Chrome has a new way to keep Spectre hackers at bay

Google’s Chrome browser logo

Stephen Shankland/Techhnews

By adding new compartmentalization technology, Google’s Chrome browser has taken a step to keep websites from stealing sensitive data.

Since Google first released it publicly in 2008, Chrome has divided work among multiple computing processes. That approach helps keep one tab’s work from interfering with what’s happening in another. Google has been testing a stricter variation of this sort of partitioning to protect against Spectre, a new type of attack that Google and other researchers revealed in January.

Google released the new security feature, called site isolation, to a limited number of Chrome users starting with the Chrome 67 release in May. Now it’s “enabled for 99 percent of users on Windows, Mac, Linux and Chrome OS,” Chrome team member Charlie Reis said in a blog post on Wednesday.

The move shows just how complicated Spectre and the related Meltdown attacks are to thwart. Tech companies that make processors, operating systems and browsers all scrambled to block attackers from using the vulnerabilities to snatch sensitive data like passwords or encryption keys. The problem is severe enough to have risen to the US Congress, where senators griped on Wednesday that they hadn’t heard about Spectre sooner.

Chrome’s site isolation technology partitions some computing processes to make  it harder for attackers using Spectre to snoop for sensitive data.


Uses more memory

Google’s site isolation feature is a major change to Chrome. It affects a core part of the browser called the renderer, which turns website programming code into actual pixels on your phone or laptop screen. With site isolation, Chrome splits renderers into separate computing processes more often to wall off data better.

Unfortunately, that means Chrome needs more memory. The increase is about 10 to 13 percent for people with lots of tabs open, Google said in a project document. The good news, though, is that site isolation lets Google relax earlier restrictions on monitoring precise timing of browser actions it had adopted to make Spectre attacks harder.

“Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure,” Reis said in the blog post. And it’s also working to bring site isolation to Chrome for Android, he said.

Site isolation, a ten-year project

Reis has been working on the site isolation technology for a decade, starting with his Ph.D. research, and the Chrome team began about six years ago, Chrome security leader Justin Schuh tweeted.

Eric Lawrence, a former Chrome security team member who now works on Microsoft’s rival Edge browser, called the move “an extremely impressive achievement.”

“Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point of view],” he tweeted. Then when Spectre arrived, site isolation suddenly became “an essential defense against a class of attack.”

Source link

Leave a Reply

Subscribe to our newsletter

Join our monthly newsletter and never miss out on new stories and promotions.
Techhnews will use the information you provide on this form to be in touch with you and to provide updates and marketing.

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at We will treat your information with respect.

%d bloggers like this: