Security Mitigations and SPEC benchmarks

SPEC has received questions asking how reported computer security vulnerabilities and their mitigation impact SPEC benchmarks and results. Below, in a question and answer format, is a summary of SPEC's current approach and recommendations.

Q1: What is SPEC doing with regard to reported computer security vulnerabilities and their mitigation?

As noted on www.spec.org, SPEC is a non-profit corporation formed to establish, maintain and endorse standardized benchmarks and tools to evaluate performance and energy efficiency. SPEC also reviews results as to their compliance with run rules and, after review, publishes (on www.spec.org) rule-compliant results from SPEC benchmark licensees. Note that SPEC does not perform any testing of its own, nor does SPEC provide editorial comment or judgement on rule-compliant results; thus, in the context of security vulnerabilities and their mitigation, SPEC expects:

SPEC is not expecting to provide a summary of performance impacts, nor evaluations of the functionality or performance impacts of security mitigations provided by various vendors.

Q2: What actions has SPEC taken?

For certain benchmarks, SPEC has required results published on its web site to provide information about mitigation status. The list of benchmarks and the general format of this information are described in Q7 below.

Q3: Why only the listed SPEC benchmarks?

SPEC has chosen not to take action for any of the SPEC benchmarks that have been retired and for which SPEC is no longer accepting submissions. For some active SPEC benchmarks, there are no requirements at this point in time.

Q4: What are these security vulnerabilities?

More information on the security vulnerabilities can be found at the Common Vulnerabilities and Exposures (CVE) website (https://cve.mitre.org) as well as on websites like Wikipedia. SPEC identifies them on the benchmark results disclosure by CVE identifier (e.g., CVE-2017-5754) and by colloquial name (e.g., Meltdown).

Q5: Why is SPEC only looking at these vulnerabilities?

These are the security vulnerabilities that, in SPEC's view, were/are of most interest to the consumers of SPEC benchmark results.

Q6: I plan on running a SPEC benchmark; what should I do about the security issues?

If you are planning on running a SPEC benchmark, be aware of the rules for that particular SPEC benchmark. In particular, be aware that for rule-compliant runs the configuration being tested must be recommended for running a class of programs that includes programs other than the SPEC benchmarks. The configuration must also be available, documented and supported. Be aware of what your hardware or software vendors have communicated with regard to patches for these issues; some vendors may require patches to maintain support.

Q7: I plan on publishing results measured with a SPEC benchmark; what should I do?

As mentioned above, the published results need to be compliant with the SPEC rules at the time of publication (and general availability requires availability for a certain period of time after publication). If publishing by submitting to SPEC, you will need to ensure that your run and your method of reporting conform to the benchmark license and rules. In light of the security issues mentioned, SPEC would emphasize the following things:

Additionally, to give readers of the SPEC website additional information with which to evaluate the results, SPEC will require notes of the following general form in the "General Notes" section of the benchmark submission for the following benchmarks: ACCEL, Cloud IaaS 2016, CPU2017, JBB2015, jEnterprise2010, MPI2007, OMP2012, SFS2014, SPEC VIRT_SC 2013.

The specific format can be confirmed with SPEC prior to or during the submission process. The above documentation requirements may change from time to time. SPEC may add to the above list, or may remove mitigations from the above list if they become ubiquitous. If you apply a patch but disable it fully or partially, the answer to the corresponding question should be No, not Yes. Answering "No" to any of these questions does not make the result automatically unpublishable, but the submitter should expect that SPEC will ask for more information to verify that the system as tested is supported. Answering "NA" is an assertion that the system as tested is not subject to this security vulnerability. Note that SPEC may request further information in such cases; for example, pointers to public statements from the vendor that assert that the particular CVE is not relevant for that system. To facilitate publication, SPEC may require submitters to actively participate in the SPEC results review process.

Some benchmarks allow publication outside the SPEC web site. For such results, the rules still apply and SPEC may ask licensees to provide clarification or additional information.

Q8: What will SPEC do with previously published results on the SPEC website?

SPEC is not planning to automatically add additional information to existing results, nor will SPEC automatically indicate that historical results are non-compliant. SPEC believes there is value in a historical database; SPEC does not automatically take any action with regard to results as systems are retired by vendors or software is revised. If there is a belief that a result on the SPEC website is non-compliant, SPEC should be contacted with details about the result and the reasoning for the concern.

Q9: How should I compare results in light of these patches?

Any public comparisons that are made with SPEC benchmarks are expected to follow the SPEC Fair Use rules (https://www.spec.org/fairuse.html). These rules include a requirement about how comparisons should be made (https://www.spec.org/fairuse.html#Comparisons), which includes having a basis for the comparison made. SPEC expects that, by requiring the additional information mentioned to be in public results, people will be able to make informed comparisons.

Q10: If I want more information, what should I do?

If you have questions about the performance of a specific system in light of the security issues or patches, you should contact the hardware and/or software vendors. If there are questions about the SPEC submission and results process, please contact SPEC at: info@spec.org.