Google details how it protected services like Gmail from Spectre
Google says it already deployed anti-Spectre and Meltdown solutions to protect its products, and users didn’t even notice. The downside of the patches companies are rolling out to fix the CPU vulnerabilities is that they have the potential to slow down systems. For the big G, that means slowdown for huge services like Gmail, Google Drive and Search and its Cloud products. Mountain View had to gather hundreds of engineers working across the company to find a way to protect its products. After a few months, they found a solution for Meltdown and the first variant of Spectre (two of the three vulnerabilities), which they then started rolling out way back in September. Google says it didn’t get any complaint reporting performance degradation after it deployed the fix.
However, the second variant of Spectre proved a lot more problematic. Google’s engineers thought the only way to protect against it was to switch off the CPU features that made the chips vulnerable to attackers. Unfortunately, doing that slowed down applications considerably and caused inconsistent performance, so the tech titan had to look at unusual or “moonshot” solutions. It found the answer in Retpoline, a technique conjured up by Google Senior Staff Engineer Paul Turner, which “modifies programs to ensure that execution cannot be influenced by an attacker.”
Retpoline allowed Google to protect its services from the second variant of Spectre without having to modify source codes or to switch off hardware components. And by December, the company was done rolling our protections against all three variants. Google reiterates that it received no support tickets related to the updates, but then again, people might have attributed their complaints to other things if they didn’t know about the flaws.
Google considers this set of vulnerabilities the “most challenging and hardest to fix” it’s had to deal with in the past decade. That it was able to find solutions for them relatively quickly demonstrates just how powerful the company is. Thankfully, the tech titan isn’t keeping Retpoline a secret: it has shared its research with other tech companies in hopes that it “can be universally deployed to improve the cloud experience industry-wide.”