Google has announced that its cloud systems have been patched against Meltdown and one variant of Spectre since September, and against a second variant of Spectre since December, and that its cloud systems have not been slowed down. The outcome of Google’s patches is in stark contrast to Amazon’s experience patching AWS, with Amazon acknowledging a slowdown of its offerings.
In a blog post, Ben Treynor Sloss, VP of 24x7 at Google, explained how the company avoided the performance penalty:
“For several months, it appeared that disabling the vulnerable CPU features would be the only option for protecting all our workloads against Variant 2 … With the performance characteristics uncertain, we started looking for a “moonshot” - a way to mitigate Variant 2 without hardware support. Finally, inspiration struck in the form of “Retpoline” - a novel software binary modification technique that prevents branch-target-injection, created by Paul Turner, a software engineer who is part of our Technical Infrastructure group. With Retpoline, we didn't need to disable speculative execution or other hardware features. Instead, this solution modifies programs to ensure that execution cannot be influenced by an attacker. With Retpoline, we could protect our infrastructure at compile-time, with no source-code modifications. Furthermore, testing this feature, particularly when combined with optimisations such as software branch prediction hints, demonstrated that this protection came with almost no performance loss.”
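To make the technique in the quote concrete, here is a hand-written retpoline around a single indirect call. This is an added illustration, not Google's or Paul Turner's code: it assumes x86-64 with the System V calling convention, GCC or Clang inline assembly, and two constructed handler functions (`double_it`, `square_it`) as the call targets. The sequence is the one the technique is named for: a `call` pushes the address of a harmless capture loop, the real target is written over that return address, and a `ret` transfers control. Architecturally the `ret` lands on the intended function; speculatively the CPU follows its return-stack predictor into the `pause; lfence; jmp` loop instead of a BTB entry that an attacker could have trained. In real deployments the compiler emits these thunks for every indirect branch (GCC `-mindirect-branch=thunk`, Clang `-mretpoline`), which is what "compile-time, with no source-code modifications" refers to.

```c
/* retpoline_demo.c: one indirect call, plain and through a retpoline thunk.
 * Added example; not code from the original article or from Google.
 * Build: gcc -O2 -fcf-protection=none retpoline_demo.c -o retpoline_demo
 */
#include <stdio.h>

typedef long (*handler_fn)(long);

/* Constructed call targets for the demonstration. */
static long double_it(long x) { return 2 * x; }
static long square_it(long x) { return x * x; }

/* Ordinary indirect call: the CPU predicts the target via the BTB,
 * which is the structure branch-target injection poisons. */
static long plain_indirect_call(handler_fn fn, long arg)
{
    return fn(arg);
}

/* The same call routed through a retpoline thunk. */
static long retpoline_indirect_call(handler_fn fn, long arg)
{
#if defined(__x86_64__) && !(defined(__CET__) && (__CET__ & 2))
    long ret;
    long a = arg; /* goes in rdi; marked read/write so the compiler knows fn may clobber it */
    __asm__ volatile(
        "mov  %%rsp, %%r12\n\t"     /* save rsp in a callee-saved register */
        "sub  $128, %%rsp\n\t"      /* stay clear of the red zone the compiler may use */
        "and  $-16, %%rsp\n\t"      /* fn must see a 16-byte aligned stack at entry */
        "call 3f\n\t"               /* enter the thunk; pushes the address of 'jmp 4f' */
        "jmp  4f\n\t"               /* fn eventually returns here */
        "3:\n\t"
        "call 1f\n\t"               /* push the address of the capture loop (label 2) */
        "2:\n\t"
        "pause\n\t"                 /* mispredicted speculation parks here harmlessly */
        "lfence\n\t"
        "jmp  2b\n\t"
        "1:\n\t"
        "mov  %[fn], (%%rsp)\n\t"   /* replace that return address with the real target */
        "ret\n\t"                   /* architecturally: jump to fn; RSB predicts label 2 */
        "4:\n\t"
        "mov  %%r12, %%rsp\n\t"     /* restore the original stack pointer */
        : "=a"(ret), "+D"(a)
        : [fn] "r"(fn)
        /* integer caller-saved registers fn is free to clobber; the handlers
         * here are integer-only, so vector registers are not listed */
        : "rcx", "rdx", "rsi", "r8", "r9", "r10", "r11", "r12", "memory", "cc");
    return ret;
#else
    /* Not x86-64, or a toolchain with CET shadow stacks enabled: the overwritten
     * return address would fail the shadow-stack check, so fall back to a plain call. */
    return fn(arg);
#endif
}

int main(void)
{
    handler_fn table[2] = { double_it, square_it };
    for (int i = 0; i < 2; i++)
        printf("plain=%ld retpoline=%ld\n",
               plain_indirect_call(table[i], 7),
               retpoline_indirect_call(table[i], 7));
    return 0;
}
```

Both paths return the same values, which is the point: the retpoline changes only what the CPU speculates about the branch, not what the program does. Build with `-fcf-protection=none` to compile the retpoline path; on a toolchain that enables CET shadow stacks the code deliberately falls back, because retpoline's overwritten return address is incompatible with shadow-stack checking (on such hardware the vendor-recommended mitigation is hardware IBRS rather than retpoline). One further caveat that the article's "fully protects" does not mention: on Skylake-generation and later Intel parts an empty return-stack buffer falls back to BTB prediction, so retpoline deployments there also refill the RSB on context switches and similar events.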
Google believes that Retpoline is the best solution because it fully protects against Spectre's second variant and has a minimal impact on the system’s performance. The firm said that by sharing its research publicly, the solution can be deployed universally to improve the cloud experience industry-wide.