Google Implementing Ambitious Spectre Fix For Chrome

Google Chrome Site Isolation Logical Step

Last year, the theoretical bugs became reality. Dubbed Spectre, the new exploits allowed attackers unprecedented ability to attack users. Bypassing traditional protections, the new bugs opened up a new option for side-channel attacks. On top of system and hardware fixes, Google is rolling out their own fix for Google Chrome. The new patch takes Chrome tabbing to a whole new level with site isolation.

With each new tab, Chrome generally already segregates the process for each. Site isolation now adds a new render process for each new domain. For instance, eTeknix.com resources will use their own process. The social media icons for Facebook.com on the same page will also have their own process. Due to the additional processes and isolation, there is a performance penalty. Having some much more stuff run in the background adds 10 to 13 per cent memory usage. To offset the performance penalty, Google will kill the render process more quickly.

Site Isolation Shifts Weak Points to System

Due to each domain having their own process, data is now isolated, preventing possible cross access. A malicious domain now cannot request resources from a domain like a bank to attack it. Of course, the fix still have to rely on system and hardware fixes for the final barrier. Instead, the fix moves the focus from the browser to the system. Since these processes all run on the same system and CPU, that is still a weak point.

The new fix has been a part of Chrome of a while already. However, it is now largely the default for Chrome 67. Google is opting out 1% of users due to performance concerns. For the same reason, Android Chrome is also not seeing this fix yet. Chrome 68 for Android may see a limited opt in version. Both Mozilla Firefox and Microsoft Edge could see similar fixes. It is unknown if site isolation will become the preferred fix for Spectre. Given the rise of timing attacks, expect more isolation of processes going forward.