SAN JOSE, Calif. — Vendors are still issuing patches and starting to think about optimizations for them after last week’s disclosure of one of the largest security flaws ever to hit microprocessors. Meltdown and Spectre provided the latest painful lesson about the nature of what’s known in the security world as common vulnerabilities and exposures (CVEs).
The U.S. maintains what aims to be an authoritative list of CVEs. As of this writing, it included a whopping 94,971 entries.
Vendors typically assign teams to keep up with the flow of new hacks and patches for them. But few are as broad as Meltdown and Spectre, which affect microprocessors that support speculative execution. The technique is used widely in high-end chips shipped over the last several years from companies including AMD, ARM, Apple, IBM, Intel, and Oracle.
Reuters reported that about 5% of the 120 billion chips that ARM has shipped to date may be affected by Spectre, but fewer would be susceptible to Meltdown. Intel and AMD have not disclosed how many of their chips are affected, but AMD said that its chips are not affected by Meltdown.
The flaw that Google researchers found last summer involved a way that sophisticated hackers with intimate access to a system could use speculative execution to access data in cache — including encryption keys.
There’s nothing intrinsically wrong with speculative execution, a crucial technique for microprocessor performance. So chip vendors are issuing patches for the cache-data leak and will close the hole in future CPUs, said Linley Gwennap, principal of the Linley Group.
Gwennap praised vendors for collaborating on an effort in which many have issued most of the patches that their products need. Thankfully, there are no reports of anyone using the vulnerabilities maliciously to date.
However, not all affected products have patches yet, and existing patches are creating performance issues in some cases.
To date, AMD, Apple, ARM, Google, IBM, Intel, and Microsoft are among vendors who have released details about their patches. So far, Cavium, Oracle, and Qualcomm are among those who have not issued specific statements about Meltdown/Spectre.
After this story was posted, Qualcomm released a statement (posted in the comment thread below) saying it is working with ARM to evaluate and deploy mitigations for the new CVEs.
For its part, Cavium said it has already released patches protecting its ThunderX2 processor from Spectre. The chip is not susceptible to Meltdown, and its original ThunderX does not use speculative execution, said Gopal Hegde, general manager of Cavium’s data center group.
Nvidia is a special case. GPUs do not use speculative execution, said Jon Peddie, principal of Jon Peddie Research. However, Nvidia issued patches for its ARM-based chips and for its GPU drivers that run on host CPUs.
Initially, vendors said that the patches would have minimal impact, typically below a 5% performance hit. Red Hat found 8% to 19% performance degradations on applications with “highly cached random memory, with buffered I/O, OLTP database workloads, and benchmarks with high kernel-to-user space transitions.”
That’s significant given the wide use of such apps. Such reports have IT managers and large data center operators concerned. Part of the solution will come in optimized versions of the patches, something Red Hat said that it is working on.