Google’s Fix For Spectre And Meltdown Won’t Cause Significant Slowdowns

A couple of days ago, Google along with a few other security researchers conceded that almost all the CPUs currently functioning across the world are susceptible to a major security breach. The company released two white papers chronicling the two main ways through which the CPUs can be affected, called Meltdown and Spectre.

It now appears that Google has a fix for this flaw and it might not cause a significant slowdown as well. In a blog post, Google said that it has shared a new fix, called Retpoline which fixes one of the Spectre vulnerabilities (CVE-2017-5715). Along with that, the company also deployed a Kernel Page Table Isolation (KPTI) fix that protects against the Meltdown (CVE-2017-5754) vulnerability.

There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance.

However, Google has maintained that it doesn’t guarantee that there won’t be any slowdowns.

In our own testing, we have found that microbenchmarks can show an exaggerated impact. Of course, Google recommends thorough testing in your environment before deployment; we cannot guarantee any particular performance or operational impact.

Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include passwords stored in a password manager or browser, personal photos, emails, instant messages and even business-critical documents.