Post on 23-Feb-2016


Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar

Google Inc., 2009 IEEE Symposium on Security and Privacy

Advanced Defense Lab

OUTLINE
- Introduction
- System Architecture
- Implementation
- Experience
- Discussion
- Related Work


INTRODUCTION
The modern web browser brings together a remarkable combination of resources: JavaScript, the Document Object Model (DOM), …
It remains handicapped in a critical dimension: computational performance (e.g. Newtonian physics, high-resolution scene rendering, …).


WEB BROWSER EXTENSIONS
- Internet Explorer: ActiveX
- Other browsers: NPAPI
- These rely on non-technical measures for security.


SYSTEM ARCHITECTURE
[Architecture diagram, labels only: <embed src="game.nexe">, game.nexe, service runtime, IMC, browser, storage, server]


SYSTEM ARCHITECTURE (CONT.)
The term "NaCl module" refers to untrusted native code.
The service runtime is responsible for ensuring that it only services requests consistent with the implied contract with the user.


SANDBOX
Native Client is built around an x86-specific intra-process "inner sandbox".
An "outer sandbox" mediates system calls at the process boundary.


INNER SANDBOX
Uses static analysis to detect security defects.
The inner sandbox is used to create a security subdomain within a native operating system process.


RUNTIME FACILITIES
"Inter-Module Communications" (IMC) allows trusted and untrusted modules to send and receive datagrams with optional "NaCl Resource Descriptors".
Two higher-level abstractions are built on it: RPC and NPAPI.


RUNTIME FACILITIES (CONT.)
The service runtime provides a set of system services, e.g. mmap(), malloc()/free(), and a subset of the POSIX threads interface.
To prevent unintended network access, connect()/accept() are omitted; modules can access the network via JavaScript.


IMPLEMENTATION – INNER SANDBOX
The design is limited to explicit control flow.
This allows for a small trusted code base (TCB): the validator is less than 600 C statements, about 6000 bytes of executable code.


INNER SANDBOX - GOALS
- Data integrity: use segment registers (C1)
- Reliable disassembly
- No unsafe instructions
- Control flow integrity


INNER SANDBOX - CONSTRAINT


INNER SANDBOX - DISALLOWED OPCODES
- Privileged instructions: syscall and int
- Instructions that modify x86 segment state: lds, far calls
- ret: replaced by an indirect jump
- hlt is used to terminate the module (C4)


INNER SANDBOX
Use 32-byte alignment to avoid executing arbitrary x86 machine code (C5, C7).
Use nacljmp for indirect jumps (C3):
    and %eax, 0xffffffe0
    jmp *%eax
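As an added illustration of the inner-sandbox rules on the last two slides (disallowed opcodes, 32-byte bundles, nacljmp), here is a toy validator in C. It is example code written for this page, not the NaCl project's validator. It decodes only a hand-picked subset of x86-32 opcodes and treats everything else as unsafe (the real validator likewise rejects instructions it cannot decode); the sample modules it checks are constructed byte strings, not compiled output, and the compiler-side convention that a call ends its bundle is not enforced here.

```c
/* Toy model of the NaCl inner-sandbox validator (added example, not the project's code).
 * Subset decoder plus the structural checks from the slides; sample modules are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUNDLE 32

enum kind { K_PLAIN, K_MASK_EAX, K_JMP_EAX, K_JMP_REL, K_CALL_REL, K_HLT };

/* Decode one instruction of a hand-picked x86-32 subset. Returns its length, or 0 when the
 * bytes are unknown or disallowed: as in the real validator, "cannot decode" means "unsafe". */
static size_t decode(const uint8_t *p, size_t n, enum kind *k, int32_t *rel)
{
    uint32_t imm;
    *k = K_PLAIN;
    if (n == 0) return 0;
    switch (p[0]) {
    case 0x90: case 0x50: return 1;                      /* nop, push %eax */
    case 0xF4: *k = K_HLT; return 1;                     /* hlt: how a module terminates (C4) */
    case 0xB8: return n < 5 ? 0 : 5;                     /* mov $imm32,%eax */
    case 0x25:                                           /* and $imm32,%eax */
        if (n < 5) return 0;
        imm = p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24;
        if (imm == 0xffffffe0u) *k = K_MASK_EAX;         /* first half of nacljmp */
        return 5;
    case 0xE8: case 0xE9:                                /* call rel32, jmp rel32 */
        if (n < 5) return 0;
        *rel = (int32_t)(p[1] | (uint32_t)p[2] << 8 | (uint32_t)p[3] << 16 | (uint32_t)p[4] << 24);
        *k = p[0] == 0xE8 ? K_CALL_REL : K_JMP_REL;
        return 5;
    case 0xFF:                                           /* only jmp *%eax (FF E0) is modelled */
        if (n >= 2 && p[1] == 0xE0) { *k = K_JMP_EAX; return 2; }
        return 0;
    default:                                             /* covers ret C3, int CD, far call 9A,
                                                            lds C5, syscall 0F 05: all disallowed */
        return 0;
    }
}

/* Returns 1 if the text is accepted, 0 otherwise (with *why set). len must be whole bundles. */
int nacl_validate(const uint8_t *text, size_t len, const char **why)
{
    uint8_t *start = calloc(len + 1, 1);      /* start[o] = 1 if a legal branch target begins at o */
    size_t off, prev_off = 0, n = 0;
    enum kind k = K_PLAIN, prev = K_PLAIN;
    int32_t rel = 0;
    int64_t tgt;
    int ok = 0;

    *why = "out of memory";
    if (!start) return 0;
    *why = "text size is not a multiple of 32 bytes";
    if (len == 0 || len % BUNDLE) goto out;
    /* Pass 1: linear disassembly (reliable because every byte is decoded exactly once). */
    for (off = 0; off < len; prev = k, prev_off = off, off += n) {
        n = decode(text + off, len - off, &k, &rel);
        *why = "disallowed or undecodable instruction";
        if (n == 0) goto out;
        *why = "instruction straddles a 32-byte bundle";                   /* C5 */
        if (off / BUNDLE != (off + n - 1) / BUNDLE) goto out;
        start[off] = 1;
        if (k == K_JMP_EAX) {                                              /* C3: nacljmp */
            *why = "indirect jump not preceded by the mask in the same bundle";
            if (prev != K_MASK_EAX || prev_off / BUNDLE != off / BUNDLE) goto out;
            start[off] = 0;   /* a branch to the jmp alone would skip the mask */
        }
    }
    /* Pass 2: direct branches may only land on instruction starts inside the text. */
    for (off = 0; off < len && (n = decode(text + off, len - off, &k, &rel)) > 0; off += n) {
        if (k != K_JMP_REL && k != K_CALL_REL) continue;
        tgt = (int64_t)(off + n) + rel;
        *why = "direct branch to a non-instruction boundary";
        if (tgt < 0 || tgt >= (int64_t)len || !start[tgt]) goto out;
    }
    *why = "ok";
    ok = 1;
out:
    free(start);
    return ok;
}

/* Constructed sample modules: two bundles, nop-padded, with `code` copied in at offset `at`. */
static int run(const uint8_t *code, size_t n, size_t at)
{
    uint8_t t[2 * BUNDLE]; const char *why;
    memset(t, 0x90, sizeof t);
    memcpy(t + at, code, n);
    return nacl_validate(t, sizeof t, &why);
}
int example_ok(void)            /* mov $0x20,%eax; and $0xffffffe0,%eax; jmp *%eax; nop; hlt */
{
    static const uint8_t c[] = {0xB8,0x20,0,0,0, 0x25,0xE0,0xFF,0xFF,0xFF, 0xFF,0xE0, 0x90,0xF4};
    return run(c, sizeof c, 0);
}
int example_unmasked_jump(void) { static const uint8_t c[] = {0xFF,0xE0}; return run(c, 2, 0); }
int example_ret(void)           { static const uint8_t c[] = {0xC3};      return run(c, 1, 10); }
int example_straddle(void)      { static const uint8_t c[] = {0xB8};      return run(c, 1, 30); } /* mov at 30..34 */
int example_jump_into_middle(void)  /* jmp .+1 lands inside the following 5-byte mov */
{
    static const uint8_t c[] = {0xE9,1,0,0,0, 0xB8,0,0,0,0};
    return run(c, sizeof c, 0);
}

int main(void)
{
    printf("ok=%d unmasked=%d ret=%d straddle=%d mid=%d\n", example_ok(), example_unmasked_jump(),
           example_ret(), example_straddle(), example_jump_into_middle());   /* prints 1 0 0 0 0 */
    return 0;
}
```

The two-pass structure is the point: pass 1 gives reliable disassembly and records legal instruction starts, and only then can pass 2 decide whether a direct branch is safe. Note that the `jmp *%eax` half of a nacljmp is deliberately not a legal target, since reaching it without the preceding `and` would defeat the mask.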


EXCEPTIONS
Hardware exceptions and external interrupts are not allowed: the exception models of Linux, Mac OS, and Windows are incompatible.
NaCl applies a fail-safe policy to exceptions, but NaCl does support C++ exceptions.


SERVICE RUNTIME
[Address-space layout diagram, labels only: 4KB, 64KB, 256MB text (C2); trampoline/springboard region for the service runtime]


TRAMPOLINE AND SPRINGBOARD
[Diagram, labels only: trampoline entries at 0x1000, 0x1010, 0x1020, ... up to 0xffff; springboard; service runtime; transfer to untrusted code; POSIX thread; start the main thread]


SYSTEM CALL OVERHEAD
The getpid syscall time is 138 ns.

Platform                                          "null" service runtime call time (ns)
Linux, Ubuntu 6.06, Intel Core 2 6600, 2.4 GHz    156
Mac OS X 10.5, Intel Xeon E5462, 2.8 GHz          148
Windows XP, Intel Core 2 Q6600, 2.4 GHz           123


COMMUNICATION
IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.
JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.


COMMUNICATION (CONT.)


DEVELOPER TOOLS - BUILDING
Modified gcc:
- -falign-functions: functions are 32-byte aligned
- -falign-jumps: jump targets are aligned
- Ensure call instructions always end in the final byte of a 32-byte block (for the springboard)
Some further changes permit testing applications by running them on the command line.


EXPERIENCE
In this paper, measurements are made without the NaCl outer sandbox.


EXPERIENCE – SPEC2000
Average overhead: 5%


EXPERIENCE – SPEC2000 About the alignment


EXPERIENCE – SPEC2000 About code size


EXPERIENCE – COMPUTE/GRAPHICS
Earth, Voronoi, Life


EXPERIENCE – PORTING EFFORT
H.264 decoder
- Original: 11K lines of C
- Porting effort: 20 lines of C, rewriting the Makefile


EXPERIENCE – BULLET
A physics simulation system.
- Baseline: 36.5 sec
- 32-byte aligned: 36.1 sec
- NaCl: 37.1 sec


EXPERIENCE –QUAKE


DISCUSSION
Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
Native Client would benefit from more consistent enabling of LDT access across popular x86 operating systems.


RELATED WORK
System request moderation:
- Android: each application is run as a different Linux user
- Xax (Microsoft Research): uses system call interception


RELATED WORK (CONT.)
Fault isolation:
- The current CFI technique builds on the seminal work by Wahbe et al.
- CFI provides finer-grained control flow integrity
- Overhead: 15% vs. 5% for NaCl


RELATED WORK (CONT.)
Trust with authentication: ActiveX
