Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. 2009 IEEE Symposium on Security and Privacy

Upload: bern

Post on 23-Feb-2016


TRANSCRIPT

Page 1: Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar

Google Inc. 2009 IEEE Symposium on Security and Privacy

Page 2: OUTLINE

Advanced Defense Lab

Introduction
System Architecture
Implementation
Experience
Discussion
Related Work

Page 3: INTRODUCTION

The modern web browser brings together a remarkable combination of resources: JavaScript, the Document Object Model (DOM), ...

It remains handicapped in a critical dimension: computational performance. Examples: Newtonian physics, high-resolution scene rendering, ...

Page 4: WEB BROWSER EXTENSION

Internet Explorer: ActiveX
Other browsers: NPAPI

These rely on non-technical measures for security.

Page 5: SYSTEM ARCHITECTURE

(Architecture diagram.) Labels: <embed src="game.nexe"> (in the web page), game.nexe, Service runtime, IMC, Browser, Storage, Server.

Page 6: SYSTEM ARCHITECTURE (CONT.)

The term "NaCl module" refers to untrusted native code.

The service is responsible for ensuring that it only services requests consistent with the implied contract with the user.

Page 7: SANDBOX

Native Client is built around an x86-specific intra-process "inner sandbox".

An "outer sandbox" mediates system calls at the process boundary.

Page 8: INNER SANDBOX

Uses static analysis to detect security defects.

The inner sandbox is used to create a security subdomain within a native operating system process.

Page 9: RUNTIME FACILITIES

The "Inter-Module Communications (IMC)" facility allows trusted and untrusted modules to send and receive datagrams with optional "NaCl Resource Descriptors."

Two higher-level abstractions are built on it: RPC and NPAPI.

Page 10: RUNTIME FACILITIES (CONT.)

The service runtime provides a set of system services, e.g. mmap(), malloc()/free(), and a subset of the POSIX threads interface.

To prevent unintended network access, connect()/accept() are omitted. Modules can access the network via JavaScript.

Page 11: IMPLEMENTATION – INNER SANDBOX

The design is limited to explicit control flow.

This allows for a small trusted code base (TCB): the validator is less than 600 C statements, about 6000 bytes of executable code.

Page 12: INNER SANDBOX - GOAL

Data integrity: use segment registers (C1)
Reliable disassembly
No unsafe instructions
Control flow integrity

Page 13: INNER SANDBOX - CONSTRAINT

Page 14: INNER SANDBOX

Disallowed opcodes:
Privileged instructions
syscall and int
Instructions that modify x86 segment state: lds, far calls
ret, replaced by an indirect jump

Use hlt to terminate the module (C4).

Page 15: INNER SANDBOX

Use 32-byte alignment to avoid arbitrary x86 machine code (C5, C7).

Use nacljmp for indirect jumps (C3):

    and %eax, 0xffffffe0
    jmp *%eax
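As an added example (not the paper's or the Native Client project's validator), a small Python model of the checks the inner-sandbox rules on pages 12 to 15 impose on an already-disassembled instruction stream: contiguous 32-byte bundles (C5), the disallowed-opcode list, direct targets that land on instruction starts inside the text segment (C7), indirect jumps only as the and/jmp nacljmp pair (C3), hlt termination (C4), plus the call-ends-the-bundle rule from the compiler changes on page 24. The mnemonics, the extended disallowed list (sysenter, les, ljmp, segment-register moves) and the sample modules are constructed assumptions; no real x86 decoding is performed.

```python
from dataclasses import dataclass
from typing import Optional
BUNDLE = 32                 # 32-byte alignment unit (C5)
ALIGN_MASK = 0xFFFFFFE0     # the immediate in "and %eax, 0xffffffe0" (C3)
# opcodes rejected outright (assumed list, extended beyond the slide); "ret" must already be a nacljmp
DISALLOWED = {"int", "syscall", "sysenter", "lds", "les", "lcall", "ljmp", "ret", "mov_seg"}

@dataclass(frozen=True)
class Insn:
    addr: int                     # offset within the text segment
    size: int                     # encoded length in bytes
    op: str                       # simplified mnemonic (constructed model, not real x86 decoding)
    target: Optional[int] = None  # destination of a direct jmp/jcc/call
    reg: Optional[str] = None     # register used by "and_mask" / "jmp_ind"

def validate(insns: list, text_size: int) -> list:
    """Return every violation found in one module; an empty list means it passes."""
    errs, starts, prev = [], {i.addr for i in insns}, None
    for i in insns:
        # reliable disassembly: contiguous stream, no instruction straddling a bundle boundary
        if prev is not None and i.addr != prev.addr + prev.size:
            errs.append(f"{i.addr:#x}: gap or overlap in instruction stream")
        if i.addr // BUNDLE != (i.addr + i.size - 1) // BUNDLE:
            errs.append(f"{i.addr:#x}: {i.op} crosses a 32-byte boundary (C5)")
        if i.op in DISALLOWED:
            errs.append(f"{i.addr:#x}: disallowed opcode {i.op}")
        if i.target is not None and (i.target >= text_size or i.target not in starts):
            errs.append(f"{i.addr:#x}: direct target {i.target:#x} is not a valid instruction (C7)")
        if i.op == "call" and (i.addr + i.size) % BUNDLE:
            errs.append(f"{i.addr:#x}: call must end its 32-byte block (aligned return address)")
        if i.op == "jmp_ind":
            # C3: only nacljmp is legal: mask and jmp on the same register, adjacent, in one bundle
            paired = (prev is not None and prev.op == "and_mask" and prev.reg == i.reg
                      and prev.addr // BUNDLE == i.addr // BUNDLE)
            if not paired:
                errs.append(f"{i.addr:#x}: indirect jmp via {i.reg} is not a nacljmp (C3)")
        prev = i
    if not insns or insns[-1].op != "hlt":   # C4: the module is terminated with hlt
        errs.append("module does not end in hlt (C4)")
    return errs

def nacljmp_target(reg_value: int, text_size: int) -> Optional[int]:
    """Where "and reg, 0xffffffe0; jmp *reg" lands: a bundle start, or None (fault) past the text limit."""
    masked = reg_value & ALIGN_MASK
    return masked if masked < text_size else None

# constructed sample modules (offsets and sizes chosen by hand, not taken from any real binary)
GOOD = [Insn(0x00, 3, "mov"), Insn(0x03, 12, "nop"), Insn(0x0f, 12, "nop"),
        Insn(0x1b, 5, "call", target=0x40), Insn(0x20, 5, "and_mask", reg="eax"),
        Insn(0x25, 2, "jmp_ind", reg="eax"), Insn(0x27, 25, "nop"), Insn(0x40, 1, "hlt")]
BAD = [Insn(0x00, 2, "int"), Insn(0x02, 2, "jmp_ind", reg="ecx"), Insn(0x04, 5, "jmp", target=0x05),
       Insn(0x09, 25, "nop"), Insn(0x22, 1, "ret")]
```

Running validate(GOOD, 0x80) returns no violations, while validate(BAD, 0x80) reports one finding per rule the bad module breaks.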

Page 16: (figure; only the label "eip" survives in the transcript)

Page 17: (no text on this slide)

Page 18: EXCEPTIONS

Hardware exceptions and external interrupts are not allowed, because of the incompatible models in Linux, MacOS, and Windows.

NaCl applies a failsafe policy to exceptions, but NaCl supports C++ exceptions.

Page 19: SERVICE RUNTIME

(Address-space layout figure.) Marked boundaries: 4KB, 64KB, 256MB. Regions: Trampoline / Springboard (for the service runtime); Text (C2).

Page 20: TRAMPOLINE AND SPRINGBOARD

(Figure.) Labels: addresses 0x1000, 0x1010, 0x1020, ..., 0xffff; Trampoline; Springboard; Service Runtime; "Transfer to untrusted code"; "POSIX thread"; "Start the main thread".

Page 21: SYSTEM CALL OVERHEAD

The getpid syscall time is 138 ns.

"Null" service runtime call time, by platform:
Linux, Ubuntu 6.06, Intel Core 2 6600 2.4 GHz: 156 ns
Mac OS X 10.5, Intel Xeon E5462 2.8 GHz: 148 ns
Windows XP, Intel Core 2 Q6600 2.4 GHz: 123 ns

Page 22: COMMUNICATION

IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.

JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.

Page 23: COMMUNICATION (CONT.)

Page 24: DEVELOPER TOOLS - BUILDING

Modified gcc:
-falign-functions: functions 32-byte aligned
-falign-jumps: jump targets aligned
Ensure call instructions always end in the final byte of a 32-byte block (for the springboard).

Some further changes permit testing applications by running them on the command line.

Page 25: EXPERIENCE

In this paper, measurements are made without the NaCl outer sandbox.

Page 26: EXPERIENCE – SPEC2000

Average: 5%

Page 27: EXPERIENCE – SPEC2000

About the alignment

Page 28: EXPERIENCE – SPEC2000

About code size

Page 29: EXPERIENCE – COMPUTE/GRAPHICS

Earth, Voronoi, Life

Page 30: (no text on this slide)

Page 31: EXPERIENCE – PORTING EFFORT

H.264 Decoder
Original: 11K lines of C
Porting effort: 20 lines of C and rewriting the Makefile

Page 32: EXPERIENCE – BULLET

A physics simulation system.

Baseline: 36.5 sec
32-byte aligned: 36.1 sec
NaCl: 37.1 sec

Page 33: EXPERIENCE – QUAKE

Page 34: (no text on this slide)

Page 35: DISCUSSION

Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.

Native Client would benefit from more consistent enabling of LDT access across popular x86 OSes.

Page 36: RELATED WORK

System request moderation:
Android: each application is run as a different Linux user
Xax by Microsoft Research: uses system call interception

Page 37: RELATED WORK (CONT.)

Fault isolation:
The current CFI technique builds on the seminal work by Wahbe et al.
CFI provides finer-grained control flow integrity.
Overhead: 15% vs. 5% for NaCl

Page 38: RELATED WORK (CONT.)

Trust with authentication: ActiveX