New Spectre variant 4: Our patches cause up to 8% performance hit, warns Intel

Intel's Spectre variant 4 patch will be off by default, but users who turn it on are likely to see slower performance.
Written by Liam Tung, Contributing Writer

Intel's upcoming microcode updates to address the just-revealed Spectre variant 4 attack are likely to put a significant drain on CPU performance.

Intel has anticipated questions about performance this time around by confirming upfront that its combined software and firmware microcode updates to mitigate Spectre variant 4 will cause a performance impact of up to eight percent.

"If enabled, we've observed a performance impact of approximately two to eight percent based on overall scores for benchmarks like SYSmark® 2014 SE and SPEC integer rate on client and server test systems," wrote Intel executive vice president Leslie Culbertson.

Spectre variant 4 is a new subclass of speculative execution attacks discovered by Jann Horn of Google Project Zero and Microsoft's Ken Johnson.

Intel calls the Spectre attack a Speculative Store Bypass and calls its mitigation Speculative Store Bypass Disable (SSBD), which is delivered as a microcode update to operating system vendors, equipment manufacturers, and other ecosystem partners.

Intel in January was less forthcoming in its communications about the performance impact caused by its mitigations for Spectre variant 2, only saying it would vary depending on the workload. However, Google found the impact to be significant and developed its own Retpoline software alternative.

Intel's current benchmarking to test the impact of SSBD was run on unspecified Intel reference hardware and an 8th Generation Intel Core desktop microprocessor.

The performance impact is four percent in the SYSmark 2014 SE overall score, two percent under the SPECint_rate_base2006 (n copy) total score, and eight percent in the SPECint_rate_base2006 (1 copy) total score.

The impact on a Skylake architecture Xeon processor is similar under these benchmarks.

But unlike Intel's updates for variant 2, the updates for Spectre variant 4, which is rated as a 'moderate'-severity issue and closely related to Spectre variant 1, will be optional and will be set to off by default. In this state, there is no impact on performance.

"We've already delivered the microcode update for variant 4 in beta form to OEM system manufacturers and system software vendors, and we expect it will be released into production BIOS and software updates over the coming weeks," wrote Culbertson.

"This mitigation will be set to off by default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option. In this configuration, we have observed no performance impact."

As Intel notes in its advisory, "SSBD provides additional protection by providing a means for system software to completely inhibit a Speculative Store Bypass from occurring if desired."

In other words, if consumers and OEMs want their hardware to be extra secure they can choose that option at the expense of performance.

Intel also notes that already-released browser mitigations against Spectre variant 1 do help mitigate variant 4. AMD similarly recommends leaving SSBD disabled.
