
Google Cloud Offers Updates on Spectre & Meltdown Flaws

Scott Ferguson

While the recently disclosed Spectre and Meltdown vulnerabilities found in x86 microprocessors have sent Intel and its fellow chip makers scrambling to address the issues, the big cloud providers, especially Google, have managed to weather the storm better.

When these CPU flaws were first discovered earlier this month, the big public cloud players -- Amazon Web Services Inc., Microsoft Azure and Google Cloud Platform -- all launched software patches to try to protect customer data residing in their clouds. (See Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)

In announcing those initial patches, Google noted that its Project Zero team had begun looking at and addressing some of the problems related to Spectre and Meltdown in 2017.

On January 11, the Google Cloud team published a lengthier post detailing some of the additional steps the company has taken to address the issue since December. For customers, the good news is that almost no one noticed what Google did under the hood.


"By December, all Google Cloud Platform (GCP) services had protections in place for all known variants of the vulnerability," according to the post. "During the entire update process, nobody noticed: we received no customer support tickets related to the updates."

The flaws that became known as Spectre and Meltdown were first detailed in a research paper published by Graz University of Technology in Austria. The research found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the contents of kernel memory. (See New Intel Vulnerability Hits Almost Everyone.)

The security concern is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.

As many have noted, this flaw has been known for about 20 years. The issue, however, is that chips cannot be patched and the correction has to be done through software and the operating system, which includes Windows, Linux and macOS. In turn, this has caused shutdown and performance issues in different devices. (See 'Spectre' & 'Meltdown' – What Cloud Users Need to Know.)

The Google Cloud team was looking to avoid all that.


Especially with the Spectre flaw, the vulnerability meant that different applications utilizing the CPU could "see" each other's private memory. This could expose data in one app to the other and allow a hacker to see that information. There are about three variants of this particular flaw, and Google's engineers worried most about Variant 2.

However, Paul Turner, a software engineer who is part of the Technical Infrastructure group, came up with an approach called Retpoline, a binary modification technique that prevents branch target injection. This kept performance largely intact and ensured that an attacker could not take advantage of the flaw by manipulating the execution commands.

As Google explained:

With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.

With Retpoline in place, Google rolled out the patches almost unnoticed through its cloud infrastructure in December, before news of the vulnerability spread in early January.
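For administrators who want to confirm that a Linux host reports a Retpoline-based mitigation for Variant 2, the following is an added example, not code from the article or from Google. It assumes the Linux kernel's sysfs vulnerability files (a kernel interface the article does not mention), and the sample status lines are constructed in the kernel's reporting format.

```python
import os
import re

# Linux sysfs interface for CPU vulnerability status (not mentioned in the article).
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample lines in the kernel's reporting format, not captured from a real host.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, RSB filling",
}

def classify(line):
    """Map one sysfs status line to (state, detail)."""
    line = line.strip()
    if line.startswith("Not affected"):
        return ("not_affected", "")
    if line.startswith("Mitigation:"):
        return ("mitigated", line[len("Mitigation:"):].strip())
    if line.startswith("Vulnerable"):
        return ("vulnerable", line[len("Vulnerable"):].lstrip(":, ").strip())
    return ("unknown", line)

def uses_retpoline(spectre_v2_line):
    """True only when Variant 2 is reported mitigated and the detail names retpoline."""
    state, detail = classify(spectre_v2_line)
    return state == "mitigated" and re.search(r"retpoline", detail, re.I) is not None

def read_status(directory=SYSFS_DIR):
    """Read every status file; {} when the kernel does not expose the directory."""
    if not os.path.isdir(directory):
        return {}
    status = {}
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            continue  # unreadable entry: skip rather than abort the audit
    return status

if __name__ == "__main__":
    status = read_status() or SAMPLE  # fall back to the constructed sample off-Linux
    for name, line in sorted(status.items()):
        state, detail = classify(line)
        print(f"{name:20} {state:13} {detail}")
    v2 = status.get("spectre_v2", "")
    print("retpoline active:", uses_retpoline(v2))
```

A status line that mentions retpoline but begins with "Vulnerable" is deliberately not counted as protected.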


— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.
