2018 started off with a bang as the world was introduced to a new class of hardware vulnerability which became known as Meltdown and Spectre. New classes of vulnerabilities are exceedingly rare and this one came with ramifications for the security boundaries that web browsers, operating systems, and cloud providers rely on for isolation to protect customer data. Now, rewind back to the summer of 2017. This disclosure and the industry response were months in the making. A new class of vulnerability comes with challenges rarely mounted and the need to pull back to examine our thinking.
In this presentation, we will describe Microsoft's approach to researching and mitigating speculative execution side channel vulnerabilities. This approach involved bringing experts from across Microsoft, hiring an industry expert to accelerate our understanding of the issues, and collaborating across the industry in a way not done previously. This team presentation between Microsoft and G DATA will provide a firsthand account of the engineering centric work done and the collaboration necessary to mitigate these issues. We will describe the taxonomy and framework we created which provided the industry foundation for reasoning about this new vulnerability class. This work built on the initial researcher reports and expanded into a larger understanding of the issues. Using this foundation, we will describe the mitigations that Microsoft developed and the impact they have on Spectre and Meltdown.