In A Meltdown And Spectre World Is Digital Privacy Truly Dead?

This Qubes thread is relevant here: https://www.wilderssecurity.com/posts/2730844/

 

For BTI-Spectre, the "Retpoline" approach is discussed with selective application to OS and hypervisor implementations, which it claims is minimal performance impact, and used in Google's data centres rather than the more performance impacting OS+firmware mod. Changes are implemented by modified LVVM and GCC compilers, which implement the indirect branching used in this technique.

https://support.google.com/faqs/answer/7625886

 

Google's data centres probably only use FOSS licensed software and custom written software - they have complete source code for everything. This means they can recompile every library and program binary used by them.
Regular Windows user don't have these abilities, because most user software is closed source. Thus mitigating at OS+firmware level is the only option. Windows is not Gentoo Gnu/Linux

 

Well, there's nothing to stop MS adding these techniques to whatever compilers they use, and protecting their OS, hypervisor and browsers this way.

Over time, I'd expect quite a few compiler switches/instructions to be appearing to support software mitigations of this kind, for Visual Studio too. Plus, hopefully coders will get cuter at minimising the exposure of secrets in RAM - there are already best practices associated with things like zeroing out secrets or using OS facilities to store secure strings etc. and these are likely not universally deployed(!)

 

Even with that a lot of 3-rd party commercial software projects for Windows are going to use old versions of compilers for years.

Microsoft recompiling whole Windows OS and deploying to users? It might be possible with Windows 10 due to its update model, but for Win 7 and 8.1 I can't imagine that.

 

@reasonablePrivacy - I think the notion is to protect particular critical modules or routines, not recompile the whole OS - even if possible, the testing would not be feasible. Probably do hypervisors and browsers too. They could be handled via a standard update or service pack. I agree the problem of orphaned or non-updated software/hardware will be with us for a very long time, the consequences not limited to this debacle. Interpreted languages might be in a better position to update ultimately than the compiled.