Version 67 of Google Chrome enabled site isolation by default in an effort to protect users against Spectre-based attacks. What is site isolation, and how does it defend against Spectre?
Ever since Spectre (CVE-2017-5753 and CVE-2017-5715) was publicly disclosed at the start of 2018, the industry has been looking for ways to protect users and data from attacks that exploit it. Unlike most conventional vulnerabilities, Spectre is not a bug in a particular piece of software: it exploits speculative execution and branch prediction, performance features built into modern processors. A fix is therefore not as straightforward as issuing a software patch.
By training the branch predictor so that the processor speculatively executes instruction sequences that would never run under correct program execution, an attacker can cause secret data to be loaded and used transiently. The architectural results of that speculation are discarded, but its side effects on the processor cache are not, and a timing side channel (measuring how quickly particular memory locations can be accessed) lets the attacker recover the values. Code running in one process can in this way read any data mapped into the same address space, including data that belongs to other parties' code sharing that process, so Spectre undermines the isolation that software-enforced memory protection, such as a JavaScript sandbox, is supposed to provide.
Because web browsers often run code from different websites in the same process, they are an obvious target for attackers looking to exploit Spectre: a malicious site could read information from other sites the user has open in the browser at the same time simply by running JavaScript, without needing a bug in the browser itself.
The basic idea behind site isolation is to keep data worth stealing out of the attacker's process by limiting each renderer process to documents from a single site. A site here is the scheme plus the registrable domain (the public suffix and the label in front of it), so https://mail.example.com and https://www.example.com belong to the same site, while https://a.github.io and https://b.github.io do not, because github.io is a public suffix. This is a major change to how Chrome has previously worked, where one renderer process could host documents from many sites.
In practice, this means cross-site frames and cross-site pop-ups are now placed in a different process from their parent frame (out-of-process iframes), and a navigation to a cross-site document causes the tab to switch renderer processes. A single page may therefore be rendered by several processes, which lets the operating system's process boundary, rather than the renderer's own sandboxing of JavaScript, prevent one site from reading another's memory.
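The grouping described above, as an added example that is not Chrome's own code: it computes the "site" that site isolation keys renderer processes on (scheme plus registrable domain) and assigns a page's frames to processes by site. Chrome consults the full Public Suffix List; the small suffix set, the URLs and the function names here are assumptions for the demo.

```javascript
// Added example (not Chrome's own code): compute the "site" Chrome's site
// isolation keys renderer processes on, i.e. scheme + registrable domain
// (the public suffix plus the label before it), and group a page's frames
// into processes by site. Chrome consults the full Public Suffix List; the
// small set below is an assumed subset that is enough for the demo.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Returns the site of a URL, e.g. "https://example.com", or null for URLs
// with no host (about:blank, data:), which have no site of their own.
function siteOf(urlString) {
  const url = new URL(urlString);
  if (!url.hostname) return null;
  const labels = url.hostname.toLowerCase().split(".");
  // Find the longest public suffix, then keep exactly one more label.
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      if (i === 0) return null; // the bare suffix itself, e.g. https://github.io/
      return `${url.protocol}//${labels.slice(i - 1).join(".")}`;
    }
  }
  // No known suffix (localhost, an IP address): the whole host is the site.
  return `${url.protocol}//${url.hostname}`;
}

// Two documents may share a renderer process only if they are same-site.
// Note that the scheme is part of the site, so http:// and https:// differ.
function sameSite(urlA, urlB) {
  const a = siteOf(urlA);
  return a !== null && a === siteOf(urlB);
}

// Assign a main frame and its child frames to renderer processes keyed by
// site, the way site isolation splits one page across several processes.
// Frames with no site inherit the main frame's site here; that is a
// simplification of how Chrome treats about:blank and data: URLs.
function assignProcesses(mainFrameUrl, childFrameUrls) {
  const mainSite = siteOf(mainFrameUrl);
  const processes = new Map(); // site -> list of frame URLs hosted there
  for (const frameUrl of [mainFrameUrl, ...childFrameUrls]) {
    const site = siteOf(frameUrl) ?? mainSite;
    if (!processes.has(site)) processes.set(site, []);
    processes.get(site).push(frameUrl);
  }
  return processes;
}

// Demo on constructed URLs: a news page embedding a same-site widget and two
// frames from an ad network ends up in two renderer processes.
const demo = assignProcesses("https://news.example.com/story", [
  "https://static.example.com/widget",
  "https://ads.adnetwork.net/banner",
  "https://track.adnetwork.net/pixel",
  "about:blank",
]);
for (const [site, frames] of demo) console.log(site, "->", frames.join(", "));
```

The point of the demo is that the ad network's two frames share one process (they are same-site with each other) but never share the process that holds the news site's documents, which is exactly the boundary a Spectre attack from the ad frame would have to cross.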
Chrome site isolation has been enabled for 99% of users on Windows, Mac, Linux and Chrome OS, but Android support is still a work in progress at the time of this writing. Users won't notice much difference, but the added protection causes Chrome to create more renderer processes, which consumes more memory.
Even with site isolation, an attacker's page could still pull cross-site data into its own renderer process by requesting cross-site URLs as subresources, for example as an image or a script. The browser would refuse to display an HTML or JSON response requested that way, but the response body would already have been delivered to the renderer process, where a Spectre attack could read it.
To close this gap, site isolation includes a feature called Cross-Origin Read Blocking (CORB), which inspects cross-origin responses before they reach the renderer and blocks those whose content is a sensitive type (HTML, XML or JSON) requested in a context where it could never legitimately be used, such as an image or script tag, unless CORS explicitly permits the read. To get the most protection from site isolation and CORB, website developers must ensure resources are served with the correct Multipurpose Internet Mail Extensions (MIME) type and with the X-Content-Type-Options response header set to nosniff. With nosniff set, the browser is told not to second-guess the declared content type, so CORB can block a protected type on the Content-Type header alone; without it, CORB has to sniff the body to confirm that the response really is HTML, XML or JSON (servers mislabel images and scripts often enough that blocking on the header alone would break sites), and a response it cannot confirm is let through. The same header also stops the browser from promoting a nonexecutable MIME type to an executable one, the content-sniffing behaviour that earlier cross-site attacks relied on.
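The decision just described, as an added example that is not Chromium's CORB implementation: a simplified version of the check the browser process applies to a cross-origin response before handing it to the renderer. The origins, URLs, the header layout and the sniffing rules are assumptions; the real sniffers are more careful, and the real algorithm has further cases (partial content, range requests) that are left out here.

```javascript
// Added example (not Chromium's CORB code): a simplified Cross-Origin Read
// Blocking decision applied to a response in the browser process before the
// body is handed to the renderer. It shows why the Content-Type header and
// X-Content-Type-Options: nosniff decide whether CORB can block confidently.
const PROTECTED_TYPES = ["text/html", "text/xml", "application/xml", "application/json", "text/json"];

function baseMimeType(contentType) {
  return (contentType ?? "").split(";")[0].trim().toLowerCase();
}

function isProtectedType(mime) {
  return PROTECTED_TYPES.includes(mime) || mime.endsWith("+xml") || mime.endsWith("+json");
}

// Stand-ins for Chromium's body sniffers, deliberately simple.
const sniffsAsHtml = (body) => /^\s*<(!doctype|html|head|body|script|meta|title|!--)/i.test(body);
const sniffsAsXml = (body) => /^\s*<\?xml/i.test(body);
const sniffsAsJson = (body) => /^\s*(\)\]\}'|\{|\[)/.test(body); // also matches the )]}' anti-XSSI prefix

function bodyLooksProtected(mime, body) {
  if (mime === "text/html") return sniffsAsHtml(body);
  if (mime === "text/xml" || mime === "application/xml" || mime.endsWith("+xml")) return sniffsAsXml(body);
  if (mime === "text/json" || mime === "application/json" || mime.endsWith("+json")) return sniffsAsJson(body);
  return false;
}

// request:  { initiatorOrigin, url, destination }  destination as in Fetch: "image", "script", "iframe", ...
// response: { headers: { <lower-case header name>: value }, body }
// Returns { blocked, reason }.
function corbDecision(request, response) {
  const responseOrigin = new URL(request.url).origin;
  if (request.initiatorOrigin === responseOrigin) return { blocked: false, reason: "same-origin" };
  const acao = (response.headers["access-control-allow-origin"] ?? "").trim();
  if (acao === "*" || acao === request.initiatorOrigin) return { blocked: false, reason: "CORS-approved" };
  // Navigations (top-level and frames) get their own process; CORB is for subresources.
  if (request.destination === "document" || request.destination === "iframe") {
    return { blocked: false, reason: "navigation, handled by process switching" };
  }

  const mime = baseMimeType(response.headers["content-type"]);
  const nosniff = (response.headers["x-content-type-options"] ?? "").trim().toLowerCase() === "nosniff";

  if (isProtectedType(mime)) {
    if (nosniff) return { blocked: true, reason: `protected type ${mime} declared with nosniff` };
    // Without nosniff CORB must confirm the body, because servers commonly
    // mislabel images and scripts; an unconfirmed response is let through.
    return bodyLooksProtected(mime, response.body)
      ? { blocked: true, reason: `protected type ${mime} confirmed by sniffing` }
      : { blocked: false, reason: `${mime} declared but body does not sniff as it` };
  }
  const b = response.body;
  if (mime === "text/plain" && (sniffsAsHtml(b) || sniffsAsXml(b) || sniffsAsJson(b))) {
    return { blocked: true, reason: "text/plain that sniffs as HTML, XML or JSON" };
  }
  return { blocked: false, reason: `${mime || "unknown"} is not a protected type` };
}

// What the renderer receives for a blocked response: an empty body and no
// content headers, so a Spectre attack in the renderer has nothing to read.
function filterForRenderer(request, response) {
  const decision = corbDecision(request, response);
  if (!decision.blocked) return { ...response, corb: decision };
  return { headers: {}, body: "", corb: decision };
}

// Constructed demo: an attacker page loads a victim's JSON API as a <script>.
const attackerRequest = {
  initiatorOrigin: "https://attacker.example",
  url: "https://bank.example/api/balance",
  destination: "script",
};
const apiResponse = {
  headers: { "content-type": "application/json; charset=utf-8", "x-content-type-options": "nosniff" },
  body: '{"balance": 4212.07}',
};
console.log(corbDecision(attackerRequest, apiResponse));
```

Run the decision with the nosniff header removed and the body replaced by something that does not look like JSON, and the response is allowed through: that is the gap a wrong MIME type or a missing nosniff header leaves open, and why both fixes belong on the server.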
Google plans further updates to the site isolation project to reduce the threat posed by Spectre, with the eventual goal that Chrome can treat the entire renderer process as untrusted, so that even a renderer compromised by some other bug cannot obtain cross-site data. Experimental enterprise policies for enabling site isolation will be available in Chrome 68 for Android, and it can be enabled manually on Android using chrome://flags/#enable-site-per-process.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)