Mozilla’s Site Isolation Coming to Firefox, First Milestone in February

Mozilla’s Project Fission team is working on a site isolation security feature for Firefox, similar to the one Google implemented in version 67 of its Chrome web browser, to mitigate speculative side-channel attacks launched by malicious websites.

The security flaws that Project Fission wants to defend Firefox users from were publicly disclosed by Google’s Project Zero on January 3, 2018.

They are known as Spectre (variants 1 and 2) and Meltdown (variant 3), and they allow potential attackers to abuse CPU data cache timing “to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts.”

While the security issues mentioned above were immediately mitigated by Mozilla’s Firefox JS and Security teams, new speculative side-channel attacks could potentially impact Firefox users when visiting a maliciously crafted web page.

According to Nika Layzell, the Project Tech Lead for Mozilla’s Project Fission:

“We aim to build a browser which isn’t just secure against known security vulnerabilities, but also has layers of built-in defense against potential future vulnerabilities. To accomplish this, we need to revamp the architecture of Firefox and support full Site Isolation.

“We call this next step in the evolution of Firefox’s process model ‘Project Fission’. While Electrolysis split our browser into Content and Chrome, with Fission, we will ‘split the atom’, splitting cross-site iframes into different processes than their parent frame.”

The Project Fission Team worked on building a new infrastructure for the Firefox web browser, resistant to future speculative side-channel attacks, which adds an extra separation layer allowing “multiple processes to render distinct subframes, meaning that each tab has multiple connected processes.”

At this moment, Firefox uses a simpler process separation strategy, creating a wall between the process which renders the user interface (the parent process) and the one which renders the web content (the content process).

If the Firefox site isolation feature the Project Fission team is working on now is similar to the one Google has implemented in Chrome, it would seriously decrease the threat posed by Spectre-like attacks.

“This means that even if a Spectre attack were to occur in a malicious web page, data from other websites would generally not be loaded into the same process, and so there would be much less data available to the attacker,” according to Google’s Charlie Reis.
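The difference between the two process models, in terms of which sites' data ends up in the same process as an embedded frame, can be shown with a toy model. This is an added example, not Firefox or Chrome code: the function names are hypothetical, the frame tree is constructed, and a "site" is approximated as the scheme plus the last two host labels.

```javascript
// Toy model of process assignment (added illustration, not browser code).
// Assumption: a "site" is scheme + the last two host labels. Real browsers
// use the Public Suffix List, so this is wrong for hosts like example.co.uk.
function siteOf(url) {
  const u = new URL(url);
  return u.protocol + "//" + u.hostname.split(".").slice(-2).join(".");
}

// Walk a frame tree and return a Map from process id to the set of sites
// whose documents are rendered in that process.
function assignProcesses(tab, isolateSites) {
  const processes = new Map();
  const walk = (frame) => {
    // Without isolation every frame in the tab shares one content process;
    // with it, the process is keyed by the frame's site (model assumption).
    const pid = isolateSites ? "content:" + siteOf(frame.url) : "content:shared";
    if (!processes.has(pid)) processes.set(pid, new Set());
    processes.get(pid).add(siteOf(frame.url));
    (frame.children || []).forEach(walk);
  };
  walk(tab);
  return processes;
}

// Sites whose documents share an address space with the given frame, i.e.
// the data a Spectre-style read from that frame could reach.
function coResidentSites(tab, frameUrl, isolateSites) {
  const mine = siteOf(frameUrl);
  for (const sites of assignProcesses(tab, isolateSites).values()) {
    if (sites.has(mine)) return [...sites].filter((s) => s !== mine).sort();
  }
  return [];
}

// Constructed sample: a news page embedding an ad frame and a bank widget.
const tab = {
  url: "https://www.news.example/",
  children: [
    { url: "https://ads.tracker.example/frame.html" },
    { url: "https://login.bank.example/widget",
      children: [{ url: "https://static.bank.example/help.html" }] },
  ],
};
```

In the shared-process model the ad frame is co-resident with both the news and bank sites; with per-site processes it is co-resident with none, while the two bank.example frames still share one process because they are same-site.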

The first Project Fission milestone should come at the end of February 2019 and it will encompass multiple contributions such as “basic out-of-process iframe rendering behind a pref,” “native JS Window Actor APIs to migrate FrameScripts,” and “support for BrowsingContext fields to be synchronized between multiple content processes.”