
Chrome is Using 10-13% More RAM to Fight Spectre (pcworld.com) 148

An anonymous reader quotes PCWorld: The critical Meltdown and Spectre bugs baked deep into modern computer processors will have ramifications on the entire industry for years to come, and Chrome just became collateral damage. Google 67 enabled "Site Isolation" Spectre protection for most users, and the browser now uses 10 to 13 percent more RAM due to how the fix behaves.

"Site Isolation does cause Chrome to create more renderer processes, which comes with performance tradeoffs," Google's Charlie Reis says. "On the plus side, each renderer process is smaller, shorter-lived, and has less contention internally, but there is about a 10-13% total memory overhead in real workloads due to the larger number of processes. Our team continues to work hard to optimize this behavior to keep Chrome both fast and secure." It's a significant performance hit, especially for a browser battling a reputation for being a memory hog, but a worthwhile one nonetheless.

Chrome's Spectre-blocking site isolation "is now enabled by default for 99 percent of Chrome users on all platforms."

  • by AHuxley ( 892839 ) on Sunday July 15, 2018 @12:40AM (#56950020) Journal
    design fix all this?
    No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws. Back to fast and secure CPU design work.

    Anyone have a design time line for when this will all be fixed in the CPU again?
    • Too bad AMD is also affected (Spectre), otherwise Intel would have had more incentives to make new CPU earlier.
      • by hcs_$reboot ( 1536101 ) on Sunday July 15, 2018 @01:37AM (#56950096)
        Well, there is still competition as who will have their fixed CPUs first..
        • by Agripa ( 139780 )

          Well, there is still competition as who will have their fixed CPUs first..

          If Spectre can be fixed which is not a given. Somehow they have to prevent speculative execution within the same process from altering CPU state.

          Without a time machine, how do you prevent speculative loads in untaken branches without preventing speculative loads in taken branches?

      • by Anonymous Coward

        Though Intel's problems require a quadruple bypass, while AMD's require a band-aid on the finger.

    • by Anonymous Coward

      They were going to do this whether or not Spectre and Meltdown happened. This might have given them a kick in the ass to hurry things up, but this RAM was always going to be spent and you're not getting it back even if Spectre & Meltdown disappear.

    • by Anonymous Coward on Sunday July 15, 2018 @02:58AM (#56950232)

      I don't expect CPU fixes to come until 3-5 years have passed. This requires a major redesign, it's not just a little fix.

      • by AmiMoJo ( 196126 )

        Just buy an AMD CPU. The massive performance killing fixes are not required for them.

        Unfortunately it doesn't look like Chrome detects Intel CPUs before enabling this.

        • by Megol ( 3135005 )

          Yes they are required.

          Spectre is a collection of related exploits some of which are very hard to use on AMD architectures but not impossible in theory. Meltdown isn't however a problem for AMD but this Chrome design isn't intended to combat Meltdown.

        • Unfortunately it doesn't look like Chrome detects Intel CPUs before enabling this.

          And why would it? This kind of fix resolves Speculative execution bugs, but it doesn't exclusively target them. This form of isolation is just good security practice in general, especially given the most likely attack vector is not the primary domain you're connected to.

    • by arglebargle_xiv ( 2212710 ) on Sunday July 15, 2018 @03:07AM (#56950238)

      No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws.

      Pick any two. Which do you want?

      • Out of those three I would clearly sacrifice RAM. That is the easiest and cheapest part to go overboard on to ensure it is never a problem. Just get 32GB and this 10-13% extra usage is probably not an issue.

        Clearly I would love all three, but my ideal second choice would be to sacrifice RAM for better CPU performance.

    • No more slow CPU, no more extra RAM

      And ponies! We want ponies too.

      Remember the reason we're in this mess is because people didn't want slow CPUs in the first place.

    • by Agripa ( 139780 )

      design fix all this?

      No more slow CPU, no more extra RAM used, no more OS software to protect from CPU security flaws. Back to fast and secure CPU design work.

      Anyone have a design time line for when this will all be fixed in the CPU again?

      So programs will maintain two different codebases for processors which are vulnerable and processors which are not? That will not happen for a long time even assuming that Spectre is solvable. At best the impact on processors immune to Meltdown will be minimized.

  • How very misleading. (Score:1, Informative)

    by Anonymous Coward

    This is only a problem for Intel CPUs.

    • by Anonymous Coward

      This is only a problem for Intel CPUs.

      Oh, really?

      In particular, we have verified Spectre on Intel, AMD, and ARM processors.
      https://meltdownattack.com/

  • Stupid over-reaction (Score:5, Interesting)

    by GerryGilmore ( 663905 ) on Sunday July 15, 2018 @12:58AM (#56950048)
    Supposedly, the biggest vulnerabilities are from cloud providers due to their extensive use of virtualization in their environs.
    However, I've never seen a real server that surfs the web using any browser. Stupidity is rampant, paranoia rules and perspective has completely left the building when it comes to Spectre/Meltdown.
    The most difficult "vulnerability" to leverage known to mankind has everyone scurrying like mad while basic security - allowing the Equifax breach, say - gets a passing nod. Well done, guys!
    • by darkain ( 749283 )

      "I've never seen a real server that surfs the web using any browser"

      There are countless web based resources that include web page screen shots. These screen shots are not made on client machines by hand, they're made using automated tasks with web browsers running on the servers.

    • by mccalli ( 323026 ) on Sunday July 15, 2018 @02:50AM (#56950222) Homepage
      Corporate VDI. A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.
      • by tepples ( 727027 )

        A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.

        How much are these corporates spending on Terminal Server client access licenses (CALs) to allow virtual Windows desktops to work? Or are they instead using virtual FreeBSD or GNU/Linux desktops?

      • Corporate VDI. A lot of the larger corporates are moving away from physical desktops towards having virtual desktops and thin clients.

        A typical employee has far more access to systems and people to care about sophisticated spectre related vulnerabilities. If you have a nefarious employee you're effectively screwed. Corporate IT security is not equipped to handle this.

    • by Anonymous Coward

      Just because it's only theoretical and difficult doesn't mean Chrome shouldn't patch it... If someone successfully made an exploit you just need to put some JS in an advert and you basically own the entire world.

    • You would need to define "server". Downloading patches and running reporting toolkits to find precisely what hardware or software revisions is something I've seen available only via some browsers. I've also seen companies require the local scan to report to the vendor on the web page to select the correct patches for local application. It's as confusing and annoying as Sun's, now Oracle's, practice of forcing you through a web form to sign the latest license agreement for the latest Java toolkit.

    • by Rain ( 5189 )
      Browsers are a concern for the same reason as cloud providers: you are running untrusted code in a sandboxed VM, and Spectre allows you to potentially exfiltrate data from outside the sandbox. Cloud providers are a bigger concern because they're more likely to contain interesting data* and because it's harder to exploit Spectre via JavaScript than native code, but there are Spectre proof-of-concepts written in JS.

      * interesting to an attacker, relative to the effort required
  • by Anonymous Coward

    [insert your fave js blocker here] will reduce the footprint by MUCH more than that.

    • by AHuxley ( 892839 )
      Ad brands who give away free OS may not like brokers not showing their OS approved ads.
    • Yes, an ad-blocker definitely reduces memory usage, by a lot. However, it's a bad idea to use any add-on for 'important' sites. I compartmentalize my browser into different user ids so the actual Chrome instance I use to access sensitive accounts is completely independent of the instance I use for general browsing. The ad-blocker is disabled for the one I use to access sensitive accounts (in fact, ALL add-ons are disabled for that one), and enabled for the one I use for general browsing.

      -Matt

  • by Anonymous Coward

    Well, fortunately Chrome didn't use that much memory to begin with.

    Oh, wait...

  • I guess porn leads the way in cutting edge innovation for more than just the obvious reason :-/

    • by Agripa ( 139780 )

      I guess porn leads the way in cutting edge innovation for more than just the obvious reason :-/

      The original developers should have known; always practice safe hex.

  • by Anonymous Coward

    Every click goes to Google. No thanks

  • "The critical Meltdown and Spectre bugs baked deep into modern computer processors"

    That should be, the critical Meltdown and Spectre bugs baked deep into Intel x86 architecture processors. And such bugs wouldn't be so serious if we didn't run our computing on a monoculture. As in nature, when a bug comes it doesn't wipe out a whole population.

    "Spectre lets attackers access protected information in your PC’s kernel memory, potentially revealing sensitive details like passwords, cryptographic keys, p
    • by Megol ( 3135005 )

      Spectre is there for all processors with more than the most trivial support for speculative execution. Yes that includes all modern computer processors.

      Meltdown is limited to Intel, some IBM designs and some ARM designs.

  • by TeknoHog ( 164938 ) on Sunday July 15, 2018 @10:58AM (#56951602) Homepage Journal

    Browsers should be using different processes for different websites anyway, as a general security measure, and I believe they have been aiming to do that already. Since Spectre only allows reading memory within the same process, I don't understand the panic here (though I guess it's different for virtual machines).

    We've already had countless issues where developers didn't sanitize their inputs, so a malicious piece of data could do something nasty; crucially, we didn't need Spectre for that. Meltdown is a wholly different beast, but I guess Intel needs to keep up the Spectre panic for AMD.

    • by Agripa ( 139780 )

      Browsers should be using different processes for different websites anyway, as a general security measure, and I believe they have been aiming to do that already. Since Spectre only allows reading memory within the same process, I don't understand the panic here (though I guess it's different for virtual machines).

      It is a good thing each web page only loads scripts from one domain.

  • So actually even though the memory footprint is larger, using separate processes also makes chrome more swap-friendly, which means the kernel can page-in/page-out the tabs more efficiently. The result seems, at least for me, to be a smoother ride when I have a lot of tabs open.

    Of course, swap space should always be configured on a SSD.

    I always enable the site isolation option. It's nice to see Google finally making it the default.

    -Matt

    • by Agripa ( 139780 )

      So actually even though the memory footprint is larger, using separate processes also makes chrome more swap-friendly, which means the kernel can page-in/page-out the tabs more efficiently.

      This is true except on processors vulnerable to Meltdown which have to trash the page tables. The change was needed but it moved the problem to the operating system. At least it was feasible.

  • Seriously, who are these new Bond films targeting? 3/10.
  • Sorry, but I have more RAM than battery life. Why do I bring this up? Because the only real alternative Firefox reduces my battery life by about 30% when I do the exact same things on it as I would on Chrome. And Firefox doesn't even have site isolation yet.

    I really want to use Firefox and occasionally fire up the latest version. But I cannot justify using it, because it is trivial to buy a laptop with 32 GB RAM to overcome the resource hungriness. Battery life is not so easy to obtain.
