Another week, another devastating, industry-shaking, cybersecurity threat. This week’s is particularly haunting, though — the resurrected corpse of the Spectre and Meltdown vulnerabilities, aptly known as ZombieLoad.
It’s been over 16 months since the original Spectre and Meltdown vulnerabilities were revealed, and little has been done to assure us our PCs are safe. Each of us has to make a choice between performance and security.
That really sucks.
The Hyper-threading problem
Unlike in 2018, the major companies’ products affected by this vulnerability have responded quickly. Statements and patches from Microsoft, Amazon, Google, Apple, and Intel were all released on day one of the publishing of the discovery. It’s great to see Intel confidently announce the problem it discovered and present the available solutions to its customers.
There are, however, performance compromises to some of these solutions.
Dips in performance (or far worse) were common in the Spectre microcode patches released by Intel in 2018. That was especially true toward the beginning of the process. As in the early days of the fight against ZombieLoad and other Micro-architectural Data Sampling (MDS) vulnerabilities, we’re seeing signs of that same problem.
Now, Intel has already addressed of the issue at the hardware level in its recent 8th and 9th-gen processors, but the biggest bit of confusion has been with the issue of Hyper-threading. It’s a proprietary Intel technology that brings higher thread counts on high core-count processors and allows much better performance in complex multi-threaded applications. It’s one of the primary features that distinguishes between desktop Core i5 processors and the more expensive Core i7 desktop options. But in this case, Hyper-threading presents a possible gap for systems to leak data out of.
While Intel says Simultaneous Multi-Threading could help protect certain systems, it’s not outright recommending disabling Hyper-threading.
“Once these updates are applied, it may be appropriate for some customers to consider additional steps,” said Intel in a statement. “This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.”
There’s a serious issue with this statement. Other companies don’t agree with that evaluation. Because the vulnerability affects every Intel chip since 2008 (except for the newer aforementioned 8th and 9th-gen chips), laptop manufacturers and software developers are making their own calls. Google was the first to release an official statement saying Chrome OS 74, the latest software update for Chromebooks, will have Hyper-threading turned off completely.
Hyper-threading isn’t all that common on Chromebooks, so that might not strike you as a big deal. But what about your pumped-up Core i9 MacBook Pro? Or how about your $4,000 iMac Pro? Apple was the second to recommend its customers disable Hyper-threading. Its instructions for “full mitigation” of the vulnerability include disabling the feature entirely, resulting in a drop in performance by as much as 40%. That’s based on Apple’s own performance with “tests that include multi-threaded workloads and public benchmarks.”
You do, however, get the option. As Apple states, it might depend on how “high risk” your security is. Intel says the decision to disable hyper-threading will depend “on each individual’s security requirements.” If you’re a government agency or a banking institution, maybe that’s an easy decision. But for the average person, it’s a bit more ambiguous.
How much do you really care about your security? That’s the question begged by this entire scenario. Enough to throw away 40% of your computer’s performance? Enough to install the software patches but not go through the “full mitigation?” In certain situations — let’s say you’re a freelance video editor, for example — that drop in performance could be akin to throwing away profits because videos will take longer to encode and edit.
You must choose
When you zoom out from the experience of just one person, the problem compounds. Will the next version of Hyper-threading be ZombieLoad-proof? What about other future technologies? It’s an existential crisis for the entire industry. Improving performance has been the name of the game in computing. We have a need for speed that makes it hard for companies like Intel, AMD, Nvidia, or Qualcomm to take the gas off the pedal.
It’s not unlike the situation we currently face with privacy. Most of us are all too aware of how our data is taken and used, often without our consent. Yet, we’re rarely willing to trade convenience for privacy. It’s a price most of us just aren’t willing to pay.
In the long run, I have a hard time seeing us behaving differently when it comes to security. And that could become a cataclysmic problem for consumer tech.