Meltdown and Spectre are Good … for Innovation

So I am still away on family vacation and following a self-imposed online diet, but even then it has been impossible to ignore the monster sized vulnerabilities disclosed today known as Meltdown and Spectre. And just to make sure nobody misreads my post title, these are bad. Downright ugly. They are pervasive, exploitable and a real longterm fix will likely require new hardware (one or more extra hardware bits in the CPU). So how can I possibly claim they are good? Here are four different ways I think these vulnerabilities can give an important boost to innovation.

1. Faster Adoption of (Real) Cloud Computing

One might think that Meltdown and Spectre are terrible for cloud computing as they break through all memory isolation, so that an attacker can see everything that’s in memory on a physical machine (across all the virtual machines). But I believe the opposite will be true if you think of cloud computing as true utility computing for small code chunks as in AWS Lambda, Google Cloud Functions or MongoDB Stitch. This to me has always been the true promise of the cloud, not having to muck with virtual machines or installing libraries. I just want to pass some code to the cloud and have that run. Interesting historic tidbit. The term “utility computing” goes back to a speech given by John McCarthy in, wait for it,  1961. Well, we now finally have it and, properly implemented, it will be secure.

2. Improved Secure Code Execution in the Web Browser

Over the last few years the focus for Javascript execution in browsers has been speed. New browsers tout their speed and with WebAssembly (aka wasm) it became possible to run Unity games in the browser. But speed does nothing for me when I simply want to do a secure transaction, such as make a payment. For years, people had complained about how air travel speed had actually decreased with the retirement of the Concorde. While true, as a criticism it ignores that safety is another important innovation dimension. And with regard to aviation safety, there has been tremendous progress since the 1970s and 2017 was the safest year on record. We need a safety over speed alternative for at least some code on the web and these new vulnerabilities will help with that.

3.  More Secure Operating Systems

Not just the web browser, but operating systems as a whole will benefit from a renewed focus on security. Efforts such as Qubes and Copperhead, while – as far as I know – not immune from the current vulnerabilities, deserve more attention and funding. It may also be time for completely new approaches, although I would prefer something a little less abstruse than Urbit.

4. New Machine Architectures

The fundamentally enabling elements behind both Meltdown and Spectre are the extraordinary steps we have taken to optimize for speed in the Von Neumann  / Harvard architecture. Out of order execution and speculative execution increase utilization but turn out to give code access to memory that it shouldn’t be able to reach. Caches speed up memory access but also allow for side channels. Now we can make software and hardware changes to prevent this, but nonetheless one way to read these vulnerabilities is that we should stop pushing the existing architectures and work more on alternatives. This has of course to a degree already happened with the rise of GPUs and some neuromorphic hardware. And there has been a lot of recent investment into quantum computing. But there are lots of other interesting possibilities out there, such as Memristor based machines.

All in all then while Meltdown and Spectre are a huge bother in the short term, I believe that they will turn out to be good for computing innovation.

PS I highly recommend at least skimming the papers on Meltdown and Spectre, which are very accessible to anyone with a basic understanding of computer architecture.