Meltdown and Spectre Security Flaws

  • KM03071562
  • 11-Jan-2018

Summary

Vertica Test Results for Operating System Patches for Meltdown and Spectre Security Flaws

Error

Vertica engineers have run performance tests using the operating system patches for the Meltdown and Spectre security flaws. Based on the results, Vertica recommends that, for minimal performance impact and addressing most security issues, customers enable the PTI and IBPB features but not the IBRS feature.

Earlier this month, researchers announced two speculative execution security vulnerabilities in chips that are present in most modern processors.

• Meltdown: Meltdown allows multiple processes on a processor to access the contents of another process's memory. This vulnerability has only been verified on Intel processors: CVE-2017-5754

• Spectre: Spectre affects processors that implement branch prediction and speculative execution. This vulnerability may allow processes to read and modify the data cache.

Two variants of Spectre have been verified on several modern processors: Variant 1 (CVE-2017-5753) and Variant 2 (CVE-2017-5715). Variant 1 is fixed with a kernel patch. You cannot disable this patch, and there is no measurable performance impact from it.

There are three optional patches that ship in current hotfixes of most Linux distributions. They install the following features:

• KPTI (Kernel Page Table Isolation; the PTI feature in the results table below) protects against Meltdown. Implemented in the kernel.

• IBRS (Indirect Branch Restricted Speculation) protects against Spectre Variant 2. Implemented in the kernel and CPU microcode.

• IBPB (Indirect Branch Prediction Barrier) protects against Spectre Variant 2. Implemented in the kernel and CPU microcode.

For more detailed information about these patches, see https://access.redhat.com/articles/3311301.

Vertica engineers ran a select few queries from the industry-standard TPC-H database benchmark using the following hardware configuration:

A cluster of 4 HP DL360 Gen9 servers configured with two Xeon E5-2698 v3 processors that use the Haswell microarchitecture. Each processor has 16 cores and 256 GiB of memory, running the latest RHEL 6.9 kernel, version 2.6.32-696.18.7.el6.

Vertica engineers measured query performance with all three features enabled and in the other combinations of the patches. The results are summarized as follows (a value of 1 means the feature is enabled, 0 means disabled):

PTI Enabled | IBRS Enabled | IBPB Enabled | Performance Results
0           | 0            | 0            | No or minor performance degradation.
1           | 1            | 1            | Average 112% degradation.
1           | 0            | 0            | Most queries perform the same, some slightly slower. Average 1% degradation.
1           | 0            | 1            | Average 2% degradation.
1           | 0            | 2            | Average 15% degradation; worst case 30%.
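The check a Vertica administrator would want before and after applying these patches, as an added shell example that is not part of the Vertica notification: it reads the three debugfs knobs documented in the Red Hat article linked above (/sys/kernel/debug/x86/pti_enabled, ibrs_enabled and ibpb_enabled; debugfs must be mounted on /sys/kernel/debug), maps the combination onto the rows of the results table, and can write the recommended profile (PTI on, IBPB on, IBRS off). The function names, the profile labels and the overridable knob directory are this example's own.

```shell
#!/bin/sh
# Added example (not part of the Vertica notification): report and apply the
# Meltdown/Spectre mitigation profile recommended above on a RHEL host.
# The knob file names are the debugfs files from the Red Hat article; the
# directory argument is an assumption of this script so it can be tested
# against constructed files.

# Read one knob value (0/1/2) from a file; print "absent" when the kernel lacks it.
read_knob() {
    dir="$1"; name="$2"
    if [ -r "$dir/$name" ]; then
        tr -d '[:space:]' < "$dir/$name"
    else
        printf 'absent'
    fi
}

# Map PTI, IBRS and IBPB values onto the rows of the results table.
# Labels are this example's own; "other" covers untested combinations.
classify() {
    case "$1/$2/$3" in
        1/0/1) printf 'recommended' ;;   # PTI + IBPB, IBRS off: avg 2% degradation
        1/1/1) printf 'all-on' ;;        # all three: avg 112% degradation
        1/0/0) printf 'pti-only' ;;      # avg 1% degradation, Spectre v2 not mitigated
        0/0/0) printf 'unmitigated' ;;   # no degradation, no protection
        *)     printf 'other' ;;
    esac
}

# Print the current knob values and the matching profile for a knob directory
# (defaults to the live debugfs location).
check_host() {
    dir="${1:-/sys/kernel/debug/x86}"
    pti=$(read_knob "$dir" pti_enabled)
    ibrs=$(read_knob "$dir" ibrs_enabled)
    ibpb=$(read_knob "$dir" ibpb_enabled)
    printf 'pti=%s ibrs=%s ibpb=%s profile=%s\n' \
        "$pti" "$ibrs" "$ibpb" "$(classify "$pti" "$ibrs" "$ibpb")"
}

# Write the recommended profile. On a live host this needs root and takes
# effect immediately; a knob the kernel does not expose is skipped, not an error.
apply_recommended() {
    dir="${1:-/sys/kernel/debug/x86}"
    for pair in pti_enabled=1 ibpb_enabled=1 ibrs_enabled=0; do
        name=${pair%=*}; value=${pair#*=}
        if [ -w "$dir/$name" ]; then
            printf '%s\n' "$value" > "$dir/$name"
        else
            printf 'skip %s (not writable or absent)\n' "$name" >&2
        fi
    done
}

# Report on the live host (or on the directory given as the first argument).
check_host "$@"
```

Run `sh check_mitigations.sh` to see the current profile; run `apply_recommended` as root to set it. Writes to debugfs do not survive a reboot, so the same values have to be reapplied at boot (the Red Hat article describes the persistent options), and the profile should be re-checked after every kernel or microcode update because a new package may reset the defaults.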

For further details, graphs and FAQs, please review the attached document. You may also find the complete notification at one of the following URLs:

https://my.vertica.com/blog/vertica-test-results-operating-system-patches-meltdown-spectre-security-flaws/

https://forum.vertica.com/discussion/239346/vertica-test-results-for-operating-system-patches-for-meltdown-and-spectre-security-flaws#latest

https://www.linkedin.com/pulse/vertica-test-results-operating-system-patches-spectre-technical-team/