Vendors are still issuing patches and starting to think about optimizations for them after last week’s disclosure of one of the largest security flaws ever to hit microprocessors. Meltdown and Spectre provided the latest painful lesson about the nature of what’s known in the security world as common vulnerabilities and exposures (CVEs).
The U.S. maintains what aims to be an authoritative list of CVEs. As of this writing it included a whopping 94,971 entries.
Vendors typically assign teams to keep up with the flow of new hacks and patches for them. But few are as broad as Meltdown and Spectre, which affect microprocessors that support speculative execution. The technique is used widely in high-end chips shipped over the last several years from companies including AMD, ARM, Apple, IBM, Intel, Oracle and others.
Reuters reported about 5 percent of the 120 billion chips ARM has shipped to date may be affected by Spectre, but fewer would be susceptible to Meltdown. Intel and AMD have not disclosed how many of their chips are affected, but AMD said its chips are not affected by Meltdown.
The flaw Google researchers found last summer involved a way sophisticated hackers with intimate access to a system could use speculative execution to access data in cache — including encryption keys.
There’s nothing intrinsically wrong with speculative execution, a crucial technique for microprocessor performance. So, chip vendors are issuing patches for the cache-data leak and will close the hole in future CPUs, said Linley Gwennap, principal of the Linley Group.
Gwennap praised vendors for collaborating on an effort in which many have issued most of the patches their products need. Thankfully, there are no reports of anyone using the vulnerabilities maliciously to date.
However, not all affected products have patches yet, and existing patches in some cases are creating performance issues.
To date, AMD, Apple, ARM, Google, IBM, Intel and Microsoft are among vendors who have released details about their patches. So far, Cavium, Oracle and Qualcomm are among those who have not issued specific statements about Meltdown/Spectre.
Nvidia is a special case. GPUs do not use speculative execution, said Jon Peddie, principal of Jon Peddie Research. However, Nvidia issued patches for its ARM-based chips and for its GPU drivers that run on host CPUs.
Initially vendors said the patches would have minimal impact, typically below a 5 percent performance hit. Red Hat found 8-19 percent performance degradations on applications with “highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions.”
That’s significant given the wide use of such apps. Such reports have IT managers and large data center operators concerned. Part of the solution will come in optimized versions of the patches, something Red Hat said it is working on.
Given many high-end microprocessors use speculative execution to some extent, changing hardware is not a strong option — at least not just to avoid a single security flaw. However, there is a software option.
“On systems with a lot of users running virtual machines, you have to patch those. But on, for example, Amazon running its Alexa service where you own the code and no one else is using the systems — these guys are thinking hard about if they need to run patches and take performance hit or not,” Gwennap said.
Intel is likely to be the most affected because its products make the most aggressive use of speculative execution. CPUs from AMD and ARM that are not affected may not have as high performance overall, forcing the difficult choice between greater performance and greater security.
For its part, Microsoft reported this week that systems shipped in 2015 or earlier could have noticeable performance hits from patches for Spectre variant 2.
Given Meltdown/Spectre are now being addressed and have not been used by malicious hackers, the performance issues for patches will be a key focus for the future, Gwennap said. The good news is most Linux apps Red Hat tested so far fell into mid- and low-single-digit performance hits.
As for security, there are still more than 94,970 other CVEs known to tech experts. The ones of greatest concern are likely those that are still unknown.
The work of the Google Zero team shows how broad flaws can be found inside today’s systems and the complex set of chips, boards and software inside them. Hackers can find them, too.
Thus, security is a constant leapfrog game of measures and countermeasures. So far vendors and users have generally valued low cost and high performance more than security.
The good news is Meltdown and Spectre reminded users that systems are never 100-percent secure, and they gave vendors a relatively successful experience collaborating on security. The bad news is this is a process without an end.