Guru3D.com
  • HOME
  • NEWS
    • Channels
    • Archive
  • DOWNLOADS
    • New Downloads
    • Categories
    • Archive
  • GAME REVIEWS
  • ARTICLES
    • Rig of the Month
    • Join ROTM
    • PC Buyers Guide
    • Guru3D VGA Charts
    • Editorials
    • Dated content
  • HARDWARE REVIEWS
    • Videocards
    • Processors
    • Audio
    • Motherboards
    • Memory and Flash
    • SSD Storage
    • Chassis
    • Media Players
    • Power Supply
    • Laptop and Mobile
    • Smartphone
    • Networking
    • Keyboard Mouse
    • Cooling
    • Search articles
    • Knowledgebase
    • More Categories
  • FORUMS
  • NEWSLETTER
  • CONTACT

New Reviews
Intel Core i5 11400F processor review
Corsair Vengeance RGB Pro SL 3600 MHz 32GB review
ASRock Z590 Extreme review
Gigabyte Radeon RX 6700 XT Gaming OC review
Corsair K70 RGB TKL keyboard review
Corsair RM650x (2021) power supply review
be quiet! Silent Loop 2 280mm review
Corsair K55 RGB PRO XT keyboard review
Guru3D Rig of the Month - March 2021
Intel Core i9-11900K processor review

New Downloads
Intel HD graphics Driver Download Version: DCH 27.20.100.9466
CPU-Z download v1.96
GeForce 466.11 WHQL driver download
Guru3D RTSS Rivatuner Statistics Server Download 7.3.2 Beta 2
MSI Afterburner 4.6.4 Beta 2 Download
HWiNFO Download v7.02
Corsair Utility Engine Download (iCUE) Download v4.9.350
Quake II RTX Download 1.5.0
GeForce 465.89 WHQL driver download
AIDA64 Download Version 6.33


New Forum Topics
STALKER 2 presented in a first gameplay teaser trailer Review: Intel Core i5 11400F processor ASRock launches Z590 OC Formula Motherboard GeForce 466.11 WHQL driver download & discussion Confirmed: GeForce RTX 3080 Ti with 12GB Gets Spotted in Transit MS Flight Simulator 2020 update brings more realism to France, Belgium, the Netherlands and Luxembourg NVidia Anti-Aliasing Guide (updated) Epic Games Announces $1 Billion Funding Round ClockTuner for Ryzen (CTR) - and introduction guide and download 4790K+960 SLI Windows XP Retrogaming build




Guru3D.com » News » Chrome version 67 Add on Site Isolation as standard for protection against Spectre

Chrome version 67 Add on Site Isolation as standard for protection against Spectre

by Hilbert Hagedoorn on: 07/15/2018 08:14 AM | source: Google | 41 comment(s)
Chrome version 67 Add on Site Isolation as standard for protection against Spectre

Ever since the Intel processor vulnerabilities got exposed, Google has been working hard to to protect the Chrome browser against security vulnerabilities. The company now achieved a final solution, by implementing a function called Site Isolation.

-- Google -- Speculative execution side-channel attacks like Spectre are a newly discovered security risk for web browsers. A website could use such attacks to steal data or login information from other websites that are open in the browser. To better mitigate these attacks, we're excited to announce that Chrome 67 has enabled a security feature called Site Isolation on Windows, Mac, Linux, and Chrome OS. Site Isolation has been optionally available as an experimental enterprise policy since Chrome 63, but many known issues have been resolved since then, making it practical to enable by default for all desktop Chrome users.

This launch is one phase of our overall Site Isolation project. Stay tuned for additional security updates that will mitigate attacks beyond Spectre (e.g., attacks from fully compromised renderer processes).

What is Spectre?

In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.

This is particularly relevant for web browsers, since browsers run potentially malicious JavaScript code from multiple websites, often in the same process. In theory, a website could use such an attack to steal information from other websites, violating the Same Origin Policy. All major browsers have already deployed some mitigations for Spectre, including reducing timer granularity and changing their JavaScript compilers to make the attacks less likely to succeed. However, we believe the most effective mitigation is offered by approaches like Site Isolation, which try to avoid having data worth stealing in the same process, even if a Spectre attack occurs.


What is Site Isolation?

Site Isolation is a large change to Chrome's architecture that limits each renderer process to documents from a single site. As a result, Chrome can rely on the operating system to prevent attacks between processes, and thus, between sites. Note that Chrome uses a specific definition of "site" that includes just the scheme and registered domain. Thus, https://google.co.uk would be a site, and subdomains like https://maps.google.co.uk would stay in the same process.

Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker's page to share a process with a victim's page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.

When Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes. It also means all cross-site iframes are put into a different process than their parent frame, using "out-of-process iframes." Splitting a single page across multiple processes is a major change to how Chrome works, and the Chrome Security team has been pursuing this for several years, independently of Spectre. The first uses of out-of-process iframes shipped last year to improve the Chrome extension security model.

In Chrome 67, Site Isolation has been enabled for 99% of users on Windows, Mac, Linux, and Chrome OS. (Given the large scope of this change, we are keeping a 1% holdback for now to monitor and improve performance.) This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker. This significantly reduces the threat posed by Spectre.



Chrome version 67 Add on Site Isolation as standard for protection against Spectre




« Cougar Launches the Cougar Turret · Chrome version 67 Add on Site Isolation as standard for protection against Spectre · Microsoft advocates regulation for facial recognition »

9 pages 1 2 3 4 > »


Carfax
Senior Member



Posts: 2915
Joined: 2010-05-06

#5564987 Posted on: 07/15/2018 08:17 AM
It will be interesting to see what kind of protections Edge and Firefox come up with, to mitigate Spectre and Meltdown. Though I think Chrome's latest protective measure will further reduce its overall efficiency vs Edge, which is easily the most efficient browser out there in terms of resource usage.

HardwareCaps
Senior Member



Posts: 452
Joined: 2018-05-03

#5565008 Posted on: 07/15/2018 09:39 AM
I smell performance/latency losses...

Robbo9999
Senior Member



Posts: 1528
Joined: 2012-10-07

#5565020 Posted on: 07/15/2018 11:07 AM
I smell performance/latency losses...

I've been enabling Strict Site Isolation in Chrome for months using the chrome flags commands, and I didn't notice any difference in performance. I think the implementation is good, not a problem.

apoklyps3
Senior Member



Posts: 230
Joined: 2010-04-29

#5565021 Posted on: 07/15/2018 11:33 AM
How to disable it?

Labyrinth
Senior Member



Posts: 4370
Joined: 2008-07-15

#5565026 Posted on: 07/15/2018 12:15 PM
How to disable it?

chrome://flags/#enable-site-per-process

9 pages 1 2 3 4 > »


Post New Comment
Click here to post a comment for this news story on the message forum.


Guru3D.com © 2021