If your system is powered by an Intel CPU, you are likely vulnerable to a new breed of security vulnerability targeting the processor itself. While there are steps users can take to protect systems from these threats, the recommended fixes can result in significant hits to performance.
How the Attacks Work
There are several varieties of this particular vulnerability (Meltdown, Spectre, ZombieLoad, Fallout, RIDL, and more), but they all work in a similar fashion. Intel CPUs use a feature called “speculative execution”, which lets the processor predict which instructions and data your programs will need next and run ahead on them in order to boost performance. The processor is effectively carrying out commands before they’re called for, so that the work is already done when the request is made.
The results of this speculative work are left behind in the CPU’s onboard memory caches and buffers. The attacks above give an attacker a way to recover data from those caches, and potentially to read sensitive information directly from the processor, including passwords, encryption keys, documents, and more. A proof-of-concept demonstration of ZombieLoad even showed that an attacker could see which websites a user was browsing in real time.
This type of vulnerability affects Intel CPUs from as far back as 2011. Intel claims that some of its newer 8th and 9th-generation processors have implemented hardware-based mitigation to protect against these threats, though that claim is disputed by the researchers who uncovered the attacks.
AMD processors are much less susceptible to these attacks, though some varieties of Spectre can affect them. AMD has also begun implementing hardware-based mitigation to close these vulnerabilities.
How to Protect Your System
Intel, Apple, Google, and Microsoft have all released patches intended to close these security holes, and recommend that users update their systems ASAP to keep their data and passwords safe. The downside is that applying these patches can result in a non-negligible drop in CPU performance.
According to Phoronix, a publication focused on Linux news and reviews, performance on Intel CPUs dropped by around 16% with mitigations applied, much higher than the 3% drop experienced on AMD processors. Worse, several companies such as Google and Apple suggest disabling Hyper-Threading (Intel’s multi-threading technology) as the only way to completely protect against these attacks, but doing so dropped Intel CPU performance by nearly 50% in some tests. The CPUs tested did not have the hardware-based mitigations found in newer chips, so more recent processors may not see as dramatic a performance reduction.
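Before deciding whether the performance trade-off is worth it, it helps to know what a machine's kernel is actually doing about these vulnerabilities. The script below is an added example (not part of the original post, and not a Nodal tool) that reads the Linux kernel's own per-vulnerability status files and its SMT (Hyper-Threading) control file, which is where the mitigations and the Hyper-Threading question discussed above show up on a Linux workstation or render node. It assumes a Linux kernel that exposes /sys/devices/system/cpu/vulnerabilities/ and /sys/devices/system/cpu/smt/control; the base directory is a parameter so the functions can be pointed at a saved copy of those files.

```shell
#!/bin/sh
# Added example: summarize the kernel's reported speculative-execution
# mitigation status and the SMT (Hyper-Threading) state.
# Assumes Linux sysfs layout: <base>/vulnerabilities/<name> and <base>/smt/control.
# Default base is the real sysfs path; pass another directory to inspect a copy.

# Print one line per vulnerability file: the name and the kernel's status string.
# Typical strings are "Not affected", "Mitigation: ...", or "Vulnerable: ...".
report_vulns() {
  dir="${1:-/sys/devices/system/cpu}"
  for f in "$dir"/vulnerabilities/*; do
    [ -f "$f" ] || continue
    printf '%-22s %s\n' "$(basename "$f")" "$(cat "$f")"
  done
}

# Count the status files whose text contains "Vulnerable" (in either case).
# The kernel appends "SMT vulnerable" to MDS-class entries when Hyper-Threading
# is still on, so an unmitigated SMT state is counted here too.
unmitigated_count() {
  dir="${1:-/sys/devices/system/cpu}"
  n=0
  for f in "$dir"/vulnerabilities/*; do
    [ -f "$f" ] || continue
    case "$(cat "$f")" in
      *Vulnerable*|*vulnerable*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Exit 0 if no vulnerability file reports "Vulnerable", 1 otherwise.
all_mitigated() {
  [ "$(unmitigated_count "$1")" -eq 0 ]
}

# Report the SMT state the kernel exposes: "on", "off", "forceoff",
# "notsupported", or "unknown" if the control file is absent.
smt_state() {
  dir="${1:-/sys/devices/system/cpu}"
  if [ -r "$dir/smt/control" ]; then
    cat "$dir/smt/control"
  else
    echo unknown
  fi
}

# Stand-alone usage against the live system.
if [ "${1:-}" = "--run" ]; then
  report_vulns
  printf 'SMT: %s\n' "$(smt_state)"
  if all_mitigated; then
    echo "All reported vulnerabilities are mitigated or not applicable."
  else
    echo "$(unmitigated_count) vulnerability entries still report Vulnerable."
  fi
fi
```

Run it with `--run` on the machine in question; a status such as "Mitigation: Clear CPU buffers; SMT vulnerable" is the kernel's way of saying the microcode fix is in place but Hyper-Threading is still exposed, which is exactly the trade-off the benchmarks above measure.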
Conclusion
Nodal generally recommends taking any and all necessary steps to secure your data. In this situation the proper solution is less clear, because applying the security update patches can significantly impact system performance (and disabling Hyper-Threading amplifies this issue dramatically). In the animation/post/VFX industry where performance is paramount, users will have to decide whether the drop in CPU speed is worth it, or take steps to limit which critical data vulnerable systems are able to access.
If you have questions or concerns about these attacks, or need guidance on how to best protect your systems, Nodal can help.
For more information on these attacks and how they work, check out the writeup on Tom’s Guide. For step-by-step instructions on how to update your system to include the recommended security patches, check out Lifehacker’s guide. Additional information about Phoronix’s performance testing can be found in this article from Tom’s Hardware.