top of page
Search
statvierolere

Testing MDS (Zombieload) Patch Status on Windows Systems: Best Practices and Tools



KernelCare started testing live patches for MDS on Friday, May 17, and they are now rolled out for all main distributions, with others shortly to follow. For the latest news, follow us on @KernelCare.




How to test MDS (Zombieload) patch status on Windows systems




Unfortunately, as our tests show below, the mitigations have had a huge impact on storage speeds on systems with Intel processors, affecting the times it takes your SSD to do everything from loading games to copying files. In test after test, we saw Intel's storage performance dive several percentage points after last year's Spectre / Meltdown patches and then lose a few points more with the new Zombieload fixes. Where AMD, which hasn't suffered from all of these vulnerabilities, trailed Intel in storage performance before patches, it has now caught up or even moved ahead on many workloads.


To find out just how much the patches affect storage performance and how team blue stacks up to team red in storage performance, we ran some tests with two desktops: one powered by an Intel Core i7-9700K and the other by an AMD Ryzen 7 2700X.


It's noteworthy that the Core i7-9700K we used for testing isn't a Hyper-Threaded processor. Intel advises that customers in riskier environments should disable Hyper-Threading to ensure 100% protection from the latest vulnerabilities, so the performance impact can be higher than outlined here. Intel's 9700K also has in-silicon mitigations that help reduce the impact of some previous vulnerabilities, so be aware that older processors will lose more performance that outlined below. AMD's processors are immune to the MDS vulnerabilities, but do lose a minimal amount of performance from the existing Spectre patches.


We recently conducted a fresh round of testing with all of the latest Spectre and Meltdown patches for another article, but just days after, Intel announced the latest Microarchitectural Data Sampling (MDS) vulnerabilities, more broadly called Zombieload, RIDL, and Fallout.


We have two sets of data for comparison today. One test configuration consists of Windows 10 64-bit, OS Build 17763.504 with Meltdown and Spectre patches disabled via the InSpectre application on the Intel system, representing a "clean" unpatched system. We also tested with all Meltdown, Spectre, and MDS mitigations enabled with that same Windows build on both systems.


We included our original testing on the Intel system with with Windows OS Build 17763.475 and the Spectre and Meltdown patches enabled, but without the MDS patches. This will allow us to see the impact of the latest round of mitigations compared to the previous patches.


In our game load test, there is a 6.2% reduction in Intel's performance with the Meltdown/Spectre patches enabled, and about a 1% additional loss when we add the MDS patches to the mix. That's bad news for Intel because now the AMD system takes a 4% lead.


In SYSmark 2018, Intel drops 2.6% in the overall performance score after we enable the patches. But even more telling, Intel loses nearly 6% in the system responsiveness metric, which measures snappiness. This stems directly from sensitivity to storage changes more than the other aspects of the test. These aren't huge changes overall, but it gives AMD a 1% lead in the overall score and a 2% lead in responsiveness.


Now we'll turn to synthetic tests to see just how the patches resulted in the lower performance in the real-world workloads above. CrystalDiskMark (CDM) is a simple file size benchmarking tool that offers plenty of measurements for comparison.


Sequential performance at a queue depth (QD) of 32, which represents a very heavy load you won't see often on a PC, shows no difference in performance with the Meltdown/Spectre patches toggled on and off. But Intel lost 14% of its performance when we tested at a more realistic QD of 1. This means that transfers of a single file will see a significant slowdown. Looking at how the new MDS patches have impacted performance over the previous implementations, we see another 1% reduction in performance.


Unfortunately, 4K random performance is impacted the most. This is, by far, the most common type of file access inside an operating system, like Windows, so it is a disappointing sign. At a high QD of 64, we see an 18% loss in read performance and a 12% loss in write performance, but this heavy load isn't common for a PC. Most PC workloads fall in the QD1-2 range, and workstation users can hit upwards of QD8. When testing at these lower QDs, we see a staggering 41% reduction in read and write performance from enabling the Meltdown/Spectre patches. Adding in the new MDS fixes, we can see an additional 2.5% to 6% performance loss.


In particular, at the request of Intel, we withheld the following details on the original RIDL/MDS disclosure date: TSX Asynchronous Abort (TAA). Intel's TSX hardware feature can be used to efficiently mount a RIDL attack even on allegedly non-vulnerable CPUs (with hardware mitigations). Alignment faults. These can be used to trigger an exception, giving an attacker yet another way of leaking data. This attack vector seems to be fixed in the latest generation of Intel CPUs. Flawed MDS mitigation. The initial mitigations against MDS clear the buffers by writing stale, potentially sensitive, data into these buffers, allowing an attacker to leak information despite mitigations being enabled. The RIDL test suite. We can now release the RIDL test suite at Impact TL;DR: an attacker can mount a RIDL attack despite the in-silicon mitigations/microcode patches published in May 2019 being in place.


It says that it canbe fixed by yum update or update the kernel to the latest version, Whil it is still showing the same vul? I also ran the insights-client just to make sure the status is current.Thanks


For this research, it is important to understand the context and setup for these performance tests. The goal is to understand the impact of the MDS mitigations. In a VDI environment, this means patching at the hardware level, virtualization layer, and guest OS. Because at the time of testing there was no patch available for the hardware we used, we only tested the impact of patching the hypervisor (VMware vSphere) and the guest OS (Windows 10 build 1809).


When the patches are applied to both the hypervisor and the guest OS, we see an increase in both read and write IO, which is not as expected. The average host commands/sec decreases again when enabling SCAv1 but increases again when SCAv2 is enabled. It is interesting to see what the differences are when only the first 20 minutes of the tests are compared, when the host is not saturated in any scenario.


When comparing only the first 20 minutes of the Login VSI tests, the average host commands per seconds increases with 30 to 36%. These results are more representative of the real impact of the MDS patches.


If you want to have the fix applied, just install the latest Windows Updates and make sure the KB created for your Windows version is listed to be installed (Updates will be pushed towards your system if it has been configured this way). For the list of KB patches which should be installed for each specific Windows version, please check -us/security-guidance/advisory/adv190013.


Before getting to the benchmarks looking at the overall impact of the mitigations to date, first is looking at the MDS on/off costs on various systems while keeping Hyper Threading active. These tests were done on Ubuntu 19.04 using its newest stable release updates bringing a patched Linux 5.0 kernel and the new Intel CPU microcode images.


Amazon AWS has reportedly been patched up against the attacks. Server-side workloads are most likely to be at risk and affected by potential exploitative attacks, which could yet again push AMD, which is unaffected by the latest vulnerability, to gain market share from its dominant rivals with EPYC.


Microsoft continues to address this vulnerability involving the windows installer elevation of privilege in Windows operating systems. Similarly to the announcements in recent weeks, a new vulnerability has been discovered. Microsoft has yet to patch this vulnerability.


Microsoft has announced and released its standard monthly security roll-up for May 2018. In it are critical updates for two vulnerabilities that were considered zero-day status until this release. These two specific vulnerabilities are unique in that they are currently being exploited in the wild. In addition, it is noteworthy that there are twenty-one (21) other critical vulnerabilities remedied in this update. As a result, Canon Medical strongly recommends to install these latest security patches to all product systems as soon as possible.


US-CERT advises that the changes to accommodate/remediate this issue could impact one or more of our applications. As patches become available, we will test our applications in their context and provide our customers with any specific cautions or additional instruction.


I expect you to die, Mr Intel, Phoronix has been testing chips to see how bad Spectre and Meltdown patches harmed the performance of CPUs and the news is horrible for Intel.


AMD, in other words, now leads the aggregate performance metrics, moving from 3rd and 4th to 1st and 3rd. The cumulative impact of these patches could result in more tests where Intel and AMD switch rankings because of performance impacts that only hit one vendor. 2ff7e9595c


0 views0 comments

Recent Posts

See All

Comments


bottom of page