fbpx
Wikipedia

Site isolation

January 01, 1970

Site isolation is a feature in certain web browsers that allow cross-origin sites to be isolated from each other. The feature was originally proposed by Charles Reis and others, with subsequent iterations from Microsoft, in the form of their implementation of the feature in the Gazelle research browser. However, the feature failed to gain traction due to issues surrounding its implementation and performance concerns.

A depiction of how site isolation separated different websites into different processes

In 2018, following the disclosure of the Spectre and Meltdown vulnerabilities to the public, Google started work on adding site isolation in Chrome eventually culminating in a 2019 release of the feature. In 2021, Firefox also launched their own version of site isolation which they had been working on under the codename Project Fission.

Despite the security benefits of this feature, researchers have also found security issues surrounding various aspects of this feature. These include issues with the perceived protection against transient attacks such as Spectre and Meltdown, as well as new timing and resource exhaustion attacks enabled by this feature.

Background edit

Until 2017, the predominant security architecture of major browsers adhered to the process-per-browsing-instance model. This entailed the browser comprising distinct sandboxed processes, including the browser process, GPU process, networking process, and rendering process. The rendering process would engage with other privileged services when necessary to execute elevated actions when viewing a web page.[1][2]

Although this model successfully prevented problems associated with malicious JavaScript gaining access to the operating system, it lacked the capability to isolate websites from each other adequately.[3] Despite these concerns, the adoption of a more robust model faced limited traction due to perceived issues with newer models, particularly those related to performance and memory.[4][5]

In 2017, the disclosure of Spectre and Meltdown exploits, however, altered this landscape. Previously accessing arbitrary memory was complicated requiring a compromised renderer. However with Spectre, attacks were developed that abused Javascript features to read almost all memory in the rendering process, including memory storing potentially sensitive information from previously rendered cross-origin pages.[6][7] This exposed the issues of the process-per-instance security model. Consequently, a new security architecture that allowed the separation of the rendering of different web pages into entirely isolated processes was required.[8][7]

History edit

In 2009, Reis et al. proposed the first version of the process-per-site model to isolate web pages based on the page's web origin.[9] This was improved upon in 2009 by the Gazelle research browser, which separated specific document frames based on their web principal, a security barrier that corresponded with the specific document that was being loaded.[10][11] Around the same time, work was also being done on the OP (which would later become the OP2 browser), IBOS, Tahoma and the SubOS browsers all of which proposed different paradigms to solve the issue of process separation amongst sites.[12][13]

Modern implementation edit

In 2019, Reis, et al of the Google Chrome project presented a paper at USENIX Security[14] that detailed changes to their existing browser security model in response to the recent research proving that the Spectre attack could be used inside the rendering process of the browser.[15][16] The paper proposed changes to the model that borrowed from Reis et al.'s work in 2009.[17] Chrome's implementation of site isolation would use web origins as a primary differentiator of a 'site' at a process level.[18][19] Additionally, the Chrome team also implemented the idea of website frames being executed out of process, a feature that had been suggested by the authors of the Gazelle web browser, as well as the OP and OP2 web browsers.[12] This required a significant re-engineering of Chrome's process handling code, involving to more than 4000 commits from 320 contributors over a period of 5 years.[20]

Chrome's implementation of site isolation allowed it to eliminate multiple universal cross-site scripting (uXSS) attacks.[21] uXSS attacks allow attackers to compromise the same-origin policy, granting unrestricted access to inject and load attacker controlled javascript on other website.[22] The Chrome team found that all 94 uXSS attacks reported between 2014 and 2018 would be rendered ineffective by the deployment of site isolation.[23] In addition to this, the Chrome team also claimed that their implementation of site isolation would be effective at preventing variations of the Spectre and Meltdown group of timing attacks that relied on the victim address space being on the same process as the attacker process.[16]

In March 2021, the Firefox development team announced that they would also roll out their implementation of site isolation. This feature had been in development for multiple months under the codename Project Fission.[24] Firefox's implementation fixed a few of the flaws that had been found in Chrome's implementation namely the fact that similar web pages were still vulnerable to uXSS attacks.[25][26] The project also required a rewrite of the process handling code in Firefox.[27]

Reception edit

Before 2019, site isolation had only been implemented by research browsers. Site isolation was considered to be resource intensive[5] due to an increase in the amount of memory space taken up by the processes.[28] This performance overhead was reflected in real world implementations as well.[29] Chrome's implementation of site isolation on average took one to two cores more than the same without site isolation.[5] Additionally, engineers working on the site isolation project observed a 10 to 13 percent increase in memory usage when site isolation was used.[30][31]

Chrome was the industry's first major web browser to adopt site isolation as a defense against uXSS and transient execution attacks.[32] To do this, they overcame multiple performance and compatibility hurdles, and in doing so, they kickstarted an industry-wide effort to improve browser security. However, despite this, certain aspects of Spectre's defenses have been found lacking.[6] In particular, site isolation's ability to defend against timing attacks has been found to be incomplete.[33] In 2021, Agarwal et al. were able to develop an exploit called Spook.js that was able to break Chrome's Spectre defenses and exfiltrate data across web page in different origins.[34] In the same year, researchers at Microsoft, were able to leverage site isolation to perform a variety of timing attacks that allowed them to leak cross-origin information by careful manipulation of the inter-process communication protocols employed by site isolation.[35]

In 2023, researchers at Ruhr University Bochum showed that they were able to leverage the process architecture required by site isolation to exhaust system resources and also perform advanced attacks like DNS poisoning.[36]

References edit

Citations edit

  1. ^ Reis & Gribble 2009, pp. 225–226.
  2. ^ Dong et al. 2013, pp. 78–79.
  3. ^ Jia et al. 2016, pp. 791–792.
  4. ^ Dong et al. 2013, p. 89.
  5. ^ a b c Zhu, Wei & Tiwari 2022, p. 114.
  6. ^ a b Jin et al. 2022, p. 1525.
  7. ^ a b Röttger & Janc.
  8. ^ Rogowski et al. 2017, pp. 336–367.
  9. ^ Reis & Gribble 2009, pp. 224–225.
  10. ^ Paul 2009.
  11. ^ Wang et al. 2009, pp. 1–2.
  12. ^ a b Reis, Moshchuk & Oskov 2019, p. 1674.
  13. ^ Dong et al. 2013, p. 80.
  14. ^ Gierlings, Brinkmann & Schwenk 2023, p. 7049.
  15. ^ Kocher et al. 2020, pp. 96–97.
  16. ^ a b Reis, Moshchuk & Oskov 2019, p. 1661.
  17. ^ Reis, Moshchuk & Oskov 2019, pp. 1663, 1664.
  18. ^ Bishop 2021, pp. 25–26.
  19. ^ Rokicki, Maurice & Laperdrix 2021, p. 476.
  20. ^ Reis, Moshchuk & Oskov 2019, p. 1667.
  21. ^ Kim & Lee 2023, p. 757.
  22. ^ Kim et al. 2022, p. 1007.
  23. ^ Reis, Moshchuk & Oskov 2019, p. 1668.
  24. ^ Cimpanu 2019.
  25. ^ Narayan et al. 2020, p. 714.
  26. ^ Kokatsu 2020.
  27. ^ Layzell 2019.
  28. ^ Reis & Gribble 2009, pp. 229–230.
  29. ^ Wang et al. 2009, pp. 12–13.
  30. ^ Warren 2018.
  31. ^ Reis, Moshchuk & Oskov 2019, p. 1671.
  32. ^ Jin et al. 2022, p. 1526.
  33. ^ Jin et al. 2022, p. 1527.
  34. ^ Agarwal et al. 2022, pp. 1529, 1530.
  35. ^ Jin et al. 2022, pp. 1525, 1530.
  36. ^ Gierlings, Brinkmann & Schwenk 2023, pp. 7037–7038.

Sources edit

  • Reis, Charles; Gribble, Steven D. (April 2009). "Isolating web programs in modern browser architectures". Proceedings of the 4th ACM European conference on Computer systems. ACM. pp. 219–232. doi:10.1145/1519065.1519090. ISBN 978-1-60558-482-9. S2CID 8028056. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Rogowski, Roman; Morton, Micah; Li, Forrest; Monrose, Fabian; Snow, Kevin Z.; Polychronakis, Michalis (2017). "Revisiting Browser Security in the Modern Era: New Data-Only Attacks and Defenses". 2017 IEEE European Symposium on Security and Privacy (EuroS&P). pp. 366–381. doi:10.1109/EuroSP.2017.39. ISBN 978-1-5090-5762-7. S2CID 7325479. from the original on 2020-02-10. Retrieved 2023-12-24.
  • Röttger, Stephen; Janc, Artur. "A Spectre proof-of-concept for a Spectre-proof web". Google Online Security Blog. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Dong, Xinshu; Hu, Hong; Saxena, Prateek; Liang, Zhenkai (2013). Crampton, Jason; Jajodia, Sushil; Mayes, Keith (eds.). A Quantitative Evaluation of Privilege Separation in Web Browser Designs. Lecture Notes in Computer Science. Berlin, Heidelberg: Springer. pp. 75–93. doi:10.1007/978-3-642-40203-6_5. ISBN 978-3-642-40203-6. from the original on 2023-12-29. Retrieved 2023-12-29.
  • Warren, Tom (2018-07-12). "Chrome now uses more RAM because of Spectre security fixes". The Verge. from the original on 2022-10-25. Retrieved 2023-12-30.
  • Reis, Charles; Moshchuk, Alexander; Oskov, Nasko (2019). Site Isolation: Process Separation for Web Sites within the Browser. pp. 1661–1678. ISBN 978-1-939133-06-9. from the original on 2023-11-28. Retrieved 2023-12-24.
  • Zhu, Yongye; Wei, Shijia; Tiwari, Mohit (2022). "Revisiting Browser Performance Benchmarking From an Architectural Perspective". IEEE Computer Architecture Letters. 21 (2): 113–116. doi:10.1109/LCA.2022.3210483. S2CID 252641754. from the original on 2023-07-30. Retrieved 2023-12-24.
  • Paul, Ryan (2009-07-10). "Inside Gazelle, Microsoft Research's "browser OS"". Ars Technica. Retrieved 2024-03-07.
  • Jin, Zihao; Kong, Ziqiao; Chen, Shuo; Duan, Haixin (2022). "Timing-Based Browsing Privacy Vulnerabilities Via Site Isolation". 2022 IEEE Symposium on Security and Privacy (SP). pp. 1525–1539. doi:10.1109/SP46214.2022.9833710. ISBN 978-1-6654-1316-9. S2CID 247570554. from the original on 2022-07-28. Retrieved 2023-12-24.
  • Layzell, Nika (2019-02-04). "NIKA:\fission-news-1\>". mystor.github.io. from the original on 2023-12-29. Retrieved 2023-12-30.
  • Agarwal, Ayush; o'Connell, Sioli; Kim, Jason; Yehezkel, Shaked; Genkin, Daniel; Ronen, Eyal; Yarom, Yuval (2022). "Spook.js: Attacking Chrome Strict Site Isolation via Speculative Execution". 2022 IEEE Symposium on Security and Privacy (SP). pp. 699–715. doi:10.1109/SP46214.2022.9833711. ISBN 978-1-6654-1316-9. S2CID 251140823. from the original on 2022-10-27. Retrieved 2023-12-24.
  • Rokicki, Thomas; Maurice, Clémentine; Laperdrix, Pierre (2021). "SoK: In Search of Lost Time: A Review of JavaScript Timers in Browsers". 2021 IEEE European Symposium on Security and Privacy (EuroS&P) (PDF). pp. 472–486. doi:10.1109/EuroSP51992.2021.00039. ISBN 978-1-6654-1491-3. S2CID 263897590. (PDF) from the original on 2022-12-17. Retrieved 2023-12-24.
  • Wang, Helen; Grier, Chris; Moshchuk, Alexander; King, Samuel T.; Choudhury, Piali; Venter, Herman; King, Sam (2009-02-19). "The Multi-Principal OS Construction of the Gazelle Web Browser". SSYM'09: Proceedings of the 18th Conference on USENIX Security Symposium. from the original on 2023-09-04. Retrieved 2023-12-29.
  • Jia, Yaoqi; Chua, Zheng Leong; Hu, Hong; Chen, Shuo; Saxena, Prateek; Liang, Zhenkai (2016-10-24). ""The Web/Local" Boundary is Fuzzy: A Security Study of Chrome's Process-based Sandboxing". Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. CCS '16. New York, NY, USA: Association for Computing Machinery. pp. 791–804. doi:10.1145/2976749.2978414. ISBN 978-1-4503-4139-4. S2CID 7573477.
  • Bishop, Douglas L. (2021). Improvements of User's Security and Privacy in a Web Browser (Thesis). University of Dayton. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Cimpanu, Catalin (2019-02-06). "Firefox to get a 'site isolation' feature, similar to Chrome". ZDNET. from the original on 2023-12-29. Retrieved 2023-12-29.
  • Narayan, Shravan; Disselkoen, Craig; Garfinkel, Tal; Froyd, Nathan; Rahm, Eric; Lerner, Sorin; Shacham, Hovav; Stefan, Deian (2020). Retrofitting Fine Grain Isolation in the Firefox Renderer. pp. 699–716. ISBN 978-1-939133-17-5. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Gierlings, Matthias; Brinkmann, Marcus; Schwenk, Jörg (2023). Isolated and Exhausted: Attacking Operating Systems via Site Isolation in the Browser. pp. 7037–7054. ISBN 978-1-939133-37-3. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Kokatsu, Jun (2020-11-10). "Deep Dive into Site Isolation (Part 1)". Microsoft Browser Vulnerability Research. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Kim, Young Min; Lee, Byoungyoung (2023). Extending a Hand to Attackers: Browser Privilege Escalation Attacks via Extensions. pp. 7055–7071. ISBN 978-1-939133-37-3. from the original on 2023-12-24. Retrieved 2023-12-24.
  • Kocher, Paul; Horn, Jann; Fogh, Anders; Genkin, Daniel; Gruss, Daniel; Haas, Werner; Hamburg, Mike; Lipp, Moritz; Mangard, Stefan; Prescher, Thomas; Schwarz, Michael; Yarom, Yuval (2020-06-18). "Spectre attacks: exploiting speculative execution". Communications of the ACM. 63 (7): 93–101. doi:10.1145/3399742. ISSN 0001-0782. S2CID 373888.
  • Kim, Sunwoo; Kim, Young Min; Hur, Jaewon; Song, Suhwan; Lee, Gwangmu; Lee, Byoungyoung (2022). {FuzzOrigin}: Detecting {UXSS} vulnerabilities in Browsers through Origin Fuzzing. pp. 1008–1023. ISBN 978-1-939133-31-1.


January 01, 1970
site, isolation, feature, certain, browsers, that, allow, cross, origin, sites, isolated, from, each, other, feature, originally, proposed, charles, reis, others, with, subsequent, iterations, from, microsoft, form, their, implementation, feature, gazelle, res. Site isolation is a feature in certain web browsers that allow cross origin sites to be isolated from each other The feature was originally proposed by Charles Reis and others with subsequent iterations from Microsoft in the form of their implementation of the feature in the Gazelle research browser However the feature failed to gain traction due to issues surrounding its implementation and performance concerns A depiction of how site isolation separated different websites into different processes In 2018 following the disclosure of the Spectre and Meltdown vulnerabilities to the public Google started work on adding site isolation in Chrome eventually culminating in a 2019 release of the feature In 2021 Firefox also launched their own version of site isolation which they had been working on under the codename Project Fission Despite the security benefits of this feature researchers have also found security issues surrounding various aspects of this feature These include issues with the perceived protection against transient attacks such as Spectre and Meltdown as well as new timing and resource exhaustion attacks enabled by this feature Contents 1 Background 2 History 3 Modern implementation 4 Reception 5 References 5 1 Citations 5 2 SourcesBackground editUntil 2017 the predominant security architecture of major browsers adhered to the process per browsing instance model This entailed the browser comprising distinct sandboxed processes including the browser process GPU process networking process and rendering process The rendering process would engage with other privileged services when necessary to execute elevated actions when viewing a web page 1 2 Although this model successfully prevented problems associated with malicious JavaScript gaining access to the operating system it lacked the capability to isolate websites from each other adequately 3 Despite these concerns the adoption of a more robust model faced limited traction due to perceived issues with newer models particularly those related to performance and memory 4 5 In 2017 the disclosure of Spectre and Meltdown exploits however altered this landscape Previously accessing arbitrary memory was complicated requiring a compromised renderer However with Spectre attacks were developed that abused Javascript features to read almost all memory in the rendering process including memory storing potentially sensitive information from previously rendered cross origin pages 6 7 This exposed the issues of the process per instance security model Consequently a new security architecture that allowed the separation of the rendering of different web pages into entirely isolated processes was required 8 7 History editIn 2009 Reis et al proposed the first version of the process per site model to isolate web pages based on the page s web origin 9 This was improved upon in 2009 by the Gazelle research browser which separated specific document frames based on their web principal a security barrier that corresponded with the specific document that was being loaded 10 11 Around the same time work was also being done on the OP which would later become the OP2 browser IBOS Tahoma and the SubOS browsers all of which proposed different paradigms to solve the issue of process separation amongst sites 12 13 Modern implementation editIn 2019 Reis et al of the Google Chrome project presented a paper at USENIX Security 14 that detailed changes to their existing browser security model in response to the recent research proving that the Spectre attack could be used inside the rendering process of the browser 15 16 The paper proposed changes to the model that borrowed from Reis et al s work in 2009 17 Chrome s implementation of site isolation would use web origins as a primary differentiator of a site at a process level 18 19 Additionally the Chrome team also implemented the idea of website frames being executed out of process a feature that had been suggested by the authors of the Gazelle web browser as well as the OP and OP2 web browsers 12 This required a significant re engineering of Chrome s process handling code involving to more than 4000 commits from 320 contributors over a period of 5 years 20 Chrome s implementation of site isolation allowed it to eliminate multiple universal cross site scripting uXSS attacks 21 uXSS attacks allow attackers to compromise the same origin policy granting unrestricted access to inject and load attacker controlled javascript on other website 22 The Chrome team found that all 94 uXSS attacks reported between 2014 and 2018 would be rendered ineffective by the deployment of site isolation 23 In addition to this the Chrome team also claimed that their implementation of site isolation would be effective at preventing variations of the Spectre and Meltdown group of timing attacks that relied on the victim address space being on the same process as the attacker process 16 In March 2021 the Firefox development team announced that they would also roll out their implementation of site isolation This feature had been in development for multiple months under the codename Project Fission 24 Firefox s implementation fixed a few of the flaws that had been found in Chrome s implementation namely the fact that similar web pages were still vulnerable to uXSS attacks 25 26 The project also required a rewrite of the process handling code in Firefox 27 Reception editBefore 2019 site isolation had only been implemented by research browsers Site isolation was considered to be resource intensive 5 due to an increase in the amount of memory space taken up by the processes 28 This performance overhead was reflected in real world implementations as well 29 Chrome s implementation of site isolation on average took one to two cores more than the same without site isolation 5 Additionally engineers working on the site isolation project observed a 10 to 13 percent increase in memory usage when site isolation was used 30 31 Chrome was the industry s first major web browser to adopt site isolation as a defense against uXSS and transient execution attacks 32 To do this they overcame multiple performance and compatibility hurdles and in doing so they kickstarted an industry wide effort to improve browser security However despite this certain aspects of Spectre s defenses have been found lacking 6 In particular site isolation s ability to defend against timing attacks has been found to be incomplete 33 In 2021 Agarwal et al were able to develop an exploit called Spook js that was able to break Chrome s Spectre defenses and exfiltrate data across web page in different origins 34 In the same year researchers at Microsoft were able to leverage site isolation to perform a variety of timing attacks that allowed them to leak cross origin information by careful manipulation of the inter process communication protocols employed by site isolation 35 In 2023 researchers at Ruhr University Bochum showed that they were able to leverage the process architecture required by site isolation to exhaust system resources and also perform advanced attacks like DNS poisoning 36 References editCitations edit Reis amp Gribble 2009 pp 225 226 Dong et al 2013 pp 78 79 Jia et al 2016 pp 791 792 Dong et al 2013 p 89 a b c Zhu Wei amp Tiwari 2022 p 114 a b Jin et al 2022 p 1525 a b Rottger amp Janc Rogowski et al 2017 pp 336 367 Reis amp Gribble 2009 pp 224 225 Paul 2009 Wang et al 2009 pp 1 2 a b Reis Moshchuk amp Oskov 2019 p 1674 Dong et al 2013 p 80 Gierlings Brinkmann amp Schwenk 2023 p 7049 Kocher et al 2020 pp 96 97 a b Reis Moshchuk amp Oskov 2019 p 1661 Reis Moshchuk amp Oskov 2019 pp 1663 1664 Bishop 2021 pp 25 26 Rokicki Maurice amp Laperdrix 2021 p 476 Reis Moshchuk amp Oskov 2019 p 1667 Kim amp Lee 2023 p 757 Kim et al 2022 p 1007 Reis Moshchuk amp Oskov 2019 p 1668 Cimpanu 2019 Narayan et al 2020 p 714 Kokatsu 2020 Layzell 2019 Reis amp Gribble 2009 pp 229 230 Wang et al 2009 pp 12 13 Warren 2018 Reis Moshchuk amp Oskov 2019 p 1671 Jin et al 2022 p 1526 Jin et al 2022 p 1527 Agarwal et al 2022 pp 1529 1530 Jin et al 2022 pp 1525 1530 Gierlings Brinkmann amp Schwenk 2023 pp 7037 7038 Sources edit Reis Charles Gribble Steven D April 2009 Isolating web programs in modern browser architectures Proceedings of the 4th ACM European conference on Computer systems ACM pp 219 232 doi 10 1145 1519065 1519090 ISBN 978 1 60558 482 9 S2CID 8028056 Archived from the original on 2023 12 24 Retrieved 2023 12 24 Rogowski Roman Morton Micah Li Forrest Monrose Fabian Snow Kevin Z Polychronakis Michalis 2017 Revisiting Browser Security in the Modern Era New Data Only Attacks and Defenses 2017 IEEE European Symposium on Security and Privacy EuroS amp P pp 366 381 doi 10 1109 EuroSP 2017 39 ISBN 978 1 5090 5762 7 S2CID 7325479 Archived from the original on 2020 02 10 Retrieved 2023 12 24 Rottger Stephen Janc Artur A Spectre proof of concept for a Spectre proof web Google Online Security Blog Archived from the original on 2023 12 24 Retrieved 2023 12 24 Dong Xinshu Hu Hong Saxena Prateek Liang Zhenkai 2013 Crampton Jason Jajodia Sushil Mayes Keith eds A Quantitative Evaluation of Privilege Separation in Web Browser Designs Lecture Notes in Computer Science Berlin Heidelberg Springer pp 75 93 doi 10 1007 978 3 642 40203 6 5 ISBN 978 3 642 40203 6 Archived from the original on 2023 12 29 Retrieved 2023 12 29 Warren Tom 2018 07 12 Chrome now uses more RAM because of Spectre security fixes The Verge Archived from the original on 2022 10 25 Retrieved 2023 12 30 Reis Charles Moshchuk Alexander Oskov Nasko 2019 Site Isolation Process Separation for Web Sites within the Browser pp 1661 1678 ISBN 978 1 939133 06 9 Archived from the original on 2023 11 28 Retrieved 2023 12 24 Zhu Yongye Wei Shijia Tiwari Mohit 2022 Revisiting Browser Performance Benchmarking From an Architectural Perspective IEEE Computer Architecture Letters 21 2 113 116 doi 10 1109 LCA 2022 3210483 S2CID 252641754 Archived from the original on 2023 07 30 Retrieved 2023 12 24 Paul Ryan 2009 07 10 Inside Gazelle Microsoft Research s browser OS Ars Technica Retrieved 2024 03 07 Jin Zihao Kong Ziqiao Chen Shuo Duan Haixin 2022 Timing Based Browsing Privacy Vulnerabilities Via Site Isolation 2022 IEEE Symposium on Security and Privacy SP pp 1525 1539 doi 10 1109 SP46214 2022 9833710 ISBN 978 1 6654 1316 9 S2CID 247570554 Archived from the original on 2022 07 28 Retrieved 2023 12 24 Layzell Nika 2019 02 04 NIKA fission news 1 gt mystor github io Archived from the original on 2023 12 29 Retrieved 2023 12 30 Agarwal Ayush o Connell Sioli Kim Jason Yehezkel Shaked Genkin Daniel Ronen Eyal Yarom Yuval 2022 Spook js Attacking Chrome Strict Site Isolation via Speculative Execution 2022 IEEE Symposium on Security and Privacy SP pp 699 715 doi 10 1109 SP46214 2022 9833711 ISBN 978 1 6654 1316 9 S2CID 251140823 Archived from the original on 2022 10 27 Retrieved 2023 12 24 Rokicki Thomas Maurice Clementine Laperdrix Pierre 2021 SoK In Search of Lost Time A Review of JavaScript Timers in Browsers 2021 IEEE European Symposium on Security and Privacy EuroS amp P PDF pp 472 486 doi 10 1109 EuroSP51992 2021 00039 ISBN 978 1 6654 1491 3 S2CID 263897590 Archived PDF from the original on 2022 12 17 Retrieved 2023 12 24 Wang Helen Grier Chris Moshchuk Alexander King Samuel T Choudhury Piali Venter Herman King Sam 2009 02 19 The Multi Principal OS Construction of the Gazelle Web Browser SSYM 09 Proceedings of the 18th Conference on USENIX Security Symposium Archived from the original on 2023 09 04 Retrieved 2023 12 29 Jia Yaoqi Chua Zheng Leong Hu Hong Chen Shuo Saxena Prateek Liang Zhenkai 2016 10 24 The Web Local Boundary is Fuzzy A Security Study of Chrome s Process based Sandboxing Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security CCS 16 New York NY USA Association for Computing Machinery pp 791 804 doi 10 1145 2976749 2978414 ISBN 978 1 4503 4139 4 S2CID 7573477 Bishop Douglas L 2021 Improvements of User s Security and Privacy in a Web Browser Thesis University of Dayton Archived from the original on 2023 12 24 Retrieved 2023 12 24 Cimpanu Catalin 2019 02 06 Firefox to get a site isolation feature similar to Chrome ZDNET Archived from the original on 2023 12 29 Retrieved 2023 12 29 Narayan Shravan Disselkoen Craig Garfinkel Tal Froyd Nathan Rahm Eric Lerner Sorin Shacham Hovav Stefan Deian 2020 Retrofitting Fine Grain Isolation in the Firefox Renderer pp 699 716 ISBN 978 1 939133 17 5 Archived from the original on 2023 12 24 Retrieved 2023 12 24 Gierlings Matthias Brinkmann Marcus Schwenk Jorg 2023 Isolated and Exhausted Attacking Operating Systems via Site Isolation in the Browser pp 7037 7054 ISBN 978 1 939133 37 3 Archived from the original on 2023 12 24 Retrieved 2023 12 24 Kokatsu Jun 2020 11 10 Deep Dive into Site Isolation Part 1 Microsoft Browser Vulnerability Research Archived from the original on 2023 12 24 Retrieved 2023 12 24 Kim Young Min Lee Byoungyoung 2023 Extending a Hand to Attackers Browser Privilege Escalation Attacks via Extensions pp 7055 7071 ISBN 978 1 939133 37 3 Archived from the original on 2023 12 24 Retrieved 2023 12 24 Kocher Paul Horn Jann Fogh Anders Genkin Daniel Gruss Daniel Haas Werner Hamburg Mike Lipp Moritz Mangard Stefan Prescher Thomas Schwarz Michael Yarom Yuval 2020 06 18 Spectre attacks exploiting speculative execution Communications of the ACM 63 7 93 101 doi 10 1145 3399742 ISSN 0001 0782 S2CID 373888 Kim Sunwoo Kim Young Min Hur Jaewon Song Suhwan Lee Gwangmu Lee Byoungyoung 2022 FuzzOrigin Detecting UXSS vulnerabilities in Browsers through Origin Fuzzing pp 1008 1023 ISBN 978 1 939133 31 1 Retrieved from https en wikipedia org w index php title Site isolation amp oldid 1212750201, wikipedia, wiki, book, books, library,

article

, read, download, free, free download, mp3, video, mp4, 3gp, jpg, jpeg, gif, png, picture, music, song, movie, book, game, games.