Site isolation

From HandWiki

Site isolation is a feature in certain web browsers that allows cross-origin sites to be isolated from each other. The feature was originally proposed by Reis et al. in 2009, with subsequent iterations from Microsoft in the form of its implementation of the feature in the Gazelle research browser. However, the feature failed to gain traction due to issues surrounding its implementation and performance concerns.

In 2018, following the public disclosure of the Spectre and Meltdown vulnerabilities, Google started work on adding site isolation to Chrome, culminating in a 2019 release of the feature. In 2021, Firefox also launched its own version of site isolation, which it had been developing under the codename Project Fission.

Despite the security benefits of this feature, researchers have also found security issues with various aspects of it. These include gaps in the protection it was perceived to offer against transient execution attacks such as Spectre and Meltdown, as well as new timing and resource exhaustion attacks enabled by the feature itself.

Background

Until 2017, the predominant security architecture of major browsers adhered to the process-per-instance model. In this model the browser comprised distinct sandboxed processes, including the browser process, GPU process, networking process, and rendering process. The single rendering process would call on other privileged services when necessary to perform elevated actions while viewing a web page.[1][2]

Although this model successfully prevented problems associated with malicious JavaScript gaining access to the operating system, it lacked the capability to isolate websites from each other adequately.[3] Despite these concerns, the adoption of a more robust model gained limited traction due to perceived issues with newer models, particularly those related to performance and memory.[2][4]

In 2017, however, the disclosure of the Spectre and Meltdown exploits altered this landscape. Whereas previously accessing restricted memory was a relatively involved process requiring a compromised renderer, the Spectre vulnerability made it much easier to read arbitrary memory. This exposed the weakness of the process-per-instance security model: using JavaScript, a website could read almost all memory in the rendering process, including memory holding potentially sensitive information from previously rendered cross-origin pages. Consequently, a new security architecture that separated the rendering of different web pages into entirely isolated processes was required.[5][6]

History

Over the years, multiple versions of the site isolation architecture have been proposed. In 2009, Reis et al. proposed the first version of the process-per-site model, isolating web pages based on the page's web origin.[1] This was subsequently improved upon by the Gazelle research browser, which separated individual document frames based on their web principal, a security boundary corresponding to the specific document being loaded.[7] Around the same time, work was also being done on the OP browser (which would later become OP2), IBOS, Tahoma and SubOS, all of which proposed different paradigms for process separation between sites.[8][2]

Modern implementation

In 2019, the Google Chrome team published a paper at USENIX Security 2019 detailing changes to the existing browser security model in response to recent research showing that the Spectre attack could be mounted from inside the browser's rendering process. The paper proposed changes to the model that borrowed heavily from Reis et al.'s 2009 work. Chrome's implementation of site isolation would use web origins as the primary differentiator of a 'site' at the process level.[9][10] Additionally, the Chrome team implemented the idea of website frames being executed out of process, a feature that had been suggested by the Gazelle web browser as well as the OP and OP2 web browsers. This required a significant re-engineering of Chrome's process handling code, comprising over 4000 commits over a period of 5 years from 320 contributors.[8]
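The contrast between the process-per-instance model described under Background and the site-keyed model described here can be made concrete with a small process-allocation model. The following Python is an added illustration, not browser code: it assumes a site key of scheme plus registrable domain (eTLD+1) computed against a constructed, deliberately tiny public-suffix table, and shows which frames of one tab would share a renderer's address space under each policy.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny public-suffix table standing in for the real
# Public Suffix List (an assumption of this example, not a browser's table).
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Web origin (scheme, host, port) as used by the same-origin policy."""
    p = urlsplit(url)
    return (p.scheme, p.hostname.lower(), p.port or DEFAULT_PORTS[p.scheme])

def registrable_domain(host):
    """eTLD+1: the longest matching public suffix plus one more label."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host  # no known suffix: the whole host is the site

def site(url):
    """Site key (scheme, eTLD+1): coarser than an origin, so subdomains and
    non-default ports of one registrable domain share a site."""
    scheme, host, _ = origin(url)
    return (scheme, registrable_domain(host))

POLICIES = {
    "per-instance": lambda url: "tab-renderer",  # pre-2018: one renderer per tab
    "per-site": site,         # Chrome site isolation with out-of-process iframes
    "per-origin": origin,     # strict origin isolation
}

def assign_processes(frames, policy):
    """Map frame name -> renderer process key for every frame in a tab."""
    return {name: POLICIES[policy](url) for name, url in frames.items()}

def shares_address_space(frames, a, b, policy):
    """True if a and b share a renderer, so a speculative read in a could reach b."""
    procs = assign_processes(frames, policy)
    return procs[a] == procs[b]

# Constructed sample tab: a page, a same-site subframe, a cross-site ad frame,
# and an http frame on the same host (different scheme, so a different site).
TAB = {
    "top": "https://bank.example.com/account",
    "widget": "https://static.example.com/widget",
    "ad": "https://ads.tracker.org/frame",
    "insecure": "http://bank.example.com/legacy",
}
```

Under "per-instance" every frame in TAB lands in one renderer; under "per-site" the ad frame and the http frame each get their own process while the same-site widget stays with the top frame.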

Chrome's implementation of site isolation allowed it to eliminate multiple universal cross-site scripting (uXSS) attacks, which let attackers bypass the same-origin policy. The Chrome team found that all 94 uXSS attacks reported between 2014 and 2018 would be rendered ineffective by the deployment of site isolation.[11][12] In addition, the Chrome team also claimed that its implementation of site isolation would be effective at preventing variants of the Spectre and Meltdown family of timing attacks that relied on the victim's address space being in the same process as the attacker's.[8]

In March 2021, Firefox announced that it would also roll out its own implementation of site isolation. This feature had been in development for multiple months under the codename Project Fission.[13] Firefox's implementation addressed a few of the flaws that had been found in Chrome's implementation, namely that similar web pages were still vulnerable to uXSS attacks.[14][11] As with Chrome, the project also required a rewrite of the process handling code in Firefox.[15]

Reception

Historically, site isolation had only been implemented by research browsers, because the approach was considered resource and memory intensive due to the memory duplicated across each additional process.[4][16] This was reflected in real-world implementations as well.[17] Chrome's implementation of site isolation on average used one to two more cores than the same browser without site isolation.[4] Additionally, engineers working on the site isolation project observed a 10 to 13 percent increase in memory usage when site isolation was enabled.[18][1]

Chrome was the industry's first major web browser to adopt site isolation as a defense against uXSS and transient execution attacks. To do this, its engineers overcame multiple performance and compatibility hurdles, and in doing so kickstarted an industry-wide effort to improve browser security. Despite this, site isolation is not considered a silver bullet. In particular, its ability to defend against timing attacks has been found to be incomplete.[19] In 2021, Agarwal et al. developed an exploit, called Spook.js, that was able to break Chrome's Spectre defenses and exfiltrate data across web pages in different origins.[20] In the same year, researchers at Microsoft were able to leverage site isolation to perform a variety of timing attacks that leaked cross-origin information by careful manipulation of the inter-process communication protocols employed by site isolation.[19]

In 2023, researchers at Ruhr University Bochum showed that they were able to leverage the process architecture required by site isolation to exhaust system resources and also perform advanced attacks like DNS poisoning.[21]

References

  1. Reis, Charles; Gribble, Steven D. (April 2009). "Isolating web programs in modern browser architectures". Proceedings of the 4th ACM European conference on Computer systems. ACM. pp. 219–232. doi:10.1145/1519065.1519090. ISBN 978-1-60558-482-9. https://dl.acm.org/doi/10.1145/1519065.1519090. Retrieved 2023-12-24.
  2. Dong, Xinshu; Hu, Hong; Saxena, Prateek; Liang, Zhenkai (2013). Crampton, Jason; Jajodia, Sushil; Mayes, Keith (eds.). A Quantitative Evaluation of Privilege Separation in Web Browser Designs. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. pp. 75–93. doi:10.1007/978-3-642-40203-6_5. ISBN 978-3-642-40203-6. https://link.springer.com/chapter/10.1007/978-3-642-40203-6_5. Retrieved 2023-12-29.
  3. Jia, Yaoqi; Chua, Zheng Leong; Hu, Hong; Chen, Shuo; Saxena, Prateek; Liang, Zhenkai (2016-10-24). ""The Web/Local" Boundary is Fuzzy: A Security Study of Chrome's Process-based Sandboxing". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. New York, NY, USA: Association for Computing Machinery. pp. 791–804. doi:10.1145/2976749.2978414. ISBN 978-1-4503-4139-4. https://doi.org/10.1145/2976749.2978414.
  4. Zhu, Yongye; Wei, Shijia; Tiwari, Mohit (2022). "Revisiting Browser Performance Benchmarking From an Architectural Perspective". IEEE Computer Architecture Letters 21 (2): 113–116. doi:10.1109/LCA.2022.3210483. https://ieeexplore.ieee.org/document/9905900. Retrieved 2023-12-24.
  5. Rogowski, Roman; Morton, Micah; Li, Forrest; Monrose, Fabian; Snow, Kevin Z.; Polychronakis, Michalis (2017). "Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses". 2017 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 366–381. doi:10.1109/EuroSP.2017.39. ISBN 978-1-5090-5762-7. https://ieeexplore.ieee.org/document/7961991. Retrieved 2023-12-24.
  6. "A Spectre proof-of-concept for a Spectre-proof web". https://security.googleblog.com/2021/03/a-spectre-proof-of-concept-for-spectre.html.
  7. Wang, Helen; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman; King, Sam (2009-02-19). "The Multi-Principal OS Construction of the Gazelle Web Browser". SSYM'09: Proceedings of the 18th Conference on USENIX Security Symposium. https://www.microsoft.com/en-us/research/publication/the-multi-principal-os-construction-of-the-gazelle-web-browser/. Retrieved 2023-12-29.
  8. Reis, Charles; Moshchuk, Alexander; Oskov, Nasko (2019). Site Isolation: Process Separation for Web Sites within the Browser. pp. 1661–1678. ISBN 978-1-939133-06-9. https://www.usenix.org/conference/usenixsecurity19/presentation/reis. Retrieved 2023-12-24.
  9. Bishop, Douglas L. (2021). Improvements of User's Security and Privacy in a Web Browser (Thesis). University of Dayton. Archived from the original on 2023-12-24. Retrieved 2023-12-24.
  10. Rokicki, Thomas; Maurice, Clémentine; Laperdrix, Pierre (2021). "SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers". 2021 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 472–486. doi:10.1109/EuroSP51992.2021.00039. ISBN 978-1-6654-1491-3. https://ieeexplore.ieee.org/document/9581218. Retrieved 2023-12-24.
  11. Kokatsu, Jun (2020-11-10). "Deep Dive into Site Isolation (Part 1)". https://microsoftedge.github.io/edgevr/posts/deep-dive-into-site-isolation-part-1/.
  12. Kim, Young Min; Lee, Byoungyoung (2023). Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions. pp. 7055–7071. ISBN 978-1-939133-37-3. https://www.usenix.org/conference/usenixsecurity23/presentation/kim-young-min. Retrieved 2023-12-24.
  13. "Firefox to get a 'site isolation' feature, similar to Chrome". https://www.zdnet.com/article/firefox-to-get-a-site-isolation-feature-similar-to-chrome/.
  14. Narayan, Shravan; Disselkoen, Craig; Garfinkel, Tal; Froyd, Nathan; Rahm, Eric; Lerner, Sorin; Shacham, Hovav; Stefan, Deian (2020). Retrofitting Fine Grain Isolation in the Firefox Renderer. pp. 699–716. ISBN 978-1-939133-17-5. https://www.usenix.org/conference/usenixsecurity20/presentation/narayan. Retrieved 2023-12-24.
  15. "NIKA:\fission-news-1\>". https://mystor.github.io/fission-news-1.html.
  16. Reis, Charles; Gribble, Steven D. (2009-04-01). "Isolating web programs in modern browser architectures". Proceedings of the 4th ACM European conference on Computer systems. EuroSys '09. New York, NY, USA: Association for Computing Machinery. pp. 219–232. doi:10.1145/1519065.1519090. ISBN 978-1-60558-482-9. https://doi.org/10.1145/1519065.1519090.
  17. Wang, Helen; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman; King, Sam (2009-02-19). "The Multi-Principal OS Construction of the Gazelle Web Browser". USENIX Security Symposium '09. https://www.microsoft.com/en-us/research/publication/the-multi-principal-os-construction-of-the-gazelle-web-browser/. Retrieved 2023-12-29.
  18. Warren, Tom (2018-07-12). "Chrome now uses more RAM because of Spectre security fixes". https://www.theverge.com/2018/7/12/17564064/google-chrome-ram-usage-memory-increase-spectre-fixes.
  19. Jin, Zihao; Kong, Ziqiao; Chen, Shuo; Duan, Haixin (2022). "Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation". 2022 IEEE Symposium on Security and Privacy (SP). pp. 1525–1539. doi:10.1109/SP46214.2022.9833710. ISBN 978-1-6654-1316-9. https://ieeexplore.ieee.org/document/9833710. Retrieved 2023-12-24.
  20. Agarwal, Ayush; O'Connell, Sioli; Kim, Jason; Yehezkel, Shaked; Genkin, Daniel; Ronen, Eyal; Yarom, Yuval (2022). "Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution". 2022 IEEE Symposium on Security and Privacy (SP). pp. 699–715. doi:10.1109/SP46214.2022.9833711. ISBN 978-1-6654-1316-9. https://ieeexplore.ieee.org/document/9833711. Retrieved 2023-12-24.
  21. Gierlings, Matthias; Brinkmann, Marcus; Schwenk, Jörg (2023). Isolated and Exhausted: Attacking Operating Systems via Site Isolation in the Browser. pp. 7037–7054. ISBN 978-1-939133-37-3. https://www.usenix.org/conference/usenixsecurity23/presentation/gierlings. Retrieved 2023-12-24.