January 04, 2018

Google to the rescue!

First, Google's Project Zero researchers found the CPU-level security vulnerabilities known as Meltdown and Spectre. Now, they've found the cure... or, at least, a more efficient workaround, as reported in The Verge:
Google just gave chipmakers some much needed good news. In a post on the company’s Online Security Blog, two Google engineers described a novel chip-level patch that has been deployed across the company’s entire infrastructure, resulting in only minor declines in performance in most cases. The company has also posted details of the new technique, called Retpoline, in the hopes that other companies will be able to follow the same technique. If the claims hold, it would mean Intel and others have avoided the catastrophic slowdowns that many had predicted.
“There has been speculation that the deployment of KPTI causes significant performance slowdowns,” the post reads, referring to the company’s “Kernel Page Table Isolation” technique. “Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
[...]
That assessment is consistent with early reports from Intel, which had said slowdowns would be “highly workload-dependent and, for the average computer user, should not be significant.” Those claims were met with skepticism, with many seeing them as an effort by Intel to downplay the impact of the newly public vulnerabilities. At the same time, some early benchmarks saw slowdowns as high as 17 percent.
More recently, Intel announced it had deployed patches that would render chips immune to the new attacks, and restated that the performance impact was not significant. It’s difficult to confirm Google and Intel’s claims until the patches are deployed, but it’s significant that Google has joined the chipmaker in reporting minimal slowdowns.
As someone who met Intel's early minimal-impact claims with skepticism, I can honestly say to all Core i5 users that I'm glad to learn that the picture is looking less grim than first thought. I'm still glad to be an AMD man, though, and even more glad that Google were awake at the switch for this one. People give Google a lot of grief for sometimes acting like they've forgotten their original mission statement, but this, folks, is what they meant by "don't be evil." Not only were they not evil, they used their powers for good, and are extending help to anyone who needs it, for free.

Intel, meanwhile, is claiming to have finished patches for 90% of their products released in the past five years, which sounds a little weaksauce considering that Meltdown affects Intel products released in the last ten years, much like the firmware issue that was reported a few months ago. And there's also the small matter of Intel, who were notified about Meltdown and Spectre back in June, being led by a CEO who sold off a bunch of stock in October, before either flaw became public knowledge, as reported by MP1st, among others:
Suspiciously, Intel CEO Brian Krzanich sold off $24 million worth of stock late last year before the vulnerabilities became public knowledge. An Intel spokesperson said the stock trade was “unrelated” despite Intel knowing about the issue for five months.
Oops! I predict that the SEC will be investigating that piece of business.

Intel's stock price has, naturally, dropped as a result of all this news, while AMD's has risen, but I suspect that Intel's problems over these problems are only beginning.

UPDATE:

One minor correction: While Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently, it looks like credit for discovering Meltdown actually goes to an independent researcher named Daniel Gruss, whose feat of security research is described in this article by The Verge:
The 31-year-old information security researcher and post-doctoral fellow at Austria’s Graz Technical University had just breached the inner sanctum of his computer’s central processing unit (CPU) and stolen secrets from it.
Until that moment, Gruss and colleagues Moritz Lipp and Michael Schwarz had thought such an attack on the processor’s ‘kernel’ memory, which is meant to be inaccessible to users, was only theoretically possible.

“When I saw my private website addresses from Firefox being dumped by the tool I wrote, I was really shocked,” Gruss told Reuters in an email interview, describing how he had unlocked personal data that should be secured.
Gruss, Lipp and Schwarz, working from their homes on a weekend in early December, messaged each other furiously to verify the result.
“We sat for hours in disbelief until we eliminated any possibility that this result was wrong,” said Gruss, whose mind kept racing even after powering down his computer, so he barely caught a wink of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.
Damn, Daniel! (Sorry, I couldn't resist.) Seriously, though, congratulations to Mr. Gruss for some solid detective work.

UPDATE #2:

Cue the lawsuits! As reported by Gizmodo:
It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting that the solution to fixing the vulnerability could result in slowdown of the affected computers. Intel has since claimed that any performance penalties would be negligible, and today Google, which has implemented a fix on its affected servers (which host its cloud services, including Gmail) wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion.
That's some fast work, and I have a feeling that there are more to come.