Major security related issues were disclosed just a few days ago affecting CPUs across all vendors and architectures, including Intel and AMD. These vulnerabilities have become known as Meltdown and Spectre and are very severe.
Mitigations have been released for many systems and environments, but you should check that you are fully patched before continuing with this article! The problem affects all systems, virtualized or not.
There is still a lot of speculation about the possible performance impact of the Meltdown and Spectre mitigations. While AWS states that they "have not observed meaningful performance impact for the overwhelming majority of EC2 workloads", other reports indicate quite an impact (e.g. as reported on the PostgreSQL mailing list).
PostgreSQL SELECT 1 with the KPTI workaround for Intel CPU vulnerability https://t.co/N9gSvML2Fo— The Register (@TheRegister) January 2, 2018
Best case: 17% slowdown
Worst case: 23%
Performance impacts are workload related
The security problem is related to the isolation between user processes and the kernel, so the mitigations (such as KPTI) strengthen exactly that boundary. The performance degradation happens because a user process has to call into the kernel for many tasks, for example IO-related operations like disk access or networking (system calls), and every such transition becomes more expensive. This probably explains why a pure database workload is more impacted than a typical web application that spends much more of its time in non-IO business logic.
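To make the two points above concrete, here is an added example (not from the original post) that first reads the kernel's own report of the mitigation state from /sys/devices/system/cpu/vulnerabilities (a Linux 4.15+ interface; the sample contents used for the offline demo are constructed) and then measures how much a cheap system call costs compared with a pure user-space operation, which is the per-transition overhead KPTI increases. Run it once before and once after patching and compare the nanoseconds per syscall.

```python
"""Added example: report kernel mitigation status and time syscall transitions.
Not part of the StormForger post; the SAMPLE_SYSFS contents are constructed."""
import os
import time
from pathlib import Path

# Linux >= 4.15 exposes one file per issue (meltdown, spectre_v1, spectre_v2, ...)
VULN_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Constructed sample in the format the kernel uses, for running offline.
SAMPLE_SYSFS = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}


def parse_vulnerability_status(entries):
    """Map {issue: sysfs text} to 'not affected' | 'mitigated' | 'vulnerable'."""
    status = {}
    for name, text in entries.items():
        text = text.strip()
        if text.startswith("Not affected"):
            status[name] = "not affected"
        elif text.startswith("Mitigation:"):
            status[name] = "mitigated"
        else:  # "Vulnerable" or "Vulnerable: ..." variants
            status[name] = "vulnerable"
    return status


def read_sysfs_vulnerabilities(vuln_dir=VULN_DIR):
    """Read the real sysfs files; {} when absent (non-Linux or kernel < 4.15)."""
    if not vuln_dir.is_dir():
        return {}
    return {p.name: p.read_text() for p in vuln_dir.iterdir() if p.is_file()}


def ns_per_iteration(fn, iterations):
    """Average wall-clock nanoseconds per call of fn."""
    t0 = time.perf_counter_ns()
    for _ in range(iterations):
        fn()
    return (time.perf_counter_ns() - t0) / iterations


def syscall_vs_userspace(iterations=200_000):
    """Return (ns per syscall, ns per user-space op, ratio).

    os.lseek on an open fd is a genuine system call every time (no libc
    caching, unlike the old getpid() wrapper), so it exercises the
    user/kernel transition that KPTI makes more expensive."""
    fd = os.open(os.devnull, os.O_RDONLY)
    try:
        syscall_ns = ns_per_iteration(lambda: os.lseek(fd, 0, os.SEEK_SET), iterations)
    finally:
        os.close(fd)

    counter = [0]

    def user_op():  # comparable Python call overhead, but no kernel entry
        counter[0] += 1

    user_ns = ns_per_iteration(user_op, iterations)
    return syscall_ns, user_ns, syscall_ns / user_ns


if __name__ == "__main__":
    entries = read_sysfs_vulnerabilities() or SAMPLE_SYSFS
    for issue, state in sorted(parse_vulnerability_status(entries).items()):
        print(f"{issue:12s} {state:12s} ({entries[issue].strip()})")
    sc, us, ratio = syscall_vs_userspace()
    print(f"syscall: {sc:.0f} ns   user-space op: {us:.0f} ns   ratio: {ratio:.1f}x")
```

The absolute numbers depend on the CPU and the Python build; what matters is the change in the syscall figure between the unpatched and patched run, and that the user-space figure stays roughly constant, which is the signature of a mitigation that only taxes kernel entries.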
Determine how your performance is impacted
While not protecting against these issues is not an option, you might want to know what the performance impact, and thus the business impact, is.
Ideally you already have knowledge of the performance characteristics of your system. In that case you can compare pre- and post-patch behavior and look for potential issues, like increased resource utilization or latencies. Hint: If you are looking for a nice overview of Linux performance analysis, check out Linux Performance Analysis in 60,000 Milliseconds by Netflix.
In any case, the only way to reliably determine that your business won't be affected by the as-yet-unknown performance penalty is to run performance tests.
How to get started?
Performance testing is hard and you need to invest some time. However, to get a first impression, just create a test case for your web application or HTTP API and run it before and after applying the mitigations.
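A minimal version of such a test case, added here as an example and not StormForger's own tooling: it fires sequential GET requests at an endpoint, records per-request latency and reports mean, p50, p95 and p99 so two runs can be compared. To keep it runnable offline it starts a throwaway local HTTP server; for a real before/after comparison, point measure_latencies at your own service and keep request count, client host and network path identical between runs.

```python
"""Added example: before/after HTTP latency test with percentile summary.
Not from the original post; the local server exists only so the demo runs offline."""
import math
import statistics
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def percentile(samples, p):
    """Nearest-rank percentile (p in (0, 100]) of a list of numbers."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = math.ceil(p / 100 * len(ordered))
    return ordered[min(max(rank, 1), len(ordered)) - 1]


class _Handler(BaseHTTPRequestHandler):
    """Trivial endpoint standing in for the application under test."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_local_server():
    """Bind to a free port on localhost and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


def measure_latencies(url, requests=200):
    """Sequential requests; returns a list of wall-clock latencies in ms."""
    latencies_ms = []
    for _ in range(requests):
        t0 = time.perf_counter()
        with urllib.request.urlopen(url, timeout=5) as resp:
            resp.read()
        latencies_ms.append((time.perf_counter() - t0) * 1000)
    return latencies_ms


def summarize(latencies_ms):
    return {
        "n": len(latencies_ms),
        "mean_ms": statistics.fmean(latencies_ms),
        "p50_ms": percentile(latencies_ms, 50),
        "p95_ms": percentile(latencies_ms, 95),
        "p99_ms": percentile(latencies_ms, 99),
    }


def compare(before, after):
    """Relative change per metric; positive means slower after patching."""
    return {k: (after[k] - before[k]) / before[k] for k in before if k != "n"}


def run_local_demo(requests=100):
    """Measure the built-in server once and return the summary."""
    server, url = start_local_server()
    try:
        return summarize(measure_latencies(url, requests))
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    before = run_local_demo()   # in practice: the run on the unpatched system
    after = run_local_demo()    # in practice: the run after the mitigations
    for k, v in before.items():
        print(f"{k:8s} before={v:8.3f}  after={after[k]:8.3f}")
    print({k: f"{v:+.1%}" for k, v in compare(before, after).items()})
```

Tail percentiles matter more than the mean here: the post's database example shows a 17-23% slowdown on syscall-heavy work, and that kind of cost tends to show up first at p95/p99 on the requests that do the most IO.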
If you have any questions just drop us a line – we're happy to help!
- Google Project Zero: Reading privileged memory with a side-channel
- Official statement by Intel Corporation
- A Simple Explanation of the Differences Between Meltdown and Spectre
- Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign
Performance testing is not security or penetration testing!
StormForger's field of operation is performance testing, not any type of security testing or security auditing; please refer to experts like cure53 for that.