Thursday, January 04, 2018

Some notes on Meltdown/Spectre

I thought I'd write up some notes.

You don't have to worry if you patch. If you download the latest update from Microsoft, Apple, or Linux, then the problem is fixed for you and you don't have to worry. If you aren't up to date, then there's a lot of other nasties out there you should probably also be worrying about. I mention this because while this bug is big in the news, it's probably not news the average consumer needs to concern themselves with.

This will force a redesign of CPUs and operating systems. While not a big news item for consumers, it's huge in the geek world. We'll need to redesign operating systems and how CPUs are made.

Don't worry about the performance hit. Some, especially avid gamers, are concerned about the claims of "30%" performance reduction when applying the patch. That's only in some rare cases, so you shouldn't worry too much about it. As far as I can tell, 3D games aren't likely to see less than 1% performance degradation. If you imagine your game is suddenly slower after the patch, then something else broke it.

This wasn't foreseeable. A common cliche is that such bugs happen because people don't take security seriously, or that they are taking "shortcuts". That's not the case here. Speculative execution and timing issues with caches are inherent issues with CPU hardware. "Fixing" this would make CPUs run ten times slower. Thus, while we can tweek hardware going forward, the larger change will be in software.

There's no good way to disclose this. The cybersecurity industry has a process for coordinating the release of such bugs, which appears to have broken down. In truth, it didn't. Once Linus announced a security patch that would degrade performance of the Linux kernel, we knew the coming bug was going to be Big. Looking at the Linux patch, tracking backwards to the bug was only a matter of time. Hence, the release of this information was a bit sooner than some wanted. This is to be expected, and is nothing to be upset about.

It helps to have a name. Many are offended by the crassness of naming vulnerabilities and giving them logos. On the other hand, we are going to be talking about these bugs for the next decade. Having a recognizable name, rather than a hard-to-remember number, is useful.

Should I stop buying Intel? Intel has the worst of the bugs here. On the other hand, ARM and AMD alternatives have their own problems. Many want to deploy ARM servers in their data centers, but these are likely to expose bugs you don't see on x86 servers. The software fix, "page table isolation", seems to work, so there might not be anything to worry about. On the other hand, holding up purchases because of "fear" of this bug is a good way to squeeze price reductions out of your vendor. Conversely, later generation CPUs, "Haswell" and even "Skylake" seem to have the least performance degradation, so it might be time to upgrade older servers to newer processors.

Intel misleads. Intel has a press release that implies they are not impacted any worse than others. This is wrong: the "Meltdown" issue appears to apply only to Intel CPUs. I don't like such marketing crap, so I mention it.




Statements from companies:










12 comments:

ekasperc said...

As usual, thanks for your great work ! Nicely summarized !

Josh Strike said...

What happens when you set aside a bunch of address space to hold the kernel... other than slowing down most operations? I'm more concerned about applications crashing randomly because the places they're trying to address is getting overwritten in an unexpected way. I'm also skeptical about the "30%" average being high, because anyone using an i3 or i5 a few years old probably doesn't just have to upgrade their firmware...they need to upgrade their OS to a much later version, which is going to cause massive slowdowns. It's all fine to say gamers, emailers and web browsers don't have to worry... because the former mainly exercise their GPUs and the latter aren't power users. But the reality is that if CPUs take a 30% hit out of this, across the board, quality of life is going to decline for everyone. It already takes an eternity for Windows to settle down after you boot up. What I'd like to see is what kind of theoretical Javascript in a browser could actually overflow a buffer and screw the kernel up to the point someone can root it. If that's actually the thing that's going on here... maybe it's time to fix that in apps that execute JS, rather than rebuild the damn processor around it.

Andy T said...

Very useful summary, thanks. Is there a list / criteria anywhere from which vulnerable CPUs/chipsets can be determined? Thanks to the wonders of Linux, most of my core home systems are *well* over a decade old and still going strong, but a 30% reduction in peak capacity might change this...

Anonymous said...

I've asked some tech friends for links regarding the benchmark, because they told, that PostgreSQL team measured 7-17% degradation.

They replied with https://www.phoronix.com/scan.php?page=article&item=linux-more-x86pti&num=1 and https://www.phoronix.com/scan.php?page=article&item=linux-415-x86pti&num=2

rose williams said...

When people say hackers are not reliable I laugh at them aloud. I was introduced to a competent hacker. cyberhackez@gmail.com when I had marital issues with my husband, he help me hack into his facebook account. I couldn’t believe it when he did it in 4 hours. he is very good and trustworthy. He offer other facebook, whatsapp instagram hacks.I want to fully recommed cyberhackez@gmail.com for helping me. He saved my life literally, at least I owe him publicity

GreenReaper said...

Josh: The issue is now they have to switch back and forth between a kernel view and the user view, while previously they were shared. Imagine one of those bureaus where there's a desk inside - it takes time if you have to keep opening and shutting it.

If Windows is slow, the issue is likely to be the sheer amount of disk access. Actually a more modern Windows might help because they've spent a lot of time working on those problems, and also on making Windows itself smaller and more independent (so if you're not using X, you don't need the bits it relies on).

Specific workloads such as heavy database and network operations *are* impacted, and those of us responsible for those kinds of things are worrying about it, but most shouldn't worry too much beyond ensuring that their update is working.

Unknown said...

Are you tired of fake hackers? Here https://goo.gl/forms/DG3nRCxT7IvfwKVx2  #Reliablehackers #Hackers #hacking

Daniel Miessler said...

Great info as usual, Rob, but Apple's Ax chips are vulnerable to Meltdown as well. They're not Intel.

Matthew said...

"As far as I can tell, 3D games aren't likely to see less than 1% performance degradation." This is a double negative; I think you meant to say, "... are likely to see less than 1% performance degradation." Unless we are likely to see a more than 1% performance hit in 3d games?

phil lighbothe said...

Thanks very informative. But I know more steps. Visit my blog for more information.

Mike Sanders said...

Have you ever been curious of what your partner, kids or employees are up to? You can now intercept cell phones, boost credit scores and hack any website remotely. All you need to do is contact a verified hacker Helpline: +1 (347)-857-7580 Email: extremeinfiltrators@gmail.com

caroline hudderson said...

Do you suspect your spouse of cheating, are you being overly paranoid or seeing signs of infidelity… Then you're sure he's cheating, I was in that exact same position when I was referred to brian through my best friend Ella, who helped me hack into my boyfriend’s phone activities remotely, he helped me clone my boyfriend’s phone and I got first-hand information from his phone. Now I get all his incoming and outgoing text messages, emails, call logs, web browsing history, photos and videos, instant messengers(Facebook, Whatsapp, bbm, IG, Viber, etc), GPS locations, phone tap to get live transmissions on all phone conversations...if you're in need of such services contact him via address below...
E-mail...brianhackwizard@gmail.com
Text no: +1(571)-286-5929.
Whatsapp no:+1(628)-203-5734.