Mitigating Spectre with Site Isolation in Chrome

cageymaru

The Google Security Blog has showcased a newly enabled Chrome feature that helps to protect against speculative execution side-channel attacks like Spectre. Site Isolation limits each renderer process to documents from a single site. To put this in context, previously Chrome allowed cross-site popups and iframes to access and stay in the same process as the page that created them. The cost of this enhanced security is 10% to 13% more memory usage.
It is good to see enhanced security features being enabled in Chrome, but I've been fighting the extra memory usage while doing the news. I'm glad to see that the Google Chrome development team is optimizing this new feature and porting it to Android.

In January, Google Project Zero disclosed a set of speculative execution side-channel attacks that became publicly known as Spectre and Meltdown. An additional variant of Spectre was disclosed in May. These attacks use the speculative execution features of most CPUs to access parts of memory that should be off-limits to a piece of code, and then use timing attacks to discover the values stored in that memory. Effectively, this means that untrustworthy code may be able to read any memory in its process's address space.
 
Doggie doggie what now? The whole problem with speculative execution is that processes could access memory outside their address space, no? If all it took to mitigate the risk is to isolate the process in its own memory, then we wouldn't need all these microcode upgrades would we?
 
I think that we've just begun with Spectre / Meltdown patches and mitigation. I like the idea of placing things into their own container within the browser. But I feel as if it is just a matter of time before the octopus figures out how to climb out of one tank and enter into another with all the tasty fish in it.
 
It is always mentioned Chrome 67 has it enabled by default instead of mentioning the major.minor.patches. I have Version 67.0.3396.99 (Official Build) (64-bit) and if I check it is disabled. The way some give information can be pissy, at times. Like, for example, with Chrome 67.shit.spyedition.1b, which is now released and will update on all systems, has this now enabled by default. Would that not be more (properly) informative?
 
The current build of Chrome (67.0.3396.99) broke in-video pop ads for YouTube. I watched several videos last night only to realise that where there should be an ad popping, only a broken link, report and close icons were visible. This is NOT a complaint! :ROFLMAO:
 