Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches
Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.
The Spectre and Meltdown exploits work on systems using CPUs from Intel, AMD and ARM, and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information.
Patches and workarounds have been released by both hardware and software vendors, but they may introduce significant performance penalties.
Intel has insisted that average computer users - owners of typical home and business PCs - should not see any significant impact on performance during common tasks, such as reading emails, viewing photos or writing documents.
Benchmark tests conducted by the company using SYSmark 2014 showed an impact of 6 percent or less for 8th Generation Core platforms with solid state storage.
All but two of the currently supported Intel processors are said to be affected by the Spectre and Meltdown vulnerabilities. However, a technology called PCID (Process-Context Identifiers), which is present in newer processors, should lessen the impact on performance.
Intel says it has yet to "build a complete picture of the impact on data center systems," but points to statements from major vendors who have conducted tests.
Shortly after applying the Meltdown and Spectre patches to its Azure cloud platform, Microsoft said it had not seen any noticeable performance impact. The company noted that some users may experience networking performance impact, but that can be addressed using the Azure Accelerated Networking feature.
After conducting more tests, Microsoft pointed out that mitigations for Meltdown (CVE-2017-5754) and one of the Spectre flaws (CVE-2017-5753) have minimal performance impact, but the remediation for the second Spectre vulnerability (CVE-2017-5715) does introduce more significant performance penalties.
Specifically, Microsoft found that users running Windows 10 on newer chips (2016-era PCs with Skylake, Kaby Lake or newer CPUs) should not notice any slowdowns. While there are some single-digit performance penalties, they are reflected in milliseconds.
On the other hand, when running Windows 10, Windows 8 or Windows 7 on devices with older chips (2015-era PCs with Haswell or older CPUs), benchmark tests showed more significant penalties and users may actually notice a decrease in performance. On Windows 10, only some users should experience slowdowns, but on older versions of the operating system most users are expected to notice performance issues.
In the case of Windows Server, regardless of what type of chip is used, a more significant performance impact is expected after mitigations are applied, particularly in the case of IO-intensive applications.
In the case of Windows Server, Microsoft has actually advised users to evaluate the risk of untrusted code running on their machines and "balance the security versus performance tradeoff" for their specific environment.
"For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel," Microsoft explained.
Red Hat has also reported seeing measurable performance impact, ranging between 8 and 19 percent, for operations involving highly cached random memory.
Amazon said it had not observed any significant performance impact for the overwhelming majority of EC2 workloads, but some AWS customers have complained about degraded performance after the patches were applied starting in December.
Apple, which started performing tests after releasing updates in December, also said it had not seen any measurable reduction in the performance of macOS and iOS.
Google also claimed to have observed negligible impact on performance after applying mitigations to its own systems.
Epic Games informed users recently that the CPU usage of its backend cloud services increased significantly after Meltdown mitigations were applied, which led to login issues and service instability.
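
For administrators weighing the tradeoff described above on Linux hosts, the following added example (not part of the original article or any vendor's tooling) reports whether the CPU advertises PCID and whether the kernel reports each of the three CVEs as mitigated. It assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities/`; the function names are hypothetical and the sample input is constructed.

```python
import re
from pathlib import Path

# CVE identifiers as given in the article, mapped to the Linux sysfs entry
# names under /sys/devices/system/cpu/vulnerabilities/.
CVE_TO_SYSFS = {"CVE-2017-5754": "meltdown", "CVE-2017-5753": "spectre_v1",
                "CVE-2017-5715": "spectre_v2"}
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample input (not captured from a real host).
SAMPLE_CPUINFO = "processor\t: 0\nflags\t\t: fpu vme pcid sse4_2 invpcid\n"
SAMPLE_SYSFS = {"meltdown": "Mitigation: PTI",
                "spectre_v1": "Mitigation: __user pointer sanitization",
                "spectre_v2": "Vulnerable"}

def cpu_flags(cpuinfo_text):
    """Return the set of x86 feature flags from the first 'flags' line."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()

def classify(status):
    """Reduce a sysfs status string to one of four coarse states."""
    s = (status or "").strip().lower()
    if s.startswith("not affected"):
        return "not_affected"
    if s.startswith("mitigation"):
        return "mitigated"
    if s.startswith("vulnerable"):
        return "vulnerable"
    return "unknown"  # file missing (older kernel) or unrecognised text

def report(cpuinfo_text, sysfs):
    """Per-CVE state plus whether PCID is available to reduce the overhead."""
    out = {cve: classify(sysfs.get(name)) for cve, name in CVE_TO_SYSFS.items()}
    # Set membership, not substring search: 'invpcid' must not count as 'pcid'.
    out["pcid"] = "pcid" in cpu_flags(cpuinfo_text)
    return out

def read_host():
    """Read the live values on a Linux host; missing files become None."""
    sysfs = {}
    for name in CVE_TO_SYSFS.values():
        f = VULN_DIR / name
        sysfs[name] = f.read_text() if f.exists() else None
    return Path("/proc/cpuinfo").read_text(), sysfs

if __name__ == "__main__":
    # Runs offline on the constructed sample; use report(*read_host()) on a host.
    print(report(SAMPLE_CPUINFO, SAMPLE_SYSFS))
```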