Changes

Jump to: navigation, search

Project Fission

2,791 bytes added, 02:25, 12 April 2018
Project Fission
=Project Fission=
An evolution Project Fission is the code named assigned to our long term Spectre mitigation strategy of our isolating process per origin (aka Site Isolation). How Project Fission Mitigates SpectreSpectre allows one origin to steal the user’s or another origin’s private data using one of the above variants; but only data in the same process address space. Fission mitigates Spectre by moving all the private data that an origin shouldn’t be able to access into a separate process model. That way, even if a Spectre variant is successfully used, there is no private data to steal. Importantly, this avoids having to mitigate each Spectre variant (Variant examples omitted for Security purposes) individually. This will likely explanation critically assumes that Spectre variants don’t work across processes. The general answer here is that the Meltdown fixes already deployed ensure this is the case. There is currently a known theoretical cross-process Spectre leak, but Windows already has an opt-in fix which might become the default for all user mode processes. Other than this, we’re not aware of other cross-process Spectre attacks. More generally, using Fission to mitigate Spectre aligns browsers with what seems to be the emerging cross-industry contract that the OS+CPU prevent Spectre attacks between userspace and kernel and between separate userspace processes. When trying to isolate mutually untrusted code within a longprocess, all indications are that browsers are on our own from the OS+CPU perspective, which is a risky position. Moreover, the OS+CPU have better tools for stopping cross-process Spectre leaks: PCID, scheduling policy, context switches, page tables, ring 0-term projectonly instructions, etc==Project planning==Tracking  Project Fission will consist of a Cross Functional engineering team across the Platform organization. The DOM team is currently engaged in several architectural changes in preparation for isolating process per origin.  Primary Meta bug - Bug 1432593 - [meta] Site Isolation Other Relevant bugs Bug 1437994 - Implement Abstract Browsing Context Trees Bug 1436504 - JS APIs for async communication between DocShells Bug 1429896 - [meta] Out of Process (OOP) iframes Bug 1353867 - Implement Cross-Process async window proxies Bug 1438272 - Move Session History State into the Parent Process Bug 1445459 - Rework Session Restore for changes to Session History We are still in the process of scoping the breadth of Project Fission and expect to have additional documents in the coming weeks. Scope, PHD, Project process, Roadmap, and Release criteria are still being formed and expected to be shared over the coming weeks. ==Team== Executive Sponsor: Dave Camp Product Sponsor: Selena Decklemann Engineering Manager: Andrew Overholt Project Architect: Nika Lyzell Project Manager: Thomas Elin RASCI: https://bugzilladocs.mozillagoogle.orgcom/spreadsheets/show_bug.cgi?idd/1jwYDrq0FDD0qNEN_-SXxgOAtaj15hGfH4Xna1v4qrec/edit#gid=1451850705986634
119
edits

Navigation menu