1 / 21

Google’s Native Client

Google’s Native Client. A Sandbox for Portable, Untrusted x86 Native Code Benjamin Harringon. Introduction. If you were Google… Sandbox vs. Virtualization?. What is NaCl?. To succeed where others have failed: ActiveX Trust me, Microsoft does… NPAPI

koren
Download Presentation

Google’s Native Client

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Google’s Native Client A Sandbox for Portable, Untrusted x86 Native Code Benjamin Harringon

  2. Introduction • If you were Google… • Sandbox vs. Virtualization?

  3. What is NaCl? To succeed where others have failed: • ActiveX • Trust me, Microsoft does… • NPAPI • Solely for plugins, but just as dangerous • JavaScript • Too slow

  4. Why NaCl? • Support for threads • Instruction set extensions (SSE) • Computational performance • Newtonian physics, Fluid dynamics • Large bodies of high quality code • Maximizing work distractions

  5. Quake Break!

  6. Usage Example

  7. How Native Client rolls: • Binaries are subject to validation • Validated Binaries are constrained • Communication is receiver validated • Inner sandbox reinforced by Outer sandbox

  8. Pillars of Native Client • Software Fault Isolation • Secure Runtime • Open Architecture

  9. Software Fault Isolation • Modified compilation tool chain • Static analyzer • Validator must address: • Data Integrity • Reliable Disassembly • No Unsafe instructions • Control flow integrity

  10. SFI – The Rules of the Game

  11. Software Fault Isolation Control Flow Integrity • Indirect branches must be encoded as and %eax, 0xffffffe0 jmp *%eax • Guarantees that target is 32-byte aligned • Works because of restriction to the zero-based segment • Very efficient enforcement of control-flow integrity

  12. SFI – No Exceptions for you. • Hardware Exceptions not allowed • Segmentation faults • Floating point exceptions • External interrupts are not allowed Crash and burn baby!

  13. Server Runtime • Implements enforcement of inner sandbox • Segment Isolated 256 MB • First 64 KB reserved for initialization • First 4 KB read/write protected • Remaining 60 KB for Trampoline and Springboard • Trusted • Contains forbidden instructions

  14. Server Runtime • Trampolines • For jumping out • Go to the trusted service handlers • Disable the inner sandbox • Then load %esp with the trusted stack • Springboards • For jumping in • Or starting a new thread • Or start the main thread

  15. Server Runtime • Communication via NaCl socket • SRPC abstraction • Supports ints, floats and char • Pointers not supported • NPAPI also used • Subject to change

  16. Developer Tools • Modification to existing tool chains • Relatively simple (1000 lines to gcc) • Includes simple profiling framework • Call trace with embedded outputs

  17. Performance • Compute/Graphics • Better and good? • H.264 Decoder • Check • Quake • No problem • High compute/low message passing ideal

  18. Open Source “we’ll publish the source code, you’ll find flaws. The winner gets $0x2000 USD.”

  19. SkyNet sends a Mark Dawd Unit …from the future! X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes Found a way to execute arbitrary code in user mode. “...it will be deployed on the Internet in a secure fashion.“ He’s a robot from the future!

  20. Conclusion • X86 code run securely at near native speed • Portable across O.S. and Browsers • Robust inner sandbox, with outer sandbox • Porting is relatively easy • Open source – OK’d by robots from the future • Now we can play Quake at work.

  21. Questions?

More Related