Google’s Native Client
A Sandbox for Portable, Untrusted x86 Native Code
Benjamin Harringon
Introduction
• If you were Google…
• Sandbox vs. Virtualization?
What is NaCl?
To succeed where others have failed:
• ActiveX: security rests on trusting the publisher (“Trust me, Microsoft does…”)
• NPAPI: solely for plugins, but just as dangerous
• JavaScript: too slow for compute-heavy work
Why NaCl?
• Support for threads
• Instruction set extensions (SSE)
• Computational performance: Newtonian physics, fluid dynamics
• Reuse of large bodies of existing high-quality native code
• Maximizing work distractions
How Native Client rolls:
• Binaries are subject to validation before they are allowed to run
• Validated binaries are constrained: confined address space, no direct system calls
• Communication is validated by the receiver
• Inner sandbox reinforced by an outer sandbox
Pillars of Native Client
• Software Fault Isolation
• Secure Runtime
• Open Architecture
Software Fault Isolation
• Modified compilation tool chain emits code the validator will accept
• Static analyzer (the validator) runs over the binary before it is loaded
• Validator must address:
  • Data integrity: loads and stores stay inside the module’s segment
  • Reliable disassembly: every reachable instruction is seen by linear fall-through disassembly from the start
  • No unsafe instructions: no system calls, no ret, no changes to segment registers
  • Control flow integrity: every branch lands on an instruction the validator has seen
Software Fault Isolation: Control Flow Integrity
• Indirect branches must be encoded as the two-instruction sequence
    and %eax, 0xffffffe0
    jmp *%eax
• Guarantees that the target is 32-byte aligned, i.e. the start of a 32-byte bundle; since no instruction may straddle a bundle boundary and the and/jmp pair must sit in one bundle, the jump can never land mid-instruction or skip the mask
• Works because of the restriction to the zero-based segment: clearing the low bits cannot produce an address outside the module’s code
• Very efficient enforcement of control-flow integrity: two instructions per indirect branch, no runtime lookup
SFI: No Exceptions for you.
• Hardware exceptions are not handled by the module:
  • Segmentation faults
  • Floating point exceptions
• External interrupts are not delivered to the module
• Any of these terminates the module. Crash and burn, baby!
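As an added example (not the slides’ or Google’s code), the validator rules from the two SFI slides above, checked on constructed byte strings: linear fall-through disassembly, no instruction crossing a 32-byte boundary, no forbidden instructions, every `jmp *%eax`/`call *%eax` immediately preceded by the `and $0xffffffe0` mask in the same bundle, and every direct jump targeting an instruction start. The opcode table in `decode()`, the `_pad` helper and the `SAMPLES` byte strings are hypothetical simplifications chosen for this illustration; the real validator covers all of x86-32, and `hlt` is accepted because executing it only terminates the module.

```python
"""Toy validator for the Native Client inner-sandbox rules (added example).

Knows only a hand-picked subset of 32-bit x86 (constructed opcode table) so
the bundle, masking, forbidden-instruction and jump-target rules can be run
on short byte strings without a real disassembler.
"""

BUNDLE = 32                                        # NaCl alignment unit
MASK = bytes([0x83, 0xE0, 0xE0])                   # and %eax, 0xffffffe0
INDIRECT = {0xE0: "jmp *%eax", 0xD0: "call *%eax"}  # ff /4, ff /2 on %eax
FORBIDDEN = {"ret", "int"}                         # unmasked return, interrupt


def decode(code, off):
    """Return (mnemonic, length, direct_target) for the instruction at off.

    direct_target is the absolute destination of a direct jump, else None.
    Unknown opcodes raise ValueError: anything the validator cannot classify
    as safe is rejected.
    """
    b = code[off]
    if b == 0x90:
        return "nop", 1, None
    if b == 0xF4:                                  # hlt: allowed, just kills the module
        return "hlt", 1, None
    if b == 0xC3:
        return "ret", 1, None
    if b == 0xCD:                                  # int imm8 (syscall attempt)
        return "int", 2, None
    if b == 0xB8:                                  # mov imm32, %eax
        return "mov", 5, None
    if 0x50 <= b <= 0x5F:                          # push/pop reg
        return "push/pop", 1, None
    if b == 0xEB:                                  # jmp rel8, signed displacement
        disp = code[off + 1]
        disp = disp - 256 if disp >= 128 else disp
        return "jmp rel8", 2, off + 2 + disp
    if code[off:off + 3] == MASK:
        return "mask", 3, None
    if b == 0xFF and code[off + 1] in INDIRECT:
        return INDIRECT[code[off + 1]], 2, None
    raise ValueError("unknown opcode 0x%02x" % b)


def validate(code):
    """Return the list of rule violations; an empty list means the text is accepted."""
    errors, starts, direct = [], set(), []
    prev = None                                    # (offset, mnemonic) just decoded
    if len(code) % BUNDLE:
        errors.append("text length %d is not a multiple of %d" % (len(code), BUNDLE))
    off = 0
    while off < len(code):                         # linear fall-through disassembly
        try:
            mnem, n, target = decode(code, off)
        except (ValueError, IndexError) as e:
            errors.append("undecodable at 0x%x: %s" % (off, e))
            break
        end = off + n
        if end > len(code):
            errors.append("instruction at 0x%x runs past end of text" % off)
            break
        if off // BUNDLE != (end - 1) // BUNDLE:
            errors.append("%s at 0x%x crosses a %d-byte boundary" % (mnem, off, BUNDLE))
        if mnem in FORBIDDEN:
            errors.append("forbidden instruction %s at 0x%x" % (mnem, off))
        if mnem in INDIRECT.values():
            # The and/jmp pair is one pseudo-instruction: mask immediately before,
            # and in the same bundle, so no aligned target can land between them.
            masked = (prev is not None and prev[1] == "mask"
                      and prev[0] // BUNDLE == off // BUNDLE)
            if not masked:
                errors.append("%s at 0x%x is not preceded by the mask in the same bundle"
                              % (mnem, off))
        if target is not None:
            direct.append((off, target))
        starts.add(off)
        prev = (off, mnem)
        off = end
    for src, target in direct:                     # checked once all starts are known
        if target not in starts:
            errors.append("direct jump at 0x%x targets 0x%x, not an instruction start"
                          % (src, target))
    return errors


def _pad(body):
    """Constructed helper: pad a fragment with hlt up to the next bundle boundary."""
    return body + bytes([0xF4]) * ((-len(body)) % BUNDLE)


SAMPLES = {  # constructed inputs
    "ok_nacljmp": _pad(bytes([0xB8, 0x00, 0x00, 0x02, 0x00]) + MASK + bytes([0xFF, 0xE0])),
    "ok_direct": _pad(bytes([0xEB, 0x05, 0xB8, 0, 0, 0, 0])),      # jumps over the mov to hlt at 7
    "bad_unmasked": _pad(bytes([0xFF, 0xE0])),                     # jmp *%eax with no mask
    "bad_straddle": _pad(bytes([0x90]) * 29 + MASK + bytes([0xFF, 0xE0])),  # mask in bundle 0, jmp at 32
    "bad_ret": _pad(bytes([0xC3])),                                # ret is an unmasked indirect jump
    "bad_midjump": _pad(bytes([0xEB, 0x02, 0xB8, 0, 0, 0, 0])),    # lands inside the mov immediate
}


def report():
    """Validate every sample; returns {name: list of violations}."""
    return {name: validate(code) for name, code in SAMPLES.items()}


if __name__ == "__main__":
    for name, errs in report().items():
        print(name, "OK" if not errs else errs)
```

The straddle sample is the interesting one: both instructions are individually legal and neither crosses a boundary, but because the mask ends at offset 31 and the jump starts at 32, a masked branch could land on offset 32 and run the `jmp *%eax` with an unmasked register, which is exactly why the pair must live in one bundle.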
Service Runtime
• Implements enforcement of the inner sandbox
• Module lives in a segment-isolated 256 MB address space
• First 64 KB reserved for initialization:
  • First 4 KB read- and write-protected (catches NULL pointer dereferences)
  • Remaining 60 KB for trampolines and the springboard
• Trampoline and springboard code is trusted and contains instructions forbidden to the module (e.g. the far jumps that change segment registers)
Service Runtime
• Trampolines: for jumping out
  • Go to the trusted service handlers
  • Disable the inner sandbox (reset the segment registers)
  • Then load %esp with the trusted stack
• Springboards: for jumping in
  • Return from a service call, start a new thread, or start the main thread
Service Runtime
• Communication via NaCl sockets
• SRPC abstraction on top of them
  • Supports ints, floats and chars
  • Pointers not supported: a module cannot hand trusted code an address to dereference
• NPAPI also used for browser interaction
• Subject to change
Developer Tools
• Modification to existing tool chains
• Relatively simple (about 1000 lines changed in gcc)
• Includes a simple profiling framework
• Call trace with embedded outputs
Performance
• Compute/graphics: near native
• H.264 decoder: check
• Quake: no problem
• Ideal workload: high compute, low message passing
Open Source
“we’ll publish the source code, you’ll find flaws. The winner gets $0x2000 USD.”
SkyNet sends a Mark Dowd Unit …from the future!
• X-Force research engineer at IBM Internet Security Systems
• Winner of the Google Native Client security contest, along with partner Ben Hawkes
• Found a way to execute arbitrary code in user mode
• “...it will be deployed on the Internet in a secure fashion.”
• He’s a robot from the future!
Conclusion
• x86 code runs securely at near-native speed
• Portable across OSes and browsers
• Robust inner sandbox, with an outer sandbox behind it
• Porting is relatively easy
• Open source: OK’d by robots from the future
• Now we can play Quake at work.