Meltdown and Spectre Patches - What is going on?

Discussions related to using VirtualBox on Windows hosts.
TekLord
Posts: 30
Joined: 16. May 2014, 16:37

Meltdown and Spectre Patches - What is going on?

Post by TekLord »

I am writing this from the floor of the CES show in Las Vegas.

I am a software developer and I use VirtualBox extensively to maintain code that requires VB6 and Windows XP. I do NOT want the software patches that have been forced on users in a spasm of panic by Microsoft and Intel. It is hard to get a straight answer from either company here at the show. As a software developer I can tell you that a rushed "kludge" patch job usually breaks more things than it fixes.

I cannot risk installing any type of patch that breaks my development machines or our web servers. I also do not want to degrade the performance of my machines (especially our web servers which run on two dedicated machines at a secure data center in Austin.)

Upon hearing about Meltdown and Spectre I immediately disconnected all of my machines from the web prior to the "fix" by Microsoft. I already had a group policy setting to prevent automatic updates in Windows. I also made a registry change which sets the Ethernet connection as a "metered" connection which will also prevent Windows from automatically downloading updates.

It is hard to determine exactly how significant the risk is for these two vulnerabilities and whether the risk and/or performance hit are actually worth the mitigation. My understanding is that both of these exploits are difficult to implement. Apparently, malware must also infect the system before the exploit can take place. Or, it may be possible for a banner ad or Java code to exploit the vulnerability.

I have never had a single intrusion on any of my systems. I use commercial Antivirus software on all of my machines (including the guest OS in VirtualBox.) No one has physical access to my equipment. I use Quad 9 (9.9.9.9) for DNS resolution.

So... how much of a risk am I actually taking by not updating my system with this patch?
BillG
Volunteer
Posts: 5104
Joined: 19. Sep 2009, 04:44
Primary OS: MS Windows 10
VBox Version: PUEL
Guest OSses: Windows 10,7 and earlier
Location: Sydney, Australia

Re: Meltdown and Spectre Patches - What is going on?

Post by BillG »

That is an interesting question, but there is really not much point in asking it. If you received a reply, why would you have any reason to believe that it was right?

Even more interestingly, what if you received two conflicting answers? Why would you have any reason to trust one or the other (or either for that matter). Who would or could know?
Bill
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Meltdown and Spectre Patches - What is going on?

Post by michaln »

TekLord wrote: So... how much of a risk am I actually taking by not updating my system with this patch?
Realistically, about as much as you were a month ago.

Intel admits that all currently used CPUs are vulnerable (everything except old Atom CPUs). The issue conceptually goes back to 1995. There is every indication that Intel truly was not aware of the problem. We can only guess if it really took over 20 years for someone to discover the issue, or if it was known before and not publicized. No one can say how many other vulnerabilities there are that we don't know about.

On Linux, the performance-sapping mitigations can be disabled. I believe the same is true of Windows 10. Though I understand your concern that simply installing the patched software might cause trouble. So far there have been no widespread issues, but it may be early to tell. In a week or so we'll have a better picture. I should add that some of the mitigations require microcode updates, and some OEMs have been quick in providing them while others have been dragging their feet.

You are right that exploitation requires local code execution. In the end, you have to make your own decisions. There's been plenty written about Spectre/Meltdown.
TekLord
Posts: 30
Joined: 16. May 2014, 16:37

Re: Meltdown and Spectre Patches - What is going on?

Post by TekLord »

Thanks for the input. As I walk around some of the Casinos in Las Vegas I sometimes see large monitors (above a bank of slot machines for instance) that are showing Blue Screen of Death. I am not certain that these were caused by the Microsoft patch but this is my 33rd consecutive CES and I have never seen that before.

Here is my thinking...
  • The exploit(s) are VERY difficult to implement. (Maybe this is why it took 20 years to figure out.)
  • Some other type of malware must ALREADY be on your system.
  • Some type of "physical" access must exist to the target machine.
  • Anti-virus software does not fix the vulnerability but it can prevent the malware from infecting your computer.
  • Quad-9 does a good job of preventing malicious sites from resolving in DNS.
  • Good, common-sense on-line browsing/email strategies will reduce the potential for malware.
  • The current patches by Microsoft may slow down the performance of your system.
  • The current patches by Microsoft may cause operational errors/crashes and or catastrophic system problems.
  • The patches were made in haste and the full impact of the changes may not be known at this time.
  • From an ROI perspective, I believe someone capable of pulling off an exploit of this type would carefully consider their victim.
I will not be updating my infrastructure with the patches or firmware updates because I believe the potential for problems created by these "fixes" significantly outweighs the problem(s) that they are intended to correct. I hope I don't regret this decision.
Harry M Johnston
Posts: 2
Joined: 12. Jan 2018, 06:08

Re: Meltdown and Spectre Patches - What is going on?

Post by Harry M Johnston »

In the short term, it seems to me that the risk from Meltdown and Spectre is probably minimal, provided you update your web browser. In the long term this is less clear.

However, Windows updates are only available on a take-it-or-leave-it basis. So if you don't want the Meltdown/Spectre updates, the only way to do that is to stop installing ANY updates. I'd be more worried about all the other vulnerabilities fixed in the January updates (and eventually the February updates, and so on) than about Meltdown and Spectre per se.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Meltdown and Spectre Patches - What is going on?

Post by michaln »

TekLord wrote: • The exploit(s) are VERY difficult to implement. (Maybe this is why it took 20 years to figure out.)
Actually, no, it's not difficult to implement. The reason why it took 20 years to figure out is that it requires thinking very much outside the box.
• Some other type of malware must ALREADY be on your system.
That is true. Local access is required.
• The patches were made in haste and the full impact of the changes may not be known at this time.
The problem with these things is that the balance is unknowable. The patches have a non-zero cost (if nothing else, Intel/Microsoft/Linux/etc. have been doing little else in the last few months) and applying them will also incur some costs, while unpatched systems are at risk of attacks with potentially very high cost. We might one day know the cost of patching, but we won't ever know the cost of leaving everything unpatched.
AlexMK
Posts: 6
Joined: 23. Nov 2017, 21:13

Re: Meltdown and Spectre Patches - What is going on?

Post by AlexMK »

Has anyone tested the impact on VirtualBox performance? I installed KB4056892 on the host system (Win10 host and Linux guest) and got terrible results. I ran several CPU-intensive Python scripts on the guest and performance dropped by 40-60%! Then I disabled the fix by setting a registry key and performance was recovered.

Also, the patch on the guest system did not have a significant impact on performance.
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Meltdown and Spectre Patches - What is going on?

Post by michaln »

AlexMK wrote: CPU-intensive Python scripts on the guest and performance dropped by 40-60%!
What host hardware? Crucial detail because older CPUs will be hit much harder than newer CPUs.

Truly CPU intensive tasks will not be affected much. But anything that causes lots of transitions between user and kernel code (more I/O intensive than CPU intensive) will be. In a VM the slowdown may be worse; again that will depend on the host CPU.
socratis
Site Moderator
Posts: 27329
Joined: 22. Oct 2010, 11:03
Primary OS: Mac OS X other
VBox Version: PUEL
Guest OSses: Win(*>98), Linux*, OSX>10.5
Location: Greece

Re: Meltdown and Spectre Patches - What is going on?

Post by socratis »

@AlexMK
Mind you that the VirtualBox fixes are *not* in yet, so this is not VirtualBox, this is your host OS doing the whole thing. And it is affecting VirtualBox big time in some cases, as michaln pointed out. But the VirtualBox fixes/patches themselves are not in yet (as of build 120181).
Do NOT send me Personal Messages (PMs) for troubleshooting, they are simply deleted.
Do NOT reply with the "QUOTE" button, please use the "POST REPLY", at the bottom of the form.
If you obfuscate any information requested, I will obfuscate my response. These are virtual UUIDs, not real ones.
TekLord
Posts: 30
Joined: 16. May 2014, 16:37

Re: Meltdown and Spectre Patches - What is going on?

Post by TekLord »

Harry M Johnston wrote: In the short term, it seems to me that the risk from Meltdown and Spectre is probably minimal, provided you update your web browser. In the long term this is less clear.

However, Windows updates are only available on a take-it-or-leave-it basis. So if you don't want the Meltdown/Spectre updates, the only way to do that is to stop installing ANY updates. I'd be more worried about all the other vulnerabilities fixed in the January updates (and eventually the February updates, and so on) than about Meltdown and Spectre per se.
Is it possible to use the registry settings described at https://support.microsoft.com/en-us/hel ... ilities-in to disable the "fix"? Then, you could continue applying Microsoft patches WITHOUT using the Meltdown/Spectre "fix".
Harry M Johnston
Posts: 2
Joined: 12. Jan 2018, 06:08

Re: Meltdown and Spectre Patches - What is going on?

Post by Harry M Johnston »

@TekLord, yes, that should work.

I wouldn't recommend it as a permanent measure, see, e.g., https://security.stackexchange.com/a/177389/47469 but it should allow you to continue to install security updates but exclude implementation of the current set of speculative execution mitigations.
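The registry settings TekLord and Harry are discussing are the two DWORDs Microsoft documents for controlling the mitigations on a patched Windows host. The following is an added example (not code from the thread or from Microsoft) that decodes those values so an administrator can audit which machines have the override applied rather than guessing. It assumes the value names FeatureSettingsOverride and FeatureSettingsOverrideMask under the Memory Management key, and it assumes the bit assignment (bit 0 = Spectre variant 2, bit 1 = Meltdown) inferred from Microsoft's published enable/disable value pairs; that assignment is this example's assumption, not something the thread states.

```python
"""Decode the Windows Meltdown/Spectre mitigation-override registry values.

Added example, not from the thread. The mask selects which override bits
the kernel honours; a set override bit (within the mask) disables that
mitigation. Reading the live registry only works on Windows; the decoding
half is pure so it can be checked offline against exported values.
"""
import sys

# Key under HKEY_LOCAL_MACHINE where Microsoft places the override values.
KEY_PATH = r"SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# Assumed bit meanings (derived from the documented 3/3, 0/3 and 1/1 pairs).
BIT_SPECTRE_V2 = 0x1  # assumption: bit 0 = branch target injection mitigation
BIT_MELTDOWN = 0x2    # assumption: bit 1 = kernel VA shadowing (KPTI-style) mitigation


def decode_override(override, mask):
    """Map the two DWORDs (None when the value is absent) to a per-mitigation status."""
    mask = 0 if mask is None else mask          # no mask: the override is ignored
    override = 0 if override is None else override
    effective = override & mask                 # only masked bits count
    status = {}
    for name, bit in (("spectre_v2", BIT_SPECTRE_V2), ("meltdown", BIT_MELTDOWN)):
        if not mask & bit:
            status[name] = "os-default"         # policy does not touch this bit
        elif effective & bit:
            status[name] = "disabled-by-policy"
        else:
            status[name] = "enabled-by-policy"
    return status


def read_override():
    """Read both values from the live registry and decode them (Windows hosts only)."""
    if sys.platform != "win32":
        raise OSError("registry audit only runs on Windows hosts")
    import winreg  # standard library, Windows only
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
        for name in ("FeatureSettingsOverride", "FeatureSettingsOverrideMask"):
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None             # value not set: OS default
    return decode_override(values["FeatureSettingsOverride"],
                           values["FeatureSettingsOverrideMask"])


if __name__ == "__main__":
    print(read_override())
```

Running this on each host gives a quick inventory of where the override is in effect; a machine reporting "disabled-by-policy" is one that still takes the monthly cumulative updates but is running without the speculative-execution mitigations, which is the trade-off the thread is weighing.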
TekLord
Posts: 30
Joined: 16. May 2014, 16:37

Re: Meltdown and Spectre Patches - What is going on?

Post by TekLord »

I own my servers and they are located at an OnRamp data center. I receive general communications from OnRamp from time to time. Today, I received the following...

"At this time, OnRamp Security and Engineering teams have patched OnRamp internal and shared systems. Monitoring post patch implementation has yielded data indicating an average CPU load increase of 6%, and an average disk IO increase of 3% on systems that have been patched."

This patch does not affect my equipment but I wanted to share the performance information that they have provided.

The up side of all of this is I expect a LOT of good equipment (servers) to be available on eBay shortly as all of the major companies start replacing their equipment with systems that incorporate CPUs that are not vulnerable (once they become available.) I am sure Microsoft and the other vendors will eventually fine-tune the mitigation to reduce the performance degradation further. But the fix is still a hack. I downloaded the Excel spreadsheet containing the list of modified files and it is huge! I am still going to wait this one out.
AlexMK
Posts: 6
Joined: 23. Nov 2017, 21:13

Re: Meltdown and Spectre Patches - What is going on?

Post by AlexMK »

@michaln
I have a Haswell i7-4710MQ. I tried to profile the scripts and noted that degradation was mostly related to IPC calls (up to 4x!). Also I ran a simple micro benchmark

Code:

sysbench cpu --cpu-max-prime=20000 run

For the unpatched host I got ~360 ev/sec on average, for the patched one ~290 ev/sec (-20%).
michaln
Oracle Corporation
Posts: 2973
Joined: 19. Dec 2007, 15:45
Primary OS: MS Windows 7
VBox Version: PUEL
Guest OSses: Any and all
Contact:

Re: Meltdown and Spectre Patches - What is going on?

Post by michaln »

AlexMK wrote: For the unpatched host I got ~360 ev/sec on average, for the patched one ~290 ev/sec (-20%).
OK, that's about the expected hit. IPC/syscalls/anything that needs context switching is affected (on Intel CPUs, not AMD). For Haswell and later, there may be improvements, and even then the impact won't be zero. For older CPUs there's not a lot to be done.
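michaln's point above (and AlexMK's profiling, where IPC calls degraded far more than the sysbench prime loop) is that the mitigation cost lands on user/kernel transitions, not on arithmetic. The following is an added example, not code from the thread or from sysbench, that makes that visible: it times a trial-division prime count (the same kind of work as `sysbench cpu --cpu-max-prime`) against a loop that performs one cheap kernel round trip per iteration, and reports both rates. Run it on the host and inside the guest, before and after the patch, and compare how much each rate moves. The prime limit and iteration count are arbitrary choices for this example.

```python
"""Pure-CPU vs syscall-bound microbenchmark (added example, not from the thread).

A KPTI-style mitigation adds a page-table switch on every user/kernel
transition, so the second loop is where a patched host shows the larger
slowdown while the first barely moves. Inside a VM the transition is more
expensive still, which is why a guest can see a bigger hit than the host.
"""
import os
import time


def count_primes(limit):
    """Trial-division prime count up to `limit` (CPU-bound, no kernel transitions)."""
    found = 0
    for n in range(2, limit + 1):
        i = 2
        while i * i <= n:
            if n % i == 0:
                break
            i += 1
        else:
            found += 1  # loop ended without a divisor: n is prime
    return found


def syscall_loop(iterations):
    """One fstat() per iteration: negligible work, one kernel round trip each time."""
    done = 0
    with open(os.devnull, "rb") as f:      # works on Windows (NUL) and POSIX
        fd = f.fileno()
        for _ in range(iterations):
            os.fstat(fd)                   # the transition is the cost being measured
            done += 1
    return done


def timed(fn, *args):
    """Return (elapsed seconds, result) for fn(*args)."""
    start = time.perf_counter()
    result = fn(*args)
    return time.perf_counter() - start, result


def run_benchmark(prime_limit=20000, syscalls=200000):
    """Run both loops and return rates the way sysbench reports events/sec."""
    cpu_seconds, primes = timed(count_primes, prime_limit)
    sys_seconds, calls = timed(syscall_loop, syscalls)
    return {
        "primes_found": primes,
        "cpu_loop_seconds": cpu_seconds,
        "syscalls_per_sec": calls / sys_seconds,
    }


if __name__ == "__main__":
    for key, value in run_benchmark().items():
        print(f"{key}: {value}")
```

Because the two loops isolate the two kinds of work, the pair of numbers tells you more than a single sysbench figure: if `syscalls_per_sec` falls sharply while `cpu_loop_seconds` is unchanged, the slowdown is the transition overhead michaln describes, and workloads that are I/O- or IPC-heavy (AlexMK's 4x on IPC) are the ones to expect trouble from.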
TekLord
Posts: 30
Joined: 16. May 2014, 16:37

Re: Meltdown and Spectre Patches - What is going on?

Post by TekLord »

Today, Intel told users to stop installing chip patches for Meltdown and Spectre. The article was very clear about which patches but I assume it is for the microcode created by Intel.

http://www.bbc.co.uk/news/technology-42788169