New CPU side-channel attack takes aim at Chrome’s Site Isolation feature


Mar 29, 2018
A team of academics from universities in Australia, Israel, and the US has successfully mounted CPU side-channel attacks that recover data from Google Chrome and Chromium-based browsers protected by the Site Isolation feature. Named Spook.js, the discovery is related to the Meltdown and Spectre attacks disclosed in January 2018, two CPU design flaws that allow malicious code running on a processor to retrieve data from other apps or from privileged areas of memory. Although at the time they were demonstrated only with proof-of-concept code rather than in-the-wild exploits, both attacks showed that speculative execution in modern CPU designs had never been treated as a security boundary. While Intel and AMD committed to altering their future CPU designs to incorporate more security features, software vendors also responded by hardening their applications to prevent easy exploitation. Among the first to do so was Google, which added a new feature to Chrome named Site Isolation. Site Isolation runs each site in its own renderer process, so JavaScript from a malicious site that mounts a Spectre attack can only read memory belonging to its own process and cannot steal data from the user's other open tabs.

However, the Spook.js team realized that the current Site Isolation feature does not go far enough. The researchers pointed out that the isolation boundary is the site, meaning the registrable domain (eTLD+1) together with its scheme, and not the full origin: Chrome keeps two different registrable domains in separate renderer processes, but pages served from different subdomains of the same registrable domain share a single process. Spook.js exploits this hole in the Site Isolation design. Google is apparently aware of it, but cannot simply close it, since isolating JavaScript at the subdomain level would also cripple about 13.4% of all internet sites.

Spook.js demonstrated in several scenarios
... (edited) ...

Google implements Site Isolation for extensions

The researchers said they notified all the affected companies whose products they tested during their research, which included Intel, AMD, Google, Tumblr, LastPass, and Atlassian. Google took the team's findings the most seriously and, recognizing the danger of a Spook.js attack on its extensions ecosystem, announced in July that it would apply Site Isolation at the extension level, separating each extension's JavaScript code from every other extension. "This blocks the extension variant of our attack (Section 6), but does not help with other cases," Daniel Genkin, one of the academics behind Spook.js, told The Record in an email this week. "We appreciate the work of the research community, and recently made changes to Site Isolation that help us protect against this type of attack," a Google spokesperson told The Record when asked about the researchers' findings.

Asked about the importance of their findings and Site Isolation, Genkin had the following to say:

I would not say Spook.js breaks site isolation. If anything, it does not, as sites that are properly isolated remain out of reach. Instead, what we show is that in some cases, the way Chrome implements strict site isolation has issues. In particular, the fact that all pages in a domain are considered mutually trusting is problematic, as one page can still attack another, which results in information leakage. We demonstrate exactly such scenarios in Section 5.
Additional details will be available later today on the Spook.js website and in a research paper titled “Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution.”

Article updated with Google’s statement.

Read the entire article here:
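The subdomain gap described above (Site Isolation keys renderer processes on the site, i.e. scheme plus registrable domain, rather than on the full origin) is easy to misjudge, so here is an added example that is not from the article or from the Spook.js researchers: a small JavaScript model of how a browser decides which pages may share a process. The public-suffix set, the helper names (registrableDomain, siteKey, sameSite, groupBySite) and the list of open tab URLs are all constructed for this illustration; real Chrome consults the full Public Suffix List and has further rules for IP literals, file URLs and opaque origins.

```javascript
// Added example, not code from the article or the Spook.js project.
// Models the grouping rule behind Chrome's Site Isolation: the process key is
// the "site" (scheme + registrable domain, eTLD+1), not the origin, so
// attacker.example.com and corporate.example.com land in the same renderer
// and are mutually reachable by a Spectre-style read.

// Constructed stand-in for the Public Suffix List (assumption: a real
// implementation would load the full list, which has thousands of entries).
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Return the registrable domain (eTLD+1) of a hostname: the longest matching
// public suffix plus one more label. Hosts with no known suffix (IP literals,
// bare labels) are returned unchanged and so form their own site.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return hostname.toLowerCase();
}

// The key a site-keyed process model uses: scheme plus registrable domain.
// Note that port and subdomain are deliberately dropped.
function siteKey(urlString) {
  const url = new URL(urlString);
  return `${url.protocol}//${registrableDomain(url.hostname)}`;
}

// Two URLs are "same-site" for isolation purposes when their keys match.
function sameSite(a, b) {
  return siteKey(a) === siteKey(b);
}

// Group a set of open URLs by the process they would share under site-keyed
// isolation. Every URL in one group can potentially read the others' memory
// via a speculative-execution side channel; URLs in different groups cannot.
function groupBySite(urls) {
  const groups = new Map();
  for (const u of urls) {
    const key = siteKey(u);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(u);
  }
  return groups;
}

// Constructed sample of open tabs (not real sites or measurements).
const OPEN_TABS = [
  "https://corporate.example.com/dashboard",
  "https://attacker.example.com/evil",
  "https://example.com/",
  "https://attacker.com/",
  "http://example.com/",
  "https://alice.github.io/",
  "https://bob.github.io/",
];

for (const [site, urls] of groupBySite(OPEN_TABS)) {
  console.log(`${site} -> ${urls.length} page(s) share one renderer process`);
  for (const u of urls) console.log(`    ${u}`);
}
```

Running it shows the three example.com pages, including the attacker-controlled subdomain, collapsing into one process key, while attacker.com, the plain-http copy of example.com, and the two github.io user sites each get their own: github.io is on the public-suffix list precisely so that unrelated users' subdomains are treated as different sites. The same rule is what makes subdomain-level isolation costly for the 13.4% of sites the article mentions, since any page that expects to interact with a sibling subdomain in-process would stop working.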