Industry News

Google’s CPU Patch Builds Software ‘Trampolines’ that ‘Negligibly’ Impact Performance

Following the recent discovery of vulnerabilities in Intel, AMD and ARM CPUs, Google engineers developed a new chip-level patch that specifically addresses one of the three issues, namely the “Branch target injection” that’s also referred to as “Spectre”.

Dubbed “Retpoline”, which is derived from “return” and “trampoline”, Google’s software construct is supposed to isolate indirect branches from speculative execution, effectively protecting select binary files – that belong to the operating system or the hypervisor – from Spectre-powered attacks.

“It is a trampoline construct constructed using return operations which also figuratively ensures that any associated speculative execution will ‘bounce’ endlessly,” reads the Google post. “If it brings you any amusement: imagine speculative execution as an overly energetic 7-year old that we must now build a warehouse of trampolines around.”
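The “bounce endlessly” idea above is easiest to see in code. The block below is an added example written for this page, not Google’s or any compiler’s code: it hand-assembles a minimal retpoline-style indirect call for x86-64 Linux (the function name `retpoline_call` and the sample operations `add`/`mul` are this example’s own). The architectural path pushes a return address, overwrites it with the real target and executes `ret`, so the CPU’s return predictor sees the `call`/`ret` pair rather than an attacker-trainable indirect branch; any speculation that runs ahead of the `ret` lands in the `pause; lfence; jmp` loop and goes nowhere. On other platforms the same name falls back to a plain indirect call so the program still runs.

```c
#include <stdio.h>

/* Signature of the functions we dispatch to through the trampoline. */
typedef int (*op_fn)(int, int);

static int add(int a, int b) { return a + b; }
static int mul(int a, int b) { return a * b; }

#if defined(__x86_64__) && defined(__linux__)
/*
 * Added example (not compiler-generated code): a retpoline thunk that
 * tail-calls `fn(a, b)`.  System V ABI on entry: rdi = fn, rsi = a, rdx = b.
 *
 *   call 1f        push the address of label 2 and jump to label 1
 *   2: pause       speculative path: spin here harmlessly
 *      lfence      ... and serialise so speculation cannot run past it
 *      jmp 2b
 *   1: mov rax,(rsp) replace the pushed return address with the real target
 *      ret         architectural path: "return" into fn with our caller's
 *                  return address still on top of the stack
 */
__asm__(
    ".pushsection .text\n"
    ".globl retpoline_call\n"
    ".type retpoline_call, @function\n"
    "retpoline_call:\n"
    "    mov %rdi, %rax\n"      /* target function pointer */
    "    mov %rsi, %rdi\n"      /* first argument for the target */
    "    mov %rdx, %rsi\n"      /* second argument for the target */
    "    call 1f\n"
    "2:  pause\n"
    "    lfence\n"
    "    jmp 2b\n"
    "1:  mov %rax, (%rsp)\n"
    "    ret\n"
    ".size retpoline_call, .-retpoline_call\n"
    ".popsection\n"
);
int retpoline_call(op_fn fn, int a, int b);
#else
/* Fallback for non-x86-64 or non-Linux builds: an ordinary indirect call,
 * so the example stays runnable even where the thunk cannot be assembled. */
int retpoline_call(op_fn fn, int a, int b) { return fn(a, b); }
#endif

int main(void) {
    /* Constructed inputs: dispatch through the trampoline and print results. */
    printf("add(2,3) via retpoline = %d\n", retpoline_call(add, 2, 3));
    printf("mul(4,5) via retpoline = %d\n", retpoline_call(mul, 4, 5));
    return 0;
}
```

In practice nobody writes these by hand: GCC emits the equivalent thunks for every indirect branch with `-mindirect-branch=thunk` and Clang with `-mretpoline`, which is how kernels and hypervisors adopted the technique. The hand-written version only makes the mechanism visible.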

Countering speculation that installing security fixes for this issue might seriously downgrade CPU performance, Google’s technique allegedly has a “negligible impact on performance”. This should excite businesses and Google Cloud customers, as some of them feared poor performance and higher costs. While Intel said performance penalties will likely differ based on workloads, Google’s announcement offers a breath of hope – at least to their customers – as they don’t seem to be very affected.

The technique has already been applied to Google Cloud, and Google believes other companies can follow in its footsteps and patch at least the Spectre vulnerability with the Retpoline technique without any significant slowdowns. Testing the patch is recommended before fully deploying it in your infrastructure, as performance penalties will likely vary for each use case.

To fully prevent any of the reported vulnerabilities from being exploited, it’s recommended to install the latest patches from your CPU manufacturer, to ensure cybercriminals can’t exploit either “Meltdown” or “Spectre” vulnerabilities. The same advice serves both average users and businesses, as the vulnerability can indiscriminately affect anyone using a vulnerable chip.

How to Protect Yourself?

Since every CPU produced in the past 20 years is affected by both “Meltdown” and “Spectre”, everyone from Android users to Windows and Mac owners is equally affected. So here’s what you need to do to protect yourself:

  • Android users will eventually receive the patch, depending on when manufacturers and carriers push it, but Google-branded phones should receive the fixes starting January 5th 2018. Keep an eye on your Android Update notifications to install the latest version that fixes these serious vulnerabilities
  • iPhone and iPad users should already be protected if their OS is current with the December 2nd 2017 update, which introduced the fixes. Otherwise, hit Settings > General > Software Update to download the latest version.
  • Windows users running Windows 10 should check the Settings > Update & security setting to make sure they have no pending security updates. For those running Windows 10 version 1709 (Fall Creators Update), installing the Security Update for Windows (KB4056892) patch should do the trick. Otherwise, you can manually install the patch by checking the Windows Update Catalog page.
    • Firmware updates could also become available from your system’s vendor – as this is a hardware issue – and you might want to check your laptop manufacturer’s support page for those as well. These shouldn’t conflict with your Windows patch, and it’s best to add as many layers of protection as possible.
  • Macs contain fixes if you’re running the macOS High Sierra 10.13.2 update that rolled out December 6th. Your iMacs, MacBooks, Mac Pros and Mac Minis should all be updated to the latest OS version, so updating your devices is now more important than ever.
  • Browsers have also released patches that prevent web-based attacks. Chrome has a Site Isolation feature that runs each site in its own process rather than sharing one. Type chrome://flags/#enable-site-per-process in your address bar, look for Strict Site Isolation, hit Enable, then hit Relaunch Now. Also, Mozilla, Microsoft, Apple and Firefox stated they’ll release updated versions of their browsers to prevent web-based attacks from exploiting these vulnerabilities, so keep an eye out for those as well.

As a side note, any device that has an Intel, AMD or ARM CPU is technically vulnerable, so it’s probably best to check the manufacturer’s page for any software or firmware updates.

About the author


Liviu Arsene is the proud owner of the secret to the fountain of never-ending energy. That's what's been helping him work his everything off as a passionate tech news editor for the past couple of years. He is the youngest and most restless member of the Bitdefender writer team and he covers mobile malware and security topics with fervor and a twist. His passions revolve around gadgets and technology, and he's always ready to write about what's hot and trendy out there in geek universe.


  • So if someone crafted a malware designed to exploit the Intel vulnerability maybe to steal passwords and personal info and transmit it to a C&C, how would AV programs like Bitdefender (Total Security and Gravity Zone for small businesses) be able to disinfect an infected PC if the malware is exploiting hardware level vulnerability which means it can be invisible to the OS. Anti-virus programs running in user mode can only detect malware that the operating system like Windows can see.

    • Having the patch installed will prevent threats from exploiting the vulnerability. With that in mind, regardless of the security solution, even if some malware that's specifically designed to exploit that particular vulnerability makes it through, it should misfire.

  • To confirm, then, manually installing the update won't see Bitdefender bork Windows?

    ps #friendlyheadsup that your twitter is reading:

    Think it needs twitter dot com in there somewhere ; )

    • The update comes with new requirements that might break compatibility with specialized applications such as security products. It's recommended that you wait for the automatic update that enables the installation of the fix. Check out this page for more info on the roll out plan:

      Also, thanks for the heads up about the Twitter thing. Fixed!