Google Chrome on Android gets ‘site isolation’ shield against Spectre CPU attacks

  • Liam Tung (CSO Online)
  • 18 October, 2019 07:38

Chrome 77 now includes the Google-developed security feature site isolation, which the company argues is the best defense against attacks like Spectre that exploit CPU vulnerabilities. 

Site isolation has been enabled by default on the desktop since Chrome 67 on Windows, Mac, Linux, and Chrome OS as a key defense against web-based speculative side-channel attacks that exploit CPU design flaws to leak sensitive data like passwords.

Its key function is to protect users against malicious sites that may use Spectre-like attacks to exploit the fact that many browsers share the same renderer process for multiple websites, potentially allowing attackers to leak information from one site to another.

Site isolation aims to prevent this by ‘locking’ each renderer process to a specific site and preventing sensitive data from moving between sites that share a process. Mozilla has also started to implement site isolation in Firefox, and Chromium-based browsers, including Microsoft's Chromium-based Edge, can use Google's technology.

The challenge with bringing site isolation to Chrome on smartphones is that the technique creates some performance overhead. On the desktop, Google estimates it causes about 10% to 13% higher memory usage when isolating all sites with many tabs open. However, it contends there is only about a 3% to 5% total memory overhead in ‘real workloads’.

Since smartphones have less memory than PCs, Google created a ‘lite’ version of site isolation to reduce the extra load on memory. For now, Google has restricted site isolation to “high-value” sites that users log in to with a password, such as bank and e-commerce sites. For less important sites it allows renderer process sharing.

Google estimates on Android with Chrome 77 that the memory overhead is about 3% to 5% when isolating sites that users log into. 

Site isolation on Android is turned on after Chrome detects a password being entered on a site; all subsequent visits are then protected by the feature, ensuring that the password site is rendered in its own isolated renderer process.

Chrome also stores a list of protected sites on the device, which disappears every time a user clears browsing history. The browser also has a crowdsourced list of sites on which mobile users have frequently entered passwords.

Another restriction is that site isolation is only enabled on Android devices with at least 2GB of RAM. Chrome users also have the option to manually enable site isolation for all sites using the chrome://flags/#enable-site-per-process flag.

Google has also beefed up site isolation in Chrome 77 on the desktop and claims that, beyond Spectre-style attacks, it can protect the browser when the renderer process is fully compromised through, for example, a memory corruption bug in Chrome’s rendering engine, Blink.

“Chrome's browser process knows what site the renderer process is dedicated to, so it can restrict which cookies, passwords, and site data the entire process is allowed to receive. This makes it far more difficult for attackers to steal cross-site data,” explain Chrome security team members.
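As an added example (not code from the article, Google or Chromium), the following Python model captures the two policies described above: the browser process assigns a renderer per "site" (scheme plus registrable domain), either for every site (desktop) or only for sites where a password was entered (Android 'lite' mode), and then refuses to hand a renderer data for any site it is not locked to. The class and function names and the short public-suffix subset are assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed subset of the public suffix list for this example; Chrome uses the full list.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def site_of(url):
    """The unit a renderer is locked to: scheme plus eTLD+1 (a 'site', not an origin)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return f"{parts.scheme}://{'.'.join(labels[i - 1:])}"
    return f"{parts.scheme}://{parts.hostname}"


class BrowserProcess:
    """Models the privileged browser process that assigns renderers and gates their data."""

    def __init__(self, isolate_all):
        self.isolate_all = isolate_all    # True: desktop 'all sites'; False: Android 'lite' mode
        self.protected_sites = set()      # Android's on-device list of password sites
        self.renderers = {}               # pid -> locked site, or None for the shared renderer

    def password_entered(self, url):
        """Android trigger: a password typed on a site makes that site isolated from now on."""
        self.protected_sites.add(site_of(url))

    def clear_browsing_history(self):
        self.protected_sites.clear()      # the on-device list disappears with browsing history

    def _needs_dedicated_process(self, site):
        return self.isolate_all or site in self.protected_sites

    def renderer_for(self, url):
        """Pick (or create) the renderer allowed to host this navigation."""
        site = site_of(url)
        lock = site if self._needs_dedicated_process(site) else None
        for pid, locked in self.renderers.items():
            if locked == lock:
                return pid
        pid = len(self.renderers) + 1
        self.renderers[pid] = lock
        return pid

    def may_receive(self, pid, url):
        """Gate applied even to a compromised renderer: only cookies/site data for its own site."""
        site = site_of(url)
        lock = self.renderers[pid]
        if lock is None:                  # shared renderer never gets an isolated site's data
            return not self._needs_dedicated_process(site)
        return lock == site
```

In lite mode the shared renderer can still receive data for two non-protected sites at once, which is exactly the residual exposure the article notes for less important sites.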