Google has taken to its official blog to highlight some of the efforts it is currently making to mitigate the threat presented by two newly discovered kernel-level vulnerabilities found in nearly every modern technological architecture. The threats in question are, of course, Meltdown and Spectre, which involve illicit access to user data via a CPU feature referred to as speculative execution. The discussion surrounding those vulnerabilities has been going on for days and has been relatively well covered.
The news out of Google, meanwhile, is good. According to the company, its internal team – known as Project Zero – recently noted three variants on the security issue that would each need to be dealt with on an individual basis. Following that, and taking a proactive approach to the problems represented by the vulnerabilities, the company has reportedly developed a new mitigation method which it calls “Retpoline.” The search giant has already shared the development with other industry leaders and Retpoline is said to alleviate at least part of the issue by using binary modification to protect against branch target injections. Better still, Retpoline is claimed to have a minimal negative impact on performance after having been applied to Google’s own systems. Going further still, the company has now confirmed that it has deployed a more general fix in the form of Kernel Page Table Isolation across the entirety of its servers responsible for backing Google Search, Gmail, YouTube, and its Cloud Platform. Happily, the company also reports a negligible amount of performance degradation in that case as well. There had previously been some concern about whether or not performance be affected based on system calls made by a given application but Google also now reports that speculation was overblown.
It should be said that these new fixes and patches are not necessarily the end of the problem. Fixing the issue completely is going to depend almost wholly on the build-out of new architectures and new hardware designs based on those. Meanwhile, there has been a huge effort on behalf of the world’s tech giant’s to address the problems – with the most recent coming from Mozilla. But there are still plenty of patches to be applied across effectively every portion of the industry. With any luck, Google and other tech companies will continue to tackle the problem head-on and to share their respective findings with others in the industry to further the endeavor.