Spectre and Meltdown Impact on SQL Server


Spectre and Meltdown Vulnerabilities

The speculative execution used by modern CPUs has led to the vulnerabilities now known as Spectre and Meltdown. “Speculative execution” means that if the CPU is processing instructions A, B and C, it might execute instruction B before it has the results of instruction A. These vulnerabilities potentially allow malicious software to read what should be protected memory on an unpatched system, giving access to sensitive data such as passwords, encryption keys, or even cached data like the SQL Server buffer pool. Since speculative execution exists to boost CPU performance, removing this feature will likely impact SQL Server performance, making queries run as much as 30% slower.

It is even more difficult to mitigate Spectre and Meltdown because these CPU flaws affect nearly all modern CPUs, which means you might have to apply patches to every computer in your infrastructure. It also becomes very difficult to identify which software might be exploiting these vulnerabilities.

Patching Guidance

These critical vulnerabilities affect just about every CPU made in the last 10 years. If you are running SQL Server, the hardware underneath it is probably affected. You need to look at patching the server BIOS, operating systems, hypervisors, anti-virus clients, the SQL Server software itself, and your internet browser. All of these patches work together to mitigate the hardware vulnerability.

Another point to consider is that the vendor might not be offering a patch for your system, either because the hardware is no longer supported, the software is no longer supported, or the combination of your hardware and software is not supported. All versions of SQL Server are affected (one exception is SQL Server 2008 on Itanium, but that is fairly uncommon). Microsoft has patched versions going back to 2008, and there is little reason to believe that earlier versions aren’t affected. If you have an older version of SQL Server, you must upgrade to a newer version or accept that the system will always be vulnerable to these issues.

Microsoft has also released hardening guidance for its extensibility mechanisms such as SQL Common Language Runtime (CLR), xp_cmdshell, and R and Python execution. The SQL Server product team’s intent is that limiting where potentially exploitable code can run also limits the impact of any malicious software that reaches the server.

You can’t just assume all cloud-based versions of SQL Server are properly patched and configured either. Verification is important to your long-term employment prospects.


Performance Impact

The first thing you need to do is get a performance baseline. You should already have this data as part of your normal administrative baseline efforts, but you have to start somewhere. While you may choose to perform your baselines differently, the minimum recommendations are the following Windows and SQL Server Performance counters:

  • SQLServer:SQL Statistics\Batch Requests/sec
  • SQLServer:SQL Statistics\SQL Compilations/sec
  • SQLServer:SQL Statistics\SQL Re-Compilations/sec
  • Processor(_Total)\% Processor Time
  • System\Processor Queue Length
  • PhysicalDisk(_Total)\Avg. Disk sec/Read
  • PhysicalDisk(_Total)\Avg. Disk sec/Write
  • SQLServer:Buffer Manager\Page life expectancy

Using these counters will help you understand the performance of your SQL Server instance before you make any changes. Once you make the changes recommended by the various vendors to secure your SQL Server instance, you can collect these measurements again to see the actual impact on performance. Once you have measured the actual impact, preferably in a test or QA environment, you’ll be better equipped to report the overall performance change. These measurements could justify a decision not to apply a vendor update, or help management decide to authorize the purchase of a more powerful system.
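As an added example (not from the original post), the following PowerShell collects exactly the counters listed above into a CSV, once before patching and once after, and then reports the per-counter averages side by side with the percent change. It assumes it runs on the SQL Server host with a default instance (the “SQLServer:” counter prefix); a named instance uses the “MSSQL$<Name>:” prefix instead, and the function names and CSV paths are my own.

```powershell
# Added example, not from the original post. Assumes a default SQL Server
# instance ("SQLServer:" counter prefix); a named instance uses "MSSQL$<Name>:".
$Counters = @(
    '\SQLServer:SQL Statistics\Batch Requests/sec',
    '\SQLServer:SQL Statistics\SQL Compilations/sec',
    '\SQLServer:SQL Statistics\SQL Re-Compilations/sec',
    '\Processor(_Total)\% Processor Time',
    '\System\Processor Queue Length',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Read',
    '\PhysicalDisk(_Total)\Avg. Disk sec/Write',
    '\SQLServer:Buffer Manager\Page life expectancy'
)

# Sample every counter for the given window and write one row per sample to CSV.
function Save-SqlBaseline {
    param([Parameter(Mandatory)][string]$Path, [int]$IntervalSec = 15, [int]$Samples = 240)
    Get-Counter -Counter $Counters -SampleInterval $IntervalSec -MaxSamples $Samples |
        ForEach-Object {
            foreach ($s in $_.CounterSamples) {
                [pscustomobject]@{ Timestamp = $_.Timestamp; Counter = $s.Path; Value = $s.CookedValue }
            }
        } | Export-Csv -Path $Path -NoTypeInformation
}

# Average each counter over a saved run (CSV values come back as strings, so cast).
function Get-CounterAverages([string]$Path) {
    $avg = @{}
    Import-Csv $Path | Group-Object Counter | ForEach-Object {
        $vals = $_.Group | ForEach-Object { [double]$_.Value }
        $avg[$_.Name] = ($vals | Measure-Object -Average).Average
    }
    return $avg
}

# Side-by-side averages with percent change (e.g. fewer Batch Requests/sec, higher % Processor Time).
function Compare-SqlBaseline([string]$Before, [string]$After) {
    $b = Get-CounterAverages $Before
    $a = Get-CounterAverages $After
    foreach ($name in ($b.Keys | Sort-Object)) {
        $pct = if ($b[$name] -ne 0) { ($a[$name] - $b[$name]) / $b[$name] * 100 } else { 0 }
        [pscustomobject]@{
            Counter   = $name
            Before    = [math]::Round($b[$name], 3)
            After     = [math]::Round($a[$name], 3)
            ChangePct = [math]::Round($pct, 1)
        }
    }
}
```

Run `Save-SqlBaseline -Path C:\Baselines\before.csv` under representative load, apply the vendor patches, repeat with `after.csv`, then `Compare-SqlBaseline C:\Baselines\before.csv C:\Baselines\after.csv | Format-Table -AutoSize`. With the defaults each run samples for one hour (240 samples at 15 seconds).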

There are software tools and scripts that can help you check whether a system is affected. You need to decide the best way for you to determine whether a system has been properly patched.

Summary

You can’t avoid these vulnerabilities and pretend they don’t exist. By not investigating this security issue you could be putting your entire SQL Server infrastructure and business data at risk. You should begin investigating the impact to your environment today, and make recommendations to your management team before a malicious hacker takes advantage of your indecisiveness.
