How Chrome and other browsers came together to protect you from Spectre


During the Google I/O developer conference, Chris Palmer from the Chrome security team talked about how Google and other browser developers scrambled to protect web surfers from Spectre-based attacks. Of the two processor vulnerabilities reported in January, Spectre can theoretically allow hackers to access sensitive data through a compromised website, requiring a different approach in how browsers must now render your favorite sites. 

As previously reported when Spectre was first revealed, part of a processor’s speed is based on predicting the quickest path to the current task’s end result. It tests the outcome using numerous “if/then” avenues, loading this data in local on-chip memory (aka cache). The problem in Spectre is that for all those avenues not taken, the data remains in the cache and can be seen across privilege levels, processes, and web page origins. 

Based on that leftover data, an attacker could insert code into JavaScript that runs in a loop and eventually gains access to “out of bounds” sensitive information. There were solutions available, but they severely hindered the processor’s performance. There were alternatives, but they required cooperation between browser developers who were normally at odds.

Working together for the safety of the web

The alternative method would require changing how web browsers would render a webpage — and this is where competing browser developers worked together to solve the problem. For instance, a webpage is typically comprised of different parts from different origins and rendered as a single page. But there could also be a “hostile” origin in the mix containing an element that can exploit the Spectre vulnerability using what are called “gadgets.” These gadgets can read data generated by the “safe” origins. 

Google’s first fix in Chrome was to turn off a feature called SharedArrayBuffer, so hackers couldn’t keep track of the timing used when data moves from the processor cache to the system memory. Palmer said this timing method was the easiest route to exploitation.

“Other browsers did similar things, and we all collaborated to sort of figure out how we were going to do this in a way that doesn’t hurt the web so that we are all on the same page,” he said. “It’s kind of a happy story that comes out of this is a really good collaboration between the security teams of a lot of different browser vendors. It’s been a great experience for all of us and I think we’re gonna come out with a much better web thanks to the help of everyone.”


Another “fix” was to turn off processor speculation on a micro-scale and change the way code is compiled to prevent speculation gadgets. This didn’t provide 100 percent protection but gave Google’s team “breathing room” to develop long-term fixes. 

Site isolation was another useful tool against Spectre. It essentially isolates “good” from “bad” origins by assigning each origin its own render process. Thus, origins are isolated from each other and protected against any origin that suddenly becomes evil. That evil origin can only read its own data.

Unfortunately, site isolation and the accompanying cross-origin read blocking component will require 10 percent more system memory use, he said. 
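
For site operators, cross-origin read blocking only helps when responses are labelled so the browser can recognise them as data. The following is an added example, not code from the article or from Chrome: a simplified model of the header rules in Chromium's public CORB explainer, with hypothetical function names and constructed sample responses.

```javascript
// Simplified model: which responses can cross-origin read blocking (CORB)
// keep out of another site's renderer process? Names here are hypothetical.

function mimeClass(contentType) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  const mime = (contentType || "").split(";")[0].trim().toLowerCase();
  if (mime === "image/svg+xml") return null; // explicitly excluded from the XML class
  if (mime === "text/html") return "html";
  if (mime === "text/plain") return "plain";
  if (mime === "text/xml" || mime === "application/xml" || mime.endsWith("+xml")) return "xml";
  if (mime === "application/json" || mime === "text/json" || mime.endsWith("+json")) return "json";
  return null;
}

function corbAudit(headers) {
  // Header names are case-insensitive, so normalise them first.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const cls = mimeClass(h["content-type"]);
  const nosniff = (h["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  if (!cls) {
    return { status: "not-covered", fix: "serve sensitive data as HTML, XML, JSON or text/plain" };
  }
  if (!nosniff) {
    // Without nosniff the browser must sniff the body to confirm the type.
    return { status: "sniff-dependent", fix: "add X-Content-Type-Options: nosniff" };
  }
  return { status: "protected", fix: null };
}

// Constructed sample responses (not taken from any real site).
const samples = {
  "/api/account": { "Content-Type": "application/json; charset=utf-8", "X-Content-Type-Options": "nosniff" },
  "/api/export": { "content-type": "text/plain" },
  "/api/legacy": { "Content-Type": "application/octet-stream", "X-Content-Type-Options": "nosniff" },
  "/logo.svg": { "Content-Type": "image/svg+xml", "X-Content-Type-Options": "nosniff" },
};

function auditAll(responses) {
  const report = {};
  for (const [path, headers] of Object.entries(responses)) report[path] = corbAudit(headers).status;
  return report;
}

console.log(auditAll(samples));
```
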
