There's no single fix for all three attack variants; each requires protection individually. Most vendors are referring to them by Common Vulnerabilities and Exposures, aka "CVE" labels, which are an industry-standard way of identifying vulnerabilities. This variant is the basis behind the discussion around "KPTI," or "Kernel Page Table Isolation." Project Zero described three variants of this new class of speculative execution attack. There are many conflicting reports about patch impacts being publicly discussed. In some cases, people have published results of tests that focus solely on making API calls to the operating system, which does not represent the real-world scenario that customer software will encounter.
Because Google is in full control of our infrastructure from the hardware up to our secure software development practices, its infrastructure is protected against Variant 1. Is Spectre nearly impossible to protect against? There has been a significant concern in particular about "Spectre." Variant 3 (CVE-2017-5754), "rogue data cache load." Some customers may worry that they have not been protected since they were not asked to reboot their instance. A virtualisation component known as a hypervisor connects the physical machine to virtual machines. Customers who use their own operating systems with Google Cloud services should continue to follow security best practices and apply security updates to their images just as they would for any other operating system vulnerability. This variant is currently the basis for concern around Cloud Virtualisation and "Hypervisor Bypass" concerns that affect entire systems. There's no substitute for testing to determine for yourself what performance you can expect in your actual situation. This hypervisor can be updated to address Variant 2 threats. Via live migration, we can patch our infrastructure without requiring customers to reboot their instances. Am I protected from Spectre and Meltdown? Google’s engineering teams began working to protect customers from these vulnerabilities upon learning of them in June 2017. G Suite and Google Cloud Platform (GCP) are updated to protect against all known attack vectors.
Earlier this week, security vulnerabilities, dubbed ‘Spectre’ and ‘Meltdown’, made news headlines around the world. From the physical premises to the purpose-built servers, networking equipment, and custom security chips to the low-level software stack running on every machine, our entire hardware infrastructure is Google-controlled, -secured, -built and -hardened. Variant 1 and Variant 2 have been referred to as "Spectre." Some of them have even described these two flaws to be not as threatening as the media is portraying. Here's an overview of each variant: Variant 1 (CVE-2017-5753), "bounds check bypass." Google’s cloud infrastructure doesn’t rely on any single technology to make it secure. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. Google designed and tested their mitigations for this issue to have a minimal performance impact, and the rollout has been uneventful. As a user of the public cloud, am I more vulnerable to Spectre and Meltdown than others? In many respects, public cloud users are better protected from security vulnerabilities than are users of traditional datacenter-hosted applications. The use of the name "Spectre" to refer to both Variants 1 and 2 has caused some confusion over whether it's "fixed" or not. Our stack builds security through progressive layers that deliver defence in depth.
Variant 3 has been referred to as "Meltdown." Is performance impacted? On most of Google’s workloads, including their cloud infrastructure, there’s negligible impact on performance after applying remediations. However, various reports across the Internet have been discussing the issue in different ways, and if you are unable to understand what the actual problem was and what it means for computers across the world, then Google’s detailed explanation about Spectre and Meltdown should clear up your doubts. Google Cloud instances are protected against all known inter-VM attacks, regardless of the patch status of the guest environments, and attackers do not have access to any other customers’ data as a result of these vulnerabilities. What are "Spectre" and "Meltdown"? Last year, Google’s Project Zero team discovered serious security flaws caused by "speculative execution," a technique used by most modern processors (CPUs) to optimise performance. Variant 2 (CVE-2017-5715), "branch target injection." (With inputs from Google) (Also published on Deccan Chronicle). Each of these activities is aided by the scale and automation that top public cloud providers can offer: for example, few companies maintain a several-hundred-person security research team to find vulnerabilities and patch them before they're discovered by others or disclosed.
This vulnerability affects specific sequences within compiled applications, which must be addressed on a per-binary basis. Spectre and Meltdown are new and troubling vulnerabilities, but it’s important to remember that there are many different types of threats that Google (and other cloud providers) protect against every single day. Various manufacturers have since rolled out patches to fix the issues. Variant 1 is the basis behind claims that Spectre is nearly impossible to protect against. When an attacker already has the ability to run code on a system, they can access memory which they do not have permission to access. Risks that Variant 1 would pose to the infrastructure underpinning Google Cloud are addressed by the multiple security controls that make up our layered "defence in depth" security posture. The difficulty is that Variant 1 affects individual software binaries, so it must be handled by discovering and addressing exploits within each binary. This variant is currently the basis for concern around browser attacks, JavaScript exploitation and vulnerabilities within individual binaries.
This variant may either be fixed by a CPU microcode update from the CPU vendor, or by applying a software protection called "Retpoline" to binaries where concern about information leakage is present. We work continuously to stay ahead of the constantly evolving threat landscape and will continue to roll out additional protections to address potential risks. Solutions exist that introduce minimal performance impact, and we expect such techniques will be adopted by software vendors over time. Google Cloud and other public clouds use virtualisation technology to isolate neighbouring customer workloads. Google Cloud has updated its hypervisor using "Retpoline," which addresses all currently known Variant 2 attack methods. Independent researchers separately discovered and named these vulnerabilities "Spectre" and "Meltdown." Security best practices rely on discovering vulnerabilities early and patching them promptly and completely. Having the ability to update millions of servers in days, without causing user disruption or requiring maintenance windows, is a difficult technology to develop, but it allows patches and updates to be deployed quickly after they become available, and without user disruption that can damage productivity.