pasUNITY Mitigation of Spectre and Meltdown

Written By Gary Fletcher

UPDATE: Last modified on 1/17/2018 12:19:04 PM

The IT world is buzzing right now about a very serious new set of security vulnerabilities that affect nearly every computer produced in the past 20 years. The vulnerabilities (known collectively as Meltdown and Spectre) exploit design flaws in CPUs from the major chip makers, including Intel, AMD, ARM, NVidia, and others.

What makes this any different from any other security vulnerability?

Unlike most security vulnerabilities, this one exists in the hardware, not in the operating systems and application software. To combat this type of vulnerability, software essentially has to be rearchitected to avoid using the hardware features that are known to be at risk.

Who is affected?

Almost everyone is affected. The affected CPUs go back to 1995, and they power nearly every server, laptop, tablet, gaming console, and smartphone in use today. It doesn't matter whether you are working on a Dell laptop or an Apple iPad: you are affected.

What is being done about it?

Patches are being released as a combination of firmware updates from hardware vendors and operating system patches from the software vendors. Every major operating system in existence today, from Windows to Linux to Android to iOS, has already started releasing updates. Keep in mind that the error was not in the operating systems, but it is nevertheless incumbent on the OS vendors to mitigate the problem, as the only alternative would be to replace the physical CPUs in all those devices, and, let's face it, that is not a practical option.

What is the impact?

The OS vendors are issuing patches that work around these vulnerable CPU features, but that means that, because they can no longer take advantage of the streamlined CPU core instructions, they essentially have to work around them in software. No matter how efficient these patches are, they will never come close to the efficiency of the CPU's native hardware instructions themselves. As a result, all systems that are patched WILL display degraded performance. Current benchmarks are showing this slowdown to be about 10% to 30% over unpatched workloads. The good news for those of you with newer hardware and operating systems is that you should feel the impact the least. For example, modern Dell servers with Skylake CPUs running Windows Server 2016 would be far less impacted than similar machines from only a few years ago running Windows Server 2012. Not everyone can be patched, however. The reason is that many third-party anti-virus applications are reacting adversely to the new patches, and this has led to reports of system crashes and unexpected restarts, among other issues. For this reason it is important to ensure that anti-virus software is updated prior to the operating system.

What is pasUNITY doing to protect customers and mitigate the vulnerabilities?

We are taking a number of steps to protect customers. First, we are aggressively testing and rolling out both the firmware and the operating system patches to all of our affected machines as quickly and safely as we can. To date we have patched ALL of our virtualization infrastructure with the latest operating system patches released by Microsoft for Windows 2008 through Windows 2016, to ensure that all customer application code is running in a safe environment. Second, to mitigate the expected decrease in performance, we are upping the baseline CPU core count on many of our virtual machines from four to eight. What this does is provide customer environments with additional parallel processing capability. As a result, many of our customers may actually experience a net gain in performance. Third, we are continuing to test and apply new firmware and software updates as they are released and can be safely tested in a lab environment. Finally, we will be awaiting the release of new CPUs unaffected by these vulnerabilities, at which time we will refresh our current server environment with new hardware that does not require these operating system workarounds and will be able to obtain an even greater performance benchmark than we have today.

Is there anything that I need to do?

Yes.  Make sure that your personal devices are patched appropriately.  Talk to your IT department to make sure that they are on top of this to protect your organization.  And remain vigilant.
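On a Windows machine, "patched appropriately" means the OS mitigations are not just installed but actually active; a missing update, an anti-virus compatibility block, or a policy setting can leave them installed but switched off. The script below is an added example and is not pasUNITY's code. It assumes Microsoft's SpeculationControl module from the PowerShell Gallery, which provides the Get-SpeculationControlSettings cmdlet; it walks every property that cmdlet returns rather than hard-coding names, and it skips the KVAShadow (Meltdown workaround) flags on CPUs where the module reports that kernel VA shadowing is not required.

```powershell
# Added example (not pasUNITY's code): verify that the Windows Spectre/Meltdown
# mitigations delivered by the OS patches are actually active on this machine.
# Assumes Microsoft's "SpeculationControl" module from the PowerShell Gallery,
# which exposes Get-SpeculationControlSettings. Run from an elevated PowerShell.

if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module -Name SpeculationControl

# The cmdlet prints a human-readable summary and returns an object whose
# properties describe hardware support and OS support/enablement per mitigation.
$settings = Get-SpeculationControlSettings

# Walk every property rather than hard-coding names, so the check keeps working
# with newer module versions that report additional mitigations.
$settings.PSObject.Properties |
    Select-Object -Property Name, Value |
    Format-Table -AutoSize

# A "...SupportEnabled" flag of $false means the OS knows about a mitigation but
# it is not active (update missing, blocked by an anti-virus compatibility
# check, or disabled by policy).
$notActive = $settings.PSObject.Properties | Where-Object {
    $_.Name -like '*SupportEnabled' -and $_.Value -eq $false
}

# Edge case: on CPUs where kernel VA shadowing (the Meltdown workaround) is not
# required, the module reports KVAShadowRequired = $false and the related
# "enabled" flags stay $false legitimately; do not count those as findings.
if ($settings.PSObject.Properties['KVAShadowRequired'] -and -not $settings.KVAShadowRequired) {
    $notActive = $notActive | Where-Object { $_.Name -notlike 'KVAShadow*' }
}

if ($notActive) {
    Write-Warning ("Mitigations reported but not active: " + ($notActive.Name -join ', '))
    exit 1
}
else {
    Write-Host "All mitigations this OS build reports are enabled."
    exit 0
}
```

The non-zero exit code makes the script usable from a scheduled task or a monitoring agent, so a machine whose mitigations silently turn off (for example after an anti-virus product blocks the update) shows up as a failure rather than being assumed patched.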

Where can I learn more?

The Meltdown and Spectre vulnerabilities are widely documented on a number of popular sites, but let us recommend this article from the Microsoft Security team, which solidly addresses the impact on Windows operating systems, and this list of resources from major hardware vendors where firmware updates can be obtained.
