Follow Datanami:
January 8, 2018

How ‘Meltdown’ and ‘Spectre’ Will Impact Analytics

(Jaiz Anuar/Shutterstock)

Organizations ramping up plans to employ big on-premise or cloud-based clusters to crunch big data sets are in for a nasty surprise thanks to the recently disclosed “Spectre” and “Meltdown” security vulnerabilities, which impact nearly all processor architectures developed over the last two decades.

The semiconductor industry shocked the world last week when a pair of extremely critical security vulnerabilities were disclosed. The flaws, dubbed Spectre and Meltdown, were discovered about six months ago to impact every processors that use speculative execution methods to boost multi-threaded performance. The researchers discovered they could get CPUs to disclose the contents of supposedly secure data stored in memory by implementing so-called “side-channel” attacks.

As chipmakers rushed to finish the first batch of security patches for the flaws last week, the full scope of the situation came into view. Here’s the net of it:

While the patches from Intel, IBM, AMD, ARM, and Apple  that have shipped (or soon will ship) should mostly plug the security holes that Spectre and Meltdown can exploit, they can also reduce overall performance by considerable amounts – in some cases up to 50%, according to reports.

Of course, the devil is in the details, and the exact penalty that users will absorb will vary with the workload and the data. It’s also worth keeping in mind that an architectural change is needed to fully protect against Spectre, which is the more severe of the two flaws, though it is reportedly also harder to exploit. There’s also the specter of additional flaws in CPUs being discovered, leading to more patches (and possibly more performance hits) over the coming months and years.

Side-channel attacks that exploit Spectre and Meltdown vulnerabilities can disclose private data — even passwords and cryptographic keys (Pinglabel/Shutterstock)

So how bad will the medicine taste? Intel, which makes the only chips susceptible to Meltdown, said the patches to the vulnerabilities carry a negligible performance cost. “The performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time,” Intel stated in a press release.

That press release also contained quotes from Apple, Microsoft, Amazon, and Google, all of which said there’s not much to worry about in the performance department. “Our testing with public benchmarks has shown that the changes in the December 2017 updates resulted in no measurable reduction in the performance of macOS and iOS as measured by the GeekBench 4 benchmark,” Apple stated.

A little more detail was released by Red Hat, whose Linux distribution is used for many production big data workloads running on X86 clusters. The company released the results from benchmark tests it conducted specifically to measure the impact. The results show the biggest impact will be felt by OLTP and database applications that use a lot of highly cached RAM and buffered I/O. The performance impact of the patches for these applications will vary from 8% to 19%, it said.

Database analytics, decision support systems, and Java virtual machines will experience a “modest” impact of 3% to 7%, Red Hat said, while HPC will suffer only a 2% to 5% hit “because jobs run mostly in user space and are scheduled using CPU-pinning or NUMA control,” the company said.

Qubole, which provides a Hadoop-as-a-service environment that runs on AWS and Microsoft Azure (and soon Google Cloud Compute), says it worked with cloud partners to ensure that all computing resources were patched, since Meltdown and Spectre are equally likely to affect big data deployment on premises and in the cloud.

“While concerns of potential security attacks have been raised, Qubole has proactively evaluated these risks and have found no impact to the services that we offer our customers,” Andrew Daniels, Qubole’s chief security officer and VP of IT and security, tells Datanami. “We believe that there should be negligible impact to customers using Qubole services because the performance risks are primarily centered around data loading and not processing.”

The patches appear to be taking a hit on NoSQL database performance already. Ben Bromhead, a CTO in San Francisco, tweeted that CPU utilization and latency on his 30-node Cassandra cluster running on AWS spiked following application of the patches (see embedded tweet below).

It appears that chipmakers have been favoring performance over security for years. Paul Kocher, who was one of several researchers to independently discover the Spectre vulnerability, says choices are being made for people. “The processor people were looking at performance and not looking at security,” he told Bloomberg. “It makes you shudder.”

Related Items:

Big Data Security: Progress Is Made, But Is It Enough?

Security Concerns Grow As Big Data Moves to Cloud