In the fallout of the discovery of Spectre and Meltdown, companies have been racing to patch vulnerabilities. Along with these patches comes the expectation of performance hits, and yesterday, Intel shared some benchmarks to show relative performance for a handful of recent Core i7 CPUs after its patches for Spectre and Meltdown were applied. While the performance decreases were mild in a lot of cases, some things like CPU responsiveness took a larger hit.
This kind of slowdown is assumed to be an unavoidable downside to patching Spectre and Meltdown, but today we’re learning that it may not have to be that way. Google has detailed its process for patching its own cloud services like Gmail and Google Drive against Spectre and Meltdown, and it says that it managed to protect against those vulnerabilities without any hit to performance.
In all, there are three main attacks associated with these vulnerabilities. The first and third Variants, which belong to Spectre and Meltdown respectively, were patched way back in September with no resulting performance loss and even no downtime as Google applied the fix. The second Variant, which again is part of Spectre, proved much more difficult to patch, as Google was specifically trying to avoid a hit to performance.
For some time, Google says “it appeared that disabling the vulnerable CPU features would be the only option for protecting all our workloads against Variant 2.” While that would fix the issue, it would also require disabling “performance-boosting CPU features” that are at the core of Google’s cloud services. That, as you can probably guess, means slowdown for end-users would be inevitable.
Then Google decided to attempt a “moonshot” solution, trying to find a way to solve the problems presented by Variant 2 without patching hardware. Google turned to Retpoline, which is described as “a novel software binary modification technique that prevents branch-target-injection.” Retpoline was created by Google’s own Paul Turner, who works with the company’s Technical Infrastructure team.
By using Retpoline, Google was able to modify programs directly, meaning that it didn’t need to modify hardware and could therefore avoid the slowdown that would come with those modifications. Google says that in testing Retpoline, it found that it was able to patch against Spectre Variant 2 with “almost no performance loss.”
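As an added illustration (not code from Google's post or from this article) of what the binary modification looks like, here is the retpoline construct for an indirect call: a hand-written x86-64 thunk in the same shape as the one Google published, which replaces a plain `call *%r11` with a return-based sequence whose speculative path is trapped in a harmless loop. It assumes GCC or clang on x86-64 Linux; on other targets it falls back to an ordinary C call so the file still builds, and the `retpoline_dispatch`, `square` and `negate` names are mine.

```c
// retpoline_demo.c: route an indirect call through a retpoline thunk.
#include <stdio.h>

typedef long (*handler_fn)(long);

// Calls fn(arg) via the retpoline thunk instead of a bare indirect call.
long retpoline_dispatch(handler_fn fn, long arg);

#if defined(__x86_64__) && defined(__ELF__)
__asm__(
    ".text\n"
    ".globl retpoline_dispatch\n"
    ".type retpoline_dispatch, @function\n"
    "retpoline_dispatch:\n"
    "    mov  %rdi, %r11\n"              /* target address goes in r11 */
    "    mov  %rsi, %rdi\n"              /* first argument for the target */
    "    jmp  __x86_indirect_thunk_r11\n" /* tail-call through the thunk */
    ".size retpoline_dispatch, .-retpoline_dispatch\n"
    "\n"
    /* The thunk: a 'call' pushes the address of label 1 as the return
     * address, so any speculation that follows the predicted 'ret' lands
     * in the pause/lfence loop and can do nothing useful. The real path
     * overwrites that return address with r11 and returns into the target. */
    ".type __x86_indirect_thunk_r11, @function\n"
    "__x86_indirect_thunk_r11:\n"
    "    call 2f\n"
    "1:  pause\n"
    "    lfence\n"
    "    jmp  1b\n"                      /* speculative path spins here */
    "2:  mov  %r11, (%rsp)\n"            /* replace return address with target */
    "    ret\n"                          /* architectural path: enter target */
);
#else
// Fallback for non-x86-64 or non-ELF builds: an ordinary indirect call.
long retpoline_dispatch(handler_fn fn, long arg) { return fn(arg); }
#endif

// Constructed sample targets, as a compiler would treat virtual methods
// or function-pointer tables.
static long square(long x) { return x * x; }
static long negate(long x) { return -x; }

long demo_square(long x) { return retpoline_dispatch(square, x); }
long demo_negate(long x) { return retpoline_dispatch(negate, x); }

int main(void) {
    printf("square(7) via retpoline = %ld\n", demo_square(7));
    printf("negate(7) via retpoline = %ld\n", demo_negate(7));
    return 0;
}
```

Note that this return-based trick is incompatible with hardware shadow stacks, which is why later CPUs needed a different mitigation.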
Even better news is that Google has open-sourced Retpoline so that other companies can take advantage of it in their own Spectre fixes. It closes today’s blog post by stating its belief that Retpoline is currently the best solution for patching against Variant 2, so hopefully, now that Google has made it available to its industry partners, we’ll see a wide-scale rollout.