Google Cloud Offers Updates on Spectre & Meltdown Flaws

Scott Ferguson
1/15/2018
50%
50%

While the recently disclosed Spectre and Meltdown vulnerabilities found in x86 microprocessors has sent Intel and its fellow chip makers scrambling to address the issues, the big cloud providers, especially Google, have managed to weather the storm better.

When these CPU flaws were first discovered earlier this month, the big public cloud players -- Amazon Web Services Inc. , Microsoft Azure and Google Cloud -- all launched software patches to try and protect custom data residing in their cloud. (See Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)

In those initial patches, Google noted that its Project Zero team had begun looking at and addressing some of the issues related to the Spectre and Meltdown issues in 2017.

On January 11, the Google Cloud team published a lengthier post detailing some of the additional steps the company has taken to address the issue since December. For customers, the good news is that almost no one noticed what Google did under-the-hood.

(Source: Pixabay)
(Source: Pixabay)

"By December, all Google Cloud Platform (GCP) services had protections in place for all known variants of the vulnerability," according to the post. "During the entire update process, nobody noticed: we received no customer support tickets related to the updates."

The flaws that became known as Spectre and Meltdown were first detailed in research paper published by Graz University of Technology in Austria. The research found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory. (See New Intel Vulnerability Hits Almost Everyone.)

The security is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.

As many has noted, this flaw has been known for about 20 years. The issue, however, is that chips cannot be patched and the correction as to be done through software and the operating system, which includes Windows, Linux and the macOS. In turn, this has caused shutdown and performance issues in different devices. (See 'Spectre' & 'Meltdown' – What Cloud Users Need to Know.)

The Google Cloud team was looking to avoid all that.


Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.


Especially with the Spectre flaw, the vulnerability meant that different applications utilizing the CPU could "see" each other's private memory. This could expose data in one app to the other and allows a hacker to see that information. There are about three variants to this particular flaw and Google's engineers worried most about Variant 2.

However, Paul Turner, a software engineer who is part of the Technical Infrastructure group came up with an approach called Retpoline, a binary modification technique that prevents branch-target-injection. This allowed key performance issues to continue and ensured that an attacker could not take advantage of the flaw by manipulating the execution commands.

As Google explained:

With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.

With Retpoline in place, Google rolled out the patches almost unnoticed through its cloud infrastructure in December before news spread of vulnerability in early January.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

(1)  | 
Comment  | 
Print  | 
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
kq4ym
50%
50%
kq4ym,
User Rank: Light Sabre
1/20/2018 | 10:04:05 AM
Successful Updates
Google's update letter was indeed a lengthy one for which I'm not sure I understood exactlly how they handled the process. But, at least they and others worked diligently on the problem and Google netes that it's "software branch prediction hints, demonstrated that this protection came with almost no performance loss," while the minimal performance loss wasn't fully explained presumably it was in fact almost none.
More Blogs from Scott Ferguson

For the last several years, CIOs and IT professionals have been wrestling with two specific issues as they work toward a cloud-centric future: Agile IT and the rush toward digital transformation. While enterprises want to keep innovating, finding a starting point and knowing which projects to tackle first remain a major obstacle.

To get a better handle on Agile IT and digital transformation, Light Reading Managing Editor Scott Ferguson recently spoke to two experts in these fields: Dan Kearnan, senior director of marketing for cloud at SAP, and Roy Illsley, a distinguished analyst with Ovum.

From its roots in industrial farm machinery and other equipment, John Deere has always looked for a technological edge. About 20 years ago, it was GPS and then 4G LTE. Now it's turning its attention to AI, machine learning and IoT.
Artificial intelligence and automation will become more integral to the enterprise, and 90% of all apps will have integrated AI capabilities by 2020, according to Oracle CEO Mark Hurd.
IBM is now offering access to Nvidia's Tesla V100 GPUs through its cloud offerings to help accelerate AI, HPC and other high-throughput workloads.
CIO Rhonda Gass is spearheading an effort to bring more automation and IoT to the factories making Stanley Black & Decker tools and other equipment.
Featured Video
Upcoming Live Events
September 17-19, 2019, Dallas, Texas
October 1-2, 2019, New Orleans, Louisiana
October 10, 2019, New York, New York
October 22, 2019, Los Angeles, CA
November 5, 2019, London, England
November 7, 2019, London, UK
November 14, 2019, Maritim Hotel, Berlin
December 3-5, 2019, Vienna, Austria
December 3, 2019, New York, New York
March 16-18, 2020, Embassy Suites, Denver, Colorado
May 18-20, 2020, Irving Convention Center, Dallas, TX
All Upcoming Live Events