Sponsored By

Google Cloud Offers Updates on Spectre & Meltdown Flaws

For the most part, Google Cloud has been able to mitigate the fallout from the Spectre and Meltdown flaws found in Intel's x86 processors, which says something about the resiliency of the cloud.

Scott Ferguson

January 15, 2018

3 Min Read
Google Cloud Offers Updates on Spectre & Meltdown Flaws

While the recently disclosed Spectre and Meltdown vulnerabilities found in x86 microprocessors has sent Intel and its fellow chip makers scrambling to address the issues, the big cloud providers, especially Google, have managed to weather the storm better.

When these CPU flaws were first discovered earlier this month, the big public cloud players -- Amazon Web Services Inc. , Microsoft Azure and Google Cloud -- all launched software patches to try and protect custom data residing in their cloud. (See Intel Chip Vulnerability Sends Cloud Providers Into Patching Overdrive.)

In those initial patches, Google noted that its Project Zero team had begun looking at and addressing some of the issues related to the Spectre and Meltdown issues in 2017.

On January 11, the Google Cloud team published a lengthier post detailing some of the additional steps the company has taken to address the issue since December. For customers, the good news is that almost no one noticed what Google did under-the-hood.

Figure 1: (Source: Pixabay) (Source: Pixabay)

"By December, all Google Cloud Platform (GCP) services had protections in place for all known variants of the vulnerability," according to the post. "During the entire update process, nobody noticed: we received no customer support tickets related to the updates."

The flaws that became known as Spectre and Meltdown were first detailed in research paper published by Graz University of Technology in Austria. The research found that by manipulating pre-executed commands within the chip, which help make data available faster, hackers can gain access to the content of the kernel memory. (See New Intel Vulnerability Hits Almost Everyone.)

The security is that this flaw can allow a hacker to gain access to encryption keys and other authentication details of whatever system the CPU is running in.

As many has noted, this flaw has been known for about 20 years. The issue, however, is that chips cannot be patched and the correction as to be done through software and the operating system, which includes Windows, Linux and the macOS. In turn, this has caused shutdown and performance issues in different devices. (See 'Spectre' & 'Meltdown' – What Cloud Users Need to Know.)

The Google Cloud team was looking to avoid all that.

Keep up with the latest enterprise cloud news and insights. Sign up for the weekly Enterprise Cloud News newsletter.

Especially with the Spectre flaw, the vulnerability meant that different applications utilizing the CPU could "see" each other's private memory. This could expose data in one app to the other and allows a hacker to see that information. There are about three variants to this particular flaw and Google's engineers worried most about Variant 2.

However, Paul Turner, a software engineer who is part of the Technical Infrastructure group came up with an approach called Retpoline, a binary modification technique that prevents branch-target-injection. This allowed key performance issues to continue and ensured that an attacker could not take advantage of the flaw by manipulating the execution commands.

As Google explained:

With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.

With Retpoline in place, Google rolled out the patches almost unnoticed through its cloud infrastructure in December before news spread of vulnerability in early January.

Related posts:

— Scott Ferguson, Editor, Enterprise Cloud News. Follow him on Twitter @sferguson_LR.

About the Author(s)

Scott Ferguson

Managing Editor, Light Reading

Prior to joining Enterprise Cloud News, he was director of audience development for InformationWeek, where he oversaw the publications' newsletters, editorial content, email and content marketing initiatives. Before that, he served as editor-in-chief of eWEEK, overseeing both the website and the print edition of the magazine. For more than a decade, Scott has covered the IT enterprise industry with a focus on cloud computing, datacenter technologies, virtualization, IoT and microprocessors, as well as PCs and mobile. Before covering tech, he was a staff writer at the Asbury Park Press and the Herald News, both located in New Jersey. Scott has degrees in journalism and history from William Paterson University, and is based in Greater New York.

Subscribe and receive the latest news from the industry.
Join 62,000+ members. Yes it's completely free.

You May Also Like