Are your Sites Truly Isolated? Automatically Detecting Logic Bugs in Site Isolation Implementations

Jan Drescher

Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Network Security

**Site isolation** is a critical browser security architecture that enforces separation between web applications by placing cross-site content into separate sandboxed renderer processes. This talk presents a novel IPC fuzzing approach to automatically detect **site isolation bypass vulnerabilities** -- logic bugs that allow a compromised renderer process to access cross-site data or execute scripts in another renderer. The researchers analyze all **39 known site isolation bypass CVEs** in Chrome and Firefox, identify three attack classes (missing checks, circumventable checks, origin confusion), and build a fuzzer combining **Web IDL-based grammar generation**, **IPC message mutation**, and two new sanitizers: a **process sanitizer** detecting cross-site renderer reuse and a **leak sanitizer** detecting cross-site data leakage.
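To make the two sanitizers concrete, here is an added toy model, not code from the talk or from the Chrome/Firefox projects. It assumes a constructed event log in which a renderer process either commits a document (`commit`) or receives response data originating from some URL (`data`); the process sanitizer flags a process that commits documents from two different sites, and the leak sanitizer flags data whose source site the receiving process has never committed. The `site_of` helper approximates "site" as scheme plus the last two host labels, which is a simplification (a real check would use the public suffix list).

```python
from urllib.parse import urlsplit


def site_of(url):
    """Approximate the 'site' of a URL as scheme + registrable domain.

    Assumption: the registrable domain is the last two host labels. This is
    wrong for public suffixes such as co.uk; a real implementation would use
    the public suffix list.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    labels = host.split(".")
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    return f"{parts.scheme}://{registrable}"


def run_sanitizers(events):
    """Walk an event log once and apply both sanitizers.

    Returns (process_findings, leak_findings). Each finding is
    (pid, offending_site, sites_already_committed_by_that_pid).
    """
    committed = {}          # pid -> set of sites this renderer has committed
    process_findings = []   # cross-site renderer reuse
    leak_findings = []      # cross-site data delivered to a renderer
    for ev in events:
        pid = ev["pid"]
        sites = committed.setdefault(pid, set())
        if ev["kind"] == "commit":
            site = site_of(ev["url"])
            # Process sanitizer: a renderer that already hosts site X must
            # never commit a document from a different site Y.
            if sites and site not in sites:
                process_findings.append((pid, site, sorted(sites)))
            sites.add(site)
        elif ev["kind"] == "data":
            src = site_of(ev["source_url"])
            # Leak sanitizer: response data must only reach a renderer that
            # is committed to the data's own site.
            if src not in sites:
                leak_findings.append((pid, src, sorted(sites)))
    return process_findings, leak_findings


# Constructed sample log (not captured from any browser).
SAMPLE_EVENTS = [
    {"kind": "commit", "pid": 1, "url": "https://a.example/"},
    {"kind": "commit", "pid": 1, "url": "https://sub.a.example/page"},   # same site: fine
    {"kind": "commit", "pid": 2, "url": "https://b.example/"},
    {"kind": "data",   "pid": 2, "source_url": "https://b.example/api"},  # same site: fine
    {"kind": "data",   "pid": 2, "source_url": "https://a.example/secret"},  # cross-site leak
    {"kind": "commit", "pid": 2, "url": "https://a.example/x"},           # cross-site reuse
]

if __name__ == "__main__":
    proc, leak = run_sanitizers(SAMPLE_EVENTS)
    print("process sanitizer:", proc)
    print("leak sanitizer:", leak)
```

Both sanitizers are pure bookkeeping over process-to-site assignments, which is the point the abstract makes: none of these conditions corrupts memory, so ASan never fires, and a dedicated semantic check is needed to turn a logic bug into a crash the fuzzer can observe.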

AI review

A well-targeted fuzzer for one of the most critical browser security boundaries -- site isolation IPC. The analysis of all 39 known site isolation bypasses into three attack classes (missing checks, circumventable checks, origin confusion) is valuable taxonomy work. The synchronized JavaScript/IPC mutation approach and the two custom sanitizers are technically clean. Finding a Firefox CVE via history.replaceState demonstrates real-world impact. The key insight that these are all semantic bugs invisible to ASan highlights a critical gap in browser security testing.
