
From the Inside January/February 2018


Spectre and Meltdown
By now, you have probably heard all about the major bugs in Intel, ARM, and AMD processors. Since this vulnerability affects just about all processor types, you will probably need to update your phone, your tablet, your PC, and all of your servers in the coming weeks. Why and how does it affect everything?
What is this Bug About?
I hope everyone has been trying to keep up with the details of this bug, but in case you are not completely sure what it is, I'll cover the key points.
Modern (since the early 2000s) processors use what's known as "out-of-order" execution. This is somewhat similar to the way databases will read ahead on the disk to improve performance. The CPU will execute a series of instructions before the first one has been completed.
Unfortunately, an attacker can pass code that will fail and, using some trickery and the magic of caches, build and steal (at up to 500 kb/s) all of the kernel memory. This means things like passwords, which are normally secured in kernel memory, can be stolen very easily by an attacker.
Should I Patch?
This is a deadly serious bug that is easy to exploit. Patching the problem has been more complex than originally thought. Make sure you go through your normal test cycle with patch validation. None of the patches provided have gone through major testing, so there may be issues that crop up over the next year.
Here is a good comprehensive listing of patches, provided by Allan Hirt of SQLHA. Yes, I know, it's an SQL site, but he did a really good job putting together the most comprehensive reference I've seen so far.
Will This Affect My VMware Guest?
Actually, this bug can be used to read information across guest boundaries. So if one guest is running code using this exploit, it's able to access information that another guest was using.
Will This Impact My Performance?
Probably YES!
We are only just now figuring out how big of a hit we will take on speed of execution. I've talked to the MultiValue Database providers to see what their thoughts are. As of this writing, they are still evaluating. It really depends on the file types that are being used, and how your database is set up to cache frames and groups in memory. Check with your database providers to find out your options.
If you are running on virtual hardware, then there is a large chance that you will see more of an impact than databases running on bare metal.
To help with performance, Microsoft is offering a registry option to not include the microcode fixes. The advantage is that the patch would become optional, but in the longer term, if you are audited, you may be out of compliance.
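An added example, not part of the original column: a PowerShell audit of the registry override that Microsoft's guidance documents for switching the Spectre and Meltdown mitigations off. The registry path, the value names FeatureSettingsOverride and FeatureSettingsOverrideMask, and the bit meanings come from that guidance rather than from this article; Get-MitigationOverrideState is a hypothetical helper name, and treating the mask as selecting which override bits apply is an assumption.

```powershell
# Added example: report whether the Spectre/Meltdown mitigations have been
# turned off through the Windows registry override.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

# Hypothetical helper: interprets the two override values.
function Get-MitigationOverrideState {
    param($Override, $Mask)

    # Absent values: no override is set and the OS default applies.
    if ($null -eq $Override -or $null -eq $Mask) {
        return [pscustomobject]@{
            Configured = $false; SpectreV2Disabled = $null; MeltdownDisabled = $null
        }
    }

    # Assumption: only override bits that are also set in the mask take effect.
    $effective = [int]$Override -band [int]$Mask
    [pscustomobject]@{
        Configured        = $true
        SpectreV2Disabled = [bool]($effective -band 1)   # bit 0: Spectre variant 2
        MeltdownDisabled  = [bool]($effective -band 2)   # bit 1: Meltdown
    }
}

# Read the live values; a missing key or value simply yields $null.
$key      = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
$override = $key.FeatureSettingsOverride
$mask     = $key.FeatureSettingsOverrideMask
$state    = Get-MitigationOverrideState -Override $override -Mask $mask

if (-not $state.Configured) {
    Write-Output 'No override configured; OS default mitigation settings apply.'
} elseif ($state.SpectreV2Disabled -or $state.MeltdownDisabled) {
    $detail = "SpectreV2Disabled=$($state.SpectreV2Disabled) MeltdownDisabled=$($state.MeltdownDisabled)"
    Write-Warning "Mitigations disabled by registry override: $detail"
} else {
    Write-Output 'Override present and both mitigations are enabled.'
}

# Constructed sample values, for checking the logic on a machine without the keys.
Get-MitigationOverrideState -Override 3 -Mask 3
Get-MitigationOverrideState -Override 0 -Mask 3
```

A warning from this script is the condition the column describes: the fix has been made optional on that machine, which is what an audit would flag.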
All this will get better over time as software patches are released and databases are altered to run fewer kernel calls. (This is something that jBase is currently doing with their Dynamic Files).
Ultimately, the CPU chips will be fixed. Intel has already committed to a fixed chip set by the end of the year. Personally, I would wait until they have had enough of these chips running before upgrading, since I believe this will be a bigger issue to resolve than they are letting on. We have already seen lots of "rush job" patches come out of Intel, which they withdrew within 24 hours of release.
You should also read more here:


# # #          # # #          # # #

