Google debates re-engineering Chrome in wake of Spectre


Focuses on Site Isolation to mitigate against attacks.

Google has indicated it could undertake a substantial code overhaul of its Chrome browser in order to protect users against speculative side channel attacks (SSCAs) stemming from hardware design flaws in modern processors.

SSCAs such as Spectre and Meltdown have led to a rethink of browser security: the working assumption is now that any active code can read any data in the same address space as the host process.

The practical consequence is that attackers can use Spectre to bypass native-code exploit mitigations.

These include address space layout randomisation (ASLR), which makes it harder for attackers to guess where in memory data is stored, and the stack and heap metadata "canaries" used to detect buffer overflows.

Google security engineers are currently debating what can be done to prevent Spectre-style information stealing attacks.

Developers working on the Chrome V8 JavaScript engine are "increasingly convinced that there is no viable alternative to Site Isolation" to mitigate against exploits.

Site Isolation (SI) makes it harder for untrusted websites to access or steal user information. The security feature ensures that pages from different websites are always put into different processes that each run in an isolated sandbox.

SI also blocks processes from receiving certain types of sensitive data from other sites.

While the security feature is deemed the first-order solution for getting cross-origin data out of a Spectre attacker's address space, SI is still buggy and not turned on by default in Chrome.

As of Chrome M63-M65, the cross-origin read blocking (CORB) feature that SI depends on protects HTML, JSON and XML responses from web servers, keeping them out of a cross-origin renderer process.
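To make the CORB rule concrete, the following is an added example in JavaScript, not Chromium's code and not from the article, that models in simplified form which cross-origin responses would be kept out of a renderer process. The protected types (HTML, JSON, XML) are the ones the article names; the `nosniff` shortcut and the body-sniffing fallback for mislabeled responses follow the public CORB design but are simplified here, the sample responses are constructed, and CORS-approved responses (which CORB lets through) are left out.

```javascript
// Added example, not Chromium code: a simplified model of cross-origin
// read blocking (CORB). Assumptions: protected types are HTML, JSON and
// XML; a protected Content-Type plus X-Content-Type-Options: nosniff is
// blocked outright; without nosniff the body is sniffed so that
// mislabeled scripts and images are not broken; text/plain is sniffed too.

const PROTECTED_TYPES = new Set([
  'text/html',
  'text/xml', 'application/xml',
  'application/json', 'text/json',
]);

// "application/json; charset=utf-8" -> "application/json"
function mimeType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

function isProtectedType(type) {
  return PROTECTED_TYPES.has(type) || type.endsWith('+json') || type.endsWith('+xml');
}

// Crude content sniff: does the start of the body look like HTML, XML or JSON?
function sniffLooksProtected(body) {
  const head = (body || '').trimStart().slice(0, 64);
  if (/^<(!doctype|html|\?xml|[a-z])/i.test(head)) return true; // HTML or XML markup
  if (/^[{[]/.test(head)) return true;                           // JSON object or array
  if (/^\)\]\}'/.test(head)) return true;                        // XSSI-guarded JSON prefix
  return false;
}

// Decide whether a cross-origin response would reach the renderer.
// headers: object with lower-case header names; body: response text.
function corbDecision(headers, body) {
  const type = mimeType(headers['content-type']);
  const nosniff = (headers['x-content-type-options'] || '').trim().toLowerCase() === 'nosniff';

  if (isProtectedType(type)) {
    if (nosniff) return { blocked: true, reason: 'protected type with nosniff' };
    if (sniffLooksProtected(body)) return { blocked: true, reason: 'protected type confirmed by sniffing' };
    // Mislabeled script or image: let it through rather than break the site.
    return { blocked: false, reason: 'protected type but body does not sniff as such' };
  }
  if (type === 'text/plain' && sniffLooksProtected(body)) {
    return { blocked: true, reason: 'text/plain sniffed as protected content' };
  }
  return { blocked: false, reason: 'not a protected type' };
}

// Headers a server should send so sensitive JSON gets the nosniff fast path.
function hardenedJsonHeaders() {
  return { 'content-type': 'application/json; charset=utf-8', 'x-content-type-options': 'nosniff' };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = [
  { name: 'json+nosniff', headers: hardenedJsonHeaders(), body: '{"balance": 1}' },
  { name: 'json-sniffed', headers: { 'content-type': 'application/json' }, body: '{"balance": 1}' },
  { name: 'mislabeled-script', headers: { 'content-type': 'text/html' }, body: 'var x = 1;' },
  { name: 'json-as-octet-stream', headers: { 'content-type': 'application/octet-stream' }, body: '{"balance": 1}' },
  { name: 'xssi-text-plain', headers: { 'content-type': 'text/plain' }, body: ")]}'\n{\"a\": 1}" },
];

function runSamples() {
  return SAMPLES.map(s => ({ name: s.name, ...corbDecision(s.headers, s.body) }));
}

for (const r of runSamples()) {
  console.log(`${r.name.padEnd(22)} blocked=${r.blocked}  (${r.reason})`);
}
```

The sample marked `json-as-octet-stream` is the one to notice: JSON served under an unrelated Content-Type is not recognised as a protected type and is handed to the cross-origin renderer, so correct `Content-Type` and `X-Content-Type-Options: nosniff` on sensitive responses are what let CORB do its job.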

The desktop variant of Chrome is expected to get SI in the M67 or M68 versions, the latter of which is due to be released in the June-July time frame.

Chrome on Android will not get SI by then. Google's security engineers noted that while SI increases memory usage by around 10 percent on desktop Chrome, on Android the overhead can be higher, and that such an additional cost can be prohibitive.

Other browser vendors such as Microsoft and Apple are working on implementing SI in some form, and Google is collaborating with them to persuade site operators to opt in and use isolation.

Apart from SI, Google is also considering asking users for their express consent before personally identifiable information (PII), credentials and credit card details are loaded into a browser page renderer process, where they are potentially exposed to Spectre attacks.
