Companies disagree over Meltdown patch performance impact

January 8, 2018 // 11:27 a.m.

Tags: #azure #ec2 #epic-games #fortnite #insecurity #meltdown #microsoft #patch #security #spectre #speculative-execution #vulnerability

Companies are in disagreement over the precise impact of the workarounds required to protect systems from the Meltdown and Spectre speculative execution flaws revealed earlier this month, with some pointing to a doubling of CPU time in their workloads while others claim to have seen 'negligible impact'.

First reported ahead of its official announcement as an Intel-exclusive flaw, the security issues hitting almost every modern computer were later revealed as three variants of two core vulnerabilities: The cross-vendor vulnerabilities Variant 1 and Variant 2, together known as Spectre, and the Intel-specific Variant 3, known as Meltdown. Since the announcement, a fourth variant of Meltdown - dubbed Variant 3a - has been developed, extending the attack to selected non-Intel processors as well. In all cases, the issue is a serious one which allows unprivileged code - including JavaScript running in the browser - to access the contents of privileged memory, gaining access to passwords and other secretive data.

The ongoing release of patches and firmware updates will help to protect users, but they come at a cost: A performance impact of between five and 35 percent to selected server-centric workloads has been confirmed, with some companies reporting even higher hits from loss of the performance-boosting speculative execution instructions at the heart of the issue. Epic Games is among these: The company has issued a blog post blaming server congestion in its Fortnight multiplayer game on Meltdown, showing pre- and post-Meltdown-patch CPU usage doubling - meaning the company now has to spin up twice as many servers to support the same number of players, significantly increasing its costs.

Cloud computing companies, meanwhile, are claiming that performance impact warnings are over-egging the pudding. Microsoft has claimed that 'the majority of Azure [cloud platform] customers should not see a noticeable performance impact with this update [as] we've worked to optimise the CPU and disk I/O path and are not seeing noticeable performance impact after the fix has been applied,' while rival Amazon says similar of its own Elastic Compute Cloud (EC2). Google, too, claims to be witnessing 'negligible impact on performance' for 'most of our workloads'.

Work continues on mitigating the impact of the Meltdown and Spectre vulnerabilities, including adding protections against JavaScript exploitation to web browsers.

Discuss this in the forums