Re: OK, I'll bite
Not only are the fixes through software, hardware fixes wouldn’t work anyway.
So, here are the choices:
1) Get security at the cost of performance by properly flushing the pipelines between task switches.
2) Disable predictive branch execution, slowing stuff down MUCH more... as in make the cores as slow as the ARM cores in the Raspberry Pi (which is awesome, but SLOW).
3) Implement something similar to an IPS in software to keep malicious code from running on the device. This is more than antivirus or anti-malware. This would need to be an integral component of web browsers, operating systems, etc... Compiled code can be a struggle because finding patterns to exploit the pipeline would require something similar to recompiling the code to perform full analysis on it before it is run. Things like Windows SmartScreen do this by blocking unknown or unverified code from running without explicit permission. JIT developers for web browsers can protect against these attacks by refusing to generate code which makes these types of attacks possible.
The second option is a stupid idea and should be ignored. AMD's solution, which is to encrypt memory between processes, is useless in a modern environment where threads are replacing processes in multitenancy. Hardware patches are not a reasonable option. Intel has actually not done anything wrong here.
The first solution is necessary. But it will take time before OS developers do their jobs properly and maybe even implement ring 1 or ring 2 finally to properly support multi-level memory and process protection as they should have 25 years ago. On the other hand, the system call interface is long overdue for modernization. Real-time operating systems (and generally microkernels) have always been slower than Windows or Linux... but they all have optimized the task switch for these purposes far better than other systems. It’s a hit in performance we should have taken in the late ’90s before expectations became unrealistic.
The third option is the best solution. All OS and browser vendors have gods of counting clock cycles on staff. I know a few of them and even named my son after one as I spent so much time with him and grew to like his name. These guys will alter their JITs to handle this properly. It will almost certainly actually improve their code as well.
I’m pretty sure Microsoft and Apple will also do an admirable job updating their prescreening systems. As for Linux... their lack of decent anti-malware will be an issue. And VMware is doomed as their kernel will not support proper fixes for these problems... they’ll simply have to flush the pipeline. Of course, if they ever implement paravirtualization like a company with a clue would do, they could probably mitigate the problems and also save their customers billions on RAM and CPU.