<div dir="auto">Docker claims to have patches which have no degradation in performance:<div dir="auto"><a href="https://success.docker.com/article/how-does-spectre-meltdown-affect-my-docker-installs" target="_blank" rel="noreferrer">https://success.docker.com/article/how-does-spectre-meltdown-affect-my-docker-installs</a><br></div><div dir="auto">Here is an interesting video about making a simple container and what that container might do:</div><div dir="auto"><a href="https://m.youtube.com/watch?v=Utf-A4rODH8&t=900s">https://m.youtube.com/watch?v=Utf-A4rODH8&t=900s</a><br></div><div dir="auto">I am not saying this solves any issue. It is only a current software direction. It could be significant because there is a low-level exchange of information to these vulnerabilities; in the video (she does not use Docker, by the way) she basically tells her OS to lie about the contents of her directory.</div><div dir="auto">It is a direction of interesting development. You could, for example, isolate a job within a container which carries all sorts of fakery.</div><div dir="auto">Jonathan</div></div><br><div class="gmail_quote"><div dir="ltr">On Mon, Jul 16, 2018, 6:09 PM Chris Samuel <<a href="mailto:chris@csamuel.org" target="_blank" rel="noreferrer">chris@csamuel.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi all,<br>
<br>
This is a few days old now, but it passed me by until now.<br>
<br>
<a href="https://www.tomshardware.com/news/intel-arm-new-spectre-flaws,37436.html" rel="noreferrer noreferrer noreferrer" target="_blank">https://www.tomshardware.com/news/intel-arm-new-spectre-flaws,37436.html</a><br>
<br>
The things that caught my eye were:<br>
<br>
> The researchers noted in their paper that currently no effective static<br>
> analysis or compiler instrumentation can even detect or mitigate Spectre<br>
> 1.1.<br>
<br>
and<br>
<br>
> What the researchers are actually implying is first that software<br>
> mitigations largely depend on app developers to implement them, which means<br>
> that most applications won’t be protected, if history is any guide; second,<br>
> hardware changes will be necessary for true long-term fixes that can stop<br>
> Spectre flaws from appearing.<br>
<br>
It will be interesting to see what happens around this one, as they say that if <br>
we don't get hardware fixes we could face decades of different variations on <br>
this as software folks play whack-a-mole.<br>
<br>
So the two HPC related issues that come to mind will be:<br>
<br>
1) It'll be interesting to see what performance impacts hardware fixes for this <br>
class of attacks will be, and whether we see vendors decide that the only way <br>
to really avoid them is to drop speculative execution. If that <br>
penalty is large, would vendors perhaps look to have separate processor lines, one <br>
set with speculative execution for performance (but without protection) and <br>
one for security instead?<br>
<br>
2) Will people start to look at delaying purchasing decisions until it becomes <br>
clearer how the chip vendors are going to deal with this?<br>
<br>
This might be a more pressing concern for the cloud crowd given the higher <br>
immediate exposure, but even in HPC we can't avoid the need to address this in <br>
some way (even if it's just "we did a risk assessment and we judge it to be a <br>
low risk").<br>
<br>
Currently these new vulnerabilities are demonstrated on Intel & ARM; it will <br>
be interesting to see if AMD is also vulnerable (I would guess so).<br>
<br>
cheers!<br>
Chris<br>
-- <br>
Chris Samuel : <a href="http://www.csamuel.org/" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.csamuel.org/</a> : Melbourne, VIC<br>
<br>
_______________________________________________<br>
Beowulf mailing list, <a href="mailto:Beowulf@beowulf.org" rel="noreferrer noreferrer" target="_blank">Beowulf@beowulf.org</a> sponsored by Penguin Computing<br>
To change your subscription (digest mode or unsubscribe) visit <a href="http://www.beowulf.org/mailman/listinfo/beowulf" rel="noreferrer noreferrer noreferrer" target="_blank">http://www.beowulf.org/mailman/listinfo/beowulf</a><br>
</blockquote></div>