Bottom line: Most web browsers have a reputation of being memory hogs and this certainly won’t help their image. In this instance, however, Google is doing the right thing by sacrificing performance in the name of security. Hopefully, the Chrome team will be able to offset the hit in a future tune-up.
Google recently enabled a new security feature as part of Chrome 67 that aims to mitigate speculative execution side-channel attacks like Spectre. It’s good news for security but as we’ve seen with other fixes, it’ll cost you in terms of system resources.
As you may recall, such attacks use the speculative execution features of most processors to access sections of memory that should be off-limits to a piece of code. From there, timing attacks can be used to uncover the values stored in the memory meaning malicious code may be able to read any memory stored in its process’ address space.
According to Google engineer Charlie Reis, a website could use an attack like this to steal information from other websites which violates the Same Origin Policy.
All major browsers have already deployed some form of mitigations for Spectre but as Reis points out, Google believes the most effective mitigation is offered by approaches like Site Isolation.
With Site Isolation, enabled by default for 99 percent of desktop Chrome users (Windows, Mac, Linux and Chrome OS) running the latest version of Google’s web browser, each rendered process contains documents from one site at most. As a result, Reis notes, Chrome can rely on the operating system to prevent attacks between processes and between sites.
Chrome has always had a multi-process architecture where different tabs could use different renderer processes. A given tab could even switch processes when navigating to a new site in some cases. However, it was still possible for an attacker’s page to share a process with a victim’s page. For example, cross-site iframes and cross-site pop-ups typically stayed in the same process as the page that created them. This would allow a successful Spectre attack to read data (e.g., cookies, passwords, etc.) belonging to other frames or pop-ups in its process.
When enabled, all navigations to cross-site documents cause a tab to switch processes and puts all cross-site iframes into a different process than their parent frame, using “out-of-process iframes.”
Site Isolation is a significant change to how Chrome works under the hood and although each renderer process is smaller, shorter-lived and has less contention internally, it does create a larger number of processes which results in a 10-13 percent total memory overhead in real world workloads.
Reis said it generally shouldn’t cause visible changes for most users or web browsers outside of a few known issues but still, that’s a significant performance penalty, especially on a machine that may already be light in terms of RAM.
Google is working to optimize the security feature to keep Chrome both fast and secure and plans to add experimental enterprise policies for enabling Site Isolation in Chrome 68 for Android.