It is not the first time that a security notice has highlighted PC and server vulnerability. In the case of Meltdown and Spectre, however, lots of respected IT experts are talking of a security calamity. This is because, while it is and will be possible to set limits to the risks, the consequences cannot yet be estimated. The difference to previous security problems is that, with Meltdown and Spectre, it is not about eliminating an ꞌannoyingꞌ programming error. Instead, it is a fundamental flaw in the architecture, namely the processor design.
Calculation steps that the processor executes on an optional and predictive basis are not as securely and comprehensively protected as the ꞌofficialꞌ programming code is. To not lose time on intermediate results, most modern multi-core processors press right ahead in calculating possible results. They exhibit ꞌanticipatory obedience,ꞌ so to speak. What is not needed is taken out. What is necessary is then already presented and ready. Unfortunately, this anticipatory obedience takes place in the processorꞌs ꞌNo Man’s Landꞌ, where real results do emerge but these results exclude security measures.
Future analyses will show the degree to which the repair of Meltdown and Spectre becomes urgent and necessary, because this security calamity can, at least in theory, be used in numerous criminal ways . Yet a wholly different question arises for a Hana application user: will the eventual fix influence the Hana databaseꞌs performance?
Meltdown, Spectre, Performance?
Deductions can be made on the basis of knowledge in the public domain about Meltdown and Spectre, and the solutions directed at eliminating this weakness, either at BIOS or operating system level. So it can be recognized that processor performance will certainly be reduced. The highly respected c’t Magazine has already been able to conduct some tests, published in the January 20 edition this year. In summary, on simple Office functions the users are unlikely to detect a significant decrease in performance. A problem can arise for computer games, but rarely. However, for highly intensive input/output operations, which tend to dominate the database environment, users can observe clear and not insubstantial decreases in performance.
Hana is an in-memory-computing database that is mostly dependent on the processor’s speed and on the size and speed of the caches and the main memory. So, theoretically repair measures (patches) at processor level, including at BIOS (Basic Input/Output System) and operating system level (Linux by Suse and Red Hat), can significantly influence the Hana database’s overall performance capability. If the Hana database runs in a virtualized system environment (Hypervisor), the measures taken in a VMware system are also critical, of course.
Therefore the Hana customer is expected to find answers on the SAP service marketplace, drawn up by SAP together with its partners, Intel, IBM, Suse, Red Hat and VMware. To our surprise, at the time of the writing of this article, there was no helpful response available from either SAP or IBM. In the place where customers first look for guidance and help, SAP is alarmingly silent. Does SAP not know or does it not wish to say anything? How endangered are the Hana systems? Why are Intel and IBM, on whose processors Hana runs, remaining so silent? Their silence becomes even more surprising when you look at Red Hat and Suse who demonstrate a more open approach to communicating the problem. Intel has stated that their new generation of chips will at least offer some built-in protection later in 2018.
At present the state of knowledge is that Meltdown and Spectre will have consequences for all in-memory computing databases. Primarily this means that Hana (on-premise and cloud) is affected by this security calamity. The current situation is highly unpleasant and worrying for all customers.
Meanwhile, SAP is seemingly trying to shift the responsibility onto the certified Hana server manufacturers and OS suppliers, as shown in SAP Note 2586312 (V3, dated January 19, 2018) that states: Contact the operating system distributor. Install the required patches and reboot your host. These updates may impact the system’s performance.
A vague but also sobering statement considering one of Hana’s biggest selling points is performance.