the Chromium logo

The Chromium Projects

Mitigating Side-Channel Attacks

At the beginning of 2018, researchers from Google's Project Zero disclosed a series of new attack techniques against speculative execution optimizations used by modern CPUs. Security researchers will continue to find new variations of these and other side-channel attacks. Such techniques have implications for products and services that execute third-party code, including Chrome and other browsers with support for features like JavaScript and WebAssembly.

The Chrome Security Team has written a document covering the variety of defense techniques available.

Protecting users with Site Isolation

Chrome has been working on a feature called Site Isolation which provides extensive mitigation against exploitation of these types of vulnerabilities. With Site Isolation enabled, the amount of data exposed to side-channel attacks is reduced as Chrome renders content for each website in a separate process. This allows websites to be protected from each other by the security guarantees provided by the operating system on which Chrome is running.

Site Isolation is enabled by default on Windows, Mac, Linux, and Chrome OS since Chrome 67, and can also can be controlled via enterprise policies or with chrome://flags. More details can be found in our blog post Mitigating Spectre with Site Isolation in Chrome.

Site Isolation is most effective when website developers follow modern security best practices:

Where possible cookies should use
[SameSite](https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7)
and[ HTTPOnly](https://www.owasp.org/index.php/HttpOnly) attributes and
pages should avoid reading from document.cookie.

Make sure [MIME types are
correct](/Home/chromium-security/site-isolation#TOC-Recommendations-for-Web-Developers)
and specify an X-Content-Type-Options: nosniff response header for any URLs
with user-specific or sensitive content, to take full advantage of
[Cross-Origin Read
Blocking](https://chromium.googlesource.com/chromium/src/+/HEAD/services/network/cross_origin_read_blocking_explainer.md)
(CORB).

Web developers should also see the Meltdown/Spectre WebFundamentals post.

Spectre and Meltdown

The attacks known as Spectre and Meltdown, originally disclosed by Project Zero, have implications for Chrome. For information about other Google products and services, including Chrome OS please see the Google Online Security Blog.

These attacks are mitigated by Site Isolation. Additionally, staring in Chrome 64, Chrome's JavaScript engine V8 has included further mitigations which provide protection on platforms where Site Isolation is not enabled.

In line with other browsers' response to Spectre and Meltdown, Chrome disabled SharedArrayBuffer in Chrome 63 starting on Jan 5th 2018, and modified the behavior of other APIs such as performance.now to help reduce the efficacy of side-channel attacks.

SharedArrayBuffer is now re-enabled in Chrome versions where Site Isolation is on by default.

GLitch

Researchers from Vrije Universiteit Amsterdam disclosed details of the GLitch attack. Part of the attack uses high-precision GPU timers available in WebGL to obtain information that is then used to perform a Rowhammer-style bit-flip attack.

Starting in Chrome 65, the EXT_disjoint_timer_query and EXT_disjoint_timer_query_webgl2 WebGL extensions have been disabled, and the behaviour of clientWaitSync and other *Sync functions has been changed to reduce their effective precision as clocks.

Although the GLitch attack is unrelated to Spectre and Meltdown, EXT_disjoint_timer_query and EXT_disjoint_timer_query_webgl2 could also be used to mount Spectre and Meltdown attacks. Accordingly, they will remain disabled in Chrome until Site Isolation is on by default, at which point they will be re-enabled with sufficiently reduced precision to mitigate GLitch attacks.

Also see more details about GLitch and Chrome OS.