Evaluating the effects from the mitigation of the Meltdown/Spectre attacks over StorPool software-defined storage

In light of the recent disclosure of the “Spectre” and “Meltdown” attacks (also known as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754), StorPool is testing its product on the patched versions of the Linux kernel to assess whether the fixes cause performance degradation, and how large it is.

The attacks exploit a design flaw in most modern CPUs, related to the implementation of branch prediction and caching, which makes it possible to illicitly read memory and obtain other information from unrelated processes, from the kernel, or from the same application process (e.g. via JavaScript in the browser). These attacks can be used in multiple scenarios, from reading kernel memory and secret information to accessing web service credentials from another tab in the browser.

A useful paper with full information on the Meltdown attacks can be found here.

Full information on the Spectre attacks can be read here.

Currently there are known ways for the exploits to work from userspace against the kernel, from VMs in Xen against the hypervisor, and some ways to use in-kernel functionality (like eBPF) against the kernel itself. KVM virtualization seems to be vulnerable to at least some of the attacks. The severity may escalate as more resources are put into exploring the problems, and new discoveries are still coming in.

We don’t know how much KPTI, the mitigation for Meltdown, will affect specific applications and platforms. There is still uncertainty about what effect the mitigations will have on KVM performance in all of its aspects. It will be highly dependent on the workload and will hopefully improve as the changes mature.

We have already verified that the StorPool storage system, unchanged, is compatible with the changes in mainline Linux kernels 4.15 and 4.14 and in the releases from Red Hat and the CentOS project. We can confirm that StorPool seems to work as fast on the KPTI-enabled kernels as it does on the pre-KPTI kernels. It is still early to tell – there are many more combinations to verify, and we hope to have more details soon.
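
When comparing KPTI-enabled and pre-KPTI kernels as described above, each benchmark run needs to be labelled with the mitigation state the host actually booted with. The following is an added example, not StorPool's code: it assumes a kernel that exposes `/sys/devices/system/cpu/vulnerabilities` and recognises the `nopti` / `pti=off` boot parameters, and the function names are hypothetical.

```python
import json
import os

# sysfs file name -> CVE named in the post (the mapping is public knowledge,
# not something stated on the page)
SYSFS_TO_CVE = {
    "meltdown": "CVE-2017-5754",
    "spectre_v1": "CVE-2017-5753",
    "spectre_v2": "CVE-2017-5715",
}

def classify(text):
    """Reduce one sysfs status line to a coarse state."""
    text = text.strip()
    if text == "Not affected":
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # empty, unreadable or unrecognised status

def mitigation_report(vuln_dir="/sys/devices/system/cpu/vulnerabilities",
                      cmdline_path="/proc/cmdline"):
    """Return per-CVE mitigation state plus whether PTI was disabled at boot."""
    report = {}
    for name, cve in SYSFS_TO_CVE.items():
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                raw = fh.read().strip()
        except OSError:
            raw = ""  # kernel without the sysfs interface: state stays unknown
        report[cve] = {"state": classify(raw), "detail": raw}
    try:
        with open(cmdline_path) as fh:
            args = fh.read().split()
    except OSError:
        args = []
    # A run booted with PTI switched off must not be counted as a KPTI run.
    report["pti_disabled_on_cmdline"] = "nopti" in args or "pti=off" in args
    return report

if __name__ == "__main__":
    # Store this next to the benchmark output of each run.
    print(json.dumps(mitigation_report(), indent=2))
```

A state of `unknown` for all three CVEs usually means the kernel predates the sysfs interface, so the run should be labelled from the kernel version and boot log instead.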
