Earlier when most web browsers were designed, the web pages were simple and hence were rendered in the same process, to keep resource usage low.
However, with the growing technology, there has been a significant shift in the active web page content. Ranging from pages designed using JavaScript to make the web pages interactive and create richer user interfaces with reduced server load to Flash, a technology used by Adobe to show animation on web pages, web-pages nowadays are full of “web apps”. Browsers that keep all the running apps in one process may face real challenges related to security, responsiveness and robustness.
Hence the browser must keep different apps isolated from each other to avoid any loopholes.
Google Chrome has always had a multi-process architecture, where different tabs are assigned different renderer processes.
This allows Google Chrome to have its own Task Manager that lets you track the resource usage of each web app and plug-in rather than the entire browser as a whole. It also enables you to kill the process of any web app that is not responding or appears malicious without having to restart the entire browser.
Also, when a given tab is navigated to a new site, it is switched to a different process.
Furthermore, the security policy ensured by legitimate and authenticated web pages allows users to visit the webpage without worrying about the security of the data and computer safety.
Despite of isolating the web apps from each other by providing separate processes, attackers have devised ways to share the process of their malicious website with victim’s other web pages.
For example, cross-site iframes and cross-site pop-ups that allows external web page to be embedded in an HTML document anywhere within a web page layout allowing online advertising and multimedia, typically stays in the same process as the page where they are created. This would allow a successful Meltdown & Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.
Meltdown & Spectre attacks exploited this cross-site iframes and cross-site pop-ups vulnerability in the software processors to pose security risks for web browsers. Such attacks could be used to steal login information or confidential data from other websites that are open in the browser.
In order to combat this vulnerability in multi-processor architecture, Google has announced a Security feature called Site Isolation for Chrome Version 67 and above on windows, MAC, Linux and Android OS.
Site Isolation allows splitting the code of each domain into a separate process.
However, the sub-domains within the site would stay in the same process. For instance, https://google.co.uk would be a site or a main domain, and sub-domains like https://maps.google.co.uk would stay in the same process.
Hence, all navigation to cross- site documents iframes are put into a different process, using “out-of-process iframes”. Hence, any attack that occurs on a malicious web page would be limited to a separate process restricting the data from the other sites to be loaded in the same process. This does not allow the data from the other sites to be compromised.
Splitting a single page across multiple processes is a major change to Chrome’s architecture.
Site Isolation has been optionally available since Chrome 63 as an experimental enterprise policy, but by default this feature was disabled. Users had to manually enable this feature by changing the Chrome flag in their browsers.
Steps to follow to enable Site Isolation feature:
Method 1: Via Chrome Flag
Method 2: Via Command Line Flag
The feature is now enabled by default in 99% of Chrome desktop user base and Android will follow soon.
However, these changes come with performance trade- off. Increase in the number of processes has an impact on memory consumption that increases by 10-13%.To overcome this, Chrome is planning to re- enable precise timers and features like SharedArrayBuffer that was disabled to combat Spectre and Meltdown attacks initially.
Hits: 63
Subscribe to our newsletter today to receive updates on the Latest News and Threats.
Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.