Meltdown & Spectre patch’s - performance?

[tvmaster2]

Has anyone seen their Sagetv server suffer in anyway from applying the Meltdown and Spectre patches to their Intel or AMD based servers? Any effects with particular operating systems? I’m running W7 32 bit on an AMD Phenom, which may not be an effected CPU.

[wayner]

How do you know if the updates you have done have these patches?

[tvmaster2]

Quote:

Originally Posted by wayner

How do you know if the updates you have done have these patches?

There are lists posted online which patches align with which cpu, OS, etc. Do a Google search. Microsoft yanked a few on January 9th due to compatibility errors, blue screens, etc.

[trk2]

You can use this tool to see the current patched state of your computer. I have had no issues on my Sage sever (win 7) but my windows 10 PC does not initialize the video following a wake from sleep after the MS patch was applied.

[tvmaster2]

http://www.zdnet.com/article/meltdow...based-devices/

[tvmaster2]

Quote:

Originally Posted by trk2

You can use this tool to see the current patched state of your computer. I have had no issues on my Sage sever (win 7) but my windows 10 PC does not initialize the video following a wake from sleep after the MS patch was applied.

which CPU's for which OS?

[trk2]

The Sage server is Windows 7 on a Core 2 Duo with a Bearlake chipset. My desktop is Windows 10, I7 Ivy Bridge. The motherboards on both systems are old enough that a patched bios has not and probably will not be released. So my only protections is the Windows security patch.

[reggie14]

I don't know if was related, but my SageTV server crashed hard last weekend. It would not longer boot, with Windows giving me in "Inaccessible Boot Device" error.

I take full/incremental backups on a nightly basis (in a GFS scheme). But, I had to go back to January 5th to get to a backup that wasn't corrupted in the same way. That's around the time the Spectre/Meltdown patches went out.

This was on a Haswell-based system.

After restoring from the backup, I deleted any pending Windows Updates, re-downloaded them, and the system continues to run now. It has the Meltdown patch, but I haven't done a BIOS update for Spectre. I'm not even sure there is one for my motherboard, and the update fiasco on Intel's part is going to stop Microsoft from changing their position about pushing CPU microcode updates through Windows Update and the kernel.

[tvmaster2]

Quote:

Originally Posted by reggie14

I don't know if was related, but my SageTV server crashed hard last weekend. It would not longer boot, with Windows giving me in "Inaccessible Boot Device" error.

I take full/incremental backups on a nightly basis (in a GFS scheme). But, I had to go back to January 5th to get to a backup that wasn't corrupted in the same way. That's around the time the Spectre/Meltdown patches went out.

This was on a Haswell-based system.

After restoring from the backup, I deleted any pending Windows Updates, re-downloaded them, and the system continues to run now. It has the Meltdown patch, but I haven't done a BIOS update for Spectre. I'm not even sure there is one for my motherboard, and the update fiasco on Intel's part is going to stop Microsoft from changing their position about pushing CPU microcode updates through Windows Update and the kernel.

I was listening to TWIT Windows Weekly broadcast, and Haswell chipsets were mentioned as a problem. Their thought on this whole thing is that Intel has a major problem they’re not really coming forward about...

[wayner]

Are these risks that we should be worried about for home PCs? I thought the big risk here was for stuff like VMs - these bugs would allow you to break through and hack into other VMs on the same hardware. So that's a big issue if you have an application on AWS, but nothing to worry about on my home media server.

[wayner]

Quote:

Originally Posted by tvmaster2

I was listening to TWIT Windows Weekly broadcast, and Haswell chipsets were mentioned as a problem. Their thought on this whole thing is that Intel has a major problem they’re not really coming forward about...

To me this is a major issue. I was an owner of Intel stock but I sold it because I think this is going to be a huge liability.

I would envision lawsuits from the likes of Amazon, MS and Google as the largest providers of cloud services. If you apply these patches and they reduce system performance then you have to through more CPU hardware at your cloud services. So I would be suing Intel for that. The market doesn't seem to agree with me since Intel stock is approximately unchanged in the last month - however that means it is lagging everything else.

[reggie14]

Quote:

Originally Posted by tvmaster2

I was listening to TWIT Windows Weekly broadcast, and Haswell chipsets were mentioned as a problem. Their thought on this whole thing is that Intel has a major problem they’re not really coming forward about...

Well, I think those problems were linked back to the CPU microcode updates carried in BIOS updates. For a variety of reasons, that wouldn't really explain the problem I ran into.

Quote:

Originally Posted by wayner

Are these risks that we should be worried about for home PCs? I thought the big risk here was for stuff like VMs - these bugs would allow you to break through and hack into other VMs on the same hardware. So that's a big issue if you have an application on AWS, but nothing to worry about on my home media server.

To try to put it simply, these vulnerabilities allow an attacker that is capable of running code on your computer to access memory that he shouldn't have access to. That might sound like a contrived threat- after all, why are you letting an attacker run code on your computer? But it actually happens a lot: javascript.

There are proof-of-concept attacks using the Spectre vulnerability with a malicious javascript to steal secrets from your browser. e.g., cookies, passwords.

Ostensibly, similar attacks may be possible with Meltdown. In that case, it might be possible to read secrets from the operating system kernel.

Admittedly, I think the practical threat for home PCs has been a bit exaggerated. Javascript attacks are a real concern, but it's not a big deal for the browsers to push application-level security updates to block that attack vector.

Beyond the javascript case, the need for the attacker to control/run code on the victim PC means you already have to have a major problem to be attacked. If you're running malware on your PC, its probably already game-over for you. But shared computing infrastructures (e.g., VMs in cloud environments), and, to a lesser extent, sandboxed platforms like Android, are supposed to isolate malicious processes from legitimate ones.

[KarylFStein]

Quote:

Originally Posted by wayner

Are these risks that we should be worried about for home PCs? I thought the big risk here was for stuff like VMs - these bugs would allow you to break through and hack into other VMs on the same hardware. So that's a big issue if you have an application on AWS, but nothing to worry about on my home media server.

These attacks "only" allow you to read application or system memory, not modify things. The variant that provides access to application memory affects Intel, AMD and ARM processors. The variant that provides access to system memory affects Intel. As known last I saw.

The reason VMs were discussed is because if you have access to the host system memory you can read what's in the memory of another VM. (In a cloud hosting environment that would include VMs not "owned" by you.) On your home PC without VMs it can just read the memory of things on that PC.

Google from what I remember reading has changed its compiler to create code not vulnerable to the flaws with little or no performance impact, (or so they say).

I also remember reading something where certain browsers were succeptable through their JS engines.

So say you have a password manager on your PC and it is targeted by the "application" variant than someone could possibly grab all your passwords. Or if it targets Word it could read whatever document you have open. Etc. It can't "take over" your computer though.