How AWS deals with the Intel CPU security flaws

Posted on Wednesday, December 11 2019 @ 10:53 CET by Thomas De Maesschalck
Over at AWS re:Invent, The Register had an interview with Chris Schlaeger, Amazon AWS director of kernel and operating systems, about what it's like to protect the service from the batch of speculative execution bugs found in Intel processors.

Linux kernel maintainer Greg Kroah-Hartman recently advised disabling Intel's Hyper-Threading to solve some of the issues, but Schlaeger said this is simply not an option at AWS, as disabling Hyper-Threading results in a 30-40 percent hit. Schlaeger notes they have in-memory databases that are scaled to max out the box. If they take away 30-40 percent of the performance, this will kill clients' applications. As such, Amazon has no other option than to have a large team of security professionals working on nothing other than dealing with the fallout of the CPU vulnerabilities:
"That's where you need to look at the fine print of these [vulnerabilities]. They come with a lot of detail. Even the detail that Intel provides is often not enough to understand what is going on, and in which particular situation you are or are not affected by. So the past two years I have a large team of security experts that do nothing else but deal with the fallout. They make sure that in our environment, we are still able to keep it safe without turning off hyper-threading."

Schlaeger added: "It is a daily battle we have to fight. In our environment we well know what we are doing, how we use the hypervisor, how the guests are allocated to the physical cores. We have found a way to keep things safe so there are no side-channels for the existing [issues]."
AWS has tried to get its in-house patches to the Linux community, but enthusiasm was reportedly limited because the patches were designed for the narrow use case of AWS services. You can read it over here.

