Chrome users get Site Isolation by default to ward off Spectre attacks

Site Isolation, the optional security feature added to Chrome 63 late last year to serve as protection against Spectre information disclosure attacks, has been enabled by default for all desktop Chrome users who upgraded to Chrome 67.

How Site Isolation mitigates risk of Spectre attacks

“In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process,” Google software engineer Charlie Reis explained.

All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.”

Chrome 67 Spectre protection

Site Isolation limits each renderer process to documents from a single site, so that attacks between sites (i.e., domains) are prevented.

“This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using “out-of-process iframes,'” Reis added.

Site Isolation has also been designed to include a feature called Cross-Origin Read Blocking (CORB), which tries to transparently block cross-site HTML, XML, and JSON responses from the renderer process, so that an attacker’s page can’t access and leak information from cross-site URLs by requesting them as subresources (e.g., images or scripts).

Performance tradeoff

This change in Chrome architecture is pretty substantial, and comes, for the moment, with a 10-13% total memory overhead in real workloads due to the larger number of processes.

But, aside from that, users shouldn’t even notice that the feature is working under the hood.

Site Isolation has been enabled for 99% of users on Windows, Mac, Linux and Chrome OS, but not for users of Chrome for Android (for performance reasons).

Google is also trying to motivate bug hunters to search for vulnerabilities in Site Isolation by temporarily increasing reward amounts for those specific bugs.