
Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar, Google Inc. 2009 IEEE Symposium on Security and Privacy. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. Introduction.


Presentation Transcript


  1. Native Client: A Sandbox for Portable, Untrusted x86 Native Code
  Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar, Google Inc.
  2009 IEEE Symposium on Security and Privacy

  2. Outline (Advanced Defense Lab)
  • Introduction
  • System Architecture
  • Implementation
  • Experience
  • Discussion
  • Related Work

  3. Introduction
  The modern web browser brings together a remarkable combination of resources.
  • JavaScript
  • Document Object Model (DOM)
  • …
  It remains handicapped in a critical dimension: computational performance.
  • Newtonian physics
  • High-resolution scene rendering
  • …

  4. Web browser extensions
  • Internet Explorer: ActiveX
  • Other browsers: NPAPI
  • Both rely on non-technical measures for security

  5. System Architecture
  (Figure. Labels: Server; Browser; <embed src="game.nexe">; game.nexe; IMC; Service runtime; Storage)

  6. System Architecture (cont.)
  • The term "NaCl module" refers to the untrusted native code.
  • The service is responsible for ensuring that it only services requests consistent with the implied contract with the user.

  7. Sandbox
  • Native Client is built around an x86-specific intra-process "inner sandbox".
  • An "outer sandbox" mediates system calls at the process boundary.

  8. Inner sandbox
  • Uses static analysis to detect security defects.
  • The inner sandbox is used to create a security subdomain within a native operating system process.

  9. Runtime Facilities
  • The "Inter-Module Communications (IMC)" facility allows trusted and untrusted modules to send and receive datagrams with optional "NaCl Resource Descriptors."
  • Two higher-level abstractions are built on it:
    • RPC
    • NPAPI

  10. Runtime Facilities (cont.)
  The service runtime provides a set of system services.
  • Ex: mmap(), malloc()/free()
  • A subset of the POSIX threads interface
  • To prevent unintended network access, connect()/accept() are omitted.
  • Modules can access the network via JavaScript.

  11. Implementation - inner sandbox
  The design is limited to explicit control flow.
  • This allows for a small trusted code base (TCB).
  • Validator: less than 600 C statements
  • About 6000 bytes of executable code

  12. Inner sandbox - goals
  • Data integrity: use segment registers (C1)
  • Reliable disassembly
  • No unsafe instructions
  • Control flow integrity

  13. Inner sandbox - constraints
  (no text on this slide)

  14. Inner sandbox
  Disallowed opcodes:
  • Privileged instructions
  • syscall and int
  • Instructions that modify x86 segment state (lds, far calls)
  • ret, which is replaced by an indirect jump
  • hlt is used to terminate the module (C4)

  15. Inner sandbox
  • 32-byte alignment is used to prevent execution of arbitrary x86 machine code (C5, C7).
  • nacljmp is used for indirect jumps (C3):
    • and %eax, 0xffffffe0
    • jmp *%eax

  16. (Figure. Labels: eip; eip)

  17. (no text on this slide)

  18. Exceptions
  • Hardware exceptions and external interrupts are not allowed.
  • Linux, MacOS, and Windows have incompatible exception models.
  • NaCl applies a failsafe policy to exceptions.
  • NaCl does support C++ exceptions.

  19. Service Runtime
  (Figure: address-space layout. Labels: 4KB for service runtime; Trampoline / Springboard, 64KB; Text (C2), 256MB)

  20. Trampoline and springboard
  (Figure. Labels: 0x1000 Trampoline; Service Runtime; 0x1010; 0x1020; Springboard; Transfer to untrusted code; POSIX thread; Start the main thread; 0xffff)

  21. System call overhead
  The getpid syscall takes 138 ns.

  22. Communication
  • IMC is built around the NaCl socket, providing a bi-directional, reliable, in-order datagram service.
  • JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.

  23. Communication (cont.)
  (no text on this slide)

  24. Developer tools - Building
  Modified gcc:
  • -falign-functions: functions are 32-byte aligned
  • -falign-jumps: jump targets are aligned
  • call instructions always appear in the final bytes of a 32-byte block (needed by the springboard)
  • A few further changes permit testing applications by running them on the command line.
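Slides 14, 15 and 24 describe what the validator accepts: a fixed set of opcodes, no instruction straddling a 32-byte bundle, indirect jumps only as the second half of a nacljmp within one bundle, and calls ending on a bundle boundary. The following is an added, constructed model of such a linear-sweep check; it is not the NaCl validator and assumes a tiny x86-32 subset with no prefixes (constructed encodings of nop, hlt, ret, int, the nacljmp pair, jmp rel8 and call rel32).

```python
BUNDLE = 32  # NaCl instruction-bundle size (slide 15)

# One-byte opcodes this toy decoder knows (x86-32, no prefixes)
ONE_BYTE = {0x90: "nop", 0xF4: "hlt", 0xC3: "ret"}

def decode(code, pc):
    """Return (mnemonic, length, direct_target_or_None) for the instruction at pc."""
    op = code[pc]
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1, None
    if op == 0x83 and code[pc + 1:pc + 3] == b"\xe0\xe0":  # and $0xffffffe0,%eax
        return "and_mask", 3, None
    if op == 0xFF and code[pc + 1:pc + 2] == b"\xe0":      # jmp *%eax
        return "jmp_ind", 2, None
    if op == 0xCD:                                          # int $imm8
        return "int", 2, None
    if op == 0xEB:                                          # jmp rel8
        rel = int.from_bytes(code[pc + 1:pc + 2], "little", signed=True)
        return "jmp_rel", 2, pc + 2 + rel
    if op == 0xE8:                                          # call rel32
        rel = int.from_bytes(code[pc + 1:pc + 5], "little", signed=True)
        return "call", 5, pc + 5 + rel
    return "unknown", 1, None

def validate(code):
    """Linear sweep from offset 0; returns a list of violations (empty = accepted)."""
    errors, starts, direct, prev, pc = [], set(), [], None, 0
    while pc < len(code):
        mnem, length, target = decode(code, pc)
        if pc + length > len(code):
            errors.append(f"{pc:#06x}: truncated instruction")
            break
        starts.add(pc)
        if mnem in ("ret", "int", "unknown"):             # slide 14: disallowed opcodes
            errors.append(f"{pc:#06x}: disallowed instruction {mnem}")
        if pc // BUNDLE != (pc + length - 1) // BUNDLE:    # C5: no straddling a bundle
            errors.append(f"{pc:#06x}: instruction straddles a 32-byte boundary")
        if mnem == "jmp_ind" and (prev is None or prev[0] != "and_mask"
                                  or prev[1] // BUNDLE != pc // BUNDLE):
            errors.append(f"{pc:#06x}: indirect jmp not paired with masking and")  # C3
        if mnem == "call" and (pc + length) % BUNDLE != 0:  # slide 24: aligned return address
            errors.append(f"{pc:#06x}: call does not end on a 32-byte boundary")
        if target is not None:
            direct.append((pc, target))
        prev, pc = (mnem, pc), pc + length
    for pc, target in direct:                              # C7: direct targets are starts
        if target not in starts:
            errors.append(f"{pc:#06x}: direct jump to non-instruction address {target:#x}")
    return errors
```

Because the sweep records every instruction start and rejects straddling, a masked jump can only land on a bundle start, where it cannot bypass the and that precedes an indirect jmp.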

  25. Experience
  In this paper, measurements are made without the NaCl outer sandbox.

  26. Experience - SPEC2000
  Average overhead: 5%

  27. Experience - SPEC2000
  About the alignment

  28. Experience - SPEC2000
  About code size

  29. Experience - Compute/graphics
  • Earth
  • Voronoi
  • Life

  30. (no text on this slide)

  31. Experience - Porting effort
  H.264 Decoder
  • Original: 11K lines of C
  • Porting effort:
    • 20 lines of C
    • Rewriting the Makefile

  32. Experience - Bullet
  A physics simulation system.
  • Baseline: 36.5 sec
  • 32-byte aligned: 36.1 sec
  • NaCl: 37.1 sec

  33. Experience - Quake

  34. (no text on this slide)

  35. Discussion
  • Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
  • Native Client would benefit from more consistent enabling of LDT access across popular x86 OSes.

  36. Related Work
  System Request Moderation
  • Android: each application is run as a different Linux user
  • Xax by Microsoft Research: uses system call interception

  37. Related Work (cont.)
  Fault Isolation
  • The current CFI technique builds on the seminal work by Wahbe et al.
  • CFI provides finer-grained control flow integrity.
  • Overhead: 15% vs. 5% for NaCl

  38. Related Work (cont.)
  Trust with Authentication
  • ActiveX