Don’t Melt Down Over the Meltdown and Spectre Flaws

This is a quick take based on reading others’ work, but unless you’re a datacenter operator, there is really no need to go into a full-bore panic and scrap your plans in the wake of the newly disclosed hardwired flaws in Intel and other CPUs.

Many sources in the media, and plain old word of mouth between concerned users, have run, I think, a little bit wild with the worst-case impact metrics and risk assessment. On a single-user endpoint in your own possession handling typical desktop workloads, the security risk and performance impact should both be negligible. If you are an operator of shared infrastructure or hosting the heaviest of I/O workloads, then you likely have some capacity issues to deal with right now. But that’s far-flung for most of you.

Meltdown

Here is a verbatim dump of an exchange with a colleague I had today, to try to shed some color on the situation for those who are trying to gauge the impact and/or interested in the technical details:

Q: With the Meltdown flaw announced yesterday, should I cancel my new computer purchase, wait for the flaw to be patched, look at new benchmark results, then determine what chip I should get? Is it possible the i7 might not be the best chip to get after it is patched?

No, you should not change your course. A few points to shed some color on that:

– The underlying nature of the flaws, first of all, is that a rogue process can snoop on the timing of speculative execution branches in the CPU to guess at values it shouldn’t have access to, like a protected real memory address of a process it doesn’t have privileges to. That can then be used to mount other attacks on that process’ memory contents. Meltdown is the specific leveraging of this technique to snoop at kernel page tables on Intel chips, which is where the kernel keeps track of virtual memory mapping for processes. Spectre is the more general application of this technique on any chip that does speculative execution, which means all modern chips, for arbitrary purposes, use cases of which have not yet been fully defined.

– A workaround for the Meltdown security flaw using the enabling of the already existing but optional kernel page table isolation has already been implemented in software in OSes. The Microsoft monthly January releases next Tuesday will deliver the fix to Windows systems. There is some performance impact but it varies greatly by workload and chip model.

– The performance impact is being overblown in media. The most impacted cases will be heavy server workloads, especially hypervisors and database servers where there is constant I/O and context switching. The worst-case benchmark performance impact being measured there is on the order of 30%. However, that is not the impact you will experience as a desktop user. There it is maybe more like 2%. The media and Wall Street guys looking to short chip makers of course take the 30% number and run with it. There is also less measured performance impact on Sandy Bridge (circa 2012) and newer (so obviously anything you’d get now) chips because they implement a feature called process context ID.

– The more general Spectre security flaw is not possible to be worked around; it is a hard defect in chips without a software countermeasure available. It will be present in chips for the next 5-10 years before they fully work it out of the pipeline. They are going to have to hardwire new features into chips to block the snooping on timing of speculative execution branches in the way that has been discovered possible. You can’t buy a different chip to avoid this, not now.

– The risk of disclosure is on multiuser systems where users do not trust one another, like in a server farm of virtualized private servers (where a rogue guest VM could mount attacks against the hypervisor CPU), or a host where many shell users share CPU. Obviously, there is no memory disclosure risk when you are on a solitary desktop. It is, in fact, possible to disable the newly enabled kernel page table isolation switch with kernel flags if you are so inclined.
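
A defender-side check for the points in the exchange above (whether kernel page table isolation is active, whether it was switched off with a kernel flag, and whether the CPU has process context IDs), added here as an example that is not part of the original post or exchange. It assumes a Linux host: the sysfs file, the `nopti` / `pti=off` / `mitigations=off` parameters and the `pcid` / `invpcid` flag names are Linux kernel interfaces the post itself does not name, and the sample inputs are constructed.

```python
import re
from pathlib import Path
from typing import Optional

# Constructed sample inputs, not captured from a real machine.
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme pcid sse4_2 invpcid\n"
SAMPLE_CMDLINE = "BOOT_IMAGE=/vmlinuz root=/dev/sda1 ro quiet nopti"
SAMPLE_SYSFS = "Vulnerable\n"

# Assumption: Linux boot parameters that turn page table isolation off.
PTI_OFF_PARAMS = {"nopti", "pti=off", "mitigations=off"}


def assess(cpuinfo: str, cmdline: str, sysfs_meltdown: Optional[str]) -> dict:
    """Summarise Meltdown/KPTI state from the text of three kernel interfaces."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo, re.MULTILINE)
    flags = set(m.group(1).split()) if m else set()
    status = (sysfs_meltdown or "").strip()
    if status.startswith("Mitigation"):
        state = "mitigated"
    elif status.startswith("Not affected"):
        state = "not affected"
    elif status.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"  # file missing: kernel predates the sysfs report
    return {
        "state": state,
        "pti_disabled_on_cmdline": bool(PTI_OFF_PARAMS & set(cmdline.split())),
        "pcid": "pcid" in flags,  # lowers the context-switch cost of KPTI
        "invpcid": "invpcid" in flags,
    }


def read_text(path: str) -> Optional[str]:
    """Return the file's text, or None if it is absent or unreadable."""
    try:
        return Path(path).read_text()
    except OSError:
        return None


if __name__ == "__main__":
    print(assess(
        read_text("/proc/cpuinfo") or "",
        read_text("/proc/cmdline") or "",
        read_text("/sys/devices/system/cpu/vulnerabilities/meltdown"),
    ))
```

A result of `vulnerable` together with `pti_disabled_on_cmdline: True` means the isolation was turned off deliberately at boot, which is worth flagging on any host that is shared between users or guests.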

Resources

Ars Technica: “Meltdown” and “Spectre”: Every modern processor has unfixable security flaws

Phoronix: Further Analyzing The Intel CPU “x86 PTI Issue” On More Systems

Wikipedia: Speculative execution

Wikipedia: Kernel page-table isolation

Wikipedia: Context switch
