Understanding performance impact of Spectre and Meltdown mitigations

Brink

Last week the technology industry and many of our customers learned of new vulnerabilities in the hardware chips that power phones, PCs and servers. We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure. In this blog, I’ll describe the discovered vulnerabilities as clearly as I can, discuss what customers can do to help keep themselves safe, and share what we’ve learned so far about performance impacts.

What Are the New Vulnerabilities?

On Wednesday, Jan. 3, security researchers publicly detailed three potential vulnerabilities named “Meltdown” and “Spectre.” Several blogs have tried to explain these vulnerabilities further — a clear description can be found via Stratechery.

On a phone or a PC, this means malicious software could exploit the silicon vulnerability to access information in one software program from another. These attacks extend into browsers where malicious JavaScript deployed through a webpage or advertisement could access information (such as a legal document or financial information) across the system in another running software program or browser tab. In an environment where multiple servers are sharing capabilities (such as exists in some cloud services configurations), these vulnerabilities could mean it is possible for someone to access information in one virtual machine from another.

What Steps Should I Take to Help Protect My System?

Currently three exploits have been demonstrated as technically possible. In partnership with our silicon partners, we have mitigated those through changes to Windows and silicon microcode.

[Table image: the three demonstrated exploits and, for each, whether the mitigation is a Windows change, a silicon microcode update, or both]

Because Windows clients interact with untrusted code in many ways, including browsing webpages with advertisements and downloading apps, our recommendation is to protect all systems with Windows Updates and silicon microcode updates.

For Windows Server, administrators should ensure they have mitigations in place at the physical server level to ensure they can isolate virtualized workloads running on the server. For on-premises servers, this can be done by applying the appropriate microcode update to the physical server and, if you are running Hyper-V, updating it using our recent Windows Update release. If you are running on Azure, you do not need to take any steps to achieve virtualized isolation as we have already applied infrastructure updates to all servers in Azure that ensure your workloads are isolated from other customers running in our cloud. This means that other customers running on Azure cannot attack your VMs or applications using these vulnerabilities.

Windows Server customers, running either on-premises or in the cloud, also need to evaluate whether to apply additional security mitigations within each of their Windows Server VM guest or physical instances. These mitigations are needed when you are running untrusted code within your Windows Server instances (for example, you allow one of your customers to upload a binary or code snippet that you then run within your Windows Server instance) and you want to isolate the application binary or code to ensure it can’t access memory within the Windows Server instance that it should not have access to. You do not need to apply these mitigations to isolate your Windows Server VMs from other VMs on a virtualized server, as they are instead only needed to isolate untrusted code running within a specific Windows Server instance.

We currently support 45 editions of Windows. Patches for 41 of them are available now through Windows Update. We expect the remaining editions to be patched soon. We are maintaining a table of editions and update schedule in our Windows customer guidance article.

Silicon microcode is distributed by the silicon vendor to the system OEM, which then decides to release it to customers. Some system OEMs use Windows Update to distribute such microcode, others use their own update systems. We are maintaining a table of system microcode update information here. Surface will be updated through Windows Update starting today.

Guidance on how to check and enable or disable these mitigations can be found here:

Performance

One of the questions for all these fixes is the impact they could have on the performance of both PCs and servers. It is important to note that many of the benchmarks published so far do not include both OS and silicon updates. We’re performing our own sets of benchmarks and will publish them when complete, but I also want to note that we are simultaneously working on further refining our work to tune performance. In general, our experience is that Variant 1 and Variant 3 mitigations have minimal performance impact, while Variant 2 remediation, including OS and microcode, has a performance impact.

Here is the summary of what we have found so far:

  • With Windows 10 on newer silicon (2016-era PCs with Skylake, Kaby Lake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
  • With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
  • With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
  • Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel. We will publish data on benchmark performance in the weeks ahead.

Conclusion

As you can tell, there is a lot to this topic of side-channel attack methods. A new exploit like this requires our entire industry to work together to find the best possible solutions for our customers. The security of the systems our customers depend upon and enjoy is a top priority for us. We’re also committed to being as transparent and factual as possible to help our customers make the best possible decisions for their devices and the systems that run organizations around the world. That’s why we’ve chosen to provide more context and information today and why we released updates and remediations as quickly as we could on Jan. 3. Our commitment to delivering the technology you depend upon, and in optimizing performance where we can, continues around the clock and we will continue to communicate as we learn more.

-Terry


Source: Understanding the performance impact of Spectre and Meltdown mitigations on Windows Systems Microsoft Secure
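The post points to guidance for checking and enabling or disabling these mitigations, and its performance section warns that a benchmark only means something once both the OS update and the silicon microcode update are in place. The PowerShell below is an added example, not code from the Microsoft post or from any reply in this thread. It assumes Microsoft's SpeculationControl module from the PowerShell Gallery (Install-Module SpeculationControl) and the FeatureSettingsOverride / FeatureSettingsOverrideMask registry values documented in Microsoft's Windows Server guidance (KB4072698); the function names Get-MitigationState, Enable-SpeculativeExecutionMitigations and Disable-SpeculativeExecutionMitigations are invented for this example and are not Microsoft's.

```powershell
# Added example, not from the Microsoft post or this thread. Registry names/values
# and the SpeculationControl module come from Microsoft's Windows Server guidance
# (KB4072698); the function names are this example's own.
# Run in an elevated PowerShell session. Registry changes take effect after a reboot.

$MemMgmtKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$HyperVKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization'

function Get-MitigationState {
    # Report what the OS and the microcode actually provide right now. The
    # SpeculationControl module is Microsoft's published checker; if it is not
    # installed we still report the raw registry override values.
    $reg = Get-ItemProperty -Path $MemMgmtKey -ErrorAction SilentlyContinue
    $state = [ordered]@{
        FeatureSettingsOverride     = $reg.FeatureSettingsOverride       # $null = not set
        FeatureSettingsOverrideMask = $reg.FeatureSettingsOverrideMask
    }
    if (Get-Command Get-SpeculationControlSettings -ErrorAction SilentlyContinue) {
        $sc = Get-SpeculationControlSettings
        # BTI* fields are Variant 2 (branch target injection): it needs the Windows
        # change *and* the microcode. KVAShadow* fields are Variant 3 (Meltdown).
        $state.MicrocodeSupportsVariant2 = $sc.BTIHardwarePresent
        $state.Variant2Enabled           = $sc.BTIWindowsSupportEnabled
        $state.Variant3Required          = $sc.KVAShadowRequired      # $false on unaffected CPUs
        $state.Variant3Enabled           = $sc.KVAShadowWindowsSupportEnabled
        $state.Variant3PcidEnabled       = $sc.KVAShadowPcidEnabled   # PCID lowers the KVA-shadow cost
        # The post's benchmark caveat: a measurement is only representative when both
        # the OS and the silicon update are present. This flag says whether that holds here.
        $state.BothUpdatesApplied = [bool]($sc.BTIHardwarePresent -and $sc.BTIWindowsSupportEnabled)
    } else {
        Write-Warning 'SpeculationControl module not found; run: Install-Module SpeculationControl'
    }
    [pscustomobject]$state
}

function Enable-SpeculativeExecutionMitigations {
    # Windows Server ships with the Variant 2/3 mitigations off. Enable them on instances
    # that run untrusted code, and on Hyper-V hosts to isolate guests from each other.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$HyperVHost)
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, 'enable Variant 2 and Variant 3 mitigations')) {
        # Mask=3: the override controls both bits. Override=0: both bits clear, i.e. enabled.
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Type DWord -Value 0
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Type DWord -Value 3
        if ($HyperVHost) {
            # Lets Hyper-V expose the new microcode capabilities to guests. Guests must be
            # powered off and back on (not merely rebooted) before they can see them.
            if (-not (Test-Path $HyperVKey)) { New-Item -Path $HyperVKey -Force | Out-Null }
            Set-ItemProperty -Path $HyperVKey -Name MinVmVersionForCpuBasedMitigations -Type String -Value '1.0'
        }
    }
}

function Disable-SpeculativeExecutionMitigations {
    # For instances that run only trusted code and cannot absorb the IO-path overhead.
    # Bit 0 of the override disables Variant 2, bit 1 disables Variant 3.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Variant2Only)   # keep Variant 3 (Meltdown) protection, drop only the costly Variant 2 part
    $override = if ($Variant2Only) { 1 } else { 3 }
    $mask     = if ($Variant2Only) { 1 } else { 3 }
    if ($PSCmdlet.ShouldProcess($MemMgmtKey, "set FeatureSettingsOverride=$override, Mask=$mask")) {
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverride     -Type DWord -Value $override
        Set-ItemProperty -Path $MemMgmtKey -Name FeatureSettingsOverrideMask -Type DWord -Value $mask
    }
}

# Typical use on a server that runs customer-supplied code:
#   Get-MitigationState
#   Enable-SpeculativeExecutionMitigations -HyperVHost -WhatIf   # dry run
#   Enable-SpeculativeExecutionMitigations -HyperVHost
#   Restart-Computer
```

Run Get-MitigationState before and after any benchmark and keep the output with the numbers; a result with BothUpdatesApplied = False is the kind of incomplete measurement the post warns about. On Windows client editions the mitigations are on by default, so the same Disable function is what turns them off there. Both toggles support -WhatIf for a dry run, and nothing changes until the machine reboots.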
 

People wonder why these security violations were just now being worked on. It seems they have been working on the problem for some time now. In my opinion they didn't want to release the warning before they got some fixes to issue to the world. The bad guys don't need a heads up.

From post #1

We (and others in the industry) had learned of this vulnerability under nondisclosure agreement several months ago and immediately began developing engineering mitigations and updating our cloud infrastructure.


Well, do the words (under nondisclosure agreement) bring light to the wonderment?

Jack
 

People wonder why these security violations were just now being worked on. It seems they have been working on the problem for some time now. In my opinion they didn't want to release the warning before they got some fixes to issue to the world. The bad guys don't need a heads up.

Was thinking the same. It's a well-known procedure called Responsible Disclosure, which says to publish vulnerabilities only when a fix is already available and not before (unless the developer refuses to fix them). Other OSs have done similar things too. For the KRACK problem a similar approach was followed.

MS did the right thing here.
 

I found it interesting that the Windows 7 patch causes a greater slowdown than on Windows 10.

Steve Gibson reckons this is unnecessary in his article; could we be seeing another "upgrade to ten" debacle?
 

Spectre is quite a spectacle

I found it interesting that the Windows 7 patch causes a greater slowdown than on Windows 10.

Steve Gibson reckons this is unnecessary in his article; could we be seeing another "upgrade to ten" debacle?

I've wondered the same thing myself, Andy. There just seems to be too much going on here to be mere "coincidence", and I cannot help but wonder, when a C.E.O. is selling off his shares at a most convenient time for him to do so, given Mr. Snowden's earlier warnings, whether all of this was deliberately orchestrated. Call me a conspiracy theorist, but it's walking like a duck, flying like a duck, and quacking like a duck. In fact Intel is already boasting how the new chips will be safe from these *cough* vulnerabilities. Until next time???
 
