Performance hit for Intel systems on the way...

Ozymand

New Member
And now we're getting official confirmation. Intel is running a press conference and here is the slide deck:

https://s21.q4cdn.com/600692695/files/doc_presentations/2018/Side-Channel-Analysis-Security.pdf

... and Google just published this blog post:

Google Online Security Blog: Today's CPU vulnerability: what you need to know

It so far confirms the three cases in which this exploit may occur, as well as the enlightening fact that the initial disclosure was to be the 9th of January (coinciding with the Microsoft patch).
 

wildpig1234

Well-Known Member
It seems like this is a MAJOR vulnerability that is only now just named? I am expecting to hear a much bigger upcoming announcement about it?
 

Churchill

Admiral
We are preparing to scale up our AWS instances on Friday after the patches are released. We have several AWS notifications that state that Friday our systems will reboot whether we like it or not. I'll be sitting with the dev team all day to see how bad things are after we roll through Dev>SQA>PROD and to minimize our downtime as much as possible.

Sadly this is gonna suck but it's par for the course, I hope that Intel has a class action lawsuit on their hands.
 

Churchill

Admiral
It seems like this is a MAJOR vulnerability that is only now just named? I am expecting to hear a much bigger upcoming announcement about it?
The majority of companies were under an NDA/embargo because...well....this affects everyone, and getting this out in the wild before the massive patches are ready would cause chaos. Silence is the best policy for this, and now the cat is out of the bag, so you are hearing all of this before Patch Tuesday.
 

Churchill

Admiral
Well there goes my work load tomorrow as I'll have to answer stupid questions from OEM customers and PHB morons. I updated my Management chain that we have to wait till the kernel patches are released before we begin testing. I fully expect him to get a call from the CxO folks going "OMG WE R SKREWED! WHUT U DOIN!?!?!" He thanked me for giving him all the answers so he knows what to tell them. Free Comp days whut whut!

"Google said in a blog post that Android phones running the latest security updates are protected, as are its own Nexus and Pixel phones with the latest security updates. "

So both phones are secure? Fantastic job on security patching kicking the can down the line google. Very glad I got an iphone from a vendor that gives a damn.
 

Evan

Well-Known Member
He's really slowing down as there were 0 F-Bombs in that post
Hahaha
I remember emailing with him in the early 90's when I was building kernels every night, and he certainly had some character then; it was of course at that point still really a hobby, you could say.

He has an exact point: for how long will Intel ship 'defective' silicon?? I guess the chips currently in design won't have any changes, so it will be a while.

Let's just say I have 10.13.2 on my Macs and did not notice a thing; let's hope I can say the same at work. At the end of the day, in an enterprise setting we are probably looking at less than 5% of servers that will even need a second look, as the vast majority run workloads that are either not so affected or are on lightly loaded servers with heaps of headroom. Just the same, no doubt we have to re-run a heap of stress tests in the next few months once the dust settles to get new baselines.
 

pricklypunter

Well-Known Member
It looks like M$ are seizing the opportunity to mention that "only Win 10" will be updated/patched, so anyone using any M$ OS older than that is SOL and gonna be left vulnerable. Well, according to the reporting by the BBC on the matter, anyway. I wonder how many sheep they will manage to scare into buying an upgrade, and how many folks will rail against them because of that decision :)
 

Evan

Well-Known Member
Last time I checked, Windows 7 & 8 and Win2k8 R2 are still supported, especially in enterprise ...
Then again, all are rather old and I would prefer not to have them, but the reality is they will be around a while longer.
 

Drewy

Member
I’m hearing at least one tier 1 hardware supplier advising enterprise customers not to install the mitigation patches due to performance issues they have seen in testing.
 

Evan

Well-Known Member
I’m hearing at least one tier 1 hardware supplier advising enterprise customers not to install the mitigation patches due to performance issues they have seen in testing.
And outside of shared hosting or VM environments, and with internal enterprise systems, it's probably OK to delay a short while to test yourself and see if there is a round 2 of patches a few weeks later.
 

TedB

Member
From what I've seen you can command-line bypass the changes in Linux if you're using an AMD processor; I just don't know if Microsoft is going to be so amenable.
In MS Windows Server, by default the patches are not enabled even if installed, until you switch them on using registry settings.
 
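As an added illustration of that last point (this is example code, not something posted in the thread), the script below reads and sets the Windows Server registry override that decides whether the installed kernel mitigations are actually active. It assumes the FeatureSettingsOverride / FeatureSettingsOverrideMask values under the Memory Management key that Microsoft documented for this purpose, and the separate SpeculationControl PowerShell Gallery module for confirming the result after a reboot; check both against current Microsoft guidance for your build before relying on them.

```powershell
# Added example, not from the forum thread: show, enable or disable the
# dormant speculative-execution mitigations on Windows Server.
# Assumption: the FeatureSettingsOverride / FeatureSettingsOverrideMask DWORDs
# under the Memory Management key are the switch Microsoft documented; verify
# against current Microsoft guidance for your OS build before applying.
#Requires -RunAsAdministrator
param(
    [ValidateSet('Show', 'Enable', 'Disable')]
    [string]$Action = 'Show'
)

$MMKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationOverride {
    # Returns the current override values; $null means the value is absent,
    # which on Windows Server leaves the mitigations off even after patching.
    $props = Get-ItemProperty -Path $MMKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Override = $props.FeatureSettingsOverride
        Mask     = $props.FeatureSettingsOverrideMask
    }
}

function Set-MitigationOverride {
    # Override = 0 with Mask = 3 enables both mitigation bits the mask covers;
    # Override = 3 with Mask = 3 disables them again (useful for an A/B
    # benchmark while measuring the performance hit this thread is about).
    param([Parameter(Mandatory)][int]$Override)
    New-ItemProperty -Path $MMKey -Name FeatureSettingsOverride `
        -PropertyType DWord -Value $Override -Force | Out-Null
    New-ItemProperty -Path $MMKey -Name FeatureSettingsOverrideMask `
        -PropertyType DWord -Value 3 -Force | Out-Null
}

$before = Get-MitigationOverride
"Before: Override=$($before.Override) Mask=$($before.Mask)"

switch ($Action) {
    'Enable'  { Set-MitigationOverride -Override 0 }
    'Disable' { Set-MitigationOverride -Override 3 }
    default   { 'No change made (use -Action Enable or -Action Disable).' }
}

$after = Get-MitigationOverride
"After:  Override=$($after.Override) Mask=$($after.Mask)"

# The kernel only reads these values at boot, so a restart is required.
# After the reboot, confirm that both the hardware/firmware support and the
# Windows OS support report as enabled with the SpeculationControl module:
#   Install-Module SpeculationControl   # from the PowerShell Gallery
#   Get-SpeculationControlSettings
```

Run it as `.\mitigation-override.ps1 -Action Enable` (the file name is arbitrary), reboot, then run `Get-SpeculationControlSettings`: the registry value alone only enables the OS side, and the output will show the hardware/firmware side still missing if the OEM microcode update has not been applied. Hyper-V hosts additionally need the `MinVmVersionForCpuBasedMitigations` string value ("1.0") under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization` before guests are covered, which is worth remembering given the point made above that shared hosting and VM environments cannot afford to delay.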

wildpig1234

Well-Known Member
Well, the deep-down problem, I think, is that since this is at the hardware level, you can patch the software all you want but there is probably always a way to exploit it. It's like spyware that's built into firmware.... you can patch the antivirus software or install as much antiviral software as you want....

In the end, only a hardware architectural change will do it. You can only patch enough of the software and O/S to deter 99.99% of the hackers...

There will be a cost. There's always some trade-off between security and speed.

In the meantime, I will happily carry on with my xeon :)
 

mstone

Active Member
I have read some more details about the vulnerabilities (out of pure curiosity; I have zero security background) and I am honestly surprised such things are even possible (when I first read it, it reminded me of those fancy spying methods where you can analyse the vibration of a window's glass to recreate the voices of people in a room, or a key-logger which works by observing the electromagnetic waves around the keyboard cable to leak the keys pressed).
It's basically a side-channel attack, which has been discussed in the computer security literature for 40+ years. There are a lot of them out there, and finding and mitigating them is really hard. For the most part very few people have bothered because there are usually easier vulnerabilities to exploit, so it's not worth the effort. As the security of other parts of the system improves, these become much more attractive targets. I expect that people will be playing whack-a-mole with these until there are fundamentally different architectures available (nothing promising on the horizon). People will need to make even more complicated risk-based decisions about what kinds of side channels to try to prevent, because the costs of doing so increase rapidly. The cloud providers have little choice but to take the hit, but on dedicated hardware it depends. If anything, this class of vulnerabilities should make people think twice about multi-tenant cloud services.