Meltdown and Spectre: The Pain Has Only Just Begun


Donald G. Carder

Ars Technica has published an excellent in-depth article detailing how the upcoming software and hardware patches designed to deal with the Meltdown and Spectre vulnerabilities will likely have a negative impact on computer performance.

To recap: modern high-performance processors perform what is called speculative execution. They will make assumptions about which way branches in the code are taken and speculatively compute results accordingly. If they guess correctly, they win some extra performance; if they guess wrong, they throw away their speculatively calculated results. This is meant to be transparent to programs, but it turns out that this speculation slightly changes the state of the processor. These small changes can be measured, disclosing information about the data and instructions that were used speculatively.

For Meltdown, the fix involves changing the way a system’s memory tables are shared. The kernel, which formerly used a single table shared among all application processes, now uses a split table, with the kernel’s portion available only while the kernel itself is actively running. This prevents an attacker from reading memory outside a process’s boundaries, but re-introduces the performance cost that chip designers were seeking to avoid in the first place.

The good news is that, for most users with newer computers, the slowdowns re-introduced will likely be minimal, with Microsoft reporting an average performance hit of “a few percentage points” during average daily tasks such as reading email, typing documents, and web browsing. Unfortunately, applications that make numerous calls into the kernel’s memory space, or that write heavily to the system’s hard drive – such as databases – will likely see data transfer rates slow by as much as 30%. Virtualized systems get hit twice as hard, as they not only have to switch between shared memory tables but also between shared kernel spaces, meaning there is an exponential number of calls in play, all of which will contribute to slower loads and performance declines in proportion to the number of virtual machines active.

For Spectre, the problem is more application-related, with web browsers being the primary vector of attack via a poisoned bit of JavaScript. Some developers are testing an option that radically alters the way memory tables are referenced by obfuscating the ID numbers of the tables being called. While the initial results of these experiments show a performance drop in the 3% range, it is expected this will be a minor and acceptable trade-off for a safer browsing experience.

But again, the solutions outlined above primarily benefit newer processors. Older CPUs (all too common in the non-profit sector), or machines that make heavy use of I/O-intensive processes such as database or server applications, are going to be hit much harder, with some experts suggesting system speeds may be reduced by as much as 40% under certain conditions. And there is also the question of whether these systems will even be updated: many hardware manufacturers are loath to support components they consider beyond “end-of-life”, and may choose to simply ignore the needs of customers, effectively forcing them to “upgrade or die”. Should that become the case, a great many firms may find themselves in sudden need of a capital expense they never saw coming.
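Two practical follow-ups to the points above are worth having as a script: confirming whether a given machine actually received the Meltdown/Spectre mitigations (the “will these systems even be updated” question), and measuring the per-syscall cost that the split kernel memory table adds, since that is what hurts the database and I/O-heavy workloads described. The example below is an added illustration, not code from the original post or from Ars Technica. It assumes a Linux kernel that exposes the `/sys/devices/system/cpu/vulnerabilities/` directory (present since 4.15); when that directory is absent, the parser runs against a constructed sample so the script still works offline.

```python
"""Report Meltdown/Spectre mitigation status and measure syscall round-trip cost.

Added example, not part of the original post. Assumes a Linux host with
/sys/devices/system/cpu/vulnerabilities/ (kernel 4.15 and later); on any
other system the parser is exercised with the constructed sample below.
"""
import os
import time
from pathlib import Path

VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample of what the sysfs files look like on a partially patched
# host. Used only when the real directory is unavailable.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "l1tf": "Not affected",
}


def classify(status: str) -> str:
    """Map one sysfs status line to mitigated / vulnerable / not_affected / unknown.

    The kernel's own convention is a fixed prefix followed by free text, so
    only the prefix is inspected.
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_status(vuln_dir: Path = VULN_DIR) -> dict:
    """Read every status file under vuln_dir; fall back to the constructed sample."""
    if vuln_dir.is_dir():
        return {
            p.name: p.read_text().strip()
            for p in sorted(vuln_dir.iterdir())
            if p.is_file()
        }
    return dict(SAMPLE_STATUS)


def summarize(status: dict) -> dict:
    """Classify each vulnerability entry."""
    return {name: classify(line) for name, line in status.items()}


def unmitigated(summary: dict) -> list:
    """Names of entries the kernel itself reports as still vulnerable."""
    return sorted(name for name, cls in summary.items() if cls == "vulnerable")


def syscall_cost_ns(iterations: int = 200_000) -> float:
    """Average wall-clock cost, in nanoseconds, of one cheap syscall.

    The page-table isolation that fixes Meltdown adds an address-space switch
    on every kernel entry and exit, so this figure is what rises on a patched
    kernel. getppid() is used because glibc historically cached getpid(),
    which would hide the kernel round trip. The number includes Python's own
    call overhead, so compare runs against each other rather than reading it
    as an absolute syscall latency.
    """
    start = time.perf_counter_ns()
    for _ in range(iterations):
        os.getppid()
    return (time.perf_counter_ns() - start) / iterations


if __name__ == "__main__":
    summary = summarize(read_status())
    for name, cls in summary.items():
        print(f"{name:12s} {cls}")
    still_open = unmitigated(summary)
    print("still vulnerable:", ", ".join(still_open) if still_open else "none")
    print(f"approx. syscall round trip: {syscall_cost_ns():.0f} ns")
```

Running the script on two otherwise identical hosts, one booted normally and one booted with the kernel’s `pti=off` parameter, shows the syscall overhead the post is describing; the mitigation report is the quicker way to answer whether a vendor-abandoned machine was ever patched at all.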

The full article can be found here:
