D3-ABPI

Isolate
Application-based Process Isolation

Definition

Application code which prevents its own subroutines from accessing intra-process / internal memory space.

How it works

Some applications implement logic to permit or deny a particular subroutine access to other data within the same applicaition process. This is intended to prevent critical application process data from being tampered with.

Application-based Process Isolation in web browsers.

Isolation in browsers usually is designed with the following architectural mindset:

Sandboxes and web resources should not be allowed to access each other because compromise of one should not effect the other.

The principle of least-privilege should be followed when browsing.

The following aspects help make browser-based process isolation possible:

Same Origin Policy

Separate tabs and iframes use their own DOMs (cross-site document object models always run as a different process)

CORS ensures cross-site data is not delivered to a process unless the server allows it

Cookie and local data storage is separated by domain/site

Separate execution environments (threads)

Considerations

Using isolation in browsers does mitigate and protect by default some types of attacks (e.g. renderer attacks and access to the filesystem) but it depends on correct configuration of CORS, use of valid/appropriate certificates.

Application-based Process Isolation may increase memory footprint.

Application-based Process Isolation may decrease application performance.

Artifact Relationships

This defensive technique relates to specific digital artifacts.

isolates
restricts
Application-based Process Isolation
Process
Subroutine

References

Reference - Private application access with browser isolation Reference - Protecting web applications from untrusted endpoints using remote browser isolation Reference - Site Isolation Design Document