Google has implemented a new ‘Site Isolation’ feature in the latest version of its Chrome browser that the company says will help organizations better protect against attacks of the sort enabled by the Spectre processor flaws disclosed earlier this year.
The feature has been available on an experimental basis to enterprises since Chrome 63 but has been enabled by default for almost all desktop users with the release of the new Chrome 67.
Site Isolation represents a substantial under-the-hood change in Chrome’s behavior, said Charlie Reis a Google engineer in a blog July 11. While most users should not see any visible changes when using Chrome, the new feature does impose a 10 percent to 13 percent memory overhead, Reis noted. Google is trying to address this so issue so new versions of Chrome are optimized both for performance and security, he said.
Spectre and Meltdown are fundamental hardware level issues impacting nearly every modern microprocessor. They enable a kind of attack known as a speculative execution side-channel that essentially allows attackers to access data in memory that they normally should not be able to access.
Researchers from Google’s Project Zero were among the first to disclose the vulnerabilities, which many have described as potentially catastrophic in scope. In the browser context Spectre gives attackers a way to use an open browser tab on a user’s desktop to read or access data in another open browser tab. In theory at least, the owner of a malicious web site could exploit Spectre to steal information from other websites, Reis said.
All major browsers—including Chrome—have already implemented fixes that address this threat. According to Reis, Site Isolation is the best approach because it ensures that content from different websites run in completely separate processes on users’ desktop. The idea is to ensure that pages from one domain that may be open in a user’s browser remains completely separate from pages from another domain that’s open at the same time.
“When Site Isolation is enabled, each renderer process contains documents from at most one site,” Reis explained. “This means all navigations to cross-site documents cause a tab to switch processes.”
In other words even if there was malware running on an open browser tab, it would not be able to impact data from other websites that might be open in other open tabs on the user desktop. The goal is to mitigate the damage an attacker would be able to via a side-channel attack, Reis said.
Because Site Isolation causes Chrome to create more processes for rendering pages, there is a certain performance trade off that comes with the feature Reis said. Though Google has tried to minimize the performance impact, Site Isolation still comes with a certain memory overhead when running real workloads, he said.
Site Isolation has been enabled for 99 percent of users on Windows, Mac, Linux and the Chrome OS. Google is currently exploring how to implement the feature in Android as well.