Google's Native Client

Google’s Native Client
A Sandbox for Portable,
Untrusted x86 Native
Code
Benjamin Harringon
Introduction
• If you were Google…
• Sandbox vs. Virtualization?
What is NaCl?
To succeed where others have failed:
• ActiveX
– Trust me, Microsoft does…
• NPAPI
– Solely for plugins, but just as dangerous
• JavaScript
– Too slow
Why NaCl?
• Support for threads
• Instruction set extensions (SSE)
• Computational performance
– Newtonian physics, Fluid dynamics
• Large bodies of high quality code
– Maximizing work distractions
Quake Break!
Usage Example
How Native Client rolls:
• Binaries are subject to validation before they run
• Validated binaries are constrained at run time
• Communication is receiver-validated
• Inner sandbox reinforced by an outer sandbox
Pillars of Native Client
• Software Fault Isolation
• Secure Runtime
• Open Architecture
Software Fault Isolation
• Modified compilation tool chain (emits code the validator will accept)
• Static validator run on the binary at load time
• Validator must address:
– Data integrity (no memory access outside the sandbox)
– Reliable disassembly (every reachable instruction is seen by the validator)
– No unsafe instructions (syscalls, ret, segment register changes, …)
– Control flow integrity (branches only to validated targets)
SFI – The Rules of the Game
Software Fault Isolation
Control Flow Integrity
• Indirect branches must be encoded as the two-instruction
  sequence (the “nacljmp” pseudo-instruction)
and $0xffffffe0, %eax
jmp *%eax
– Clearing the low five bits guarantees the target is 32-byte aligned
– Works because the module runs in a zero-based segment: the hardware
  segment limit keeps the target inside the sandbox, and the mask keeps
  it on a bundle boundary, so no compare or lookup table is needed
– The mask and the jump may not be split by a 32-byte boundary, so no
  branch can reach the jmp without first executing the mask
– Very efficient enforcement of control-flow integrity
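The validator rules and the nacljmp pseudo-instruction above, as an added example that is not Google's code: a toy NaCl-style validator in C that handles a handful of x86-32 instructions (nop, hlt, ret, mov $imm,%eax, and $imm,%eax, jmp rel8, jmp/call *%eax). It performs fall-through disassembly, rejects any instruction that crosses a 32-byte bundle, rejects forbidden instructions, requires every indirect branch to be immediately preceded by the 0xffffffe0 mask inside the same bundle, and checks that direct branches land on an instruction start. The opcode subset, the 4 KB size limit, the function names (validate, accepts, sample_*) and the sample modules are assumptions made for this example; real NaCl decodes all of x86 and forbids far more instructions.

```c
/* Added example (not Google's code): a toy NaCl-style validator that applies the
 * rules above to a tiny x86-32 subset. Opcode subset, limits and samples are assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUNDLE   32     /* indirect-branch targets must be 32-byte aligned */
#define MAX_CODE 4096   /* toy limit on module size */
enum kind { K_NORMAL, K_MASK, K_INDIRECT, K_DIRECT, K_FORBIDDEN };

/* Decode one instruction at p (`left` bytes available); returns length, 0 = outside our subset. */
static size_t decode(const uint8_t *p, size_t left, enum kind *k, int32_t *rel)
{
    *k = K_NORMAL; *rel = 0;
    if (left == 0) return 0;
    switch (p[0]) {
    case 0x90: return 1;                                    /* nop */
    case 0xf4: return 1;                                    /* hlt (padding) */
    case 0xc3: *k = K_FORBIDDEN; return 1;                  /* ret: never allowed in a module */
    case 0xb8: return left < 5 ? 0 : 5;                     /* mov $imm32, %eax */
    case 0x25:                                              /* and $imm32, %eax */
        if (left < 5) return 0;
        if (p[1] == 0xe0 && p[2] == 0xff && p[3] == 0xff && p[4] == 0xff) *k = K_MASK; /* nacljmp, part 1 */
        return 5;
    case 0xeb:                                              /* jmp rel8 */
        if (left < 2) return 0;
        *k = K_DIRECT; *rel = (int8_t)p[1]; return 2;
    case 0xff:                                              /* jmp *%eax (ff e0), call *%eax (ff d0) */
        if (left < 2 || (p[1] != 0xe0 && p[1] != 0xd0)) return 0;
        *k = K_INDIRECT; return 2;
    default: return 0;
    }
}

/* Validate n bytes of untrusted text loaded at sandbox address 0: 1 = accept, 0 = reject (*why). */
int validate(const uint8_t *code, size_t n, const char **why)
{
    static uint8_t is_start[MAX_CODE], no_target[MAX_CODE];
    static int64_t targets[MAX_CODE];
    size_t ntargets = 0, off = 0, prev_off = 0;
    enum kind prev = K_NORMAL;
    if (n > MAX_CODE) { *why = "module too large"; return 0; }
    memset(is_start, 0, n); memset(no_target, 0, n);
    /* Pass 1: fall-through disassembly from 0 defines the set of valid instruction starts. */
    while (off < n) {
        enum kind k; int32_t rel;
        size_t len = decode(code + off, n - off, &k, &rel);
        if (len == 0) { *why = "undecodable instruction"; return 0; }
        if (off / BUNDLE != (off + len - 1) / BUNDLE) { *why = "instruction crosses a bundle"; return 0; }
        if (k == K_FORBIDDEN) { *why = "forbidden instruction"; return 0; }
        if (k == K_INDIRECT) {
            /* Mask must immediately precede the jump, in the same bundle, so no branch can skip it. */
            if (prev != K_MASK || prev_off / BUNDLE != off / BUNDLE) { *why = "unmasked indirect branch"; return 0; }
            no_target[off] = 1;   /* the jmp half of nacljmp is not itself a valid branch target */
        }
        if (k == K_DIRECT) targets[ntargets++] = (int64_t)(off + len) + rel;
        is_start[off] = 1; prev = k; prev_off = off; off += len;
    }
    /* Pass 2: direct branches must land on an instruction start and never inside nacljmp. */
    for (size_t i = 0; i < ntargets; i++) {
        int64_t t = targets[i];
        if (t < 0 || t >= (int64_t)n || !is_start[t] || no_target[t]) { *why = "bad direct branch target"; return 0; }
    }
    *why = "ok"; return 1;
}

/* Constructed sample modules (not real NaCl binaries): each fills m and returns its length. */
size_t sample_good(uint8_t *m)      /* bundle 0: mov $0x20,%eax; nacljmp; hlt pad. bundle 1: jmp .+2; pad */
{
    static const uint8_t b0[] = {0xb8,0x20,0,0,0, 0x25,0xe0,0xff,0xff,0xff, 0xff,0xe0}, b1[] = {0xeb,0x00};
    memset(m, 0xf4, 64); memcpy(m, b0, sizeof b0); memcpy(m + 32, b1, sizeof b1); return 64;
}
size_t sample_nomask(uint8_t *m)    /* jmp *%eax with no mask: could reach any address */
{
    static const uint8_t b[] = {0xb8,0x20,0,0,0, 0xff,0xe0};
    memset(m, 0xf4, 32); memcpy(m, b, sizeof b); return 32;
}
size_t sample_split(uint8_t *m)     /* mask at 27..31, jmp at 32..33: a branch to 32 skips the mask */
{
    static const uint8_t mask[] = {0x25,0xe0,0xff,0xff,0xff}, jmp[] = {0xff,0xe0};
    memset(m, 0x90, 64); memcpy(m + 27, mask, 5); memcpy(m + 32, jmp, 2); return 64;
}
size_t sample_midjump(uint8_t *m)   /* jmp -4 lands at offset 3, inside the mov's immediate */
{
    static const uint8_t b[] = {0xb8,0x20,0,0,0, 0xeb,0xfc};
    memset(m, 0xf4, 32); memcpy(m, b, sizeof b); return 32;
}

/* Build one sample and validate it; returns 1 if accepted (why may be NULL). */
int accepts(size_t (*build)(uint8_t *), const char **why)
{
    uint8_t m[64]; const char *reason; size_t n = build(m);
    return validate(m, n, why ? why : &reason);
}

int main(void)
{
    size_t (*samples[])(uint8_t *) = { sample_good, sample_nomask, sample_split, sample_midjump };
    for (size_t i = 0; i < 4; i++) {
        const char *why; int ok = accepts(samples[i], &why);
        printf("sample %zu: %s (%s)\n", i, ok ? "accept" : "reject", why);
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall validate.c` and run: the first sample is accepted and the other three are rejected with their reason. The split sample is the instructive one: the mask and the jump are each legal on their own, and only the bundle rule stops a branch to offset 32 from executing the jmp unmasked. The toy does not implement the further NaCl rule that a call must end on a bundle boundary so that the return address is aligned.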
SFI – No Exceptions for you.
• Hardware exceptions are not supported in untrusted code
– Segmentation faults
– Floating point exceptions
• External interrupts are not supported either
• Any such event is fatal: the module is terminated, not handled
Crash and burn baby!
Service Runtime
• Implements enforcement of the inner sandbox
– 256 MB address space, isolated with x86 segments
– First 64 KB reserved for the runtime
• First 4 KB read- and write-protected
• Remaining 60 KB for trampolines and springboards
• Trusted
– Contains instructions the validator forbids in the module
Service Runtime
• Trampolines
– For jumping out (untrusted to trusted)
• Go to the trusted service handlers
• Leave the inner sandbox (reload the segment registers)
• Then load %esp with the trusted stack
• Springboards
– For jumping in (trusted to untrusted)
• To return from a trampoline call
• Or to start a new thread
• Or to start the main thread
Service Runtime
• Communication via NaCl sockets
• SRPC abstraction
– Supports ints, floats and chars (scalars and arrays)
– Pointers are not supported: the receiver validates every argument
• NPAPI also used
– Subject to change
Developer Tools
• Modifications to existing tool chains
– Relatively small (about 1000 lines changed in gcc)
• Includes a simple profiling framework
– Call trace with embedded outputs
Performance
• Compute/graphics
– Near-native speed; alignment padding costs a few percent
• H.264 decoder
– Check
• Quake
– No problem
• High compute/low message passing is the ideal workload
Open Source
“we’ll publish the source code, you’ll find
flaws. The winner gets $0x2000 USD.”
SkyNet sends a Mark Dowd Unit
…from the future!
• X-Force research engineer at IBM Internet Security Systems
  and winner of the Google Native Client security contest
  along with partner Ben Hawkes
• Found a way to execute arbitrary code in user mode.
• “...it will be deployed on the Internet in a secure fashion.“
• He’s a robot from the future!
Conclusion
• x86 code runs securely at near-native speed
• Portable across OSes and browsers
• Robust inner sandbox, backed by an outer sandbox
• Porting is relatively easy
• Open source – OK’d by robots from the future
• Now we can play Quake at work.
Questions?