Getting a Handle on Meltdown Update Impact, Stay Tuned for Spectre

When news broke on Meltdown and Spectre ahead of the original disclosure plan, word spread like wildfire and it was hard to separate fact from speculation. One commonly repeated claim was that the fix would slow down computers by up to 30% for some workloads. A report released by Microsoft today says that “average users” with post-2015 hardware won’t notice the difference. Without getting into specific numbers, they mention that they expect folks running pre-2015 hardware to experience noticeable slowdowns with the patches applied.

The impact of the Meltdown updates is easier to categorize: they slow down the transition from a user’s application-level code to system-level kernel code. The good news: such transitions were already a performance killjoy before Meltdown came along. There exists an extensive collection of tools (design patterns, libraries, and APIs) to help software developers reduce the number of user-kernel transitions.

Performance-sensitive code that was already written to minimize kernel transitions will suffer very little from Meltdown updates. This includes most games and mainstream applications. The updates will have a greater impact on the minority of applications that frequently jump between kernel and user worlds. Antivirus software (with its own problems) has reasons to do so, and will probably end up causing most of the slowdowns seen by normal users.
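
An added example (not code from the original article or its commenters) that makes this measurable: it writes the same payload to /dev/null with one write() per record and then in batches, returning the number of user-to-kernel transitions and the elapsed time. The function name `write_records`, the 64-byte record size and the batch sizes are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts); /* served via vDSO on typical Linux x86_64 */
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Write `records` records of `rec_len` bytes to /dev/null, coalescing up to
 * `batch` records into each write(). Returns the number of write() syscalls
 * issued (-1 on error) and stores the elapsed time in *elapsed_ns. */
long write_records(long records, size_t rec_len, long batch, uint64_t *elapsed_ns) {
    static char buf[65536];
    if (batch < 1 || rec_len == 0 || rec_len > sizeof buf / (size_t)batch) return -1;
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0) return -1;
    memset(buf, 'x', sizeof buf);
    long syscalls = 0;
    uint64_t start = now_ns();
    for (long done = 0; done < records; ) {
        long n = records - done < batch ? records - done : batch;
        if (write(fd, buf, rec_len * (size_t)n) < 0) { close(fd); return -1; }
        syscalls++;            /* one user->kernel->user round trip */
        done += n;
    }
    *elapsed_ns = now_ns() - start;
    close(fd);
    return syscalls;
}

int main(void) {
    const long records = 1000000;   /* constructed workload size */
    const long batches[] = {1, 16, 256};
    for (size_t i = 0; i < sizeof batches / sizeof batches[0]; i++) {
        uint64_t ns = 0;
        long calls = write_records(records, 64, batches[i], &ns);
        if (calls < 0) { perror("write_records"); return 1; }
        printf("batch=%3ld  write() calls=%7ld  total=%8.2f ms  per call=%6.0f ns\n",
               batches[i], calls, ns / 1e6, (double)ns / (double)calls);
    }
    return 0;
}
```

Run it on the same machine before and after the kernel update: the per-call figure at batch=1 approximates the cost of one transition, and the larger batch sizes show how much of that cost is amortized when the same bytes cross the boundary in fewer calls.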

Servers, with their extensive disk and networking IO — and thus kernel usage — are going to have a much worse time, even as seen through Microsoft’s rosy spectacles. So much so that Microsoft is recommending that admins “balance the security versus performance tradeoff for your environment”.

The impact of the Spectre updates is harder to pin down. Speculative execution and caching are too important in modern CPUs to “just” turn off. The fixes will be more complex and we’ll have to wait for them to roll out (bumps and all) before we have a better picture.

The effects might end up being negligible as some tech titans are currently saying, and that probably will fit your experience, unless you’re running a server farm. But even if they’re wrong, you’ll still be comfortably faster than an Intel 486 or a Raspberry Pi.

Do any of you have numbers yet?

[via The Verge]

 

31 thoughts on “Getting a Handle on Meltdown Update Impact, Stay Tuned for Spectre”

  1. “it was hard to separate fact from speculation”
    LOL – the pun was the first thing I noticed.

    I really don’t think speculative execution is going anywhere soon – Intel and other companies are trying to stretch their performance as far as possible. Some people seem to think that these bugs were caused by speculative execution. They are NOT – they have to do with poor management of the TLB.

    1. The TLB has absolutely nothing to do with Spectre and essentially nothing to do with Meltdown.

      Intel doesn’t check the permission (that is probably stored in the TLB cache) before letting a program read data.

      There isn’t a problem with the TLB or the management of that – it’s in Intel thinking bypassing the protection mechanism was okay under some circumstances. They don’t think that anymore.

  2. So I’ve read a bunch of articles that carried on about the direness of the situation but I haven’t yet found a single article explaining HOW it attacks my devices? Malware? Evil code on a webpage? Should I not copy that floppy?

    1. Currently none of the above, and potentially all of the above. The malicious bit is that any user space code can be used to read out non user space data, like passwords and other things that can be used to increase control over the system. The method cannot be used to directly alter data, but it can read data that was never supposed to be read that way. Something that was deemed to be mundane is now suddenly turning out to be very dangerous.

      Code running user side on a website would be a potential vector, but as you can imagine, there’s an almost infinite number of ways this can be exploited. There’s also some fear there are sides to the vulnerabilities that haven’t been discovered yet.

      1. Two questions:
        1. Can this be used to read all of memory space, or is limited to only cache, or memory used by kernel?
        2. How can the attacker tell that this piece of data is my super-secret password, that one is private key, and another memory location holds only some data for driver for serial/parallel card I have installed?

        1. 1- Meltdown exposes all the physical memory without patches, so kernel/user space. Spectre can also leak both, but is incredibly harder to exploit.
          2- The attacker knows your binary, so can know where to look. In the kernel there is ASLR, which mitigates this issue, but it only slows down the attack and can be defeated. Having your own compiled distro (Gentoo etc…) can help a little more but it’s still obfuscation, not protection.

      2. As far as the potential for using JavaScript in browsers to actually pull this off, I’m very skeptical on the practical viability of this attack vector. It seems that even with having local access to the machine, the exploits need to be tailored for the target machine to work, like specific timings regarding the CPU and memory and also the abstraction layers it runs on.

        With browsers now defusing this extremely difficult vector with simple alterations to the timer functionality, the web angle attack seems rather far-fetched as a practical exploit. Even for the minority of old machines that have reached their maximum updates, of which I have a few, it would seem that without actually knowing the exact type of machine, memory, OS version and browser type and version, a successful targeted attack would be highly unlikely. Even more unlikely would be a usable yield of secure data from the exploit.

        I think that this will turn out to be an interesting academic case study in the future, nothing less.

        1. So this weakness is like an unlocked file cabinet, among 500 other file cabinets, in a locked room among 500 other locked rooms in a building with pretty tight security to begin with?
          Basically us normies have little to worry about? This is a BFD as far as hardware architecture but not something your every day Facebook addict needs to even know about?

    2. In a nutshell, they basically have to get into your machine by some other means… then they can apply Meltdown/Spectre to read information.

      The biggest risk is to public virtual machine hosts. Suppose I knew you had a virtual machine hosted with DodgyVMsInc that VPNs back into your network … and so I hired a virtual machine instance, managing to score an allocation on the same host as yours. I then perform an attack of my own instance via Spectre/Meltdown… and suppose it leaks the memory that stores your virtual machine’s private VPN key.

      Now I can log into your network, impersonating that VM.

  3. “Servers, with their extensive disk and networking IO — and thus kernel usage — are going to have a much worse time, even as seen through Microsoft’s rosy spectacles. ”

    Since there are a lot of co-processors in a modern computer, wonder how much can they lessen the impact?

  4. The “average user” has overkill hardware-wise compared to the little Facebook games they play, or tweets they check. Dedicated gaming rigs made to play at the edge of their capabilities will suffer big time from this shit.

    1. Games by both their nature and design don’t make a lot of kernel calls. They won’t suffer a lot, certainly not as much as hypervisors, database and I/O operations, which is basically what a server does. Gaming good, server bad, pretty much.

  5. OK, how about someone recreating either Meltdown, or Spectre in a simulator (pick any one easily accessible). It should at very least show just how good the simulator is.

      1. Nobody said “not a hack”.

        Nobody said this isn’t interesting.

        Nobody said you couldn’t try to bring up those exploits in every little story even if not even tangentially related.

        Somebody asked WHY you try bringing it up in every little story even if not tangentially related.

  6. Just upgraded every Kernel on the LAN here, servers and desktops, no slowdown observed at all so far, if anything the machines are more responsive. Need to try a big transfer between servers via ssh to be sure though.

  7. It is so weird – bitcoin price jumped sky-high since May….June 2017 when information about Intel Management Engine and Speculative Fetch/Execution/cache modifiers started to surface – at the same time with first coordinated ransomware cyber-attacks.
    Instead making things work, experts went through so much trouble giving ridiculous names for some malfunctions.

    How about replacing that full-of-bugs MINIX blob inside CPUs with some open-source stuff such as Linux or BSD? I bet the community will come with a solution within one week since release.

    How about HDDs, videocards, network cards, all of these have microcontrollers and firmwares, are they perfect? No errors, no flaws?

    It is all about the money and we are talking about old habits in the elite league. Let’s not forget some huge computer company used to tattoo serial numbers on some people’s hands in order to identify them in the concentration camps of the 1940s.

    All of these are coordinated attacks with final goal to steal all btc and maybe fiat currencies from the market.

    1. “How about replacing that full-of-bugs MINIX blob inside CPUs with some open-source stuff such as Linux or BSD? I bet the community will come with a solution within one week since release.”

      Yeah, because replacing something designed by few people and tailored to perform specific tasks with big piece of bloatware designed by committee is a better solution. And in next few years there would be dozens of different flavors of MINIX replacements for CPUs, each one different from others and none with good support or everything working…

      “How about HDDs, videocards, network cards, all of these have microcontrollers and firmwares, are they perfect? No errors, no flaws?”

      If device permits a firmware update, it could be reprogrammed by malware, if it could gain access to the device’s update routine. If the update is not an option, the microcontroller has fusebits set to prevent reading the firmware, and writing new one would require physical access to the device and some kind of in circuit programmer…

  8. I tried doing a simple benchmark to see the performance hit of a trivial call into the kernel (writing to /dev/null).
    Code is here (https://pastebin.com/5qacGA17), note that the high_resolution_clock::now() calls were profiled with strace and do not cause calls into the kernel, so the only syscall being profiled is the write().
    On Ubuntu here is the result:

    Linux 4.4.0-104-generic #127-Ubuntu SMP Mon Dec 11 12:16:42 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

    min=91 ns
    avg=101 ns

    Linux 4.4.0-108-generic #131-Ubuntu SMP Sun Jan 7 14:34:49 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

    min=265 ns
    avg=283 ns

    So the patch increases the overhead of kernel calls roughly 3 times. Obviously for nontrivial calls the overhead will be lower, and applications aren’t calling the kernel all the time so the impact will be even lower, but the effect of the patch is there.

  9. Get ready for the big KILL.
    I bet these patches are going to kill more computers than they fix.
    Do your backup now. Especially if you are on Windows 10.
    One morning you are going to get out of bed and go to your computer and turn it on and have the nice Blue screen or a reboot after reboot.
    Good morning to you!!!
    And say Thank-you

  10. It’s IT Doomsday…On January 1st 2000 all computers are going to crash simultaneously because of a BIOS date problem and society will come to a standstill as we know it.

    Oops, that crisis already came and went. What’s this current crisis called again? Maybe Apple will sell us a “low cost” battery replacement as a fix to their software slowing the OS down for older devices on purpose…

    1. “On January 1st 2000 all computers are going to crash simultaneously because of a BIOS date problem and society will come to a standstill as we know it.”

      Has it ever occurred to you that maybe all the computers didn’t crash exactly because people spent a lot of resources trying to prevent that from happening?
