A few years ago, major CPU vulnerabilities have been identified. For some reason, nobody spends time on research in this area and tried to utilize those leaks. At the same time, CPU chip companies underestimated this issue and have not started to implement a fix for this critical issue.
The Problem
Spectre and Meltdown are something like “hacker’s paradise” because they enable critical attacks against billions of computers and set their owners at risk. No firewall or infrastructural measure will prevent you from such attacks utilizing one of both vulnerabilities. The root cause of those issue is a performance trick how CPU deals with memory. Affected CPUs are guessing a few operations more than actually required. Attackers with enough insights can utilize this and read memory from a computer without authorization. Recent research has shown that a simple JavaScript is sufficient to make use of those leaks. Independent whether you are behind firewalls or you use modern and up-to-date virus scanners, the risk of becoming a victim of those issues is omnipresent.
High performance impact after patch deployed
Meanwhile, operating system vendors such as Microsoft, Redhat and IBM have implemented patches which restricts unauthorized access to computers memory. CPU manufacturing companies are still a few steps behind and spend not enough efforts on developing solutions. Business and private individuals have to install patches from OS manufacturers on their vulnerable machines. The good news is that they fix the vulnerabilities. The bad news is that the performance impact of such patches depends on overall workload, but in general, the CPU load after patching is 20 to 50 percent higher. After all, the answer to the question whether the patches for Spectre and Meltdown will slow down speed of websites depends really on your capacity in terms of spare CPU resources and the design of your application. I’ve seen some applications which experienced a 50 percent end to end slow down, while other systems remain at the same performance level.
Don’t forget to apply those patches on all layers such as end user machines, virtual environments, physical machines and the bios.
The way out
Billions of computers are affected. Replace your hardware or deployment of available patches are the only two relevant measures against those leaks. The former and the later will have a financial impact. If you decide to proceed with the latter, consider a load and performance test to clarify if your existing hardware is still sufficient after the patches have been deployed.
Security and Performance are often closely bound to each other. As a best practice, consider performance and security testing throughout your development life cycle, repeat those tests regularly after each major change and monitor both closely on production stages. Continue doing the good work. Don forget – performance and security are a journey and not a final destination!