Google has implemented a new feature in its Chrome browser that can help protect users against advanced attacks such as Spectre and Meltdown by limiting the number of sites that each process can read data from. Work on the mechanism has been going on for several years, long before Spectre and Meltdown were discovered, and Google has now rolled it out to nearly all Chrome users.
The new protection is called Site Isolation and it’s a behind-the-scenes feature that has the ability to defeat speculative execution attacks. Spectre and Meltdown are the two most well-known variants of such attacks, though others have been discovered recently as well. Speculative execution attacks take advantage of specific features of modern processors to try to gain access to restricted portions of memory. Such attacks can be quite difficult to pull off, but researchers have shown that they’re nowhere near impossible. An attacker could use a speculative execution attack to steal sensitive information across tabs in a browser.
To help defeat these attacks, Google engineers have been working on Site Isolation as a way of stopping an attacker from gaining access to that sensitive data across processes.
“When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using ‘out-of-process iframes.’ Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre,” Charlie Reis, a software engineer at Google, wrote in a post explaining the new feature.
“Site Isolation is a significant change to Chrome's behavior under the hood, but it generally shouldn't cause visible changes for most users or web developers (beyond a few known issues). It simply offers more protection between websites behind the scenes.”
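To make the policy Reis describes concrete, here is an added toy model (not Chrome's code) of how the frames in a tab map onto renderer processes under Site Isolation: one site per process, a process switch on cross-site navigation, and cross-site iframes hosted apart from their parent. It assumes Chrome's notion of a "site" as scheme plus registrable domain (eTLD+1), simplifies to one process per site within a tab, and uses a constructed public-suffix list and constructed URLs.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list, used to find the registrable
# domain (eTLD+1). A real implementation consults the full list.
PUBLIC_SUFFIXES = {"com", "org", "co.uk"}


def site_of(url: str) -> str:
    """Site = scheme + registrable domain, so a.example.com and b.example.com
    are the same site, while http:// and https:// origins are different sites."""
    parts = urlsplit(url)
    labels = parts.hostname.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return f"{parts.scheme}://{'.'.join(labels[i - 1:])}"
    return f"{parts.scheme}://{parts.hostname}"  # no suffix matched: whole host


@dataclass
class Tab:
    """Toy model (assumption): one renderer process per site within a tab.
    Real Chrome also shares processes across tabs and tracks SiteInstances."""
    processes: dict = field(default_factory=dict)  # site -> process id
    _next_pid: int = 1

    def _process_for(self, site: str) -> int:
        if site not in self.processes:
            self.processes[site] = self._next_pid
            self._next_pid += 1
        return self.processes[site]

    def load(self, main_url: str, iframe_urls=()) -> dict:
        """Navigate the tab and return {frame_url: pid}.
        A cross-site main-frame navigation changes the main frame's process;
        a cross-site iframe gets a process different from its parent's
        (an out-of-process iframe), so it never shares address space with it."""
        placement = {main_url: self._process_for(site_of(main_url))}
        for url in iframe_urls:
            placement[url] = self._process_for(site_of(url))
        return placement
```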
The emergence of practical speculative execution attacks has driven security teams at hardware and software vendors to look for new defensive mechanisms to address them. But Google has been working on Site Isolation for some time, well before public disclosure of any of the new attacks, and the work is still ongoing. Reis said Google is looking at whether Site Isolation will work in Chrome on Android, and there are also other avenues of investigation for defending against compromised renderer processes.
“We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes. These additional enforcements will let us reach the original motivating goals for Site Isolation, where Chrome can effectively treat the entire renderer process as untrusted,” Reis said.
Site Isolation is enabled in Chrome 67, the current version of the browser, on macOS, Windows, Chrome OS, and Linux.