
Google researchers say software patches will never fully protect against Spectre-like...

By Polycount · 11 replies
Feb 25, 2019
  1. We've discussed said flaws in more detail in the past, but the gist is that virtually all modern processors take advantage of a technique called "speculative execution" to boost performance and speed up calculations.

    Unfortunately, that has come at a cost: Meltdown and Spectre (and their many known or unknown variants) theoretically allow attackers to swipe personal data stored in browsers, password managers, and other parts of a given machine without leaving any evidence behind.

    Patches have rolled out for these flaws, but they aren't ideal. A research paper published by Google's security team (spotted by Ars Technica) explains precisely why that's the case.

    Researchers say that software-based fixes simply aren't enough to protect users against all Spectre and Meltdown variants. To prove their point, they developed their own Spectre attack that has no known patches or solutions.

    Part of the reason software alone isn't enough to address all Spectre variants is the lack of consistency. Some fixes only address certain variants, meaning additional mitigation measures have to be taken for more comprehensive protection.

    Unfortunately, when those measures are implemented, you can start to see some pretty hefty performance hits, which makes using this mixed-technique approach impractical.

    Short of ditching speculative execution outright -- which CPU makers probably won't do for performance reasons -- there likely won't be a single fix-all approach to Spectre mitigation for years.

    We'll need to see a significant leap forward in processor technology, or a similarly impactful innovation in the security community, and neither of those possibilities seems all that likely to occur anytime soon.


     
  2. seeprime

    seeprime TS Guru Posts: 382   +410

    Google is developing a new OS, currently called Fuchsia. I expect that they'll also develop a processor for it that will eliminate Spectre vulnerabilities. After all, Apple is doing it, why shouldn't Google? If they can be the first with a truly secure CPU and OS, they could win over the consumer market once Intel chips running Windows or macOS start getting compromised in ways that cannot be undone. This will be interesting times for OSes and processors, in the next few years.
     
    Charles Olson likes this.
  3. TheBigT42

    TheBigT42 TS Maniac Posts: 322   +220

    The only truly secure computer... is encased in concrete and placed at the bottom of the ocean.
     
    erickmendes likes this.
  4. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    Are we calling them 'flaws' now? Did Volkswagen's Diesel have a little 'flaw' as well?
    They are faulty. They knew what they were doing, when they ignored half the things for the sake of a "lean" speculative execution engine.
     
    Charles Olson and PEnnn like this.
  5. veLa

    veLa TS Evangelist Posts: 854   +301

    Surprise surprise.
     
  6. Evernessince

    Evernessince TS Evangelist Posts: 4,006   +3,491

    Google would also reap all the issues with making its own chips as well, like potential security flaws and crappy performance. In my opinion it'd be a dumb idea for Google to make its own chips.

    The only company that's done it well so far has been Apple but then again they only sell consumer products on fixed sets of hardware. That's nothing compared to the complexity of Windows, let alone a Google server environment.

    That's a problem with a lot of big companies, they get a ton of money, start making a lot of products, and lose the focus and passion they had when they were smaller.
     
  7. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    Keep in mind that Android is continuously vulnerable. The media server, in particular, is nothing but a Swiss cheese.
    I don't know where the rumor comes from that Google has particularly good programmers. So far, they've proven the exact opposite. Their Android API was an agenda full of U-turns, where it was obvious that they didn't know in which direction they were heading.
    Google can only do one thing really well - monitoring you.
     
    Sausagemeat likes this.
  8. picka

    picka TS Booster Posts: 42   +32

    I'm sure Google had some of the best programmers in the world. The problem with any large project such as Android is the sheer amount of complexity involved and the number of people working on it. Android works on thousands of devices from mobile to cars to TVs to watches, it's a modern wonder that it works as well as it does.

    Compare it to iOS and the issues that keep coming up even though it's on a small amount of devices, while Apple controls the hardware too.

    Modern Operating Systems are extremely complex beasts.
     
  9. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    Errm, no. Most of the MediaServer vulnerabilities are 'portable' ones. That is, the code is not tailored to a multitude of systems, but is simply bogus by itself. The seem to be unable to tame their crap code, as MediaServer vulnerabilities have become a recurring pattern, much like Flash.
    Android is a resource hog. To this very day, people still remind us that 'the interface runs smooth' in their reviews. Why do they do that? Because, despite 4-8+ cores and Gigabytes of memory, Android may still be unable to follow your finger. ;-)
     
  10. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    The => they, smooth => smoothly
     
  11. mailpup

    mailpup TS Special Forces Posts: 7,401   +627

    Consider editing your post instead of creating a new one. Switch to forum mode to do so.
     
  12. xxLCxx

    xxLCxx TS Addict Posts: 231   +153

    I tried that before, but it somehow didn't let me (no permission).
     
