Spectre and Meltdown: Now What Do We Do?

By Peter Murray, Principal Systems Engineer

The Spectre and Meltdown exploits, which take advantage of a vulnerability in the processor silicon, present consumers of many processors, specifically x86 technologies, with a dilemma. For systems where a fix is available, should you follow best practice and patch per vendor recommendations, or leave systems unpatched to avoid increased application latency and decreased throughput? Where do trust and facts intersect? Will performance drops and increased processing latency be minor, or will the performance drops of up to 50% or more that some testers report be the reality?

The exploits take advantage of a flaw that allows malicious code to read memory pages it should not have access to, and so potentially steal information. Nearly every x86 product carries the vulnerabilities that make exploitation possible (the few that don’t date from the 1990s). The issue is not limited to Intel: AMD and ARM processors are also vulnerable.

A comment on a recent article in The Register claims that any system allowing SSH access is vulnerable to code insertion. However, multiple storage array vendors state in the same article that some or all of their products are not at risk. Whom do you believe? And what about the other servers, firewalls, load balancers, proxies and similar devices that sit in the application data path?

For customers using products supported at the system level by the vendor, upgrades are made by the factory and distributed to customers via a software update. For those who run their own software on standard operating systems, it is important to understand, without a doubt, the performance impact the patches have on your most demanding applications. Once this is known, organizations can then weigh the security risk introduced by leaving systems unpatched. If the performance impact is minor, the patch can be installed with confidence that SLAs can be maintained. If the performance impact is significant, enterprises can then examine whether a method other than patching can be considered completely safe (based on vendor recommendations).

The recommended approach in either case, regardless of any other action you may take, is to measure this impact with a service or product that produces the most realistic results for your unique workload environment. Workload performance testing is the best way to understand the effect of the recommended fixes on the devices that implement them.

Testing must be done in a way that emulates the applications in the data path. If you want to understand how your application(s) are affected, it is critical to emulate the application workload profiles and run them on systems in your (or your partner’s) test lab to see what the effects of the patches are.
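As an added illustration of the measure-before-you-decide approach described above (example code, not part of the original post or of Virtual Instruments' tooling), the following POSIX shell script records the kernel's reported Spectre/Meltdown mitigation state on Linux and summarises timed workload samples so a baseline run can be compared against a patched run. It assumes GNU date for the %N nanosecond format, and the workload command is a placeholder for your own application step.

```shell
#!/bin/sh
# Added example, not from the original post: capture the kernel's mitigation
# state next to timed workload samples so patched and unpatched runs compare.

# Linux 4.15+ reports each issue's mitigation status in sysfs; other systems
# (or older kernels) lack the files, so print "unknown" rather than fail.
mitigation_status() {
    dir=/sys/devices/system/cpu/vulnerabilities
    for v in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$v" ]; then printf '%s: %s\n' "$v" "$(cat "$dir/$v")"
        else printf '%s: unknown\n' "$v"; fi
    done
}

# Run the workload command N times, printing wall-clock ms per run, one per
# line. Assumes GNU date (%N). Replace the command with your real app step.
time_workload() {
    n=$1; shift; i=0
    while [ "$i" -lt "$n" ]; do
        start=$(date +%s%N); "$@" >/dev/null 2>&1; end=$(date +%s%N)
        echo $(( (end - start) / 1000000 )); i=$((i + 1))
    done
}

# Summarise ms samples (arguments) as "min median p95 max"; median is the
# lower middle for even counts, p95 uses the nearest-rank method.
summarize() {
    printf '%s\n' "$@" | sort -n | awk '
        { a[NR] = $1 }
        END { k = int(NR * 0.95); if (k < NR * 0.95) k++; if (k < 1) k = 1
              printf "%d %d %d %d\n", a[1], a[int((NR + 1) / 2)], a[k], a[NR] }'
}

# Percentage change of the patched median over the baseline median, one
# decimal; positive means the patched system is slower.
percent_change() {
    awk -v b="$1" -v p="$2" 'BEGIN { printf "%.1f\n", (p - b) / b * 100 }'
}

# Usage: script.sh baseline.txt patched.txt (one ms sample per line in each).
if [ "$#" -eq 2 ]; then
    mitigation_status
    b=$(summarize $(cat "$1")); p=$(summarize $(cat "$2"))
    bm=$(printf '%s' "$b" | cut -d' ' -f2); pm=$(printf '%s' "$p" | cut -d' ' -f2)
    echo "baseline min/median/p95/max ms: $b"
    echo "patched  min/median/p95/max ms: $p"
    echo "median change after patching: $(percent_change "$bm" "$pm")%"
fi
```

Collect the baseline samples with `time_workload` before applying the vendor patch and the second set after it, on the same hardware and workload profile, so the reported change reflects the mitigation rather than a different environment.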

You may find it necessary to increase node count, or to re-balance servers/VMs, the storage fabric/network or storage ports to better serve your end-user communities. If you are already considering a storage refresh, now is the time to determine the best fit to meet the application workload performance requirements and keep your business running at peak performance. This may mean an evaluation phase for new vendor technologies or an expansion of your current storage estate.

Virtual Instruments’ products and services offer you the best way to gain this insight and help you make the right decision about how best to mitigate the Spectre/Meltdown problem.

Call us, write to us or chat with us to find out how to protect your investments and ensure your business is running efficiently and effectively for your most precious communities: your customers and employees.