Believe it or not, the mitigations for the Spectre-class of CPU vulnerabilities are now some of the biggest enemies of system administrators.
Despite being security-focused patches, these mitigations are known to introduce huge performance hits to Linux systems.
A recent benchmark showed that just one of the many Spectre mitigations –namely the one named Single Thread Indirect Branch Predictors (STIBP)– introduced a 30 percent performance dip for PHP servers, causing system administrators to reconsider applying some of these patches.
Despite being more than one year old, the Meltdown or Spectre vulnerabilities have remained a theoretical threat, and no malware strain or threat actor has ever used any in a real-world attack.
Over the course of the last year, system and network administrators have called on the Linux project for options to disable these protections.
Many argued that the threat is theoretical and could easily be mitigated with proper perimeter defenses, in some scenarios. Even Linus Torvalds has called for a slowdown in the deployment of some performance-hitting Spectre mitigations.
The Linux kernel team has reacted positively towards these requests and has been slowly adding controls to disable some of the more problematic mitigations.
Experts argue that some processes just don’t need Spectre protections and the performance impact far outweighs the security impact, especially in closed systems where malicious code can’t be introduced, such as graphics rendering farms, off-the-grid supercomputers, and other strictly confined systems where no third-party code is ever run.
Submitted by: Arnfried Walbrecht