Two days ago, an industry/academic team released a terrifying alert about a pair of CPU bugs called Spectre and Meltdown that allowed one program to steal data from another, even with the best memory-management and isolation techniques -- news that meant that virtually all the mission-critical computers in the world could no longer be trusted to handle sensitive data securely.
Both bugs exploit "speculative execution" -- a performance-enhancing technique used in microprocessors, in which the processor makes shrewd predictions about operations it will be asked to undertake in the near future and does that work proactively, discarding the results when it guesses wrong. Because speculative execution is so important to processor speed, the initial news alerts warned that mitigation would impose performance hits of up to 30% on processors.
Yesterday, the Google Security Blog featured an analysis of two new techniques for guarding against Spectre-style speculative execution attacks: "Retpoline" ("a binary modification technique that protects against 'branch target injection' attacks") and "Kernel Page Table Isolation" ("a general purpose technique for better protecting sensitive information in memory from other software running on a machine"), both of which had been deployed to all of Google's worldwide Linux systems, which power the majority of Google's services.
On these systems, the mitigation techniques imposed "negligible impact on performance" -- a far cry from the 30% we were warned of the day before. Google warns that your mileage may vary: since these techniques guard against interference with speculative execution, they may be highly application-specific, so Google advises "thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact."
Google’s Mitigations Against CPU Speculative Execution Attack Methods [Google Help]
More details about mitigations for the CPU Speculative Execution issue [Matt Linton/Google Security Blog]
(via The Verge)