We’ve talked a bit about Meltdown and Spectre already, so if you aren’t familiar, you can catch up with our older article on the subject.
In quick terms, these two exploits are what Google call two of the most complex flaws in the past decade.
Those are tough words.
With so many of Google’s services being driven by servers running on Intel chips, this type of exploit is not something that Google could afford to take lightly. As a matter of fact, they have already patched their servers and most users probably never even took note.
With the standard fix to both Meltdown and Spectre involving some pretty significant workarounds that cause up to 30% hits in performance, Google was looking down the barrel of a very serious issue for services like Google Drive, Gmail, or Google Cloud Services.
What To Do?
Instead of taking the hit and possibly sacrificing performance across its services, the folks at Google dug in and put hundreds of engineers on solving the issue. Keep in mind, before these exploits became public knowledge, they were found out months before and fixes have been in the works ever since.
The solution for Meltdown and the first variant of Spectre were patched months ago, and no one really noticed at all.
But what about that second Spectre variant? The one that proves so tricky to fully guard against? For this vulnerability to be fully fixed, it was initially thought a requirement to switch off the CPU features that made the chips vulnerable to attackers, slowing down processes significantly.
However, as Google began to explore more expanded ideas around a solution, Google Senior Staff Engineer Paul Turner came up with a solution called Retpoline, which “modifies programs to ensure that execution cannot be influenced by an attacker.”
Reptoline allowed Google to patch against the second, more difficult variant of Spectre with no ill effects on performance. The update happened in December, and Google claims they have had no issue since the fix was rolled out.
Google Being The Good Guys
Probably my favorite part of this whole story is the fact that Google isn’t keeping Reptoline to itself. From The Keyword:
In sharing our research publicly, we hope that this can be universally deployed to improve the cloud experience industry-wide.
With many large players in the cloud computing game like Amazon, Microsoft, IBM and Google, you could easily imagine a scenario where Google kept Retpoline to itself as a competitive advantage. Instead, they’ve chosen the high road and the entire industry will be better off for it.
If you recall, in my original article, I supposed that there would eventually be some brilliant individuals who would come up with a permanent and proper fix for all this. It seems, at least for the cloud portion of the equation, Google has done just that.
With so much of what we do daily on our Chromebooks revolving around a properly-functioning cloud system, I for one am very glad to see that this is the case.
Well done, Google.