Fending off Zombieload attacks will crush your performance
How bad is the Intel chip Zombieload security vulnerability? It depends on who you ask. But the potential is grave, with attackers being able to spy on your data. Yes, the fixes are in, but even with the operating system patches and the new microcode, to fully protect your systems from potential Zombieload attackers you must turn off Intel CPU hyper-threading.
If you don’t want your computers to run with one foot-in-the-bucket, you do not want to turn off hyper-threading. But are your systems safe without hyper-threading? Intel thinks you’d be OK. But then, what else would it say? Other companies disagree.
Canonical, the company behind Ubuntu Linux, recommended disabling hyper-threading if the system is used to execute untrusted or potentially malicious code. Of course, no one means to run such code, but if you’re on a cloud, you have no control over what your neighbor in the next virtual machine (VM) over is running. Red Hat agreed that Zombieload can be especially dangerous on clouds.
As cloud-security company Twistlock CTO John Morello said, “This vulnerability is probably of greatest impact to dense, multi-tenant public cloud providers. In single-user environments, it’s far less interesting.”
Be that as it may, Apple and Google both warned their MacOS and Chrome OS users may want to disable hyper-threading to gain full protection. In fact, Google now disables hyper-threading by default starting with Chrome OS 74.
So, if you want to really protect your systems — virtual or physical — you must turn off hyper-threading. That comes at a terrible performance price.
Even Intel admitted disabling hyper-threading will reduce your CPU performance by up to 9%. Apple has found it will knock your Mac’s speed down by “as much as a 40% reduction in performance with tests that include multithreaded workloads and public benchmarks.” The Zombieload researchers agreed. They stated that turning off hyper-threading will drop “performance for certain workloads by 30% to 40%.”
Other benchmarks also show fully guarding yourself against Zombieload will cost you a significant percentage of your speed.
How much? The Linux benchmarking site Phoronix tested workloads on Ubuntu 19.04, the newest stable release, with the patched Linux 5.0 kernel and the new Intel CPU microcode, and found that Linux, by far the most important cloud operating system, suffered serious performance problems. The geometric mean of its tests showed about “16% lower performance out-of-the-box now with these default mitigations.”
It’s often worse when you turn off hyper-threading for maximum security. The PostgreSQL benchmark, for example, found a show-stopping performance drop of almost 40%. Meanwhile, the Nginx benchmark saw a painful performance hit of about 34%.
So, should you go all the way with protecting your servers? Intel stated, “Practical exploitation of MDS [Microarchitectural Data Sampling, aka Zombieload] is a very complex undertaking. MDS does not, by itself, provide an attacker with a way to choose the data that is leaked.”
As for me, it may be complex, but with full details of the vulnerability already out there, along with proof-of-concept code, it’s only a matter of time until someone makes an easy-to-use attack program. So, I’ve already disabled hyper-threading on my cloud-based servers. I suggest you do, too.
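Before paying that performance price, it helps to know what a given Linux host actually reports. As an added example (not code from the original article), here is a small POSIX shell check that reads the kernel's MDS and SMT status files and says whether the host has the buffer-clearing mitigation in place and hyper-threading switched off, the combination the article calls full protection. It assumes a kernel patched for MDS, which exposes those two sysfs files; the sysfs root is a parameter so the function can be pointed at a constructed directory tree.

```shell
#!/bin/sh
# Report how a Linux host stands on MDS (Zombieload) and SMT (hyper-threading).
# Kernel interfaces read (present on kernels carrying the MDS patches):
#   /sys/devices/system/cpu/vulnerabilities/mds
#       e.g. "Mitigation: Clear CPU buffers; SMT vulnerable"
#            "Vulnerable; SMT vulnerable" or "Not affected"
#   /sys/devices/system/cpu/smt/control
#       on | off | forceoff | notsupported | notimplemented
# To get the "full" state permanently, boot the kernel with mds=full,nosmt
# (or mitigations=auto,nosmt) rather than toggling SMT by hand.

read_sysfs() {
    # Print the file's contents, or "missing" if the kernel does not expose it.
    if [ -r "$1" ]; then
        cat "$1"
    else
        echo "missing"
    fi
}

# mds_verdict SYSFS_ROOT   (defaults to /sys)
# Prints one of: full | partial | unmitigated | unknown
mds_verdict() {
    root="${1:-/sys}"
    mds=$(read_sysfs "$root/devices/system/cpu/vulnerabilities/mds")
    smt=$(read_sysfs "$root/devices/system/cpu/smt/control")

    case "$mds" in
        missing)        echo "unknown"; return 0 ;;      # kernel predates the MDS patches
        "Not affected") echo "full"; return 0 ;;         # CPU not affected, SMT irrelevant
        Vulnerable*)    echo "unmitigated"; return 0 ;;  # no kernel/microcode mitigation active
    esac

    # The buffer-clearing mitigation is active; full protection also needs SMT off.
    case "$smt" in
        off|forceoff|notsupported|notimplemented) echo "full" ;;
        *) echo "partial" ;;   # buffers are cleared, but sibling threads still share the core
    esac
}

# Stand-alone use: report on this host (or on a sysfs tree given as the first argument).
mds_verdict "${1:-/sys}"
```

A "partial" result means the OS and microcode patches are in but hyper-threading is still on, which is exactly the gap the article is about.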