Earlier this month, major chip manufacturers announced that vulnerabilities known as Spectre and Meltdown affect processors currently deployed in millions of devices. These security flaws open the door for hackers to access sensitive user data. The flaws are not confined to one product line: they affect chips in everything from phones to servers and may go back more than two decades. They result from a common design practice employed by most modern processors, publicly described as allowing an unprivileged attacker to bypass memory security restrictions and gain read access to privileged memory. In effect, an unprivileged local attacker can read privileged memory belonging to other processes or memory allocated to the kernel.
The relevant Common Vulnerabilities and Exposures (CVE) identifiers are: Spectre attack, CVE-2017-5753 and CVE-2017-5715; Meltdown attack, CVE-2017-5754. Full, concise details, including links to the patches issued by OS vendors, are available at https://meltdownattack.com/ and in Vulnerability Note VU#584653.
Patching Causes Performance Degradation
The nature of the flaws requires fixes that guard against attacks but have the effect of slowing down computers, which can cause a significant decrease in server performance. According to Intel, the worst affected workloads were those “that incorporate a larger number of user/kernel privilege changes and spend a significant amount of time in privileged mode”. While patches are available from major chip and OS vendors, applying them can have a major impact on workload performance. Performance testing completed by Mellanox before and after the patches were applied shows significant performance degradation as a result of the patch.
This can be avoided by deploying SmartNIC technologies that offload transport and memory protection processing from the CPU. With these offloads, the SmartNIC shoulders the burden of processing the TCP/IP and storage network stacks. Mellanox delivers offload technologies such as RDMA and DPDK that remove TCP/IP and storage stack processing from the main system processor and move it to the network adapter. This provides performance advantages and alleviates the performance losses typically seen when patching systems for Spectre and Meltdown. Testing of data-intensive transport processing benchmarks on InfiniBand and RoCE enabled NICs showed zero performance impact due to the security patches.
Adapters that deploy network “OnLoad” technologies do exactly the opposite: they burden the CPU with networking functions that rob horsepower from business applications. As a result, many common workloads such as OLTP, database analytics and virtual machines are susceptible to performance impacts on servers that have been patched. Internal testing at Mellanox showed a performance impact of up to 47% on systems reliant on the host processor for TCP/IP and OmniPath data transfers. For further information, read: Mitigating the Performance Penalty of Spectre and Meltdown
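The workloads Intel singled out are the ones that cross the user/kernel boundary most often, so the cheapest way to see what a patch costs on a given host is to time a trivial syscall round trip before and after applying it. The program below is an added example, not Mellanox code or part of the original post: it reports the mitigation status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities (absent on unpatched or non-Linux kernels) and measures the per-call cost of getppid(), which is almost entirely privilege-transition overhead.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* Added example, not Mellanox code: read a Linux sysfs mitigation status
 * file (e.g. "meltdown", "spectre_v1", "spectre_v2"). Returns 0 and fills
 * buf on success, -1 if this kernel does not expose it. */
static int read_mitigation_status(const char *name, char *buf, size_t n) {
    char path[256];
    snprintf(path, sizeof path,
             "/sys/devices/system/cpu/vulnerabilities/%s", name);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    if (!fgets(buf, (int)n, f)) { fclose(f); buf[0] = '\0'; return -1; }
    fclose(f);
    buf[strcspn(buf, "\n")] = '\0';   /* drop trailing newline */
    return 0;
}

/* Time `iters` calls to getppid(), a syscall whose cost is dominated by
 * the user->kernel->user transition, and return nanoseconds per call.
 * Run this on the same host before and after the OS patch to quantify
 * the privilege-change penalty the page describes. */
static double syscall_ns_per_call(long iters) {
    struct timespec t0, t1;
    volatile pid_t sink = 0;
    clock_gettime(CLOCK_MONOTONIC, &t0);
    for (long i = 0; i < iters; i++) sink = getppid();
    clock_gettime(CLOCK_MONOTONIC, &t1);
    (void)sink;
    double ns = (double)(t1.tv_sec - t0.tv_sec) * 1e9
              + (double)(t1.tv_nsec - t0.tv_nsec);
    return ns / (double)iters;
}

int main(void) {
    const char *names[] = {"meltdown", "spectre_v1", "spectre_v2"};
    char status[256];
    for (size_t i = 0; i < 3; i++) {
        if (read_mitigation_status(names[i], status, sizeof status) == 0)
            printf("%-11s %s\n", names[i], status);
        else
            printf("%-11s (not reported by this kernel)\n", names[i]);
    }
    printf("getppid() round trip: %.1f ns/call\n", syscall_ns_per_call(200000));
    return 0;
}
```

Compare the ns/call figure from an unpatched and a patched boot of the same machine; the ratio is a direct measure of the transition overhead that RDMA and DPDK offloads avoid by bypassing the kernel on the data path.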
Impact of the vulnerability on Mellanox Products
Mellanox has diligently reviewed the potential security impact of Spectre and Meltdown on all of our relevant products. Below is an update on Mellanox's actions and status with regard to these vulnerabilities. Mellanox testing is still ongoing, and timely updates will continue to be released.
Impact of the vulnerability on Mellanox Network Adapters
Mellanox network adapters are not exploitable by the Spectre and Meltdown CVEs.
Mellanox is currently reviewing all of the released patches issued by OS vendors, and testing them to evaluate potential impact.
- No functional or stability impact has been uncovered so far on any of the distributions tested.
- Performance impact has been observed in some cases, especially in CPU-intensive scenarios. However, RDMA performance is not impacted, additional proof that our core technology not only provides better performance but is also more secure.
Impact of the vulnerability on Mellanox switches (InfiniBand and Ethernet)
Mellanox switch ICs are not affected by the Meltdown or Spectre vulnerabilities.
Mellanox switch systems impact:
- Externally managed InfiniBand switches and PPC based switch systems are not susceptible to these attacks.
- Ethernet x86 based switches use Intel CPUs, and as such are potentially susceptible to these attacks. However, exploiting this vulnerability requires running custom code on Mellanox switches.
- Systems running MLNX_OS
  - When not running virtual machines (VMs) or Docker containers, the switches are used as closed systems with no shell access, and as such are not vulnerable.
  - When running virtual machines (VMs) or Docker containers, the switches are potentially vulnerable. Customers may avoid exposure by following Mellanox security guidelines, including using only trusted software distributions on VMs and not allowing containers privileged shell access.
  - Mellanox is carefully investigating the released patches, and will release software updates as soon as available.
- Systems running Cumulus
  - Please refer to updates issued by Cumulus Networks.
- Systems running SONiC
  - Please refer to updates issued by Microsoft/SONiC.
Impact of the vulnerability on Mellanox BlueField systems
BlueField includes a multicore Arm Cortex-A72-based subsystem. Arm has publicly identified Cortex-A72 cores as not susceptible to the Meltdown CVE (CVE-2017-5754), but potentially affected by the Spectre CVE variants (CVE-2017-5753 and CVE-2017-5715).
BlueField SmartNIC fully supports secure boot and thus is not susceptible to the Spectre vulnerabilities, as unauthorized software or users do not have access to the Arm cores inside BlueField; other BlueField based platforms are potentially susceptible to Spectre vulnerabilities if untrusted code is allowed to run on the device. Mellanox is carefully investigating the released OS patches, and will release software updates as soon as available.
Impact of the vulnerability on Mellanox Management Software
NEO and UFM software are not susceptible to Spectre and Meltdown vulnerabilities.
The UFM appliance is a closed system and as such is not susceptible to these vulnerabilities.
Reports of serious workload performance degradation as a result of the Spectre and Meltdown security patches range from 5% to 30%. Internal testing by Mellanox found a similar range, from 2% to 47%. This will have a huge impact on large data centers in both OpEx and CapEx, as servers will need to be replaced or additional servers added to compensate for the performance losses. Mellanox ConnectX adapters with offload technologies bypass the kernel and have a proven track record of accelerating performance. If you haven't looked into Mellanox offload technologies before, this presents a compelling case to deploy Mellanox intelligent network adapters today. Contact your Mellanox representative to learn more about how we can help you alleviate the potentially pocket-draining performance impacts of Spectre and Meltdown.