Following the recent discovery of vulnerabilities in Intel, AMD and ARM CPUs, Google engineers developed a new chip-level patch that specifically addresses one of the three issues, namely the “Branch target injection” that’s also referred to as “Spectre”.
Dubbed “Retpoline”, which is derived from “return” and “trampoline”, Google’s software construct is supposed to isolate indirect branches from speculative execution, effectively protecting select binary files – that belong to the operating system or the hypervisor – from Spectre-powered attacks.
“It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly,” reads the Google post. “If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.”
Countering speculation that installing security fixes for this issue might seriously downgrade CPU performance, Google’s technique allegedly has a “negligible impact on performance”. This should excite businesses and Google Cloud customers, as some of them feared poor performance and higher costs. While Intel said performance penalties will likely differ based on workloads, Google’s announcement offers a breath of hope – at least to their customers – as they don’t seem to be very affected.
The technique has already been applied to Google Cloud, and it’s their belief that other companies can follow in their footsteps to patch at least the Spectre vulnerability without using the Retpoline technique to avoid any significant slowdowns. Testing the patch is recommended before fully deploying it in your infrastructure, as it’s likely performance penalties will vary for each use case.
To fully prevent any of the reported vulnerabilities from being exploited, it’s recommended to install the latest patches from your CPU manufacturer, to ensure cybercriminals can’t exploit either “Meltdown” or “Spectre” vulnerabilities. The same advice serves both