Intel recently disclosed vulnerabilities related to its Microarchitectural Data Sampling technique (another speculative execution attack vector) and Apple has rolled out an advisory that full mitigation of MDS may reduce performance by up to 40% in some cases. While hardware level mitigation is present in 8th Generation Intel processors and above - this does spell trouble for security conscious users running 7th gen hardware and below.
Intel 8th Generation and higher processors have hardware-level mitigation for MDS with no performance deterioration
Intel Hyper Threading is the feature most closely associated with the MDS attack vector and while turning it off wont keep you safe from all speculative execution attack vectors, it will protect you from this particular variant. Here is what Apple had to say about the situation:
Intel has disclosed vulnerabilities called Microarchitectural Data Sampling (MDS) that apply to desktop and notebook computers with Intel CPUs, including all modern Mac computers.
Although there are no known exploits affecting customers at the time of this writing, customers who believe their computer is at heightened risk of attack can use the Terminal app to enable an additional CPU instruction and disable hyper-threading processing technology, which provides full protection from these security issues.
This option is available for macOS Mojave, High Sierra and Sierra and may have a significant impact on the performance of your computer.
Testing conducted by Apple in May 2019 showed as much as a 40 percent reduction in performance with tests that include multithreaded workloads and public benchmarks. Performance tests are conducted using specific Mac computers. Actual results will vary based on model, configuration, usage, and other factors.
We reached out to Intel to get their official response and this is what they had to say about the matter:
Microarchitectural Data Sampling (MDS) is already addressed at the hardware level in many of our recent 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable Processor Family. For other affected products, mitigation is available through microcode updates, coupled with corresponding updates to operating system and hypervisor software that are available starting today.
When these mitigations are enabled, minimal performance impacts are expected for the majority of PC client application based benchmarks. Performance or resource utilization on some data center workloads may be affected and may vary accordingly.
Once these updates are applied, it may be appropriate for some customers to consider additional steps. This includes customers who cannot guarantee that trusted software is running on their system(s) and are using Simultaneous Multi-Threading (SMT). In these cases, customers should consider how they utilize SMT for their particular workload(s), guidance from their OS and VMM software providers, and the security threat model for their particular environment. Because these factors will vary considerably by customer, Intel is not recommending that Intel® HT be disabled, and it’s important to understand that doing so does not alone provide protection against MDS.
We’ve provided more information on our website and continue to encourage everyone to keep their systems up to date, as its one of the best ways to stay protected. Let me know if you have any follow-up questions.
So as it stands right now, if you are in the security conscious camp, you have two choices. You can either upgrade to an Intel 8th Generation or higher processor or you can turn off hyper threading. Unfortunately however, since turning off hyper threading will not protect you against the rest of the speculative execution related threads, there is no real point in doing so and earning the performance cost.
Ever since the Meltdown and Spectre reveals, a brand new branch of attacks has been opened for security researchers to exploit in modern processors and it will take a couple of generations before the semiconductor industry can iron out the kinks and roll out hardware level mitigations for these. Interestingly, almost all of these attacks have to do with processors guessing how a certain instruction is going to end in advance and if the veracity of these attacks is anything to go by - they are pretty good at it!
