Google’s Native Client
A Sandbox for Portable, Untrusted x86 Native Code
Benjamin Harringon
Introduction
• If you were Google…
• Sandbox vs. Virtualization?
What is NaCl?
To succeed where others have failed:
• ActiveX
  – Trust me, Microsoft does…
• NPAPI
  – Solely for plugins, but just as dangerous
• JavaScript
  – Too slow
Why NaCl?
• Support for threads
• Instruction set extensions (SSE)
• Computational performance
  – Newtonian physics, fluid dynamics
• Large bodies of high quality code
  – Maximizing work distractions
Quake Break!
Usage Example
How Native Client rolls:
• Binaries are subject to validation
• Validated Binaries are constrained
• Communication is receiver validated
• Inner sandbox reinforced by Outer sandbox
Pillars of Native Client
• Software Fault Isolation
• Secure Runtime
• Open Architecture
Software Fault Isolation
• Modified compilation tool chain
• Static analyzer
• Validator must address:
  – Data integrity
  – Reliable disassembly
  – No unsafe instructions
  – Control flow integrity
SFI – The Rules of the Game
Software Fault Isolation
Control Flow Integrity
• Indirect branches must be encoded as
    and $0xffffffe0, %eax
    jmp *%eax
  – Guarantees that the target is 32-byte aligned
  – Works because of the restriction to the zero-based segment
  – Very efficient enforcement of control-flow integrity
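The validator rules on these slides (reliable disassembly, no unsafe instructions, and the and-mask/indirect-jump pair for control-flow integrity) can be modelled in a few dozen lines. The following is an added example, not Google's validator: it works on a simplified, constructed instruction list rather than real x86 machine code, and the mnemonics, operand encoding and the set of "unsafe" instructions are assumptions chosen for illustration.

```python
"""Toy model of the Native Client inner-sandbox validator rules.

Constructed example: instructions are (addr, size, mnemonic, operands)
records, not decoded x86 bytes.  The UNSAFE set and the mnemonics are
illustrative assumptions, not NaCl's real tables.
"""
from dataclasses import dataclass
from typing import List, Tuple

BUNDLE = 32               # 32-byte alignment unit from the slides
ALIGN_MASK = 0xFFFFFFE0   # the guard `and` clears the low 5 bits
SEGMENT_SIZE = 256 << 20  # 256 MB zero-based segment from the slides

# Assumed set of instructions the toy validator refuses outright: anything
# that could leave the sandbox or change segment state.
UNSAFE = {"int", "syscall", "sysenter", "lgdt", "mov_seg"}


@dataclass
class Insn:
    addr: int              # offset of the instruction in the text segment
    size: int              # encoded length in bytes
    mnem: str              # "nop", "and", "jmp_ind", "jmp", "call", "int", ...
    ops: Tuple = ()        # ("eax", ALIGN_MASK) / ("eax",) / (target_addr,)


def validate(text: List[Insn]) -> List[str]:
    """Return a list of rule violations; an empty list means accepted."""
    errors: List[str] = []
    starts = {i.addr for i in text}
    expected = text[0].addr if text else 0
    for idx, insn in enumerate(text):
        end = insn.addr + insn.size
        # Reliable disassembly: decoding falls straight through with no gaps
        # or overlaps, and no instruction straddles a 32-byte bundle boundary.
        if insn.addr != expected:
            errors.append(f"{insn.addr:#x}: gap or overlap in instruction stream")
        expected = end
        if insn.addr // BUNDLE != (end - 1) // BUNDLE:
            errors.append(f"{insn.addr:#x}: {insn.mnem} straddles a bundle boundary")
        # The mask only fixes alignment; the zero-based segment bounds the range.
        if end > SEGMENT_SIZE:
            errors.append(f"{insn.addr:#x}: instruction outside the 256 MB segment")
        if insn.mnem in UNSAFE:
            errors.append(f"{insn.addr:#x}: unsafe instruction {insn.mnem}")
        # Direct branches must land on an instruction start inside the text.
        if insn.mnem in ("jmp", "call"):
            target = insn.ops[0]
            if target not in starts:
                errors.append(f"{insn.addr:#x}: {insn.mnem} to {target:#x} "
                              "is not an instruction start")
        # Indirect branches must be the pseudo-instruction
        #     and $0xffffffe0, %reg ; jmp *%reg
        # with both halves in the same bundle, so no jump can skip the `and`.
        if insn.mnem == "jmp_ind":
            reg = insn.ops[0]
            prev = text[idx - 1] if idx > 0 else None
            guarded = (prev is not None and prev.mnem == "and"
                       and prev.ops == (reg, ALIGN_MASK)
                       and prev.addr // BUNDLE == insn.addr // BUNDLE)
            if not guarded:
                errors.append(f"{insn.addr:#x}: jmp *%{reg} not guarded by "
                              "an and-mask in the same bundle")
    return errors


def masked_target(value: int) -> int:
    """What the guard `and` leaves in the register: a 32-byte-aligned address."""
    return value & ALIGN_MASK


def aligned_addrs_are_insn_starts(text: List[Insn]) -> bool:
    """With no straddling and no gaps, every bundle boundary covered by the
    text is an instruction start; that is why masking alone is sufficient."""
    starts = {i.addr for i in text}
    lo, hi = text[0].addr, text[-1].addr + text[-1].size
    first = (lo + BUNDLE - 1) // BUNDLE * BUNDLE
    return all(a in starts for a in range(first, hi, BUNDLE))


# Constructed sample programs (sizes mirror real x86 encodings for and/jmp).
GOOD = [
    Insn(0x00, 1, "nop"),
    Insn(0x01, 3, "and", ("eax", ALIGN_MASK)),
    Insn(0x04, 2, "jmp_ind", ("eax",)),
    *[Insn(a, 1, "nop") for a in range(0x06, 0x20)],   # pad to next bundle
    Insn(0x20, 5, "jmp", (0x00,)),
]
BAD_UNGUARDED = [Insn(0x00, 1, "nop"), Insn(0x01, 2, "jmp_ind", ("eax",))]
BAD_STRADDLE = [
    *[Insn(a, 1, "nop") for a in range(0x00, 0x1D)],
    Insn(0x1D, 3, "and", ("eax", ALIGN_MASK)),          # ends bundle 0
    Insn(0x20, 2, "jmp_ind", ("eax",)),                 # starts bundle 1
]
BAD_UNSAFE = [Insn(0x00, 2, "int", (0x80,))]
BAD_MIDJUMP = [
    Insn(0x00, 3, "and", ("eax", ALIGN_MASK)),
    Insn(0x03, 2, "jmp_ind", ("eax",)),
    Insn(0x05, 5, "jmp", (0x01,)),                      # lands inside the and
]

if __name__ == "__main__":
    for name, prog in [("GOOD", GOOD), ("BAD_UNGUARDED", BAD_UNGUARDED),
                       ("BAD_STRADDLE", BAD_STRADDLE), ("BAD_UNSAFE", BAD_UNSAFE),
                       ("BAD_MIDJUMP", BAD_MIDJUMP)]:
        print(name, validate(prog) or "accepted")
```

The straddle case is the instructive one: each half of the and/jmp pair is a legal instruction on its own, but split across a bundle boundary the `jmp *%eax` would itself be a 32-byte-aligned target, so a masked indirect jump could land on it without passing through the `and`. Keeping the pair inside one bundle closes that path.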
SFI – No Exceptions for you.
• Hardware exceptions not allowed
  – Segmentation faults
  – Floating point exceptions
• External interrupts are not allowed
Crash and burn baby!
Server Runtime
• Implements enforcement of inner sandbox
  – Segment isolated 256 MB
  – First 64 KB reserved for initialization
    • First 4 KB read/write protected
    • Remaining 60 KB for trampoline and springboard
• Trusted
  – Contains forbidden instructions
Server Runtime
• Trampolines
  – For jumping out
    • Go to the trusted service handlers
    • Disable the inner sandbox
    • Then load %esp with the trusted stack
• Springboards
  – For jumping in
    • Or starting a new thread
    • Or starting the main thread
Server Runtime
• Communication via NaCl socket
• SRPC abstraction
  – Supports ints, floats and char
  – Pointers not supported
• NPAPI also used
  – Subject to change
Developer Tools
• Modification to existing tool chains– Relatively simple (1000 lines to gcc)
• Includes simple profiling framework– Call trace with embedded outputs
Performance
• Compute/Graphics– Better and good?
• H.264 Decoder– Check
• Quake– No problem
• High compute/low message passing ideal
Open Source
“we’ll publish the source code, you’ll find flaws. The winner gets $0x2000 USD.”
SkyNet sends a Mark Dowd Unit …from the future!
• X-Force research engineer at IBM Internet Security Systems and winner of the Google Native Client security contest along with partner Ben Hawkes
• Found a way to execute arbitrary code in user mode.
• “...it will be deployed on the Internet in a secure fashion.”
• He’s a robot from the future!
Conclusion
• x86 code run securely at near native speed
• Portable across OSes and browsers
• Robust inner sandbox, with outer sandbox
• Porting is relatively easy
• Open source – OK’d by robots from the future
• Now we can play Quake at work.
Questions?