Site isolation explained
Site isolation is a web browser security feature that groups websites into sandboxed processes by their associated origins. This technique enables the process sandbox to block cross-origin bypasses that would otherwise be exposed by exploitable vulnerabilities in the sandboxed process.
The feature was first proposed publicly by Charles Reis and others, although Microsoft was independently working on implementation in the Gazelle research browser at the same time. The approach initially failed to gain traction due to the large engineering effort required to implement it in a fully featured browser, and concerns around the real-world performance impact of potentially unbounded process use.
In May 2013, a member of Google Chrome's Site Isolation Team announced on the chromium-dev mailing list that they would begin landing code for out-of-process iframes (OOPIF).[1] This was followed by a Site Isolation Summit at BlinkOn in January 2015, which introduced the eight-engineer team and described the motivation, goals, architecture, proposed schedule, and progress made so far. The presentation also included a demo of Chrome running with an early prototype of site isolation.[2]
In 2018, following the public disclosure of the Spectre and Meltdown vulnerabilities, Google accelerated the work, culminating in a 2019 release of the feature. In 2021, Firefox also launched its own version of site isolation, which had been in development under the codename Project Fission.
Despite the security benefits of this feature, it has limitations and tradeoffs. While it provides baseline protection against side-channel attacks such as Spectre and Meltdown, full protection against such attacks requires developers to explicitly enable certain advanced browser protections.
The main tradeoff of site isolation is the added resource consumption of the additional processes it requires. This limits its effectiveness on some classes of devices and can in some cases be abused to enable resource exhaustion attacks.
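As an added example (not code from the article or from any browser project), the following check lets a site owner verify whether a server response opts a document into the stronger, explicitly enabled isolation the previous paragraphs refer to. It assumes that the protections in question are the Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP) response headers, under which a document is cross-origin isolated when COOP is `same-origin` and COEP is `require-corp` or `credentialless`; the two response header sets are constructed sample input.

```javascript
// Added example: decide whether a response's headers opt the document into
// cross-origin isolation. ASSUMPTION: the "advanced browser protections" are
// the COOP and COEP headers; isolation requires COOP "same-origin" and COEP
// "require-corp" or "credentialless". Not code from the article or a browser.

// Case-insensitive header lookup that drops parameters such as
// '; report-to="..."' and normalises the token to lower case.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  if (key === undefined) return null;
  return String(headers[key]).split(";")[0].trim().toLowerCase();
}

// Returns the isolation verdict plus the headers a site would still need to add.
function crossOriginIsolationStatus(headers) {
  const coop = headerValue(headers, "Cross-Origin-Opener-Policy");
  const coep = headerValue(headers, "Cross-Origin-Embedder-Policy");
  const coopOk = coop === "same-origin";
  const coepOk = coep === "require-corp" || coep === "credentialless";
  const missing = [];
  if (!coopOk) missing.push("Cross-Origin-Opener-Policy: same-origin");
  if (!coepOk) missing.push("Cross-Origin-Embedder-Policy: require-corp");
  return { isolated: coopOk && coepOk, coop, coep, missing };
}

// Constructed sample responses: a page relying on site isolation alone, and the
// same page with both opt-in headers set (COOP carrying a reporting parameter).
const WEAK_RESPONSE = {
  "content-type": "text/html",
  "cross-origin-opener-policy": "unsafe-none",
};
const HARDENED_RESPONSE = {
  "Content-Type": "text/html",
  "Cross-Origin-Opener-Policy": 'same-origin; report-to="coop-endpoint"',
  "Cross-Origin-Embedder-Policy": "require-corp",
};

for (const [label, headers] of [["weak", WEAK_RESPONSE], ["hardened", HARDENED_RESPONSE]]) {
  const status = crossOriginIsolationStatus(headers);
  console.log(`${label}: isolated=${status.isolated}`,
    status.missing.length ? `missing: ${status.missing.join(", ")}` : "");
}
```

The parameter stripping matters in practice: a COOP header with a `report-to` parameter is still `same-origin`, and a checker that compares the raw string would wrongly flag a correctly configured response.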
Background
Until 2017, the predominant security architecture of major browsers followed the process-per-browsing-instance model: the browser comprised distinct sandboxed processes, including the browser process, GPU process, networking process, and rendering process. The rendering process called on the other, more privileged services when it needed to perform elevated actions while displaying a web page.
Although this model successfully prevented malicious JavaScript from gaining access to the operating system, it could not adequately isolate websites from each other. Despite these concerns, more robust models saw limited adoption because of perceived problems with them, particularly around performance and memory.
In 2017, however, the disclosure of the Spectre and Meltdown exploits altered this landscape. Previously, reading arbitrary memory was difficult and required a compromised renderer. With Spectre, attacks were developed that abused JavaScript features to read almost all memory in the rendering process, including memory holding potentially sensitive information from previously rendered cross-origin pages. This exposed the weakness of the process-per-instance security model. Consequently, a new security architecture was required that separated the rendering of different web pages into entirely isolated processes.
History
In 2009, Reis et al. proposed the first version of the process-per-site model, isolating web pages based on their web origin. This was improved upon in 2009 by the Gazelle research browser, which separated individual document frames based on their web principal, a security boundary corresponding to the specific document being loaded. Around the same time, work was also being done on the OP browser (which would later become OP2), IBOS, Tahoma and SubOS, all of which proposed different paradigms for process separation among sites.
Modern implementation
In 2019, Reis et al. of the Google Chrome project presented a paper at USENIX Security detailing changes to the existing browser security model in response to recent research showing that the Spectre attack could be mounted from inside the browser's rendering process. The paper proposed changes to the model that borrowed from Reis et al.'s 2009 work. Chrome's implementation of site isolation uses web origins as the primary differentiator of a 'site' at the process level. Additionally, the Chrome team implemented out-of-process execution of website frames, a feature that had been suggested by the authors of the Gazelle web browser as well as of the OP and OP2 browsers. This required a significant re-engineering of Chrome's process-handling code, involving more than 4000 commits from 320 contributors over a period of 5 years.
Chrome's implementation of site isolation allowed it to eliminate multiple universal cross-site scripting (uXSS) attacks. uXSS attacks let an attacker bypass the same-origin policy, granting the unrestricted ability to inject and run attacker-controlled JavaScript on other websites. The Chrome team found that all 94 uXSS attacks reported between 2014 and 2018 would be rendered ineffective by the deployment of site isolation. In addition, the Chrome team claimed that its implementation of site isolation would be effective at preventing variants of the Spectre and Meltdown family of timing attacks that relied on the victim's address space being in the same process as the attacker's.
In March 2021, the Firefox development team announced that it would also roll out its implementation of site isolation. The feature had been in development for several months under the codename Project Fission. Firefox's implementation fixed some of the flaws found in Chrome's implementation, namely that similar web pages were still vulnerable to uXSS attacks. The project also required a rewrite of Firefox's process-handling code.
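As an added example (illustration code, not from the article, Chromium or Firefox), the following toy model shows the two ideas the implementation sections describe: keying renderer processes by site, and rendering a child frame out of process when its site differs from its parent's. It assumes a site is the scheme plus registrable domain (eTLD+1), uses a small constructed public-suffix table in place of the real Public Suffix List, and walks a constructed frame tree; the `sitesReachableFrom` helper then shows what a bug in one renderer process can and cannot reach under this model.

```javascript
// Added example: a toy model of process-per-site assignment with out-of-process
// iframes (OOPIF). Not code from the article or from any browser project.
// ASSUMPTION: a "site" is scheme + registrable domain (eTLD+1); the suffix
// table below is a constructed stand-in for the full Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Map a URL to its site key, scheme://eTLD+1. Note that hosts under a suffix
// such as github.io are distinct sites, so they never share a process.
function siteForUrl(urlString) {
  const url = new URL(urlString);
  const labels = url.hostname.split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // one label to the left of the public suffix is the registrable domain
      const start = Math.max(i - 1, 0);
      return `${url.protocol}//${labels.slice(start).join(".")}`;
    }
  }
  return `${url.protocol}//${url.hostname}`; // no known suffix: whole host
}

// Renderer processes keyed by site: same site reuses a process, else a new one.
class ProcessModel {
  constructor() { this.bySite = new Map(); }
  processFor(site) {
    if (!this.bySite.has(site)) this.bySite.set(site, this.bySite.size + 1);
    return this.bySite.get(site);
  }
}

// Walk a frame tree ({url, children}) recording which process each frame lands
// in; a frame whose process differs from its parent's is an out-of-process iframe.
function assignProcesses(frame, model, parentPid = null, out = []) {
  const site = siteForUrl(frame.url);
  const pid = model.processFor(site);
  out.push({ url: frame.url, site, pid, oopif: parentPid !== null && pid !== parentPid });
  for (const child of frame.children || []) assignProcesses(child, model, pid, out);
  return out;
}

// The security property: a renderer bug (or an in-process Spectre read) can only
// reach data of frames that share its process, i.e. frames of the same site.
function sitesReachableFrom(assignments, pid) {
  return [...new Set(assignments.filter(a => a.pid === pid).map(a => a.site))];
}

// Constructed sample page: a news site embedding a third-party ad, a same-site
// widget, and two GitHub Pages sites.
const DEMO_PAGE = {
  url: "https://news.example.com/",
  children: [
    { url: "https://ads.adnetwork.org/frame" },
    { url: "https://example.com/widget" },
    { url: "https://user1.github.io/" },
    { url: "https://user2.github.io/" },
  ],
};

function demo() {
  return assignProcesses(DEMO_PAGE, new ProcessModel());
}

for (const a of demo()) {
  console.log(`${a.url} -> ${a.site} (process ${a.pid}${a.oopif ? ", OOPIF" : ""})`);
}
```

Running it places the main frame and the same-site widget in process 1, the ad frame in its own process as an OOPIF, and the two github.io frames in two further processes; the cost side of the tradeoff is visible in the same output, since one page already spawned four renderer processes.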
Reception
Before 2019, site isolation had only been implemented in research browsers. It was considered resource intensive because of the increased memory taken up by the additional processes, and this overhead was borne out in real-world implementations as well: Chrome with site isolation used on average one to two cores more than Chrome without it, and engineers working on the site isolation project observed a 10 to 13 percent increase in memory usage when site isolation was enabled.
Chrome was the first major web browser in the industry to adopt site isolation as a defense against uXSS and transient-execution attacks. To do so, the team overcame multiple performance and compatibility hurdles, and in doing so kickstarted an industry-wide effort to improve browser security. Nonetheless, certain aspects of its Spectre defenses have been found lacking; in particular, site isolation's ability to defend against timing attacks has been shown to be incomplete. In 2021, Agarwal et al. developed an exploit called Spook.js that broke Chrome's Spectre defenses and exfiltrated data across web pages in different origins. In the same year, researchers at Microsoft leveraged site isolation to perform a variety of timing attacks that leaked cross-origin information by careful manipulation of the inter-process communication protocols site isolation employs.
In 2023, researchers at Ruhr University Bochum showed that they could leverage the process architecture required by site isolation to exhaust system resources and to perform advanced attacks such as DNS poisoning.
References
Sources
- Reis, Charles; Gribble, Steven D. (April 2009). "Isolating web programs in modern browser architectures". Proceedings of the 4th ACM European Conference on Computer Systems. ACM, pp. 219–232. doi:10.1145/1519065.1519090. ISBN 978-1-60558-482-9. https://dl.acm.org/doi/10.1145/1519065.1519090 (archived 2023-12-24: https://web.archive.org/web/20231224201956/https://dl.acm.org/doi/10.1145/1519065.1519090).
- Rogowski, Roman; Morton, Micah; Li, Forrest; Monrose, Fabian; Snow, Kevin Z.; Polychronakis, Michalis (2017). "Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses". 2017 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 366–381. doi:10.1109/EuroSP.2017.39. ISBN 978-1-5090-5762-7. https://ieeexplore.ieee.org/document/7961991 (archived 2020-02-10: https://web.archive.org/web/20200210154740/https://ieeexplore.ieee.org/document/7961991/).
- Röttger, Stephen; Janc, Artur. "A Spectre proof-of-concept for a Spectre-proof web". Google Online Security Blog. Retrieved 2023-12-24 (archived 2023-12-24: https://web.archive.org/web/20231224165739/https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html).
- Dong, Xinshu; Hu, Hong; Saxena, Prateek; Liang, Zhenkai (2013). "A Quantitative Evaluation of Privilege Separation in Web Browser Designs". In Crampton, Jason; Jajodia, Sushil; Mayes, Keith (eds.), Lecture Notes in Computer Science. Berlin, Heidelberg: Springer, pp. 75–93. doi:10.1007/978-3-642-40203-6_5. ISBN 978-3-642-40203-6 (archived 2023-12-29: https://web.archive.org/web/20231229194806/https://link.springer.com/chapter/10.1007/978-3-642-40203-6_5).
- Warren, Tom (2018-07-12). "Chrome now uses more RAM because of Spectre security fixes". The Verge. Retrieved 2023-12-30 (archived 2022-10-25: https://web.archive.org/web/20221025222516/https://www.theverge.com/2018/7/12/17564064/google-chrome-ram-usage-memory-increase-spectre-fixes).
- Reis, Charles; Moshchuk, Alexander; Oskov, Nasko (2019). "Site Isolation: Process Separation for Web Sites within the Browser". USENIX Security 2019, pp. 1661–1678. ISBN 978-1-939133-06-9 (archived 2023-11-28: https://web.archive.org/web/20231128040322/https://www.usenix.org/conference/usenixsecurity19/presentation/reis).
- Zhu, Yongye; Wei, Shijia; Tiwari, Mohit (2022). "Revisiting Browser Performance Benchmarking From an Architectural Perspective". IEEE Computer Architecture Letters 21(2), pp. 113–116. doi:10.1109/LCA.2022.3210483 (archived 2023-07-30: https://web.archive.org/web/20230730071806/https://ieeexplore.ieee.org/document/9905900/).
- Paul, Ryan (2009-07-10). "Inside Gazelle, Microsoft Research's "browser OS"". Ars Technica. Retrieved 2024-03-07.
- Jin, Zihao; Kong, Ziqiao; Chen, Shuo; Duan, Haixin (2022). "Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation". 2022 IEEE Symposium on Security and Privacy (SP), pp. 1525–1539. doi:10.1109/SP46214.2022.9833710. ISBN 978-1-6654-1316-9. https://ieeexplore.ieee.org/document/9833710 (archived 2022-07-28: https://web.archive.org/web/20220728025450/https://ieeexplore.ieee.org/document/9833710/).
- Layzell, Nika (2019-02-04). "fission-news-1". mystor.github.io. Retrieved 2023-12-30 (archived 2023-12-29: https://web.archive.org/web/20231229194828/https://mystor.github.io/fission-news-1.html).
- Agarwal, Ayush; O'Connell, Sioli; Kim, Jason; Yehezkel, Shaked; Genkin, Daniel; Ronen, Eyal; Yarom, Yuval (2022). "Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution". 2022 IEEE Symposium on Security and Privacy (SP), pp. 699–715. doi:10.1109/SP46214.2022.9833711. ISBN 978-1-6654-1316-9. https://ieeexplore.ieee.org/document/9833711 (archived 2022-10-27: https://web.archive.org/web/20221027040212/https://ieeexplore.ieee.org/document/9833711/).
- Rokicki, Thomas; Maurice, Clémentine; Laperdrix, Pierre (2021). "SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers". 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pp. 472–486. doi:10.1109/EuroSP51992.2021.00039. ISBN 978-1-6654-1491-3. https://ieeexplore.ieee.org/document/9581218 (archived 2022-12-17: https://web.archive.org/web/20221217235323/https://hal.inria.fr/hal-03215569/file/eurosp21_rokicki.pdf).
- Wang, Helen; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman (2009-02-19). "The Multi-Principal OS Construction of the Gazelle Web Browser". SSYM'09: Proceedings of the 18th Conference on USENIX Security Symposium (archived 2023-09-04: https://web.archive.org/web/20230904184816/https://www.microsoft.com/en-us/research/publication/the-multi-principal-os-construction-of-the-gazelle-web-browser/).
- Jia, Yaoqi; Chua, Zheng Leong; Hu, Hong; Chen, Shuo; Saxena, Prateek; Liang, Zhenkai (2016-10-24). ""The Web/Local" Boundary is Fuzzy: A Security Study of Chrome's Process-based Sandboxing". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (CCS '16). New York, NY, USA: Association for Computing Machinery, pp. 791–804. doi:10.1145/2976749.2978414. ISBN 978-1-4503-4139-4. https://doi.org/10.1145/2976749.2978414.
- Bishop, Douglas L. (2021). "Improvements of User's Security and Privacy in a Web Browser". University of Dayton (archived 2023-12-24: https://web.archive.org/web/20231224201956/https://etd.ohiolink.edu/acprod/odb_etd/etd/r/1501/10?clear=10&p10_accession_num=dayton1639246469786975).
- Cimpanu, Catalin (2019-02-06). "Firefox to get a 'site isolation' feature, similar to Chrome". ZDNET. Retrieved 2023-12-29 (archived 2023-12-29: https://web.archive.org/web/20231229194806/https://www.zdnet.com/article/firefox-to-get-a-site-isolation-feature-similar-to-chrome/).
- Narayan, Shravan; Disselkoen, Craig; Garfinkel, Tal; Froyd, Nathan; Rahm, Eric; Lerner, Sorin; Shacham, Hovav; Stefan, Deian (2020). "Retrofitting Fine Grain Isolation in the Firefox Renderer". USENIX Security 2020, pp. 699–716. ISBN 978-1-939133-17-5 (archived 2023-12-24: https://web.archive.org/web/20231224201956/https://www.usenix.org/conference/usenixsecurity20/presentation/narayan).
- Gierlings, Matthias; Brinkmann, Marcus; Schwenk, Jörg (2023). "Isolated and Exhausted: Attacking Operating Systems via Site Isolation in the Browser". USENIX Security 2023, pp. 7037–7054. ISBN 978-1-939133-37-3 (archived 2023-12-24: https://web.archive.org/web/20231224201956/https://www.usenix.org/conference/usenixsecurity23/presentation/gierlings).
- Kokatsu, Jun (2020-11-10). "Deep Dive into Site Isolation (Part 1)". Microsoft Browser Vulnerability Research. Retrieved 2023-12-24 (archived 2023-12-24: https://web.archive.org/web/20231224201956/https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/).
- Kim, Young Min; Lee, Byoungyoung (2023). "Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions". USENIX Security 2023, pp. 7055–7071. ISBN 978-1-939133-37-3 (archived 2023-12-24: https://web.archive.org/web/20231224201957/https://www.usenix.org/conference/usenixsecurity23/presentation/kim-young-min).
- Kocher, Paul; Horn, Jann; Fogh, Anders; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2020-06-18). "Spectre attacks: exploiting speculative execution". Communications of the ACM 63(7), pp. 93–101. doi:10.1145/3399742. ISSN 0001-0782.
- Kim, Sunwoo; Kim, Young Min; Hur, Jaewon; Song, Suhwan; Lee, Gwangmu; Lee, Byoungyoung (2022). ": Detecting vulnerabilities in Browsers through Origin Fuzzing". pp. 1008–1023. ISBN 978-1-939133-31-1.
Notes and References
- [1] Oskov, Nasko (1 May 2013). "PSA: Tracking changes for out-of-process iframes". chromium-dev mailing list. Retrieved 30 August 2024.
- [2] "Site Isolation Summit". YouTube. 29 January 2015. Retrieved 30 August 2024.