The Spectre and Meltdown vulnerabilities have cast a long shadow over the security industry as engineers and researchers look for new ways to mitigate the risk that speculative side-channel attacks like these pose. In the months following the disclosure of those bugs, people on Google’s Chromium team have been working on a number of different potential methods to address them, and one that may be arriving sooner rather than later is site isolation.
Spectre and Meltdown are two examples of side-channel attacks that exploit flaws in the speculative execution logic of some processors. The techniques take advantage of the fact that processors use speculative execution to anticipate what a program is going to do and then execute some instructions ahead of time. In some cases attackers can take advantage of the way processors handle speculative execution in order to access sensitive data from memory that should be protected. Web browsers are the most obvious target for speculative side-channel attacks, and both the browser vendors and chip manufacturers have been releasing patches that help mitigate such attacks.
But there is a separate conversation happening among security teams at technology vendors as they try to work out how to defend against Spectre-like attacks in the long term. The big issue for browsers is that active web content running in a given process can read data belonging to other sites that share that process.
“We must assume that active web content (JavaScript, WebAssembly, Native Client, Flash, PDFium, …) will be able to read any and all data in the address space of the process that hosts it. Multiple independent parties have developed proof-of-concept exploits that illustrate the effectiveness and reliability of Spectre-style attacks. The loss of cross-origin confidentiality inside a single process is thus not merely theoretical,” members of the Google Chromium team said in a post outlining their approach to defending against Spectre-type attacks.
With that kind of exploit in hand, an attacker would have the ability to bypass many of the exploit mitigations that vendors have put in place, including ASLR (address space layout randomization). That’s what’s possible right now. Attacks always get better, not worse, and Google’s engineers are working with that axiom in mind to find some near-term and long-term defenses. The mitigation that is closest on the horizon right now is site isolation, a method for preventing one site from accessing data from another site inside the browser. Google is planning to have site isolation enabled in Chrome on the desktop and Android soon, with desktop protection coming first.
“The first order solution is to simply get cross-origin data out of the Spectre attacker’s address space. Site Isolation (SI) more closely aligns the web security model (the same-origin policy) with the underlying platform’s security model (separate address spaces and privilege reduction),” Google said.
“SI still has some bugs that need to be ironed out before we can turn it on by default, both on Desktop and on Android. As of May 2018 we believe we can turn it on by default, on Desktop (but not Android yet) in M67 or M68.”
One drawback of site isolation is that Chrome tends to use more memory when SI is enabled, and the Google team said that could be an issue on Android devices, where memory is more precious than on desktops.
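Site Isolation decides which documents may share a renderer process by comparing their "site" rather than their full origin, so it is worth seeing what that boundary actually is. The following Python is an added example, not Chromium code; the definition of a site as scheme plus registrable domain (eTLD+1) reflects how Chrome groups pages and is not stated on the page, and the public-suffix table is a constructed stub standing in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: a real
# implementation would load the full list). Entries are public suffixes,
# i.e. the part of a hostname under which independent parties register names.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the same-origin-policy tuple (scheme, host, port)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host: %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)
    return (parts.scheme, parts.hostname, port)


def site_of(url):
    """Return (scheme, registrable domain): the unit Site Isolation keeps per process.

    Ports and subdomains are ignored; the scheme is kept, so http and https
    versions of the same domain are different sites.
    """
    scheme, host, _ = origin_of(url)
    labels = host.split(".")
    # Find the longest public suffix that ends the hostname, then keep one
    # more label in front of it to get the registrable domain.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                # The host itself is a public suffix; treat it as its own site.
                return (scheme, host)
            return (scheme, ".".join(labels[i - 1:]))
    # No known suffix (e.g. an IP address or a bare hostname): the whole host is the site.
    return (scheme, host)


def same_origin(url_a, url_b):
    return origin_of(url_a) == origin_of(url_b)


def same_site(url_a, url_b):
    return site_of(url_a) == site_of(url_b)


def isolated_by_site_isolation(url_a, url_b):
    """True when Site Isolation places the two documents in separate processes.

    Cross-origin documents of the same site still share a process, which is why
    the text describes Site Isolation as aligning the web model with the process
    model more closely rather than exactly.
    """
    return not same_site(url_a, url_b)


if __name__ == "__main__":
    pairs = [
        ("https://www.example.com/app", "https://api.example.com:8443/data"),
        ("https://example.com/", "http://example.com/"),
        ("https://alice.github.io/", "https://bob.github.io/"),
        ("https://bank.co.uk/", "https://attacker.net/"),
    ]
    for a, b in pairs:
        print(a, b, "same-origin" if same_origin(a, b) else "cross-origin",
              "separate process" if isolated_by_site_isolation(a, b) else "shared process")
```

The interesting rows are the first and third: `www.example.com` and `api.example.com` are cross-origin but same-site, so Site Isolation alone does not separate them, whereas `alice.github.io` and `bob.github.io` are different sites because `github.io` is a public suffix, so they do get separate processes.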
Another approach Google is considering is a method to reduce an attacker’s ability to generate the code gadgets that are needed to exploit the Spectre vulnerability.
“By exerting more control over how we generate machine code from JavaScript, and over where we place objects in memory relative to each other, we can reduce the prevalence and utility of these gadgets. Of the known attacks, we believe it’s currently only feasible to try to mitigate variant 1 with code changes in C++. We will need the toolchain and/or platform support to mitigate other types of speculation attacks,” Google said.