It’s been a long week since we first learned about the now infamous Spectre and Meltdown chip vulnerabilities. One of the issues with mitigating the danger these vulnerabilities pose is that they could result in serious performance degradation. In a blog post today, Google claimed their solutions resulted in no performance degradation across the different mitigation techniques they have developed.
The company’s Project Zero team discovered the chip vulnerabilities last year as it outlined in a blog post last week. As Google explained it, there are three variants here. The first two are known as Spectre and the third as Meltdown. The spooky nicknames just add to the drama of this entire event.
Every chip has a protected area which prevents one application from seeing what another is doing. This is by design to protect critical security information like usernames, passwords and encryption keys. These vulnerabilities have the potential to leave this information exposed if exploited correctly.
As Google so aptly pointed out, these vulnerabilities have been in place inside modern chips for 20 years. It’s worth noting that there hasn’t been a documented case of anyone exploiting these issues, but security experts point out, it would be difficult to track if it had happened.
With its head start on this issue — a luxury not every vendor had, by the way — the company was able to come up with solutions for Variants 1 and 3 as far back as September. With a large testbed of data, it reports neither customers nor internal users are experiencing any kind of perceptible performance degradation using Google’s platform or software services.
Of course, if your OS, browser or some other piece of the stack is causing slow-downs, it may not be attributable to Google or any cloud vendor, but it could slow you down just the same. Still, in their words, “No GCP customer or internal team has reported any performance degradation.” You don’t get much clearer than that.
Variant 2 proved to be much more challenging for the Google engineering team. For a time, the team believed the only way to protect against this exploit was to shut down speculative execution, the chip technique that was responsible for the problem. Finally, an engineer named Paul Turner from the Technical Infrastructure Group came up with a solution that came to be known as “Retpoline.”
As Google describes this, “With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimizations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.”
To its credit, the company has shared all of its research and solutions publicly, even going so far as open sourcing the Retpoline solution.
Earlier today, Intel announced it discovered some performance hits after implementing its own mitigation solutions at the chip level. The tests were run on Windows 7 and Windows 10, and the performance issues depended on which chip and which type of job you were running. Intel’s stock has taken a big hit since the announcement, in spite of the fact these issues affect almost all modern chips.
Google claims that they have had no performance complaints since implementing these solutions, a big win for customers. The fact they shared the solution publicly could be a big win for the industry at large.