Presentation is loading. Please wait.

Presentation is loading. Please wait.

Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Published byJordan Garrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Native Client: A Sandbox for Portable, Untrusted x86 Native Code"— Presentation transcript:

1 Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Yan Qiang,

2 Conference & Authors S&P 09’ Google Inc Best paper award
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Best paper award

3 Outline We can now safely run native applications in the web browser!
System design and implementation Experience report Ambition of Google

4 Everyone uses the web browser
Browser is the most important tool to get the information in modern society. Restricted environment for safety purpose. Interpreter-based sandbox Slow Native plug-ins for extra performance or functionality requirements. Fast, versatile Trust-based protection but not safe

5 Native code == unsafe? “No fundamental reason why native code should be unsafe” Traditional difficulties: The problem of deciding the outcome of arbitrary native code with executing it is undecidable. Many unexpected side effects during code execution. Exception, interrupt, racing condition, I/O. But a safe and efficient isolated environment can be created for restricted native code.

6 Threat model Achieve comparable safety to accepted systems such as JavaScript. Input: arbitrary code and data support multi-threading, inter-module communication Restrictions (Obligations): No code page writing: No self-modification code, No JIT No direct system call: No I/O No hardware exception/interrupt: failsafe No ambiguous indirect control flow transfer Isolated direct memory access

7 Obey me or die Check by static analysis
Binary code satisfies the obligations Check by static analysis Native Client (NaCl) Binary code does not satisfy the obligations

8 Microkernel-based architecture
Untrusted native code runs in its own private address space created by X86 segment registers (%cs, %ds, %gs, %fs, %ss). Each NaCl module runs as a separated process. All dangerous interfaces are forbidden or monitored by the sandbox (including the instructions modifying the segment registers).

9 Obligations for control flow transfer

10 Security properties under obligations
A static code analysis will ensure: Data integrity All memory addresses are within the sandbox Otherwise, a segmentation fault given (%cs, %ds,… are set) Reliable disassembly All possible jump targets are known (mandatory 32byte alignment for all jump instructions) No unsafe instructions Disassembler is reliable Control flow integrity Same reason for reliable disassembly

11 Load a NaCl module 64KB Memory address:
Verify the module code according to the obligations. Load control code block into memory (including system call trampolines, thread context data). Load the module code and data into memory. Set the segment registers to establish a private memory space (64KB afterwards, 64KB is the zero offset). Transfer the control to the module code. Control Code Block 64KB Module Code and Data User far call to access system call trampolines. (call the routine out of current memory segmentation) All far calls are under control

12 Applications, tools, and availability
Allow developer to choose any language in the browser (not just JavaScript). Allow simple, computationally intensive extensions for web applications Binary-level sandbox without a trusted compiler Tools: GCC tool chain on Ubuntu Linux, MacOS, Windows XP Availability: open source, part of Chrome

13 Easier than you imagine
Ported programs mentioned: SPEC CPU 2000 benchmarks Some graphics computation demo H.264 video decoder Physics simulation system FPS game (Quake)

14 Insignificant performance overhead
Max space overhead is 57.5% code size increment for gcc in SPEC CPU 2000. Mandatory alignment for jump targets impacts the instruction cache and increases the code size (more significant if compared to dynamic linked executables).

15 Kill Bill Operating system runs native code
=> Web browser runs native code Browser plug-in runs native code

16 Company involved open source software is reshaping IT world
Does It seem too good to be true?

Download ppt "Native Client: A Sandbox for Portable, Untrusted x86 Native Code"

Similar presentations

Categories of I/O Devices

Categories of I/O Devices
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.

Secure In-VM Monitoring Using Hardware Virtualization Monirul Sharif, Wenke Lee, Weidong Cui, and Andrea Lanzi Presented by Tyler Bletsch.
Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.

Ensuring Operating System Kernel Integrity with OSck By Owen S. Hofmann Alan M. Dunn Sangman Kim Indrajit Roy Emmett Witchel Kent State University College.
Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.

Extensibility, Safety and Performance in the SPIN Operating System Presented by Allen Kerr.
Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.

Secure web browsers, malicious hardware, and hardware support for binary translation Sam King.
Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.

Extensibility, Safety and Performance in the SPIN Operating System Brian Bershad, Stefan Savage, Przemyslaw Pardyak, Emin Gun Sirer, David Becker, Marc.
Introduction to Operating Systems CS-2301 B-term 20081 Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.

Introduction to Operating Systems CS-2301 B-term Introduction to Operating Systems CS-2301, System Programming for Non-majors (Slides include materials.
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. 2009.

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc
OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.

OmniVM Efficient and Language- Independent Mobile Programs Ali-Reza Adl-Tabatabai, Geoff Langdale, Steven Lucco and Robert Wahbe from Carnegie Mellon University.
Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,

Operating System Structure. Announcements Make sure you are registered for CS 415 First CS 415 project is up –Initial design documents due next Friday,
Embedded Real-time Systems The Linux kernel. The Operating System Kernel Resident in memory, privileged mode System calls offer general purpose services.

Embedded Real-time Systems The Linux kernel. The Operating System Kernel Resident in memory, privileged mode System calls offer general purpose services.
Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.

Slide 3-1 Copyright © 2004 Pearson Education, Inc. Operating Systems: A Modern Perspective, Chapter 3 Operating System Organization.
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.

Session-02. Objective In this session you will learn : What is Class Loader ? What is Byte Code Verifier? JIT & JAVA API Features of Java Java Environment.
Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.

Efficient Software-Based Fault Isolation—sandboxing Presented by Carl Yao.
Input / Output CS 537 – Introduction to Operating Systems.

Input / Output CS 537 – Introduction to Operating Systems.
Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?

Stack Management Each process/thread has two stacks  Kernel stack  User stack Stack pointer changes when exiting/entering the kernel Q: Why is this necessary?
Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,

Previous Next 06/18/2000Shanghai Jiaotong Univ. Computer Science & Engineering Dept. C+J Software Architecture Shanghai Jiaotong University Author: Lu,
A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,

A genda for Today What is memory management Source code to execution Address binding Logical and physical address spaces Dynamic loading, dynamic linking,

Similar presentations

Ads by Google