
Google Chrome Can Keep Spectre Hackers Away, But It Wants Something In Return


Google Chrome will now use more RAM in a bid to fix the Spectre issues that surfaced earlier this year. The Spectre vulnerabilities stem from issues in processors, including chips from Intel and AMD. Software updates are needed to patch these security issues, and those updates are what drive the extra memory use.

Site Isolation to patch Spectre vulnerabilities

In a blog post, the search engine giant stated that the Spectre mitigation is to blame for the performance issues on systems, adding that it has enabled a new feature in Chrome, called Site Isolation, to prevent Spectre-like attacks.

Although Site Isolation is a major change to Chrome’s performance, it would not be visible to most users or web developers, Google said, adding that it would offer more protection between websites under the hood. Site Isolation creates more renderer processes, which comes with its own pros and cons.

“On the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes,” Google says.

Explaining how the fix works, Google says that when “Site Isolation is enabled, each renderer process contains documents from at most one site. This means all navigations to cross-site documents cause a tab to switch processes.” Google Chrome now splits a single page across multiple processes, the company says, adding that its security team was working on the feature even before Spectre was unearthed in January.
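The rule quoted above can be seen in a simplified model, added here as an illustration and not taken from Google's post or Chrome's code. It assumes a "site" is the scheme plus registrable domain, uses a tiny constructed suffix list in place of the real Public Suffix List, and the names `siteOf` and `Browser` are hypothetical.

```javascript
// Toy model of Site Isolation's process assignment (added illustration).
// Assumption: site = scheme + registrable domain (eTLD+1). SUFFIXES is a
// constructed stand-in for the real Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split(".");
  // Try the longest candidate suffix first, then keep one label in front of it.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      const start = Math.max(i - 1, 0);
      return `${u.protocol}//${labels.slice(start).join(".")}`;
    }
  }
  return `${u.protocol}//${u.hostname}`; // unknown suffix: treat the host as the site
}

class Browser {
  constructor() { this.nextPid = 1; this.processes = new Map(); } // site -> pid
  processFor(url) {
    const site = siteOf(url);
    if (!this.processes.has(site)) this.processes.set(site, this.nextPid++);
    return this.processes.get(site);
  }
  // Load a page and its iframes: each document lands in its own site's process,
  // so one page can be split across several renderer processes.
  load(frames) {
    return frames.map((url) => ({ url, site: siteOf(url), pid: this.processFor(url) }));
  }
  // A navigation switches process only when the destination is a different site.
  navigate(fromUrl, toUrl) {
    return { swapped: siteOf(fromUrl) !== siteOf(toUrl), pid: this.processFor(toUrl) };
  }
}

// Constructed sample: a page with one same-site and two cross-site frames.
const browser = new Browser();
const page = browser.load([
  "https://news.example.com/story",
  "https://static.example.com/widget",
  "https://cdn.example.org/banner",
  "https://widgets.example.co.uk/embed",
]);
for (const f of page) console.log(f.pid, f.site, f.url);
console.log(browser.navigate("https://news.example.com/story", "https://mail.example.com/"));
console.log(browser.navigate("https://news.example.com/story", "https://login.example.org/"));
```

The two `example.com` documents share a process while the other two frames each get their own, which is where the extra memory from the larger number of processes comes from.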

In a tweet, Justin Schuh, Google’s head of Chrome Security, revealed that the Chrome team has in fact been working on Site Isolation for the past six years.

Eric Lawrence, who earlier worked as senior software engineer at Google and is currently with Microsoft, seemed pretty impressed with Google’s achievement. “Google invested many engineer-years in a feature that initially seemed hopelessly out of whack from cost/benefit POV [point-of-view]. And then, suddenly, it wasn’t just a nice-to-have DiD [defense-in-depth], but instead an essential defense against a class of attack,” Lawrence tweeted.

More work needed

Back in January, after Meltdown and Spectre vulnerabilities came to light, companies like Microsoft and other software platform makers came forward to help Intel distribute the security fixes for these vulnerabilities. The chip maker claims that the upcoming chips would be “immune” to this kind of attack.

Google stated that it had enabled the safeguard for 99% of Chrome users on Windows, Linux, Mac and Chrome OS. The remaining 1% is being monitored to further improve performance. In Chrome 68, users will be able to verify whether Site Isolation is activated by typing chrome://process-internals into the address bar. Chrome 67, however, has no such facility.

According to Google, the Site Isolation would be a part of Chrome 68 for Android and the desktop version will be packed with more functionality.

“We’re also working on additional security checks in the browser process, which will let Site Isolation mitigate not just Spectre attacks but also attacks from fully compromised renderer processes,” the search giant said.

Separately, Schuh tweeted that the current version protects only against leakage attacks, while the team is still working on protection against compromised renderers. Schuh also noted that the fix had not been sent to Android yet because the team is still working on resource consumption issues.

You can’t neglect this Google Chrome fix

Stronger protection against Spectre vulnerabilities is a welcome change for users, but they will not appreciate the increased memory use, as they already complain about the amount of RAM Chrome needs, especially on devices with 4GB of RAM or less. Google, however, assured users that the team is looking to improve this behavior to retain the speed and security of Google Chrome.

Explaining the purpose of the fix, Google says the update makes sure that hackers do not extract more data from users. Earlier, concerns were raised that the Spectre vulnerabilities would give hackers a gateway to steal user data from computers without the user’s knowledge. The Site Isolation fix, however, would prevent data from multiple sites from being loaded in the same process. This means that even if a shady web page triggers a Spectre attack, the data in other pages would not be compromised.

So, this means that whether or not you like the new Google Chrome fix, you will need to install it for your own (data) safety.