Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar
Google Inc. 2009 IEEE Symposium on Security and Privacy
Advanced Defense Lab
2
OUTLINE
Introduction
System Architecture
Implementation
Experience
Discussion
Related Work
INTRODUCTION
The modern web browser brings together a remarkable combination of resources: JavaScript, the Document Object Model (DOM), …
It remains handicapped in a critical dimension: computational performance, e.g. for Newtonian physics, high-resolution scene rendering, …
WEB BROWSER EXTENSION
Internet Explorer: ActiveX
Other browsers: NPAPI
Both rely on non-technical measures for security
SYSTEM ARCHITECTURE
[Figure: system architecture diagram. Components: a web page with <embed src="game.nexe">, the game.nexe module, the service runtime, IMC, the browser, and a storage server.]
SYSTEM ARCHITECTURE (CONT.)
Use “NaCl module” to refer to untrusted native code
The service is responsible for ensuring that it only services requests consistent with the implied contract with the user.
SANDBOX
Native Client is built around an x86-specific intra-process “inner sandbox”
An “outer sandbox” mediates system calls at the process boundary.
INNER SANDBOX
Use static analysis to detect security defects
The inner sandbox is used to create a security subdomain within a native operating system process.
RUNTIME FACILITIES
The “Inter-Module Communications (IMC)” facility allows trusted and untrusted modules to send/receive datagrams with optional “NaCl Resource Descriptors.”
Two higher-level abstractions: RPC and NPAPI
RUNTIME FACILITIES (CONT.)
The service runtime provides a set of system services, e.g. mmap(), malloc()/free(), and a subset of the POSIX threads interface.
To prevent unintended network access, connect()/accept() are omitted. Modules can access the network only via JavaScript.
IMPLEMENTATION – INNER SANDBOX
The design is limited to explicit control flow.
This allows for a small trusted code base (TCB).
Validator: fewer than 600 C statements, about 6000 bytes of executable code
INNER SANDBOX - GOAL
Data integrity: use segment registers (C1)
Reliable disassembly
No unsafe instructions
Control flow integrity
INNER SANDBOX - CONSTRAINT
INNER SANDBOX
Disallowed opcodes:
Privileged instructions
syscall and int
Instructions that modify x86 segment state: lds, far calls
ret (replaced by an indirect jump)
Use hlt to terminate the module (C4)
INNER SANDBOX
Use 32-byte alignment so that control transfers cannot land on arbitrary x86 machine code (C5, C7)
Use nacljmp for indirect jumps (C3):
    and %eax, 0xffffffe0
    jmp *%eax
EXCEPTIONS
Hardware exceptions and external interrupts are not allowed, because of the incompatible exception models in Linux, MacOS, and Windows.
NaCl applies a failsafe policy to exceptions.
But NaCl supports C++ exceptions.
[Figure: module address-space layout, labelled with a service runtime region (4KB, 64KB marks), a trampoline / springboard area for the service runtime, the text region (C2), and a 256MB extent.]
TRAMPOLINE AND SPRINGBOARD
[Figure: trampoline entries at 0x1000, 0x1010, 0x1020, ... up to 0xffff lead into the service runtime; the springboard transfers to untrusted code, used for POSIX thread creation and to start the main thread.]
SYSTEM CALL OVERHEAD
The getpid syscall time is 138 ns.
Platform                                              "null" service runtime call time (ns)
Linux, Ubuntu 6.06, Intel Core 2 6600, 2.4 GHz        156
Mac OS X 10.5, Intel Xeon E5462, 2.8 GHz              148
Windows XP, Intel Core 2 Q6600, 2.4 GHz               123
COMMUNICATION
IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.
JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.
COMMUNICATION (CONT.)
DEVELOPER TOOLS - BUILDING
Modified gcc:
-falign-functions: functions 32-byte aligned
-falign-jumps: jump targets aligned
Ensure call instructions always end in the final byte of a 32-byte block (for the springboard)
Making some changes permits testing applications by running them on the command line.
EXPERIENCE
In this paper, measurements are made without the NaCl outer sandbox.
EXPERIENCE – SPEC2000
Average overhead: 5%
EXPERIENCE – SPEC2000
About the alignment
EXPERIENCE – SPEC2000
About code size
EXPERIENCE – COMPUTE/GRAPHICS
Earth, Voronoi, Life
EXPERIENCE –PORTING EFFORT
H.264 decoder, original: 11K lines of C
Porting effort: 20 lines of C and rewriting the Makefile
EXPERIENCE –BULLET
A physics simulation system.
Baseline: 36.5 sec
32-byte aligned: 36.1 sec
NaCl: 37.1 sec
EXPERIENCE –QUAKE
DISCUSSION
Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
Native Client would benefit from more consistent enabling of LDT access across popular x86 operating systems.
RELATED WORK
System request moderation:
Android: each application is run as a different Linux user
Xax (Microsoft Research): uses system call interception
RELATED WORK (CONT.)
Fault isolation: the current CFI technique builds on the seminal work by Wahbe et al.
CFI provides finer-grained control flow integrity.
Overhead: 15% vs. 5% for NaCl
RELATED WORK (CONT.)
Trust with authentication: ActiveX