While many companies are working hard to patch the Meltdown and Spectre vulnerabilities in their systems, Google says that it has already deployed anti-Spectre and Meltdown solutions to its products, and more interestingly, users didn’t even notice anything had happened.
Right now, the downside of the patches companies are issuing to fix the CPU vulnerabilities is that they have a high potential to slow down systems. For Google, this would mean a slowdown of services like Gmail, Google Drive, Search and its cloud products. So how exactly did Google manage this?
Well, the company gathered hundreds of engineers to find a way to protect its products. After months of work, the company found a solution for Meltdown and the first variant of Spectre (two of the three vulnerabilities) and started rolling out patches back in September. Google says that it didn’t receive any complaints of degraded performance after deploying the fix.
While Google didn’t notice problems with the fix for the first variant of Spectre, the company did find the second variant to be quite problematic. Google’s engineers initially thought that the only way to protect against the second variant was to switch off the CPU features that made the chips vulnerable to attack. The downside is that doing so would slow down applications considerably and cause inconsistent performance. That’s when Google engineers looked into “moonshot” solutions. The company found the answer in Retpoline, a technique conjured up by Google Senior Staff Engineer Paul Turner, which “modifies programs to ensure that execution cannot be influenced by an attacker.”
The Retpoline technique allowed Google to protect its services from the second variant of Spectre without having to modify source code or switch off hardware components. By December, Google was done rolling out protections against all three variants of Spectre. Google said that it considered this set of vulnerabilities the “most challenging and hardest to fix” within the past decade.
Fortunately though, Google isn’t keeping the Retpoline technique a secret. The company is sharing its research with other tech companies in hopes that it “can be universally deployed to improve the cloud experience industry-wide.” Needless to say, other tech giants will definitely pick up this Retpoline technique and look into it.