Mellanox Mitigates Meltdown Mess, Stops Spectre Security Slowdown


Earlier this month, major chip manufacturers announced that vulnerabilities known as Spectre and Meltdown affect processors currently deployed in millions of devices. These new security flaws open the door for attackers to access sensitive user data. The flaws are not confined to a single product line: they affect chips in everything from phones to servers and may go back more than two decades. They stem from a common design practice employed by most modern processors, which has been publicly described as allowing an unprivileged attacker to bypass memory protection restrictions. In practice, an unprivileged local attacker can read privileged memory belonging to other processes or memory allocated to the kernel.

The relevant Common Vulnerabilities and Exposures (CVE) entries for Meltdown and Spectre are: Spectre attack: CVE-2017-5753 and CVE-2017-5715; Meltdown attack: CVE-2017-5754. Full details, including links to the patches issued by OS vendors, are available at https://meltdownattack.com/ and in Vulnerability Note VU#584653.
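As an added check that is not part of the original post: on Linux 4.15 and later the kernel reports its own mitigation state for the three CVEs above under /sys/devices/system/cpu/vulnerabilities/ (files meltdown, spectre_v1 and spectre_v2). The POSIX shell function below summarises those files; the directory argument is assumed here so the function can be run against a constructed copy of the sysfs entries.

```shell
#!/bin/sh
# Added example: summarise the kernel-reported status of the three Spectre/Meltdown CVEs.
# Files read (Linux >= 4.15):  meltdown   -> CVE-2017-5754
#                             spectre_v1 -> CVE-2017-5753
#                             spectre_v2 -> CVE-2017-5715
VULN_FILES="meltdown spectre_v1 spectre_v2"

# report_mitigations [DIR]
# Prints one line per CVE: "<file> <state> <kernel text>", where state is
# vulnerable, mitigated, not_affected or unknown.  DIR defaults to the real
# sysfs path; passing another directory (assumed for testing) reads a copy.
# Returns 1 if any entry reports "Vulnerable", 0 otherwise.
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for v in $VULN_FILES; do
        f="$dir/$v"
        if [ ! -r "$f" ]; then
            # No sysfs entry: the kernel predates the reporting interface or
            # the files are not exposed; treat as unknown rather than safe.
            printf '%s unknown (no sysfs entry)\n' "$v"
            continue
        fi
        text=$(cat "$f")
        case "$text" in
            Vulnerable*)     state=vulnerable; rc=1 ;;
            Mitigation:*)    state=mitigated ;;
            "Not affected"*) state=not_affected ;;
            *)               state=unknown ;;
        esac
        printf '%s %s %s\n' "$v" "$state" "$text"
    done
    return $rc
}
```

Run `report_mitigations` with no argument on a patched host; a non-zero exit status means at least one of the three entries still reads "Vulnerable".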

Patching Causes Performance Degradation

The nature of the flaws means the fixes needed to guard against attacks slow down computers and can cause a significant decrease in server performance. According to Intel, the worst affected workloads were those “that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode”. While patches are available from major chip and OS vendors, applying them can have a major impact on workload performance. Performance testing completed by Mellanox before and after the patches were applied shows significant degradation as a result of the patch.

Fig. 1 Performance degradation on patched system

Fig. 2 Performance degradation on patched system

This can be avoided by deploying SmartNIC technologies that offload transport and memory protection processing from the CPU. With these offloads, the SmartNIC shoulders the burden of processing the TCP/IP and storage network stacks. Mellanox delivers offload technologies such as RDMA and DPDK that move TCP/IP and storage stack processing from the main system processor to the network adapter. This provides performance advantages and alleviates the performance losses typically seen when patching systems for Spectre and Meltdown. Testing of data-intensive transport processing benchmarks on InfiniBand and RoCE enabled NICs showed zero performance impact due to the security patches.

Fig. 3 Performance is maintained on systems running Ethernet offload technologies

Fig. 4 Performance is maintained on systems running InfiniBand offload technologies

Adapters that deploy network “OnLoad” technologies do exactly the opposite – burdening the CPU with networking functions that rob horsepower from business applications. As a result, many common workloads such as OLTP, database analytics and virtual machines are susceptible to performance impacts on servers that have been patched. Internal testing at Mellanox showed a performance impact of up to 47% on systems that rely on the host processor for TCP/IP and OmniPath data transfers. For further information, read: Mitigating the Performance Penalty of Spectre and Meltdown

Fig. 5 Performance is maintained on systems running offload technologies while a larger degradation of performance is seen in systems running Onload-based adapters.


Impact of the vulnerability on Mellanox Products

Mellanox diligently reviewed the potential security impact of Spectre and Meltdown on all of our relevant products. Below is an update on Mellanox's actions and status with regard to these vulnerabilities. Mellanox testing is still ongoing, and timely updates will continue to be released.

Impact of the vulnerability on Mellanox Network Adapters

Mellanox network adapters are not exploitable by the Spectre and Meltdown CVEs.

Mellanox is currently reviewing all of the released patches issued by OS vendors, and testing them to evaluate potential impact.

  • No functional or stability impact has been uncovered so far on any of the distributions tested.
  • Performance impact has been observed in some cases, especially in CPU-intensive scenarios. However, RDMA performance is not impacted, which is further proof that our core technology not only provides better performance but is also more secure.

Impact of the vulnerability on Mellanox switches (InfiniBand and Ethernet)

Mellanox switch ICs are not affected by the Meltdown or Spectre vulnerabilities.

Mellanox switch systems impact:

  • Externally managed InfiniBand switches and PPC-based switch systems are not susceptible to these attacks.
  • x86-based Ethernet switches use Intel CPUs, and as such are potentially susceptible to these attacks. However, exploiting this vulnerability requires running custom code on Mellanox switches.
    • Systems running MLNX_OS
      • When not running virtual machines (VMs) or Docker containers, the switches are used as closed systems with no shell access, and as such are not vulnerable.
      • When running virtual machines (VMs) or Docker containers, the switches are potentially vulnerable. Customers may avoid exposure by following Mellanox security guidelines, including using only trusted software distributions on VMs and not allowing containers privileged shell access.
      • Mellanox is carefully investigating the released patches, and will release software updates as soon as they are available.
    • Systems running Cumulus
      • Please refer to updates issued by Cumulus Networks.
    • Systems running SONiC
      • Please refer to updates issued by Microsoft/SONiC.

Impact of the vulnerability on Mellanox BlueField systems

BlueField includes a multicore Arm Cortex-A72-based subsystem. Arm has publicly identified the Cortex-A72 as not susceptible to the Meltdown CVE (CVE-2017-5754), but potentially affected by the Spectre CVE variants (CVE-2017-5753 and CVE-2017-5715).

The BlueField SmartNIC fully supports secure boot and thus is not susceptible to the Spectre vulnerabilities, as unauthorized software or users do not have access to the Arm cores inside BlueField; other BlueField-based platforms are potentially susceptible to Spectre vulnerabilities if untrusted code is allowed to run on the device. Mellanox is carefully investigating the released OS patches, and will release software updates as soon as they are available.

Impact of the vulnerability on Mellanox Management Software

NEO and UFM software are not susceptible to Spectre and Meltdown vulnerabilities.

The UFM appliance is a closed system and as such is not susceptible to these vulnerabilities.

Summary

Reports of serious workload performance degradation as a result of the Spectre and Meltdown security patches range from 5% to 30%. Internal testing by Mellanox found a similar range, from 2% to 47%. This will have a huge impact on large data centers in both OpEx and CapEx, as servers will need to be replaced or additional servers added to compensate for the performance losses. Mellanox ConnectX adapters with offload technologies bypass the kernel and have a proven track record of accelerating performance. If you haven’t looked into Mellanox offload technologies before, this presents a compelling case to deploy Mellanox intelligent network adapters today. Contact your Mellanox representative to learn more about how we can help you alleviate the potential pocket-draining performance impacts of Spectre and Meltdown.

About Tim Lustig

Tim Lustig is the Director of Corporate Ethernet Marketing at Mellanox Technologies, Inc. As a professional in the networking industry, Tim Lustig has been at the forefront of marketing new networking technologies for over two decades. From his start in network and database administration to product marketing and corporate technologist roles, Lustig’s experience includes outbound marketing activities, third party testing/validation, strategic product marketing, market research, and technical writing. Lustig has written many papers and articles on multiple networking technologies, and has been a featured speaker at many industry conferences around the world. Prior to Mellanox Tim held positions at Brocade Communication as Sr. Product Marketing Manager and QLogic Corporation as the Director of Corporate Marketing. Tim Lustig currently sits on the 25 Gigabit Ethernet Consortium marketing committee where he is an industry steward for the promotion of 25, 50 and 100Gb Ethernet. Follow Tim on Twitter: @tlustig