Google flips switch on Chrome's newest defensive technology

With 'Site Isolation' in use, the browser should be better protected from Spectre-like attacks designed to steal info such as log-on credentials.

Gregg Keizer Jul 13th 2018

Google has switched on a defensive technology in Chrome that will make it much more difficult for Spectre-like attacks to steal information such as log-on credentials.

Called "Site Isolation," the new security technology has a decade-long history. But most recently it's been cited as a shield to guard against threats posed by Spectre, the processor vulnerability sniffed out by Google's own engineers more than a year ago. Google unveiled Site Isolation in late 2017 within Chrome 63, making it an option for enterprise IT staff members, who could customize the defense to shield workers from threats harbored on external sites. Company administrators could enable it with command-line flags for initial testing, and with Windows GPOs - Group Policy Objects - for wider deployment via group policies.

Later, in Chrome 66, which launched in April, Google opened the field testing to general users, who could enable Site Isolation via the chrome://flags option. Google made clear that Site Isolation would eventually be made the default in the browser, but the firm first wanted to validate the fixes addressing issues that cropped up in earlier testing. Users were able to decline to participate in the trial by changing one of the settings in the options page.

Now, Google has switched on Site Isolation for the vast majority of Chrome users - 99% of them by the search giant's account. "Many known issues have been resolved since (Chrome 63), making it practical to enable by default for all desktop Chrome users," Charlie Reis, a Google software engineer, wrote in a post to a company blog.

Site Isolation, Reis explained, "is a large change to Chrome's architecture that limits each renderer process to documents from a single site." With Site Isolation enabled, an attacker's site is kept out of the Chrome renderer process that holds another website's content, so the attacker's code cannot share memory with the data it is trying to read.

"When Site Isolation is enabled, each renderer process contains documents from, at most, one site," Reis continued. "This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using 'out-of-process iframes.'" That, Reis added, was a major change to how Chrome works, and one that engineers had been pursuing for several years, long before Spectre was uncovered.
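The process-assignment rule Reis describes can be modelled in a few lines. The Python below is an added illustration, not Chrome's or Google's code; it assumes Chrome's definition of a "site" as scheme plus registrable domain (eTLD+1), and the public-suffix set, frame tree and function names are constructed for the example.

```python
from urllib.parse import urlsplit
# Constructed, abbreviated public-suffix set (Chrome uses the full Public
# Suffix List). A "site" is scheme + eTLD+1, so subdomains share a site.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}

def site_of(url):
    """Return the site key Site Isolation groups documents by."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    for i in range(1, len(labels)):  # longest suffix match, plus one label
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return f"{parts.scheme}://{'.'.join(labels[i - 1:])}"
    return f"{parts.scheme}://{host}"

def assign_processes(frames, site_isolation=True):
    """frames: (frame_id, parent_id or None, url) tuples -> {frame_id: process}.
    Without Site Isolation the whole tab shares one renderer process."""
    if not site_isolation:
        return {fid: 0 for fid, _parent, _url in frames}
    processes = {}  # site key -> process index
    assignment = {}
    for fid, _parent, url in frames:
        site = site_of(url)
        processes.setdefault(site, len(processes))
        assignment[fid] = processes[site]
    return assignment

def cross_site_frames_isolated(frames, site_isolation=True):
    """Invariant from the article: a cross-site iframe never shares its
    parent's process, while same-site frames do share one."""
    assignment = assign_processes(frames, site_isolation)
    url_of = {fid: url for fid, _parent, url in frames}
    for fid, parent, url in frames:
        if parent is None:
            continue  # the main frame has no parent
        same_site = site_of(url) == site_of(url_of[parent])
        same_process = assignment[fid] == assignment[parent]
        if same_site != same_process:
            return False
    return True

# Constructed frame tree: account page, third-party ad iframe, same-site
# widget, and a first-party iframe nested inside the ad.
SAMPLE_FRAMES = [
    ("main", None, "https://www.example.com/account"),
    ("ad", "main", "https://ads.adnetwork.net/frame"),
    ("widget", "main", "https://static.example.com/widget"),
    ("nested", "ad", "https://www.example.com/embed"),
]
```

Note that the nested first-party iframe ends up back in the main frame's process even though its parent is the ad, which is exactly the out-of-process-iframe behaviour the quote describes.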

Reis' PhD dissertation of almost a decade ago was on the subject, and the Chrome team has been working on it for six years.

Chrome's site isolation (Image: Google)

With Site Isolation on by default in 99% of all Chrome desktop instances, the browser's Task Manager verifies that the defense is up and running. Note the different process numbers for the tab dedicated to streaming SiriusXM music and the subframe below it.

"This is an extremely impressive achievement," tweeted Eric Lawrence, a former senior software engineer at Google but now a principal program manager at rival Microsoft. "Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point-of-view]. And then, suddenly, it wasn't just a nice-to-have DiD [defense-in-depth], but instead an essential defense against a class of attack."

Others chimed in as well. "The current version defends only against data leakage attacks (e.g. Spectre), but work is under way to protect against attacks from compromised renderers," tweeted Justin Schuh, principal engineer and director on Chrome security. "We also haven't shipped to Android yet, as we're still working on resource consumption issues."

Google may not officially label resource consumption an "issue" with Site Isolation, but the company acknowledged that the technology comes with trade-offs. "There is about a 10-13% total memory overhead in real workloads due to the larger number of processes," Reis said, then added that engineers are continuing to work on reducing that memory hit.

At least the additional memory load estimate is smaller than before. Back when Chrome 63 debuted with Site Isolation, Google admitted that using it would increase memory usage by up to 20%.

Users will be able to verify that Site Isolation is turned on - that they're not part of the 1% left out in the cold as part of Google's efforts to "monitor and improve performance" - in Chrome 68 when that launches later this month by typing chrome://process-internals in the address bar. (That doesn't work in Chrome 67 or earlier.) Currently, checking requires more work on the user's part: It's spelled out in this document under the "Verify" subheading. Computerworld used the latter to make sure its instances of Chrome had Site Isolation enabled.

[Note: Site Isolation is enabled for almost all instances of Chrome, even though the item "Strict site isolation" in the chrome://flags settings page reads "Disabled." To turn off Site Isolation, users must instead change the item "Site isolation trial opt-out" to "Opt-out (not recommended)."]

Site Isolation is to be included in Chrome 68 for Android, Reis said. More functionality will also be added to the desktop edition of the browser. "We're also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes," he wrote. "Stay tuned for an update about these enforcements."