Mozilla to harden Firefox defenses with site isolation, a la Chrome
- 15 February, 2019 06:13
Mozilla plans to boost Firefox's defensive skills by mimicking the "Site Isolation" technology introduced to Google's Chrome last year.
Dubbed "Project Fission," the effort will more granularly separate sites and their individual components than is currently the case in Firefox. The goal: Isolate malicious sites and attack code so individual sites cannot wreak havoc in the browser at large, or pillage the browser, the device or the device's memory of critical information, such as authentication credentials and encryption keys.
"We aim to build a browser which isn't just secure against known security vulnerabilities, but also has layers of built-in defense against potential future vulnerabilities," Nika Layzel, the project tech lead of the Fission team, wrote in a post last week to a Firefox development mailing list. "To accomplish this, we need to revamp the architecture of Firefox and support full Site Isolation." Layzel also published the note as the first newsletter from the Fission engineering group.
Site Isolation, while a generic label, has been most linked to Google, which used it to describe the defensive features it added to Chrome in 2018. Although Google had been working on site isolation for years, it only added the technology to Chrome in late 2017, and switched it on for most users in mid-2018. Fortuitously, site isolation was the answer to Spectre and Meltdown, new classes of vulnerabilities in a huge swath of hardware, including PC and server processors, and software - primarily browsers - that went public in early 2018.
With site isolation, a browser devotes separate processes to each domain, or site, and in some cases, different processes for components on a site. iframes, for example, which have been used for malicious purposes, are rendered in processes separate from the one handling the overarching site.
One Chrome software engineer applauded Mozilla's move. "Awesome to hear that @firefox is working on full site isolation," said Nasko Oskov in a Feb. 5 Twitter message. "I'll be cheering from the sidelines and if sharing our hurdles on Chrome can be helpful, I'd be more than happy to share. Lots of interesting challenges and bugs along the way."
Currently, Firefox dedicates one process to the browser user interface (UI) and several others - up to eight - for the browser tabs' content. Site isolation would multiply the number of processes assigned to the browser, with at least one, likely several, for each website.
That multi-process work, called "Electrolysis," had a torturous history as Mozilla started, stopped, then restarted the project. Only in 2016 did Firefox start offering the results to users, with Mozilla calling it the "largest change we've ever made to Firefox."
Fission will be a daunting project as well, Layzel predicted. "Fission is a massive project," he said, after asserting "we need to revamp the architecture of Firefox" to accomplish the mission.
Mozilla has given no hint of when it expects to complete Fission - it has not published a public roadmap, as it sometimes does with major initiatives - but the first in what will certainly be a long series of milestones comes due at the end of February.
"Now that we've moved past much of the initial infrastructure ground work, we are going to keep track of work with our milestone targets," Layzel wrote. "Each milestone will contain a collection of new features and improved functionality which brings us incrementally closer to our goal."
The first of those markers will encompass tasks necessary to move iframes to their own processes, Layzel said.
No one at Mozilla has hazarded a guess as to the memory impact of Fission, but that topic will be of great interest to users when work has neared a final browser release. Splitting the browser into multiple processes consumes more memory, a factor in Mozilla's decision to adopt the format of Electrolysis. At the time, Mozilla argued that its approach was more conservative of memory than Google's, which at the time relied on a separate process for each tab. (Now, of course, Chrome can assign several processes to a single tab's contents.)
When Google added Site Isolation to Chrome, the open round memory hit was around a 20% increase. Later changes brought that down to between 10% and 13%.