Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar (Google Inc.)
2009 IEEE Symposium on Security and Privacy
Outline
• Introduction
• System Architecture
• Implementation
• Experience
• Discussion
• Related Work
Advanced Defense Lab
Introduction
The modern web browser brings together a remarkable combination of resources:
• JavaScript
• Document Object Model (DOM)
• …
It remains handicapped in a critical dimension: computational performance, e.g. for
• Newtonian physics
• High-resolution scene rendering
• …
Web browser extension
• Internet Explorer: ActiveX
• Other browsers: NPAPI
• Both rely on non-technical measures for security (trust in who published the code rather than containment of what the code can do)
System Architecture
(Figure: a server delivers game.nexe to the browser, which loads it with <embed src="game.nexe">; the NaCl module talks to the browser over IMC and runs under the service runtime; storage is also shown.)
System Architecture (cont.)
• “NaCl module” refers to the untrusted native code.
• The service runtime is responsible for ensuring that it only serves requests consistent with the implied contract with the user.
Sandbox
• Native Client is built around an x86-specific intra-process “inner sandbox”.
• An “outer sandbox” mediates system calls at the process boundary.
Inner sandbox
• The inner sandbox creates a security subdomain within a native operating system process.
• It uses static analysis (a validator run over the binary before it executes) to detect security defects.
Runtime Facilities
The “Inter-Module Communications” (IMC) facility allows trusted and untrusted modules to send and receive datagrams with optional “NaCl Resource Descriptors”.
Two higher-level abstractions are built on IMC:
• RPC
• NPAPI
Runtime Facilities (cont.)
The service runtime provides a set of system services:
• e.g. mmap(), malloc()/free()
• A subset of the POSIX threads interface
• To prevent unintended network access, connect()/accept() are omitted.
• Modules access the network via JavaScript instead.
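The IMC slide above describes datagrams that optionally carry resource descriptors, and the runtime slide describes a service set in which the module has no network calls of its own. The following is an added example, not Native Client's IMC code: it models that design with a Unix-domain datagram socket pair and SCM_RIGHTS descriptor passing, so the "untrusted" end can only read a resource it was explicitly handed. All names, the message format and the sample file contents are constructed for the example.

```python
"""Descriptor passing over a datagram channel, in the style of NaCl's IMC.

Added example (not Native Client's implementation). A Unix-domain datagram
socketpair plays the role of the NaCl socket; an open file descriptor plays
the role of a NaCl Resource Descriptor. The untrusted side never opens
anything itself: it only receives capabilities the trusted side chooses to send.
"""
import os
import socket
import tempfile


def make_channel():
    """Trusted/untrusted endpoint pair (AF_UNIX datagrams are reliable and in-order)."""
    return socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)


def send_with_descriptors(sock, payload, fds=()):
    """Send one datagram; descriptors, if any, ride along as SCM_RIGHTS."""
    if fds:
        socket.send_fds(sock, [payload], list(fds))
    else:
        sock.send(payload)


def recv_with_descriptors(sock, maxfds=4):
    """Receive one datagram -> (payload, list of newly created local descriptors)."""
    payload, fds, _flags, _addr = socket.recv_fds(sock, 4096, maxfds)
    return payload, fds


def untrusted_read(sock):
    """Model of the untrusted module: it can only read through descriptors it was given.

    Returns (payload, file contents) or (payload, None) when no descriptor arrived.
    """
    payload, fds = recv_with_descriptors(sock)
    if not fds:
        return payload, None
    with os.fdopen(fds[0], "rb") as handle:   # closes the received descriptor
        return payload, handle.read()


def demo():
    """Trusted side shares one constructed resource, then sends a plain message."""
    trusted, untrusted = make_channel()
    try:
        with tempfile.TemporaryFile("w+b") as resource:      # constructed resource
            resource.write(b"hello from the service runtime")
            resource.seek(0)                                 # shared offset starts at 0
            send_with_descriptors(trusted, b"OPEN resource", [resource.fileno()])
            msg1, data1 = untrusted_read(untrusted)
        # A datagram without a descriptor conveys no capability at all.
        send_with_descriptors(trusted, b"PING")
        msg2, data2 = untrusted_read(untrusted)
    finally:
        trusted.close()
        untrusted.close()
    return msg1, data1, msg2, data2


if __name__ == "__main__":
    print(demo())
```

The point of the model is the direction of authority: the only way the untrusted end acquires a new resource is by the trusted end attaching it to a message, which mirrors how NaCl modules reach storage or the network only through descriptors and JavaScript rather than through their own connect()/accept().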
Implementation – inner sandbox
• The design is limited to explicit control flow.
• This allows for a small trusted code base (TCB):
• Validator: less than 600 C statements
• About 6000 bytes of executable code
Inner sandbox – goals
• Data integrity: uses segment registers (C1)
• Reliable disassembly
• No unsafe instructions
• Control flow integrity
Inner sandbox – constraints
(This slide reproduced the paper's table of constraints C1–C7 that the validator enforces; the constraint numbers on the following slides refer to that table.)
Inner sandbox – disallowed opcodes
• Privileged instructions
• syscall and int
• Instructions that modify x86 segment state, e.g. lds and far calls
• ret: replaced by a sandboxed indirect jump
• The module is padded with hlt instructions so that execution cannot run off the end of valid code (C4)
Inner sandbox – alignment and nacljmp
• 32-byte alignment of instruction bundles prevents jumps into the middle of instructions, where arbitrary x86 machine code could otherwise be found (C5, C7)
• Indirect jumps use the nacljmp pseudo-instruction (C3); the mask clears the low five bits, so the target is always a 32-byte boundary:
    and %eax, 0xffffffe0
    jmp *%eax
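To make the interplay of the constraints concrete, here is an added example (not Google's validator, which is written in C and handles the full instruction set): a toy validator that decodes a handful of x86-32 opcodes by fall-through disassembly and rejects the disallowed opcodes, instructions that straddle a 32-byte bundle, unmasked indirect jumps, direct transfers into the middle of a nacljmp, and calls that do not end on a bundle boundary (the rule the build tools enforce so that return addresses are aligned). The sample modules are constructed byte strings; opcode coverage and error messages are this example's own.

```python
"""Toy validator in the style of the Native Client inner sandbox.

Added example, not Google's validator. Supports only: nop, hlt, ret, int,
syscall, mov $imm32,%eax, and $imm32,%eax, jmp *%eax, jmp rel8/rel32,
call rel32. Direct targets outside the module are treated as invalid
(the real system separately validates transfers into the trampolines).
"""
import struct

BUNDLE = 32              # 32-byte instruction bundles
NACL_MASK = 0xFFFFFFE0   # nacljmp mask: clears the low five bits
DISALLOWED = {"ret", "int", "syscall"}


def decode(code, pc):
    """Decode one instruction at pc -> (length, kind, operand); ValueError if unknown."""
    op = code[pc]
    if op == 0x90:
        return 1, "nop", None
    if op == 0xF4:
        return 1, "hlt", None
    if op == 0xC3:
        return 1, "ret", None
    if op == 0xCD:                                   # int imm8
        return 2, "int", code[pc + 1]
    if op == 0x0F and code[pc + 1] == 0x05:          # syscall
        return 2, "syscall", None
    if op == 0xB8:                                   # mov $imm32, %eax
        return 5, "mov_eax_imm", struct.unpack_from("<I", code, pc + 1)[0]
    if op == 0x25:                                   # and $imm32, %eax
        return 5, "and_eax_imm", struct.unpack_from("<I", code, pc + 1)[0]
    if op == 0xFF and code[pc + 1] == 0xE0:          # jmp *%eax
        return 2, "jmp_eax", None
    if op == 0xEB:                                   # jmp rel8
        return 2, "jmp_rel", pc + 2 + struct.unpack_from("<b", code, pc + 1)[0]
    if op == 0xE9:                                   # jmp rel32
        return 5, "jmp_rel", pc + 5 + struct.unpack_from("<i", code, pc + 1)[0]
    if op == 0xE8:                                   # call rel32
        return 5, "call_rel", pc + 5 + struct.unpack_from("<i", code, pc + 1)[0]
    raise ValueError("unknown opcode 0x%02x" % op)


def validate(code):
    """Return a list of violations; an empty list means the module is accepted."""
    errors, insns, pc = [], [], 0
    while pc < len(code):                            # C6: fall-through disassembly from 0
        try:
            length, kind, operand = decode(code, pc)
        except (ValueError, IndexError) as exc:
            errors.append("%#x: undecodable (%s)" % (pc, exc))
            return errors
        if pc // BUNDLE != (pc + length - 1) // BUNDLE:
            errors.append("%#x: %s overlaps a 32-byte boundary (C5)" % (pc, kind))
        if kind in DISALLOWED:
            errors.append("%#x: disallowed instruction %s" % (pc, kind))
        insns.append((pc, length, kind, operand))
        pc += length
    if len(code) % BUNDLE or not insns or insns[-1][2] != "hlt":
        errors.append("module must be padded to a bundle and end in hlt (C4)")

    # Valid targets are instruction starts. The jmp half of a nacljmp is not a
    # target on its own, so no direct jump can bypass the mask (C3 together with C7).
    targets = {pc for pc, _, _, _ in insns}
    for i, (pc, length, kind, operand) in enumerate(insns):
        if kind == "jmp_eax":
            prev = insns[i - 1] if i else None
            masked = (prev is not None and prev[2] == "and_eax_imm"
                      and prev[3] == NACL_MASK and prev[0] // BUNDLE == pc // BUNDLE)
            if masked:
                targets.discard(pc)
            else:
                errors.append("%#x: indirect jump without nacljmp mask (C3)" % pc)
        elif kind == "call_rel" and (pc + length) % BUNDLE:
            errors.append("%#x: call must end on a bundle boundary" % pc)
    for pc, length, kind, operand in insns:
        if kind in ("jmp_rel", "call_rel") and operand not in targets:
            errors.append("%#x: direct transfer to invalid address %#x (C7)" % (pc, operand))
    return errors


# --- constructed sample modules (assembled by hand, not from a real toolchain) ---
NOP, HLT, JMP_EAX = b"\x90", b"\xf4", b"\xff\xe0"
mov_eax = lambda imm: b"\xb8" + struct.pack("<I", imm)
and_eax = lambda imm: b"\x25" + struct.pack("<I", imm)
jmp_rel8 = lambda rel: b"\xeb" + struct.pack("<b", rel)
call_rel32 = lambda rel: b"\xe8" + struct.pack("<i", rel)

GOOD = b"".join([
    mov_eax(32), and_eax(NACL_MASK), JMP_EAX, NOP * 20,   # bundle 0: nacljmp to bundle 1
    jmp_rel8(0), NOP * 25, call_rel32(0),                 # bundle 1: call ends at offset 64
    HLT * 32,                                             # bundle 2: hlt padding
])
BAD_RET = GOOD[:12] + b"\xc3" + GOOD[13:]                            # a ret among the nops
BAD_UNMASKED = mov_eax(32) + JMP_EAX + NOP * 25 + GOOD[32:]         # jmp *%eax without and
BAD_SPLIT = NOP * 30 + mov_eax(0) + NOP * 29 + GOOD[64:]           # 5-byte insn at offset 30
BAD_TARGET = (jmp_rel8(8) + NOP * 3 + and_eax(NACL_MASK) + JMP_EAX  # jumps past the mask
              + NOP * 20 + GOOD[32:])

if __name__ == "__main__":
    for name, mod in [("GOOD", GOOD), ("BAD_RET", BAD_RET), ("BAD_UNMASKED", BAD_UNMASKED),
                      ("BAD_SPLIT", BAD_SPLIT), ("BAD_TARGET", BAD_TARGET)]:
        print(name, validate(mod) or "ok")
```

The design choice worth noticing is that the validator never executes or simulates the code: every property is a syntactic check over a single linear disassembly, which is what keeps the real validator small enough (under 600 C statements on the implementation slide) to be a credible part of the TCB.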
Exceptions
• Hardware exceptions and external interrupts are not delivered to untrusted code.
• Linux, MacOS, and Windows have incompatible models for delivering them.
• NaCl applies a fail-safe policy to hardware exceptions instead of passing them to the module.
• C++ exceptions, which are implemented in software, are supported.
Memory layout (Figure)
• 0 – 4KB: reserved for the service runtime
• 4KB – 64KB: trampoline / springboard
• from 64KB: text (C2)
• 256MB: size of the module's address space
Trampoline and springboard (Figure)
• Trampolines at 0x1000, 0x1010, 0x1020, … transfer control from untrusted code into the service runtime.
• The springboard transfers control from the service runtime to untrusted code: starting the main thread and starting POSIX threads.
• The region ends at 0xffff.
System call overhead
• Measured getpid system call time: 138 ns
Communication
• IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.
• JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.
Developer tools – building
Modified gcc:
• -falign-functions: functions are 32-byte aligned
• -falign-jumps: jump targets are aligned
• call instructions always appear in the final bytes of a 32-byte block, so return addresses are 32-byte aligned (required because ret is replaced by a masked indirect jump)
• Some further changes permit testing applications by running them on the command line.
Experience
• In this paper, measurements are made without the NaCl outer sandbox.
Experience – SPEC2000 (charts)
• Overall overhead: average 5%
• Breakdown of the overhead due to alignment
• Effect on code size
Experience – Compute/graphics demos
• Earth
• Voronoi
• Life
Experience – Porting effort
H.264 decoder
• Original: 11K lines of C
• Porting effort: 20 lines of C, plus rewriting the Makefile
Experience – Bullet
A physics simulation system:
• Baseline: 36.5 sec
• 32-byte aligned: 36.1 sec
• NaCl: 37.1 sec
Experience – Quake (demo slide)
Discussion
• Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
• Native Client would benefit from more consistent enabling of LDT access across popular x86 operating systems.
Related Work
System request moderation:
• Android: each application runs as a different Linux user
• Xax (Microsoft Research): uses system call interception
Related Work (cont.)
Fault isolation:
• Current CFI techniques build on the seminal work by Wahbe et al.
• CFI provides finer-grained control flow integrity
• Overhead: about 15% for CFI vs. 5% for NaCl
Related Work (cont.)
Trust with authentication:
• ActiveX