IT Vendors Continue Patching to Fix Meltdown, Spectre Vulnerability

AMD is now making microcode patches available to help mitigate Spectre vulnerabilities, as Google reveals how it has worked to mitigate the performance impact.

Meltdown Spectre

More than week after security researchers first publicly revealed the Meltdown and Spectre CPU vulnerabilities, vendors are continuing to deal with the impact and are issuing patches.

The initial speculation about the CPU vulnerabilities was that they only impacted Intel CPUs. As it turns out, AMD and ARM CPUs are also impacted, though to a more limited extent. On Jan. 11, AMD announced that it would issue processor microcode updates to help provide an additional degree of protection.

While AMD is now joining the patching fray, Intel continues to deal with issues related to patches it has already made available, including flaws that have caused systems to reboot. 

AMD Patches

The Meltdown and Spectre flaws are actually three different vulnerabilities with the Meltdown flaw identified as CVE-2017-5754 and Spectre identified as CVE-2017-5753 and CVE-2017-5715. The different flaws have different impacts on various CPUs. Even as Linux developers worked quietly to patch the Meltdown issues in late 2017, AMD asserted that its silicon was not at risk. It's an assertion that AMD continue to hold a week after the flaws were first reported.

"We believe AMD processors are not susceptible due to our use of privilege level protections within paging architecture and no mitigation is required," Mark Papermaster, Senior Vice President and Chief Technology Officer at AMD stated on Jan. 11.

While AMD has stood by the claim that its' processors are not at risk from the Meltdown flaw, the Spectre flaws are a different issue. For the Spectre CVE-2017-5753 vulnerability, which is a bounds check bypass issue, AMD has stated that the issue can be contained with an operating system patch, which both Microsoft as well as Linux vendors, have made available. There have been some issues with the AMD-related Microsoft patches which triggered a halt to the patch deployment on Jan. 4. Microsoft's patches for AMD systems were largely resumed on Jan. 10.

The Spectre CVE-2017-5715 flaw is a branch target injection vulnerability, which AMD had also hoped to patch at the operating system level. As of Jan 11, AMD sees a need for microcode patches as well.

"We have defined additional steps through a combination of processor microcode updates and OS patches that we will make available to AMD customers and partners to further mitigate the threat," Papermaster stated.

Intel Updates

The patches that are already available for Intel CPUs are having mixed performance impacts on end-user systems. The initial estimates of impact on Linux server systems was anywhere from 5 to 30 percent depending on workload. On Jan. 10, Intel published some of its own testing results for the impact of the Meltdown and Spectre patches.

"Across a variety of workloads, including office productivity and media creation as represented in the SYSMark2014SE benchmark, the expected impact is less than 6 percent," Navin Shenoy, executive vice president and general manager of the Data Center Group at Intel wrote. "In certain cases, some users may see a more noticeable impact."

One of the noticeable impacts that some customers are seeing are unexpected reboots. On Jan. 11, Shenoy stated that Intel had received reports of system reboots on Intel Broadwell and Haswell CPUs.

"If this requires a revised firmware update from Intel, we will distribute that update through the normal channels," Shenoy stated. " We are also working directly with data center customers to discuss the issue."

How Google Updated

Google's Project Zero research team was among the security researchers that publicly disclosed the Meltdown and Spectre issues, yet even Google had a challenging time patching. In a detailed blog post published on Jan. 11, Ben Treynor Sloss, vice president of engineering at Google, detailed the complexity of patching while mitigating performance issues.

Google began patching for the issues in September 2017, with updates deployed across Google services including search, Gmail and Drive. Sloss noted that the CVE-2017-5715 issue, also referred to as "variant 2", was the most challenging to mitigate.

"For several months, it appeared that disabling the vulnerable CPU features would be the only option for protecting all our workloads against Variant 2," Sloss wrote.

Shutting down CPU features, meant a significant performance impact for Google, so the company came up with a solution called Retpoline.

"With Retpoline, we didn't need to disable speculative execution or other hardware features," Sloss wrote."Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker."

Google has deployed the Reptoline code across its infrastructure, to protect against the Spectre risks, while not have a negative performance impact. The Reptoline code has also been open-sourced, so that other organizations can benefit.

"This set of vulnerabilities was perhaps the most challenging and hardest to fix in a decade, requiring changes to many layers of the software stack," Sloss stated.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.