Meltdown and Spectre - Anyone concerned?

#1 rein (Colonist; joined Oct 1, 2008; likes: 27; location: The Natural State)
I am sure most everyone has come across the news about both of these vulnerabilities recently coming to light. I read a rumored patch day for Microsoft might be the 9th.


Link: meltdownattack.com

Meltdown breaks the most fundamental isolation between user applications and the operating system. This attack allows a program to access the memory, and thus also the secrets, of other programs and the operating system.
If your computer has a vulnerable processor and runs an unpatched operating system, it is not safe to work with sensitive information without the chance of leaking the information. This applies both to personal computers as well as cloud infrastructure. Luckily, there are software patches against Meltdown.
Spectre breaks the isolation between different applications. It allows an attacker to trick error-free programs, which follow best practices, into leaking their secrets. In fact, the safety checks of said best practices actually increase the attack surface and may make applications more susceptible to Spectre.
Spectre is harder to exploit than Meltdown, but it is also harder to mitigate. However, it is possible to prevent specific known exploits based on Spectre through software patches.
Are these two of the biggest vulnerabilities ever? It is my understanding that this could take years to correct since it is a design flaw. With rumors of performance hits being in the 5-30% range after software patches, how much of an impact can we expect on the processor market? Since, so far at least, Meltdown does not seem to impact AMD chips, how much of an advantage do they gain?

Really though, bottom line, I am concerned how much it will impact my FPS once patched out. :cool:

* Seriously, for those in the know. What should we expect as far as security and performance hits in the real world?
 

#2 jpublic (Threadslayer; joined Sep 30, 2008; likes: 101; location: Toontown, Canuckia)
I wouldn't worry too much.

Both vulnerabilities require ludicrously precise timing, and frankly luck, to be effective. Most OS vendors already have a patch for Meltdown, and the performance impacts have been minimal except in very specific loads.

For Spectre, since the prime vector it could conceivably use is web browsers, browser developers have been implementing mitigation patches, like reducing the precision on JS.

I can say I wouldn't buy a new computer now. Wait until Intel and AMD come out with new processors that fix the issue.
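
Added illustration, not part of jpublic's post: a small model of the timer-precision reduction mentioned in post #2, counting how often a single timing sample can still tell a fast operation from a slow one once the clock is coarsened. The function names, the 50 ns and 250 ns durations and the resolutions are constructed for the example and are not any browser's actual values.

```javascript
// Added illustration; all numbers are constructed, not measured on real hardware.
// Times are integer nanoseconds so the arithmetic stays exact.

// What a script sees when the clock only advances every `resolutionNs`.
function coarseNow(trueNs, resolutionNs) {
  return Math.floor(trueNs / resolutionNs) * resolutionNs;
}

// Duration a script would compute for work that really took `workNs`,
// starting at true time `startNs`.
function observedDuration(startNs, workNs, resolutionNs) {
  return coarseNow(startNs + workNs, resolutionNs) - coarseNow(startNs, resolutionNs);
}

// Count the start times (0 .. windowNs-1) at which one timing sample gives
// different readings for a fast and a slow operation.
function countDistinguishable(fastNs, slowNs, resolutionNs, windowNs) {
  let differing = 0;
  for (let start = 0; start < windowNs; start++) {
    const fast = observedDuration(start, fastNs, resolutionNs);
    const slow = observedDuration(start, slowNs, resolutionNs);
    if (fast !== slow) differing++;
  }
  return differing;
}

const FAST_NS = 50;      // constructed "fast" operation
const SLOW_NS = 250;     // constructed "slow" operation
const WINDOW_NS = 20000; // start times examined

// Compare an exact clock with two coarsened ones (constructed resolutions).
for (const resolutionNs of [1, 5000, 20000]) {
  const n = countDistinguishable(FAST_NS, SLOW_NS, resolutionNs, WINDOW_NS);
  console.log(`resolution ${resolutionNs} ns: ${n}/${WINDOW_NS} samples differ`);
}
```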
 

#4 Mot Wakorb (47 Friendly Fires; joined Sep 30, 2008; likes: 54; location: 77 Sq. Mi surrounded by reality)
Yes, as I work in an enterprise environment and any performance loss has to be measured. I have 30 days to get my team going on benchmarking our tools against the patch. Not a fantastic time. We likely have some of those "specific loads" which makes my life even harder.

On a positive note, this is my chance in a leadership position, so that's nice.


 

#6 jpublic (Threadslayer; joined Sep 30, 2008; likes: 101; location: Toontown, Canuckia)
Mot Wakorb said:
> Yes, as I work in an enterprise environment and any performance loss has to be measured. I have 30 days to get my team going on benchmarking our tools against the patch. Not a fantastic time. We likely have some of those "specific loads" which makes my life even harder.
>
> On a positive note, this is my chance in a leadership position, so that's nice.

Yeah, unfortunately my work is in the same boat, as it seems the problematic workloads are related to virtualization. I'm going to have a fun time when I get back to work on Tuesday.
 

#7 jpublic (Threadslayer; joined Sep 30, 2008; likes: 101; location: Toontown, Canuckia)
> You say that 2 days after I got my new computer up and running...

Check your MB maker - if your machine is that new there's likely a BIOS update available to address the issue.

I'm screwed - I run a Z97M from ASUS and they're not updating the BIOS because it's too old.
 

#8 Mot Wakorb (47 Friendly Fires; joined Sep 30, 2008; likes: 54; location: 77 Sq. Mi surrounded by reality)
jpublic said:
> Yeah, unfortunately my work is in the same boat, as it seems the problematic workloads are related to virtualization. I'm going to have a fun time when I get back to work on Tuesday.


Depends on your hypervisor. VMware is affected by Spectre but not Meltdown, which is the one that causes performance issues. The guest OSes still can suffer post-patch of the guests themselves though.

Also starting to look like the biggest effect is high I/O, single-thread workloads.

