Firefox Fission aims to thwart nasty Spectre-style attacks
With a Firefox effort called Project Fission, Mozilla is moving ahead this month with a plan to keep a major class of computer attacks at bay.
The Spectre and Meltdown attacks, more broadly called side-channel attacks, have been a major issue for the computing industry since they emerged a year ago. Mozilla fixed the immediate security vulnerabilities in Firefox last year, but now with an overhaul called Project Fission, the company hopes to protect the browser from any future Spectre-class variations.
Fission has been underway for months. But Mozilla plans to take its first concrete step later this month with a release called Milestone 1, said Nika Layzell, a Firefox platform engineer, in a blog post Monday.
“We aim to build a browser which isn’t just secure against known security vulnerabilities, but also has layers of built-in defense against potential future vulnerabilities,” Layzell said. “Fission is a massive project.”
Spectre-style attacks can be used to steal highly sensitive data like passwords or encryption keys not just by exploiting web browsers but also processors and operating systems. The computing industry has been scrambling to fundamentally redesign much of its technology as a result. The magnitude of Project Fission shows just how hard it is to take care of the problem.
Mozilla isn’t yet ready to say when Fission will be done. But it’ll start shipping its elements in the Firefox Nightly test version of the browser when it’s ready.
“Project Fission changes the Firefox browser architecture to make it even more secure and resilient to security vulnerabilities. We are defining early project milestones and sharing them so that people interested in Firefox development can follow along,” the nonprofit said in a statement Tuesday.
Following up on Firefox Electrolysis
Project Fission is something of a sequel to Mozilla’s earlier Electrolysis project, which split some parts of Firefox into separate computing processes to improve security and performance. In scientific terms, electrolysis can split molecules into separate atoms, for example turning water into hydrogen and oxygen.
But fission splits individual atoms, and as the term suggests, Project Fission involves a lower-level change than Electrolysis.
Specifically, Project Fission enables a technology called site isolation that can split even individual websites into separate computing processes. Google already enabled site isolation in its Chrome browser after a years-long research project that turned out to bear fruit when Spectre emerged.
One drawback of site isolation is that it requires more memory. Mozilla had hoped its Electrolysis plan would offer a memory advantage over Chrome, but the need for site isolation wiped out that expectation. To try to contain browser bloat, though, Mozilla has a related project called Fission Memshrink.
“We are working to ensure Firefox users continue to experience best-in-class memory usage and performance,” Mozilla said in a statement Tuesday.
Fission won’t arrive in one single update. “Each milestone will contain a collection of new features and improved functionality which brings us incrementally closer to our goal,” Layzell said of the project.