Security

Is there a silver bullet for Foreshadow, Spectre, and Meltdown?

Unfortunately, there are no silver bullets that can address these issues, but that is the nature of the security business’s race with cybercriminals and malware developers. Longer-term fixes to processor security architecture should address these specific issues, but they do not eliminate the possibility of new issues arising that exploit as-yet-unknown weaknesses. In the meantime, countermeasures to CPU vulnerabilities combine implementing workarounds from Intel, Microsoft, VMware, and others (depending on what systems you have deployed) with implementing ways to minimize performance impacts to your applications.

One method that we at Solarflare have found to be effective in mitigating performance impacts is to run user-space I/O drivers instead of kernel-based I/O drivers. By doing so, your applications avoid kernel context switches for I/O and therefore avoid executing the Spectre and Meltdown patches on those transitions. Our family of Universal Kernel Bypass (UKB) drivers is a good example of what user-space I/O drivers can accomplish. In our testing, we have found that our ScaleOutOnload driver improved I/O performance by up to 30% when compared to kernel-based drivers. This improvement offsets the performance hit from CPU vulnerability workarounds. While our UKB drivers can’t fix CPU vulnerabilities such as Spectre, Meltdown, and Foreshadow, they do allow organizations to implement vulnerability workarounds and still maintain system and application performance. Find out more about how we can help on our website.