Firefox unveils new browser security architecture with site isolation

Firefox, like any other browser, can download code from untrustworthy and potentially dangerous sites and then run it on your computer. To protect users and take Internet security to the next level, the Mozilla team decided to redesign their browser.

The new site isolation security architecture extends existing security mechanisms by separating content. Now a separate operating system process will be created for each site. This will completely isolate code from different sites. In particular, to provide protection against malicious resources trying to gain access to confidential information from other sites visited by users. For example, entered passwords, credit card numbers, etc.

Firefox employs various security mechanisms to protect data, such as the Rule domain restrictions (Same Origin Policy – “The principle of the same source”), which limits the interaction of information received from different sources. That is, it prevents attackers from accessing information from other resources loaded in the same application. But this is not enough. To protect users from potential threats, you should completely separate the memory space allocated to different sites – the new architecture of Firefox provides these security guarantees.

Why Sharing Memory Space Is So Important

In early 2018, security researchers discovered two major vulnerabilities known as Meltdown (a hardware vulnerability that exploits a speculative execution bug in some Intel and ARM processors that causes the processor to ignore page permissions.) And Specter (a group of hardware vulnerabilities in most processors that allows reading data through a third-party channel). Experts have demonstrated how an untrusted site can give attackers access to process memory even in such a high-level language as JavaScript (which almost every site runs in).

To protect against vulnerabilities, interim countermeasures were deployed from the OS, CPU, and major web browsers. They quickly neutralized the attacks, but led to a decrease in performance. But these were just temporary patches.

Firefox has decided to fundamentally redesign its browser architecture to shield users from current and future versions of similar vulnerabilities. The picture below details an example of how an attacker can gain access to personal data in an attack like Specter.

With the new architecture, Firefox loads each site in its own process, thus isolating their memory from each other. For example, a user has two websites open: www.my-bank.com and www.attacker.com. As shown in the picture above, with the old browser architecture, content from both sites can be loaded into the same operating system process. If an attack like Specter comes from www.attacker.com, attackers will be able to request and access data from my-bank.com.

Despite the existing security measures, the only way to ensure complete memory protection is by isolating content from different sites and using operating system process separation.

How the legacy browser architecture worked

Once Firefox started, it would create one privileged process (or parent process), which would then launch and coordinate multiple web processes. The parent process is the most privileged because it is allowed to perform any action that the end user can take.

This multiprocessing architecture allowed Firefox to split more complex or less reliable code into separate processes, most of which have limited access to operating system resources or user files. As a consequence, less privileged code had to request more privileged code to perform operations that it itself could not perform.

For example, a site needs to ask the parent process for permission to save an uploaded file because it does not have permission to write to the computer’s disk. In other words, if an attacker manages to compromise the process launched by the site, he will have to additionally bypass one of the APIs in order to convince the parent process to act on his behalf.

Firefox parent process (as of April 2021) ran a fixed number of processes: eight web content processes, up to two additional semi-privileged web content processes, and four service processes for web extensions, GPU operations, networking and media decoding.

While splitting content into eight processes already provided good security, it did not meet Mozilla’s security standards because it allowed two completely different sites to run in the same operating system process and therefore share the process’s memory. To avoid this, Firefox is moving to a site isolation architecture that loads each site into its own process.

What is happening in the illustration above? The user opens the sites in different tabs: www.my-bank.com, www.getpocket.com, www.mozilla.org and www.attacker.com. It may happen that my-bank.com and attacker.com will be processed by the same operating system process, that is, they will share the memory of this process. Accordingly, an attacker could perform a Specter attack to access data from my-bank.com.

Another important point: without site isolation, the browser will load all pop-up pages in the same process as the top-level site. Subframes (ads, embedded video) are also processed in the general process. As a result, a malicious site can gain access to subframes and confidential information that you enter there. Firefox’s new site isolation security architecture will prevent such attacks.

How the new Firefox architecture with site isolation works

When you add Site Isolation to Firefox for desktop, each unique site will create its own separate process. For example, if you download “https://mozilla.org” and “http://getpocket.com”, the Site Isolation Browser will split them into two different operating system processes, since they are not the same site.

Likewise, https://getpocket.com (note that here it is the https protocol, not http, as in the previous paragraph) will also be loaded into a separate process. That is, all three sites will be loaded in different processes.

Moreover, there are some domains, such as “.github.io” or “.blogspot.com”, which are too general to be identified as “site”. Therefore, Firefox will use the community-supported list Top Level Domains (eTLDs) to help differentiate sites.

Since “github.io” is listed as an eTLD, “a.github.io” and “b.github.io” will be loaded in different processes. Going back to the examples mentioned earlier, the sites www.my-bank.com and www.attacker.com are not considered one site, so they will be isolated from each other in separate processes. The memory will also be isolated to ensure data security.

Also with subframes. Subframes that are not “the same site” as the top-level page will be loaded in a different process.

In the picture above, you can see that the www.attacker.com page is trying to subframe the page from www.my-bank.com, but it will be loaded in a different process. This ensures that process memory is also isolated.

Additional benefits of site isolation

The new architecture not only makes Firefox safer. It provides other benefits as well:

  • By putting more pages in separate processes, doing heavy computation on one page won’t slow down other pages.

  • Using more processes to load websites allows you to distribute the load across multiple CPU cores and use hardware more efficiently.

  • Due to the fragmentation of sites, the failure of one subframe or tab will not affect sites loaded in other processes, that is, the stability of the application increases.

Plans and prospects

Firefox is currently testing site isolation in nightly and beta versions of desktop browsers. However, you can take advantage of the improved security architecture now. To do this, you need to download the browser Nightly or Beta from here and do the following:

To turn on site isolation in Firefox Nightly:

  1. Go to about: Preferences # Experiment

  2. Check the Fission (Site Isolation) box.

  3. Restart Firefox.

To enable site isolation in Firefox Beta:

  1. Go to about: config.

  2. Set the `fission.autostart` parameter to` true `.

  3. Restart Firefox.

Now you can master the updated browser and enjoy the enhanced security.


What else is interesting in the blog Cloud4Y

→ Frequent errors in Nginx settings, due to which the web server becomes vulnerable

→ Password as a Horcrux: Another way to protect your credentials

→ Cloud kitchen: preparing data for monitoring using the vCloud API and a pressure cooker

→ Prepare vApp template for VMware vCenter + ESXi test environment

→ Why your business can be destroyed

Subscribe to our Telegram-channel, so as not to miss the next article. We write no more than twice a week and only on business.

Similar Posts

Leave a Reply