Spectre and Meltdown impact on ArangoDB

48 views
Skip to first unread message

k...@ismart.fr

unread,
Jan 12, 2018, 5:29:32 AM1/12/18
to ArangoDB


Hello all,

Regarding to the recent events on security and processor performances, I'm surprise that no informations are given from the ArangoDB team.  ( I might have missed it. )

Do spectre and meltdown affect arangoDB ? (I think they do because most of the data in ArangoBD are in memory.)
Is there something to do to protect our data beside updating the OS. Is there a patch planned ?
At which performance cost come the potential security ( updating OS) ?

Sincerely,

an ArangoDB users

Simran Brucherseifer

unread,
Jan 12, 2018, 8:34:07 AM1/12/18
to ArangoDB
Dear user,

we are still benchmarking and evaluating what the impact of KPTI is on ArangoDB.

Please bear in mind that the Linux kernel 4.15 including the Meltdown/Spectre fixes has not been released yet (nor the final release candidate).

ArangoDB is no different from any other type of program in the sense that it uses memory, registers etc.
A "mostly-memory" database system is at the same risk as any other database system or other program.
Exploiting the x86 microarchitecture as described by the attacks titled Meltdown and Spectre can potentially access any data.
These types of attacks do not attempt to read directly from a system's main memory however.
But even if they did - the data handled any kind of database system passes the main memory and/or a CPU cache at some point, where it is at risk.

If we find a drop in performance with KPTI enabled, there are already ideas what can be done to improve it again.
Regarding security, you should obviously update your OS. There may also be microcode updates for your CPU, but Intel seem to have stopped the distribution because of some systems rebooting unexpectedly after updating.
I'm not sure about the status of Google's Retpoline to mitigate Spectre attacks in software using patched compilers to trap speculative execution. We will let you know as soon as we get to know more.

Best,
an ArangoDB support member

Jan Stücke

unread,
Jan 12, 2018, 8:52:52 AM1/12/18
to aran...@googlegroups.com

Quick Status update on our Spectre/Meltdown patch benchmarking.

We are currently testing the latest ArangoDB release with mmfile and rocksdb engine. These tests are time intensive and might take us definitely until next week to finish. Please note that single performance tests are highly volatile and we have to repeat them many times to publish valid findings. Hope for your understanding. 

I will let you know as soon as we published our benchmark results.



--
You received this message because you are subscribed to the Google Groups "ArangoDB" group.
To unsubscribe from this group and stop receiving emails from it, send an email to arangodb+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--

Jan Stücke
Head of Communications

Simran Brucherseifer

unread,
Apr 8, 2018, 3:23:52 PM4/8/18
to ArangoDB
Reply all
Reply to author
Forward
0 new messages