We know the story by now: researchers find a new side-channel attack and disclose it under embargo. Vendors build patches and ship them. We read about it on $TechSite and move on.
But what happens if you show up after the party's over and want to understand and mitigate these problems in your own codebase? That's the problem faced by the Fuchsia team at Google, which is building a new open-source operating system based on a microkernel called Zircon. Fuchsia needs to handle user, kernel, and hypervisor attacks across x86 and ARM processors.
In this talk, we will walk through how the Fuchsia team enumerated existing CPU side-channels, explored how they are mitigated in well-known operating systems, and undertook the engineering work of applying these mitigations to Fuchsia. We will also describe how Fuchsia is testing those mitigations to make sure they keep working.