Pi is PWNed! (change your Pi password!)

For a Spectre hack by JavaScript, see Sec. 4.1 of https://arxiv.org/pdf/1801.01203.pdf

The Spectre attack on a Cortex-A9 seems to be quite difficult. At least the example code which works fine on a PowerPC and Intel Core2 does not give any results on a Xilinx ZYNQ.

Great article and explanation!
Any idea how long it might take to “aquire” one MByte of Data?
Thomas

We’re not fooled for a minute, Eben – this most outstanding, lucid, informative post was written by Aphra and edited for technical accuracy by Mooncake and Liz, wasn’t it?

Greetings from Montana, where I’m off from teaching today due to a snow day following feet of fluffy white stuff falling the last couple of days. It’s hard to believe such a collection of quadrillions of every-one-unique crystalline structures can be both so beautiful and dad-burned impossible to drive through! The respite is needed so that I could catch up on my now roughly weekly perusal of the blog to see what’s happening in our wonderful community that you’ve all built.

Keep up the great work Eben and Liz … and, oh, yeah, with the Pi stuff, too!

This is how the vulnerabilities shall be explained. Even non-programmers (with a bit technical knowledge) should be able to understand relatively easily.

Thanks, great Explanation, although I didn’t understand all of it. But it is once again a great sign of how Raspi-People takes care for its community.

thanks for breaking this down to us. Well explained!

Also the Cortex-A53 and Cortex-A55 cores are NOT affected, b because those two processors cores don’t do out-of-order execution , btw Arm has also released Linux patches for all its processors.

I hope raspberry pi 4 will not have unsafe cpu.

Good read.

Thanks for the update. I came across an older paper while trying to understand spectre/meltdown and because one of the test devices was an ARM Cortex A53, I am eager to try and adapt its poc to a spectre like test on the Pi.

15.01.2018
I own an intructions set 8080. and 4 TEK 4/8 INMOS T 800 Transputer with Parallel c from logical systems. I wonder, that there are any forensic circumstancial after a Spectre attac ? BAD JAVA !

Thank you for writing this up – this is an excellent and clear explanation of why these two attacks depend on speculation. Keep up the great blog!

I may be no Raspberry PI devotee and therefore I find it difficult to join the praise chorus. I came here through a referral link, I read the thing carefully but the key questions still remain open:

1) may I understand why:
0 && 0x100 = 0x000
1 && 0x100 = 0x100
without having to read a massive academic treatise?

2) Shouldn’t an instruction issued by a user program to read into kernel memory be banned from execution regardless?

To me this page reads just like a sleek advertorial for the PI. You happened to choose processors without speculation, maybe you had to, possibly you regretted that choice thousand times in the last years; now it comes out that speculation is bad and -hooray!

http://developer.amd.com/wordpress/media/2013/12/Managing-Speculation-on-AMD-Processors.pdf

MITIGATION V2-1
Description:
Convert indirect branches into a “retpoline”. Retpoline sequences are a software construct which
allows indirect branches to be isolated from speculative execution. It uses properties of the return stack
buffer (RSB) to control speculation. The RSB can be filled with safe targets on entry to a privileged mode and
is per thread for SMT processors. So instead of
1:
jmp *[eax]
; jump to address pointed to by EAX2:
To this:
1:
call l5 ; keep return stack balanced
l2:
pause ; keep speculation to a minimum
3:
lfence
4:
jmp l2
l5:
add rsp, 8 ; assumes 64 bit stack
6:
push [eax] ; put true target on stack
7:
ret
and this 1: call *[eax]
;
WHITE PAPER:
SOFTWARE TECHNIQUES FOR MANAGING SPECULATION ON AMD PROCESSORS
6
MITIGATION V2-1
(CONTINUED)
To this:
1:
jmp l9
l2:
call l6
; keep return stack balanced
l3:
pause
4:
lfence
; keep speculation to a minimum
5:
jmp l3
l6:
add rsp, 8
; assumes 64 bit stack
7:
push [eax]
; put true target on stack
8:
ret
L9:
call l2
Effect:
This sequence controls the processor’s speculation to a safe known point. The performance impact
is likely greater than V2-2 but more portable across the x86 architecture. Care needs to be taken for use
outside of privileged mode where the RSB was not cleared on entry or the sequence can be interrupted.
AMD processors do not put RET based predictions in BTB type structures.
MITIGATION V2-2

THX

I’ve been digging in to this more, and have a super dumb question I can’t find an answer to online: does branch prediction on Cortex-A53 execute pre-fetched instructions or wait until it is known that the branch is correct (hence in-order execution)? I’m assuming from Eben’s explanation they are not, but I haven’t found the specifics of what happens in A53 branch prediction.

Thanks,
Bob

So, AMD CPUs are only affected by Specter.

But as I remember, in some comments of the dozens of threads that I read, the function affected by Specter can be disabled (and its disabled by default ). So, an AMD Cpu would have no problem unless you need that function.

Am I right?

Good, ARM has published some vulnerabilities on their processors:

https://developer.arm.com/support/security-update

Hey, where can I read the English version? Kidding, great post.

Why eighth bit? ..depending on the eighth bit of the result of the illegal read.. It could acquire whatever value…. Please can you describe?