Google says it can mitigate Spectre with "negligible" effect

Originally published at: https://boingboing.net/2018/01/05/damp-squids.html

…

So let me get this straight: this is something that has been known for months, but was only announced yesterday to make everybody panic, and today is just a trivial fix. Couldn’t have they waited a couple of days to make it public? Do they enjoy scaring people that much?

It wasn’t intentional.

Meltdown and Spectre were supposed to be revealed to the public on the 9th January, presumably with the fixes needed, but it was leaked to the press on the 2nd.

Wonderful, just wonderful. As if we do not have enough things to worry, and even panic, about.

I was not panicking as such, just swearing a lot about how I would have to bring a planned hardware upgrade forward by around six months and having to buy a lot more than I planned.

Between this and Phoronixes benchmarks saying that the performance hit is minor, it looks like I won’t have to do that now.

This is all based on someone potentially developing a hack sometime in the future.
Which as far as Im concerned will become news in and of itself. Giving me time to worry about it when I need to.
Im more concerned about unavoidable patches causing significant slowdowns just because some people have bad browsing habits.

Google’s fix doesn’t fix it everywhere.

And yes, perhaps the initial reaction is going to look overblown in hindsight but I wouldn’t let that sigh of relief out just yet. I think there’s still a long way to go before we can say the risk is negligible, especially with the Spectre flaw which is much more subtle and unable to solved with a straightforward solution the way Meltdown can be.

I guess for home users the next browser patches will address the most likely vector for a Spectre exploit by making some adjustments to their JavaScript engines.

I think this just proves to me that any system which is Turing complete cannot be inherently secure in terms of its final computational state. Especially just about everything can set it on a course contrary to its intended design.

For Chrome users, go to chrome://flags/#enable-site-per-process and switch on the strict site isolation. That should at least help. (See for example here)

At least there’s an box shaped upper bound imposed on our panic.

It sort of reminds me of the early days in aviation. Stability was considered paramount, to the point where aircraft couldn’t really be controlled in the air, just sort of pointed and launched.

It took a lot of rethinking the problem before planes were made variably unstable, capable of adapting to shifting air.

In a similar sort of way, computer security is confounded by contradictions in human agenda. Like poor HAL in 2K1ASO, our computers really only know how to be secure when they’re not trying to solve human problems.

Honestly I don’t see this getting any better until humans come up with a better paradigm of ownership. Clock cycles have gotten so cheap they should probably be free as in oxygen, but this economy can only handle free as in speech or free as in beer.

That covers Google Cloud, but what about Android and Chrome?

Where is this fabled free beer? Unless it’s Budweiser. It’s probably Budweiser.

Intel doesn’t make mobile chips sets as far as i know.

Meltdown is the one that’s specific to Intel CPUs. Spectre also catches AMD and Arm chips. (And it can be run in Google’s V8 Javascript engine, which Chrome uses.)

1. Core i5 or i7
2. Intel Pentium 4405Y – Intel Core m3-6Y30
3. Intel Core m3-6Y30
4. Intel Celeron N2840
5. Intel Celeron – Core i5

In the click through google says android is harder to exploit but even so they have already released the android patch. They’ve also released a patch for Chrome OS.

We weren’t warned of a 30% impact in the sources you quoted the other day, they stated a 0-30% impact depending on the type of computation being executed, which is still true, because it that is an unchanging fact based on the processor architecture. What is unknown until actually implemented is where in that range most things will be impacted. Even in the sources you quoted the other day they stated that very few systems would be hit with a 30% slowdown. Some things like in memory databases are hit exceptionally hard, but most things aren’t.

Google didn’t announce the impact to their systems until they knew what they were because they had to implement and measure it, it isn’t a simple task to predict ahead of time.

So this isn’t new news, it didn’t go from 30% to negligible, the range of impact hasn’t changed. just one company announcing how much they were impacted.

It’s been known for months, but became public in the process of releasing patches to some major applications, notably the Linux kernel. But I wouldn’t pin too many hopes on this specific patch. Attacks like these have a way of flaring up when we thought they were patched.

Meltdown is patched. This is the one that has perf impact due to changes in how kernel page tables are accessed. The patched and safer method introduces performance penalties.

Google’s response here is actually incredibly weaselly and non-specific:

So, it’s negligible, except for when it’s not!

For any application that calls out to the kernel a lot, you’re going to see slowdowns. This means applications that are highly network dependent, or file system dependent are likely to be hit pretty hard. Other things won’t show much perf impact. Games, for instance, are considered to be largely unaffected since they are often much less kernel dependent.

Spectre on the other hand is not mitigated. Intel will be issuing microcode updates for some chips, and will be offering guidance that can mitigate Spectre in some circumstances, but compared to Meltdown, Spectre is still a giant clusterfuck.

well stated. thanks for helping dispel some of the confusion.