Friday, August 11th 2023
"Downfall" Intel CPU Vulnerability Can Impact Performance By 50%
Intel has recently revealed a security vulnerability named Downfall (CVE-2022-40982) that impacts multiple generations of Intel processors. The vulnerability is linked to memory optimization features in Intel processors and is exploited through the Gather instruction, which accelerates fetching data from scattered memory locations. The flaw inadvertently exposes internal hardware registers to software, allowing malicious software to access data held by other programs. It affects Intel mainstream and server processors ranging from the Skylake to the Rocket Lake microarchitecture. The entire list of affected CPUs is here. Intel has responded by releasing updated microcode to fix the flaw. However, there is concern over the performance impact of the fix, which could slow AVX2 and AVX-512 workloads that use the Gather instruction by up to 50%.
Phoronix tested the Downfall mitigations and reported varying performance decreases on different processors. For instance, two Xeon Platinum 8380 processors were around 6% slower in certain tests, while the Core i7-1165G7 faced performance degradation ranging from 11% to 39% in specific benchmarks. While these reductions were less than Intel's forecasted 50% overhead, they remain significant, especially in High-Performance Computing (HPC) workloads. The ramifications of Downfall are not restricted to specialized tasks like AI or HPC but may extend to more common applications such as video encoding. Though the microcode update is not mandatory and Intel provides an opt-out mechanism, users are left with a challenging decision between security and performance. Executing a Downfall attack might seem complex, but the final choice between implementing the mitigation or retaining performance will likely vary depending on individual needs and risk assessments.
Source:
Phoronix
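Because the mitigation can be opted out of, it helps to confirm what state a given Linux host is actually in. The following is an added example, not code from the article, Intel or Phoronix: it classifies the Downfall (Gather Data Sampling) status that Linux kernels carrying the mitigation report through sysfs, and checks the kernel command line for the opt-out parameters. The sample inputs are constructed, and the verdict labels are this example's own.

```python
"""Audit the Linux-reported Downfall (Gather Data Sampling) mitigation state."""
from pathlib import Path

# Linux exposes the Downfall/GDS state here on kernels that carry the mitigation.
SYSFS = Path("/sys/devices/system/cpu/vulnerabilities/gather_data_sampling")
CMDLINE = Path("/proc/cmdline")
# Boot parameters that opt out of the mitigation.
OPT_OUT = {"gather_data_sampling=off", "mitigations=off"}


def classify(status, cmdline=""):
    """Map a sysfs status line and kernel command line to (verdict, reason)."""
    if status is None:
        return ("unknown", "kernel does not report gather_data_sampling")
    status = status.strip()
    opted_out = sorted(OPT_OUT & set(cmdline.split()))
    if status == "Not affected":
        return ("ok", "CPU not affected")
    if status.startswith("Mitigation:"):
        return ("ok", status)
    if status.startswith("Unknown:"):
        return ("unknown", status)  # guest: state depends on the hypervisor
    if "No microcode" in status:
        return ("exposed", "microcode update not loaded")
    if opted_out:
        return ("exposed", "opted out via " + ", ".join(opted_out))
    return ("exposed", status or "empty status")


def audit(sysfs=SYSFS, cmdline=CMDLINE):
    """Read the live state; missing files are reported, not raised."""
    status = sysfs.read_text() if sysfs.is_file() else None
    args = cmdline.read_text() if cmdline.is_file() else ""
    return classify(status, args)


# Constructed sample inputs (status line, kernel command line).
SAMPLES = [
    ("Mitigation: Microcode\n", "ro quiet"),
    ("Vulnerable\n", "ro quiet gather_data_sampling=off"),
    ("Vulnerable: No microcode\n", "ro quiet"),
    ("Unknown: Dependent on hypervisor status\n", "ro"),
]

if __name__ == "__main__":
    for status, args in SAMPLES:
        print(f"{status.strip()!r:45} -> {classify(status, args)}")
    print("this host ->", audit())
```

A host that reports "exposed" with an opt-out reason is a deliberate performance trade-off; one that reports missing microcode has simply not received the update yet.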
162 Comments on "Downfall" Intel CPU Vulnerability Can Impact Performance By 50%
Though I must admit I was expecting worse from the title of the article, potential impact on AVX2 and AVX-512 workloads seems far more limited than say, any and all workloads at least.
But regardless, I'm not sure if this is an odd thought.. but I can't shake the feeling sometimes that Intel purposely cuts corners to increase performance while increasing security vulnerabilities...
Booo.
This is a variant of Meltdown and quite bad.
There has been a trend towards security at hardware or other levels, when these are rarely (never?) exploited in the real world anyway. The best hacking tools are social engineering, user and configuration error and generally the human element. Not hardware!
Multiple admins connected to a server isn't a concern, as admins can do everything anyways.
But there is one major use case where it is; cloud providers.
This has been the case for most major bugs found in recent years, incl. Meltdown, Spectre and others, they have some potential in hypervisors (albeit often little effective), but elsewhere, like single computers and normal servers, it's not a real world problem as you said.
This is the exact reason why good security is implemented in layers. You should always expect that a single layer can be compromised at some point. And this is one of the reasons why I have said for >5 years that cloud computing is stupid, as it allows a single bug to potentially bypass all layers of security.
But I'm not saying Intel (and potentially others) shouldn't fix all such bugs in future designs, they certainly should, because if there is a future bug in a different layer, e.g. OS, driver, etc., then such bugs become very dangerous.
In generations prior to Zen 3 the previous Indirect Branch Predictor Barrier (IBPB) mitigations for Spectre are being re-used for handling this issue.
Phoronix has not completed the AMD benchmarks yet, so the actual real world impact is unknown.
The Microsoft Windows patch article states: We'll have to wait for third party benchmarks.
This sort of bug is more relevant for cloud servers where supposedly isolated VMs could eavesdrop on each other this way though as I said earlier, simply assigning whole cores to processes would make this eavesdropping more difficult.
Maybe you meant Zenbleed? But that affects Zen 2, and not Zen 3/4 as R-T-B stated ;)
Researchers have been busy eh :)
Any rate this is Intel's shitstorm, I'll leave them to it.
Anyone who has disabled Spectre/Meltdown mitigations will likely have this disabled as well, as the same registry keys will probably be used.
Fortunately AFAIK only two (the original and this) exist.
However from the OS changes it's clear that every generation is affected, see next part. It is not microcode only. Here's the Linux mitigation commit, and the AMD Whitepaper that describes mitigation strategies on previous generations.
The Linux code clearly states: Not every mitigation has a configuration knob in the kernel.
The comments here also imply some performance impact, but again - we'll need to wait for Phoronix benchmarks.