First, Google's Project Zero researchers found the CPU-level security vulnerabilities known as Meltdown and Spectre. Now, they've found the cure... or, at least, a more efficient workaround, as reported in The Verge:
Google just gave chipmakers some much needed good news.
In a post on the company’s Online Security Blog,
two Google engineers described a novel chip-level patch that has been
deployed across the company’s entire infrastructure, resulting in only
minor declines in performance in most cases. The company has also posted
details of the new technique,
called Retpoline,
in the hopes that other companies will be able to follow the same
technique. If the claims hold, it would mean Intel and others have
avoided the catastrophic slowdowns that many had predicted.
“There has been speculation that the deployment of KPTI
causes significant performance slowdowns,” the post reads, referring to
the company’s “Kernel Page Table Isolation” technique. “Performance can
vary, as the impact of the KPTI mitigations depends on the rate of
system calls made by an application. On most of our workloads, including
our cloud infrastructure, we see negligible impact on performance.”
[...]
That assessment is consistent with early reports from
Intel, which had said slowdowns would be “highly workload-dependent and,
for the average computer user, should not be significant.” Those claims
were met with skepticism, with many seeing them as an effort by Intel
to downplay the impact of the newly public vulnerabilities. At the same
time, some early benchmarks saw slowdowns
as high as 17 percent.
More recently, Intel announced it had deployed patches that
would render chips immune
to the new attacks, and restated that the performance impact was not
significant. It’s difficult to confirm Google and Intel’s claims until
the patches are deployed, but it’s significant that Google has joined
the chipmaker in reporting minimal slowdowns.
As someone who met Intel's early minimal-impact claims with skepticism, I can honestly say to all Core i5 users that I'm glad to learn that the picture is looking less grim than first thought. I'm still glad to be an AMD man, though, and even more glad that Google were awake at the switch for this one. People give Google a lot of grief for sometimes acting like they've forgotten their original mission statement, but this, folks, is what they meant by "don't be evil." Not only were they not evil, they used their powers for good, and are extending help to anyone who needs it, for free.
Intel, meanwhile, is claiming to have finished patches for 90% of their products released in the past five years, which sounds a little weaksauce considering that Meltdown affects Intel products released in the last ten years, much like the firmware issue that was reported a few months ago. And there's also the small matter of Intel, who were notified about Meltdown and Spectre back in June, being led by a CEO who sold off a bunch of stock in October, before either flaw became public knowledge, as reported by MP1st, among others:
Suspiciously, Intel CEO Brian Krzanich sold off $24 million worth of
stock late last year before the vulnerabilities became public knowledge.
An Intel spokesperson said the stock trade was “unrelated” despite
Intel knowing about the issue for five months.
Oops! I predict that the SEC will be investigating that piece of business.
Intel's stock price has, naturally, dropped as a result of all this news, while AMD's has risen, but I suspect that Intel's problems over these problems are only beginning.
UPDATE:
One minor correction: While Jann Horn at Google Project Zero (GOOGL.O) came to similar conclusions independently, it looks like credit for discovering Meltdown actually goes to an independent researcher named Daniel Gruss, whose feat of security research is described in this article by The Verge:
The 31-year-old information security researcher and post-doctoral
fellow at Austria’s Graz Technical University had just breached the
inner sanctum of his computer’s central processing unit (CPU) and stolen
secrets from it.
Until that moment, Gruss and colleagues Moritz
Lipp and Michael Schwarz had thought such an attack on the processor’s
‘kernel’ memory, which is meant to be inaccessible to users, was only
theoretically possible.
“When I saw my private website addresses from Firefox being dumped by the
tool I wrote, I was really shocked,” Gruss told Reuters in an email
interview, describing how he had unlocked personal data that should be
secured.
Gruss, Lipp and Schwarz, working from their homes on a
weekend in early December, messaged each other furiously to verify the
result.
“We sat for hours in disbelief until we eliminated any
possibility that this result was wrong,” said Gruss, whose mind kept
racing even after powering down his computer, so he barely caught a wink
of sleep.
Gruss and his colleagues had just confirmed the existence of what he regards as “one of the worst CPU bugs ever found”.
Damn, Daniel! (Sorry, I couldn't resist.) Seriously, though, congratulations to Mr. Gruss for some solid detective work.
UPDATE #2:
Cue the lawsuits!
As reported by Gizmodo:
It’s been just two days since The Register first reported that all Intel x86-64x processors were subject to a severe security vulnerability, and already Intel has been hit with at least three separate class action lawsuits related to the vulnerability.
The Register first reported the news on January 2nd, noting
that the solution to fixing the vulnerability could result in slowdown
of the affected computers. Intel has since claimed that any performance
penalties would be negligible, and today Google, which has implemented a
fix on its affected servers (which host its cloud services, including
Gmail) wrote that, “On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.”
Plaintiffs in three different states disagree. As Law.com first noted, a class action complaint was filed January 3rd in United States District Court for the Northern District of California. Since then Gizmodo has found two additional class action complaints filed today (just eleven minutes apart)—one in the District of Oregon and another in the Southern District of Indiana.
All three complaints cite the security vulnerability as well as Intel’s failure to disclose it in a timely fashion.
That's some fast work, and I have a feeling that there are more to come.