Early this year a bomb was dropped on the internet – critical vulnerabilities in modern processors were found, which allow to steal our sensitive data (for example stored passwords). These hardware flaws can be already addressed by security patches but… the fixes themselves cause different issues. We’ve tested how exactly installation of the fixes affect GE Smallworld GIS systems.
Meltdown and Spectre – what’s going on?
In general, the flaws rely on mis-speculated execution. So far, there are three known variants of the issue:
- Speculative execution permission faults handling (CVE-2017-5754) – „Meltdown”
- Speculative execution bounds-check bypass (CVE-2017-5753) – „Spectre”
- Speculative execution branch target injection (CVE-2017-5715) – „Spectre”.
The first vulnerability (known as Meltdown) allows an unprivileged process (e.g. running on an ordinary user account) to read the contents of all system memory, including sensitive information, passwords, and other “secret” areas. The attack can work on almost all Intel processors manufactured after 1995, so the problem concerns personal computers, mobile devices, and cloud servers.
Two other flaws (called “Spectre”) allow any process to read the memory of other processes (but not the kernel data) and to steal information from them. Here, vulnerable are not only Intel CPUs but also AMD and ARM (used e.g. in smartphones) CPUs.
Currently, there are patches against the flaws for both Windows and Linux. Does it mean that the problem is solved? Unfortunately not entirely… Most reports about Meltdown and Spectre state that the fixes come with a performance cost (and that’s not all – according to the most recent news patches may even hang some systems).
How much does it impact Smallworld users?
We checked how the patches affect server with Smallworld 4.3 TSB 9 installed. Our team conducted limited performance tests using simple architecture system. Tests were done on a PC running Windows 10 Professional 1709 with:
- Intel i7-7700 3.6 GHz (4 cores / 8 threads)
- RAM 16 GB DDR4
- SSD NVMe 256 GB
Smallworld Core version 4.3 with the latest TSB 9 update was installed. To do the tests we used demonstration Cambridge database that comes with the product. To begin, we tested the SWMFS performance on the operating system without Meltdown/Spectre fixes in scenarios:
- average duration of three full Cambridge database backups
- average duration of synthetic read and write using the swmfs_test tool (1,000,000 blocks).
The results
The average duration of Cambridge database backup on system without Spectre/Meltdown fixes was 5 minutes and 20 seconds. After the installation of BIOS patch and Windows update, the average backup time was 5 minutes and 55 seconds. This means that the performance drop was ~10%.
For synthetic tests with the swmfs_test tool (read and write 1,000,000 blocks) the result was:
- 66.03 seconds for system without Meltdown/Spectre fixes
- 87.68 seconds with Meltdown/Spectre patches (performance drop ~25%).
It’s important to note that synthetic tests monitor selected feature simulating server behavior at the extreme load. This may not reflect performance of real-life operations, such as inserting or searching objects in Smallworld database. The 25% performance decrease is an extreme case which probably won’t be observed during actual usage of the system.
One more important note – performance decrease is not caused by Smallworld system itself. This is just the impact of fixes which simply block selected processors operations.
What can you do with the performance drop?
Bad news is that the available security patches inevitably cripple overall performance of servers and workstations. In case of Smallworld system, the actual performance hit will be between 5% to 25%.
The best way to win back lost productivity is to firstly conduct an audit of your Smallworld environment’s performance. This includes deep-down identification and analysis of both productivity gaps and optimization opportunities. Next, implementation of fixes on various levels of Smallworld environment should follow. This is where Globema Support team can help – we have experience in such audit projects and also dev&admin tools to improve Smallworld’s operational efficency.
We can also perform Meltdown/Spectre vulnerability analysis and recommend appropriate actions (as in some cases installation of Meltdown/Spectre patches might not be necessary or even not recommended!).
