Meltdown, Spectre & Hana
This is not the first time that a security advisory has revealed the vulnerability of PCs and servers. In the case of Meltdown and Spectre, however, many serious IT experts are talking about a security GAU because, although containment of the threat is and will be possible, the effects cannot yet be assessed.
The difference to previous security problems: Meltdown and Spectre are not about fixing an "annoying" programming error, but about a fundamental architectural decision of the processor design.
Calculation steps that the processor executes optionally and predictively are not equally secure and comprehensively protected as the "official" program code. So that no time is lost waiting for intermediate results, most modern multi-core processors calculate possible results as a "busywork" in anticipatory obedience.
What is not needed is sorted out. What is necessary is then already ready. Unfortunately, this anticipatory diligence task is carried out in the "no man's land" of the processor, where correct results are produced, but to the exclusion of all safety measures.
Future analyses will show to what extent the repair of Meltdown and Spectre will be urgent and necessary because this Security-GAU can be used by criminal machinations. For a Hana user, on the other hand, a completely different question arises: Will the "repair" affect the performance of the Hana database?
Derived from the public knowledge about Meltdown and Spectre and the solutions to eliminate the vulnerability either on BIOS or operating system level, it can be seen that the processor performance is definitely reduced.
The renowned IT journal "Magazin für Computer-Technik" (c't) has already been able to perform some tests, which were published in the issue of January 20 this year. The result summarized:
You will hardly notice a significant performance drop on the PC in simple office functions, it can rarely happen in computer games, but clear and noticeable performance drops can be observed in very intensive input/output commands, as they primarily occur in the database environment.
Hana is an in-memory computing database that depends predominantly on the speed of the processor and the size and speed of the caches and main memory.
Theoretically, therefore, repair measures (patches) at processor level including BIOS (Basic Input/Output System) and operating system level (Linux from Suse and Red Hat) can significantly influence the overall performance of the Hana database.
If the Hana database runs in a virtualized system environment (hypervisor), the measures in a VMware system are of course also decisive.
The existing Hana customer should therefore find answers on SAP's service marketplace, which SAP has developed together with partners Intel, IBM, Suse, Red Hat and VMware. Wrong - see screenshot.
SAP's silence in the place where the existing customer first looks for advice and help is worrying: Does SAP not know or does SAP not want to say anything about it? How vulnerable are the Hana systems? Why are Intel and IBM, on whose processors Hana runs, silent?
According to current knowledge, Meltdown and Spectre will have an impact on all in-memory computing databases. This means that Hana (on-premise and cloud) is primarily affected by this security disaster.
The current situation is very unpleasant and worrying for all existing customers in this respect, because SAP is trying to shift the responsibility to the certified Hana server manufacturers and operating system suppliers, see text of SAP Note 2586312.
SAP Note: 2586312
Linux: How to protect against speculative execution vulnerabilities? (Version 3 from January 19, 2018)
In early January 2018, a design flaw in modern CPUs was disclosed. By exploiting this design flaw, user mode applications can gain access to any physical memory, even if the memory is mapped in kernel mode only and thus should not be accessible. The design flaw manifests in several bugs, referred to as Common Vulnerabilities and Exposures. These bugs cannot be fixed in the CPUs themselves, but require both microcode and OS kernel updates. Affected are recent and older CPUs from Intel (Xeon) and IBM (Power), among others.
SAP strongly recommends to follow the recommendations and apply the updates provided by the hardware vendors, virtualization vendors and OS distributors as appropriate. These updates may impact the system's performance. In virtualized systems, both host OS as well as guest OS should be patched and both can affect performance. The severity of the performance regression depends on the workload and on the CPU type. In virtualized systems, host OS as well as guest OS can be affected.
Contact the vendor of your server. Look for a BIOS update which includes microcode patches for the actual CPU bug(s). Several servers may require a complete disconnect from power after certain BIOS updates which ship new microcode. Refer to the installation guide for the BIOS update.
Contact the operating system distributor.
Install the required patches and reboot your host.