Meltdown and Spectre

Scenario

This product pack assists with managing vulnerability to Meltdown and Spectre.

  • Determine the status of an endpoint, i.e. whether the mitigation patch has been applied, whether it is active for Meltdown, for Spectre, or for both, and whether the CPU has microcode support for the Spectre mitigation and PCID support for the Meltdown mitigation.
  • Capture endpoint performance both before and after the patch is applied and visualise it, so that it is quick and easy to see whether a patched endpoint has performance problems after the patch.

Product Pack notes:

Meltdown: What is the status of the Meltdown patch on target devices?

The patch status instruction returns six columns:

  • Whether the patch for Meltdown/Spectre has been installed
  • Whether the endpoint is fully protected against both Meltdown and Spectre
  • Whether the endpoint is protected against Meltdown, and whether it is protected against Spectre. If the fully-protected value is FALSE, these two columns show the protection status for each vulnerability independently
  • Whether the updated CPU microcode that mitigates Spectre is available to the endpoint
  • Whether the CPU supports the PCID/INVPCID instructions, which optimise TLB flushes and minimise the overhead of the Meltdown patch

The patch status instruction uses a PowerShell script, check.ps1, which in turn wraps an executable, scheck.exe, that retrieves the patch statuses. This executable uses the same APIs as Microsoft's Get-SpeculationControlSettings PowerShell cmdlet.
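As an added illustration (not the product pack's check.ps1 or scheck.exe), the following PowerShell derives those six columns from the object returned by Microsoft's Get-SpeculationControlSettings cmdlet. It assumes the SpeculationControl module is installed (Install-Module SpeculationControl) and that the script runs elevated; the property names are those of the module's original release.

```powershell
# Added illustration, not the product pack's own check.ps1 / scheck.exe.
# Assumes the SpeculationControl module is installed and the session is elevated.
# Property names follow the original module: BTI* = Spectre (branch target
# injection), KVAShadow* = Meltdown (kernel virtual address shadowing).

function ConvertTo-PatchStatusRow {
    param([Parameter(Mandatory)] $Settings)

    # Meltdown: protected when KVA shadowing is present and enabled, or when the
    # CPU does not require it at all (KVAShadowRequired is $false).
    $meltdown = (-not $Settings.KVAShadowRequired) -or
                ($Settings.KVAShadowWindowsSupportPresent -and $Settings.KVAShadowWindowsSupportEnabled)

    # Spectre: OS support must be present AND enabled. "Enabled" only becomes true
    # once updated microcode is exposed to the OS (BTIHardwarePresent), so a patched
    # endpoint that still lacks new microcode correctly reports FALSE here.
    $spectre = $Settings.BTIWindowsSupportPresent -and $Settings.BTIWindowsSupportEnabled

    [pscustomobject]@{
        PatchInstalled     = [bool]($Settings.KVAShadowWindowsSupportPresent -and $Settings.BTIWindowsSupportPresent)
        FullyProtected     = [bool]($meltdown -and $spectre)
        MeltdownProtected  = [bool]$meltdown
        SpectreProtected   = [bool]$spectre
        MicrocodeAvailable = [bool]$Settings.BTIHardwarePresent
        # Caveat: the cmdlet reports whether KVA shadowing is *using* PCID, not the
        # raw CPU capability, so this stays FALSE until the Meltdown mitigation is active.
        PcidSupported      = [bool]$Settings.KVAShadowPcidEnabled
    }
}

function Get-MeltdownSpectreStatus {
    Import-Module SpeculationControl -ErrorAction Stop
    # The cmdlet prints a human-readable report to the console and returns a
    # settings object; only the object is captured here.
    $settings = Get-SpeculationControlSettings
    ConvertTo-PatchStatusRow -Settings $settings
}

# Constructed sample input (not captured from a real endpoint): the OS patch is
# installed and KVA shadowing is active, but no updated microcode is present.
$sample = [pscustomobject]@{
    BTIHardwarePresent             = $false
    BTIWindowsSupportPresent       = $true
    BTIWindowsSupportEnabled       = $false
    KVAShadowRequired              = $true
    KVAShadowWindowsSupportPresent = $true
    KVAShadowWindowsSupportEnabled = $true
    KVAShadowPcidEnabled           = $true
}
ConvertTo-PatchStatusRow -Settings $sample | Format-List
```

Run Get-MeltdownSpectreStatus on a live endpoint to produce the same six-column row from real settings.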

Performance: Capture performance snapshot over 30 minutes
  • The performance instructions use the command-line interface (logman) to the performance monitoring subsystem.
  • The performance capture instruction starts performance logging on the endpoint(s). The performance counters captured are those specified in the ‘default.config’ file included in the instruction resources. You can amend this file to capture additional counters or to change the counters collected. Note that if you do this, you also need to modify the performance display instruction.
  • The contents of this file, as shipped, are
    • “\Processor(_Total)\% Privileged Time”
    • “\Processor(_Total)\% Processor Time”
    • “\System\Context Switches/sec”
    • “\System\Processor Queue Length”
  • The performance counters are collected with a sample interval of 1 minute for 30 minutes. You can change this by amending the ‘startlogging.ps1’ script, which is a resource in this instruction. Performance data is saved to a timestamped CSV file on the endpoint (i.e. there is an additional column with a timestamp for each row).
Note:
  • Be aware that if you change the configuration file, the data collection interval or the total time, and want to visualise (i.e. graph) the collected results, visualisation currently cannot handle aggregation bins smaller than 1 minute for timestamped data, and charts cannot display more than 90 points per data series. Plan your data collection to fit within these constraints.
  • If you want to preserve series ordering, you also cannot visualise data series whose row identifier is not a timestamp. Series ordered by anything other than a timestamp will be automatically sorted by Tachyon’s visualisation processing.
Performance: Display captured performance snapshot
  • The performance display instruction retrieves the most recent CSV file captured. If performance capture is still running, capture is stopped when this instruction is run. You can run the instruction multiple times; it will always retrieve the most recent capture.
  • The ‘mapping.txt’ file is used to convert the column headers in the CSV to simpler text descriptions that can be managed by Tachyon. You should change this file, and the associated ‘process.ps1’ PowerShell script resource, to match any performance counters that you add or change in the capture instruction.
  • The contents of this file, as shipped, are
    • TimeStamp
    • PrivTime
    • CPUTime
    • ContextSwSec
    • QueueLength
Note:
  • The PowerShell script assumes that a column named ‘timestamp’ needs additional processing, because the captured timestamps appear to be in US locale format and can’t be serialised to ISO 8601 format without some processing.
  • The QueueLength result is not currently visualised.
  • When editing this instruction, the visualisation JSON can be edited by selecting Templates using the TIMS tool.
  • Tachyon visualisation requires that all columns to be visualised are aggregated. You can see the aggregation specification by selecting Aggregation while editing this instruction in TIMS.
  • You do not have to visualise performance results. If you wish, you can modify this instruction to return raw data by removing the visualisation template JSON.

See https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in for more information.