My office implemented both Meltdown and Spectre patches over the weekend…
In the previous weeks, both the Meltdown and Spectre processor vulnerabilities have been making a great deal of news. At my office – a financial firm – a Windows shop running Windows 7 (like most of the business world), implemented Windows based patches this past weekend. The results, especially in some of our older hardware, haven’t been very good. Thankfully, those machines are non-critical, non-business systems: For example, those that are used to display presentations in a conference room during a meeting. Unfortunately, the performance on those machines is atrocious. They are nearly unusable.
To understand what’s going on with those machines and why they now suck beyond all relief, we have to understand what the vulnerabilities are and what’s needed to patch both of them.
Meltdown effects both x86 and ARM based microprocessors and allows rogue processes read all memory, even if unauthorized to do so. Meltdown effects nearly ALL processors used today. Resolution of this vulnerability will require a hardware revision, or effectively a new processor. For most computers – laptops especially – this isn’t likely to happen. Replacing a laptop’s microprocessor is expensive, and is likely not possible, as it would also require new system boards and supporting chipsets.
The only way to resolve this vulnerability is to come up with some level of operating system patch. Most of the operating systems used today have been, or are in the process of being, patched, including iOS, Linux, macOS and Windows.
Unfortunately, Meltdown patches are likely to cause performance issues, especially in older machines. The vulnerability makes all memory, including cache memory accessible. The patch works by constantly flushing the cache, making the computer work harder to put information back into it, where it can be read quickly. Unfortunately, since the cache is constantly being flushed, the computer is often forced to read it back into memory from the hard drive, slowing things down. In some cases, this happens far too often, forcing your computer’s hardware to fight against its operating system, putting it into a constant read loop. By the time the drive has read ahead enough information, its likely had the cache flushed, requiring it to start over again.
Spectre is a vulnerability that effects modern processors that perform branch prediction, or a way to predetermine possible execution outcomes allowing for speed of computations and actions. When the computer doesn’t predict where “you’re going” correctly, your computer may leave observable side effects that may reveal private data to hackers. For example, if the pattern of memory accesses performed by such speculative execution depends on private data, the resulting state of the data cache constitutes a side channel through which an attacker may be able to extract information about the private data using a timing attack.
Unfortunately, Spectre patches are also known to cause performance issues; and they have been reported to significantly slow down a PC’s performance, especially, again, on older computers. On newer, 8th generation Intel processors, performance has been known to take a 2% to 14% hit.
With both of these patches on your machine, your current computing experience is likely totally hosed, no matter what generation processor you have or how much computing power you possess.
For example, if you do anything with any kind of video, you’re going to have an especially hard time. Patches for both of these vulnerabilities are likely to result in a performance hit of anywhere between 10% to as much as 50%. As a result, graphic and video renders can take up to twice as long to complete, if they don’t just crash your machine.
It has also been suggested that the cost of mitigation can be alleviated by processors which feature selective translation lookaside buffer (TLB) flushing, a feature which is called process-context identifier (PCID) under Intel 64 architecture; and under Alpha, an address space number (ASN). This is because selective flushing enables the TLB behavior crucial to the exploit to be isolated across processes, without constantly flushing the entire TLB – the primary reason for the cost of mitigation.
Personally, I haven’t seen much of a slow down on my Late 2013 MacBook Pro. Thankfully, I seem to be falling somewhere in the 2% to 14% performance hit. How things go from here, however will help me decide if I stay with this Mac or wait until Apple releases a new Mac with a new processor that doesn’t fall victim to this nasty issue.
What happened to you and your computer? Do you have an older machine? Have you installed the patches? Are you experiencing a performance hit that you’d like to reveal or discuss with someone?
If so, give me a shout and let me know where you stand. You can find me in the Discussion are a below or you can send me an email.
The post The Day After the [Patches] Before appeared first on Soft32 Blog.