Paul Nashawaty

What You Need to Know About Spectre, Meltdown, and Data Storage

By now, you’ve probably heard about Spectre and Meltdown, two vulnerabilities that were recently discovered by Jann Horn and a team from Google’s Project Zero. These are not software viruses, but hardware bugs that exploit critical design flaws in Intel, AMD, ARM and POWER chips that will impact every single computer made in the past 20 years, as stated by Amazon.

To state the obvious, but because processors handle extremely sensitive data, including passwords and encryption keys, an attack on a computer chip can quickly turn into a serious security concern for computer systems of every size—including phones, laptops, desktop systems, and hyper-converged data storage systems. The following is an overview of the two hardware vulnerabilities and how it may impact you and the performance of your storage devices.

Meltdown Creates Mayhem on CPU Performance

According to Daniel Gruss, a researcher at Graz University of Technology and one of the people responsible for discovering it, Meltdown is one of the worst bugs ever found for a CPU. It primarily affects Intel and ARM chips, where it can breach the CPU and steal sensitive application data, such as passwords, from the machine kernel. The way it works is Meltdown breaks through the isolation between user applications and the operating system. It is then able to access the memory, and thus other programs on the operating system, and steal data being processed on the computer. Meltdown is dangerous because anything running as an application can break through and steal your data, even a Javascript script running on a web page on any given browser. This makes Meltdown dangerous for users and easy for hackers. Although it is relatively easy to protect against Meltdown, it will cost you in terms of CPU performance.

Elusive Spectre Is Harder to Mitigate

Spectre is slightly different from Meltdown, although it poses a similar type of threat as Meltdown in that it can exploit the processor to obtain secure application information. It affects all processors and is the more dangerous threat of the two because even though it requires more knowledge to set up, it is less understood and harder to mitigate. Spectre breaks the isolation between different applications and allows hackers to fool the applications (even the stable versions of the respective application) running on a machine to give up secret information from the Kernel module of the operating system.

The Good News and the Bad News

The good news is that according to the UK’s National Cyber Security Centre, no trace of Meltdown or Spectre has been detected on any machine around the globe. The bad news? These attacks are so sensitive that they are difficult to detect. Other cybersecurity experts predict that hackers will quickly develop programs to start attacking users, now that the vulnerabilities are public. The good news? Leading tech companies from Apple to Red Hat are already releasing fixes at the time of this publication.

The Impact to DataCore Performance

As mentioned, there is a general consensus that mitigation efforts for Meltdown and Spectre will create performance degradation. Could this impact previously published benchmark results for DataCore storage devices? The Storage Performance Council (SPC -1) leveraging Transaction Processing Performance Council (TPC) benchmark involves two components: a host running Windows or Linux generating the load and the test system. The load generator will likely be using kernel services at high frequency and as a result will incur an extra cost as a result of a mitigation. Extra resources may need to be added in order to re-create the same load. This does not invalidate previously published results since, in general, benchmarks are designed to determine the performance of the system under test rather than the load generator. In general, though, it is likely that reproducing benchmarks published by some vendors will not be possible. If the system under test is external, it could be considered a “closed” system, which means the cost of mitigation will be borne by the hosts and the storage device performance under test will not be affected.

We believe that SPC-1 will continue to produce comparable and reliable indicators of storage performance, even when mitigation is applied. In other words, as vendors continue to produce SPC-1 results, we can expect SPC-1 to continue to produce a reliable indication of device performance, comparable to current and previous results—but vendors may need to use more hosts to produce their results.

Key Security Takeaways

In the event that a DataCore installation has been compromised, the risk of data under management being exposed currently appears to be almost zero.  In order for Meltdown to gain unauthorized access, the memory needs to have a virtual address assigned to it, which is not the case for the DataCore cache.

A virtual address will be assigned temporarily to individual cache buffers when performing specific operations on a snapshot, replicating data, or allocating storage to a thinly provisioned volume, but this is released as soon as the operation is complete. Given that the reported data access rate using Meltdown is up to 503KB/s, it is implausible that an attacker would be able to identify a temporary mapping and extract data in the time available.

Spectre is based around manipulating the CPUs “branch prediction” to force an application to speculatively execute unintended code paths and leak private information from the application.  For this to work, the attacker needs to be sharing the CPU with the application, perhaps through hyper-threading. There is currently no effective software workaround to completely protect against this type of attack. However, the information about Spectre suggests that network-based attacks are conceivable, but has not been demonstrated in practice with any reports of real-world attacks.


Learn More

Want to learn more about the impact of apply these patches to your DataCore-powered servers? Visit our FAQ 1671 on our support main page or contact our support team.

Get a Live Demo

Talk with a solution advisor about how DataCore SDS can make your storage infrastructure modern, performant, and flexible.

Request Live Demo

Related Posts
 
Mike East
The Role of Monitoring and Analytics in Success 2.0
No matter what the emerging trend is in our industry, one of the constants is building core competencies around elegant solutions that empower storage administrators…
 
A New Challenge for IT: Supporting the Consumerization of Healthcare
Earlier this year, the U.S. Department of Health and Human Services proposed new rules for the seamless and secure access, exchange, and use of electronic…
 
Rizwan Pirani
Transforming Data into Actionable Insights
Powerful analytics tools with visualization features and data insight services are driving a new paradigm in business decision-making, and are already having a positive impact…