Two days ago, an industry/academic team released a terrifying alert about a pair of CPU bugs called Spectre and Meltdown that allowed one program to steal data from another, even with the best memory-management and isolation techniques -- news that meant that virtually all the mission-critical computers in the world could no longer be trusted to handle sensitive data securely.
Both bugs attack "speculative execution" -- a performance-enhancing technique used in microprocessors, in which the processor makes shrewd predictions about operations it will be asked to undertake in the near future and does that work pro-actively, discarding the results when it guesses wrong. Because speculative execution is so important to processor speed, the initial news alerts warned that mitigation would impose up to 30% performance-hits on processors.
Yesterday, the Google Security Blog featured an analysis of two new techniques for guarding against Spectre-style speculative execution attacks: "Retpoline" ("a binary modification technique that protects against 'branch target injection' attacks") and "Kernel Page Table Isolation" ("a general purpose technique for better protecting sensitive information in memory from other software running on a machine"), both of which had been deployed to all of Google's worldwide Linux systems, which power the majority of Google's services.
On these systems, the mitigation techniques imposed "negligible impact on performance" -- a far cry from the 30% we were warned of the day before. Google warns that your mileage may vary: since these techniques guard against interference with speculative execution, they may be highly application-specific, so Google advises "thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact."
Google’s Mitigations Against CPU Speculative Execution Attack Methods [Google Help]
More details about mitigations for the CPU Speculative Execution issue [Matt Linton/Google Security Blog]
(via The Verge)
In PrinTracker: Fingerprinting 3D Printers using Commodity Scanners (Scihub mirror), a paper to be presented at the ACM SIGSAC Conference on Computer and Communications Security conference in Toronto this month, a group of U Buffalo and Northeastern researchers present a model for uniquely identifying which 3D printer produced a given manufactured object, which may allow […]
A child reportedly rode through an X-ray baggage scanner last week at the Xiaolan Railway Station in South China. According to the state-owned China Global Television Network, the young’n snuck away from his father and hopped onto the conveyor belt. Apparently he is fine. As you’ll recall, earlier this year a woman in Dongguan, China […]
When security researchers report on the ghastly defects in voting machines, the officials who bought these machines say dismiss their concerns by saying that the tamper-evident seals they put around the machines prevent bad guys from gaining access to their internals.
Speed reading isn’t just an innate skill possessed by a lucky few. Anyone can learn to speed read, and the benefits are endless. The brain can process more information than most people have time to soak up, but you can make that time now with the 2018 Award-Winning Speed Reading Bundle. The first half of […]
Sure, you could use the same old PowerPoint templates for your next business presentation. It’s not like you have bosses or investors to impress. Oh wait, you do? Time to augment that slideshow with Slideshop – the presentation tool that can individualize your pitch while saving you time. Compatible with PowerPoint, Keynote and Google Slides, […]
Multinational companies have used the no-nonsense methodologies of Six Sigma and Lean Six Sigma to oil a smooth-running operation for years. What is it? Six Sigma (and its offshoot, Lean Six Sigma) apply the principles of science to business, teaching managers to methodically target waste, maximize output and streamline the flow from producer to consumer. […]