Service Provider Cloud

Google Cloud Offers Updates on Spectre & Meltdown Flaws

While the recently disclosed Spectre and Meltdown vulnerabilities found in x86 microprocessors has sent Intel and its fellow chip makers scrambling to address the issues, the big cloud providers, especially Google, have managed to weather the storm better.

When these CPU flaws were first discovered earlier this month, the big public cloud players -- Amazon Web Services Inc. , Microsoft Azure and Google Cloud -- all launched software patches to try and protect custom data residing in their cloud. (See Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)

In those initial patches, Google noted that its Project Zero team had begun looking at and addressing some of the issues related to the Spectre and Meltdown issues in 2017.

On January 11, the Google Cloud team published a lengthier post detailing some of the additional steps the company has taken to address the issue since December. For customers, the good news is that almost no one noticed what Google did under-the-hood.

(Source: Pixabay)
(Source: Pixabay)

"By December, all Google Cloud Platform (GCP) services had protections in place for all known variants of the vulnerability," according to the post. "During the entire update process, nobody noticed: we received no customer support tickets related to the updates."

The flaws that became known as Spectre and Meltdown were first detailed in research paper published by Graz University of Technology in Austria. The research found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory. (See New Intel Vulnerability Hits Almost Everyone.)

The security is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.

As many has noted, this flaw has been known for about 20 years. The issue, however, is that chips cannot be patched and the correction as to be done through software and the operating system, which includes Windows, Linux and the macOS. In turn, this has caused shutdown and performance issues in different devices. (See 'Spectre' & 'Meltdown' – What Cloud Users Need to Know.)

The Google Cloud team was looking to avoid all that.

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

Especially with the Spectre flaw, the vulnerability meant that different applications utilizing the CPU could "see" each other's private memory. This could expose data in one app to the other and allows a hacker to see that information. There are about three variants to this particular flaw and Google's engineers worried most about Variant 2.

However, Paul Turner, a software engineer who is part of the Technical Infrastructure group came up with an approach called Retpoline, a binary modification technique that prevents branch-target-injection. This allowed key performance issues to continue and ensured that an attacker could not take advantage of the flaw by manipulating the execution commands.

As Google explained:

With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.

With Retpoline in place, Google rolled out the patches almost unnoticed through its cloud infrastructure in December before news spread of vulnerability in early January.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

kq4ym 1/20/2018 | 10:04:05 AM
Successful Updates Google's update letter was indeed a lengthy one for which I'm not sure I understood exactlly how they handled the process. But, at least they and others worked diligently on the problem and Google netes that it's "software branch prediction hints, demonstrated that this protection came with almost no performance loss," while the minimal performance loss wasn't fully explained presumably it was in fact almost none.
Sign In