Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. 2009 IEEE Symposium on Security and Privacy


Page 1: Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. 2009

Native Client: A Sandbox for Portable, Untrusted x86 Native Code

Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar

Google Inc., 2009 IEEE Symposium on Security and Privacy


Advanced Defense Lab

2

OUTLINE

Introduction
System Architecture
Implementation
Experience
Discussion
Related Work


INTRODUCTION

The modern web browser brings together a remarkable combination of resources: JavaScript, the Document Object Model (DOM), …

It remains handicapped in a critical dimension: computational performance (e.g. Newtonian physics, high-resolution scene rendering, …).


WEB BROWSER EXTENSION

Internet Explorer: ActiveX

Other browsers: NPAPI

Both rely on non-technical measures for security.


SYSTEM ARCHITECTURE

[Figure: system architecture diagram. Labels recovered from the slide: <embed src="game.nexe">; game.nexe; Service runtime; IMC; Browser; Storage; Server.]


SYSTEM ARCHITECTURE (CONT.)

"NaCl module" is used to refer to untrusted native code.

The service is responsible for ensuring that it only services requests consistent with the implied contract with the user.


SANDBOX

Native Client is built around an x86-specific intra-process "inner sandbox".

An "outer sandbox" mediates system calls at the process boundary.


INNER SANDBOX

Use static analysis to detect security defects

The inner sandbox is used to create a security subdomain within a native operating system process.


RUNTIME FACILITIES

"Inter-Module Communication" (IMC) allows trusted and untrusted modules to send and receive datagrams with optional "NaCl Resource Descriptors".

Two higher-level abstractions are built on it: RPC and NPAPI.


RUNTIME FACILITIES (CONT.)

The service runtime provides a set of system services, e.g. mmap(), malloc()/free() and a subset of the POSIX threads interface.

To prevent unintended network access, connect()/accept() are omitted. Modules can access the network only via JavaScript.


IMPLEMENTATION – INNER SANDBOX

The design is limited to explicit control flow.

This allows for a small trusted code base (TCB).

Validator: less than 600 C statements, about 6000 bytes of executable code.


INNER SANDBOX - GOAL

Data integrity: use segment registers (C1)

Reliable disassembly

No unsafe instructions

Control flow integrity


INNER SANDBOX - CONSTRAINT


INNER SANDBOX

Disallowed opcodes: privileged instructions, syscall and int, and instructions that modify x86 segment state (lds, far calls).

ret is replaced by an indirect jump.

hlt is used to terminate the module (C4).


INNER SANDBOX

Use 32-byte alignment to avoid arbitrary x86 machine code (C5, C7).

Use nacljmp for indirect jumps (C3):

and %eax, 0xffffffe0
jmp *%eax
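To make the rules on these slides concrete (disallowed opcodes, no instruction straddling a 32-byte boundary, indirect jumps only as the nacljmp pair, direct jumps only to instruction starts, hlt termination, and the build rule on the developer-tools slide that call instructions end a 32-byte block), here is a small validator written for this summary. It is an added example, not the paper's or Native Client's validator: it works on a pre-decoded instruction list with constructed offsets and lengths instead of real x86 bytes, and the exact members of DISALLOWED and BRANCHES are assumptions made for the toy.

```python
# Added example, not Native Client code: a toy inner-sandbox validator that
# applies the slide's rules to a pre-decoded instruction list.
from dataclasses import dataclass

BUNDLE = 32                 # 32-byte alignment unit from the slides (C5, C7)
INDIRECT_MASK = 0xFFFFFFE0  # mask used by nacljmp, "and %eax, 0xffffffe0" (C3)

# Assumed set for the toy: privileged/syscall, int, ret, segment-modifying ops.
DISALLOWED = {"syscall", "sysenter", "int", "ret", "lds", "les", "lcall", "ljmp"}
BRANCHES = {"jmp", "call", "je", "jne", "jz", "jnz", "jl", "jle", "jg", "jge"}


@dataclass
class Insn:
    offset: int
    length: int
    mnemonic: str
    operand: str = ""

    @property
    def end(self):
        return self.offset + self.length


def _is_mask_for(insn, reg):
    """True if insn is 'and <reg>, 0xffffffe0' (either operand order)."""
    if insn.mnemonic != "and":
        return False
    parts = [p.strip().lstrip("$") for p in insn.operand.split(",")]
    imms = [p for p in parts if p.lower().startswith("0x")]
    return (len(parts) == 2 and len(imms) == 1
            and int(imms[0], 16) == INDIRECT_MASK and reg in parts)


def validate(insns):
    """Return a list of violations; an empty list means the module is accepted."""
    errors = []
    # Reliable disassembly: one fall-through pass from offset 0, no gaps/overlaps.
    expected = 0
    for i in insns:
        if i.offset != expected:
            errors.append(f"{i.offset:#x}: disassembly gap/overlap, expected {expected:#x}")
        expected = i.end
    # Every instruction start is a legal direct-branch target except the
    # 'jmp *%reg' half of a nacljmp, which must never be reached without its mask.
    targets = {i.offset for i in insns}
    for idx, i in enumerate(insns):
        if i.mnemonic in DISALLOWED:
            errors.append(f"{i.offset:#x}: disallowed opcode {i.mnemonic}")
        if i.offset // BUNDLE != (i.end - 1) // BUNDLE:
            errors.append(f"{i.offset:#x}: {i.mnemonic} straddles a {BUNDLE}-byte boundary")
        if i.mnemonic in ("jmp", "call") and i.operand.startswith("*"):
            reg = i.operand[1:]
            prev = insns[idx - 1] if idx else None
            # The mask must immediately precede the jump and share its bundle,
            # so no control transfer can land between the two halves.
            if (prev is None or not _is_mask_for(prev, reg)
                    or prev.offset // BUNDLE != i.offset // BUNDLE):
                errors.append(f"{i.offset:#x}: unmasked indirect {i.mnemonic} through {reg}")
            else:
                targets.discard(i.offset)
        if i.mnemonic == "call" and i.end % BUNDLE != 0:
            # A call must occupy the final byte of its 32-byte block.
            errors.append(f"{i.offset:#x}: call does not end at a {BUNDLE}-byte boundary")
    for i in insns:
        if i.mnemonic in BRANCHES and not i.operand.startswith("*"):
            target = int(i.operand, 0)
            if target not in targets:
                errors.append(f"{i.offset:#x}: {i.mnemonic} target {target:#x} is not a valid instruction start")
    if not insns or insns[-1].mnemonic != "hlt":
        errors.append("module must be terminated with hlt padding")
    return errors


# Constructed sample modules; offsets and lengths are illustrative, not real encodings.
GOOD = [
    Insn(0, 5, "mov", "$1, %eax"),
    Insn(5, 5, "and", "%eax, 0xffffffe0"),   # nacljmp, first half
    Insn(10, 2, "jmp", "*%eax"),             # nacljmp, second half
    Insn(12, 2, "jmp", "0x20"),
    Insn(14, 13, "nop"),
    Insn(27, 5, "call", "0x20"),             # last byte at offset 31
    Insn(32, 5, "mov", "$0, %eax"),
    Insn(37, 1, "hlt"),
]
BAD_STRADDLE = [Insn(0, 30, "nop"), Insn(30, 5, "mov", "$1, %eax"), Insn(35, 1, "hlt")]
BAD_OPCODE = [Insn(0, 2, "int", "$0x80"), Insn(2, 1, "hlt")]
BAD_UNMASKED = [Insn(0, 2, "jmp", "*%eax"), Insn(2, 1, "hlt")]
BAD_SPLIT_NACLJMP = [Insn(0, 27, "nop"), Insn(27, 5, "and", "%eax, 0xffffffe0"),
                     Insn(32, 2, "jmp", "*%eax"), Insn(34, 1, "hlt")]  # mask in other bundle
BAD_TARGET = [Insn(0, 5, "and", "%eax, 0xffffffe0"), Insn(5, 2, "jmp", "*%eax"),
              Insn(7, 2, "jmp", "0x5"), Insn(9, 1, "hlt")]  # jumps past the mask
BAD_CALL = [Insn(0, 5, "call", "0x5"), Insn(5, 1, "hlt")]

if __name__ == "__main__":
    for name in ("GOOD", "BAD_STRADDLE", "BAD_OPCODE", "BAD_UNMASKED",
                 "BAD_SPLIT_NACLJMP", "BAD_TARGET", "BAD_CALL"):
        print(name, validate(globals()[name]) or "accepted")
```

The two-pass structure matters: the set of legal direct-branch targets is only known after every nacljmp pair has been recognised, because the `jmp *%eax` half is removed from it. That is what keeps a direct jump from landing on the indirect jump with an unmasked register, which is the case the 32-byte bundle and the adjacency requirement exist to rule out.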


EXCEPTIONS

Hardware exceptions and external interrupts are not allowed, because of the incompatible exception models in Linux, Mac OS and Windows.

NaCl applies a failsafe policy to exceptions, but NaCl does support C++ exceptions.


SERVICE RUNTIME

[Figure: address-space layout diagram. Labels recovered from the slide: 4KB; 64KB; 256MB Text (C2); Trampoline / Springboard; "For service runtime".]


TRAMPOLINE AND SPRINGBOARD

[Figure: trampoline and springboard diagram. Labels recovered from the slide: addresses 0x1000, 0x1010, 0x1020 and 0xffff; Trampoline; Springboard; Service Runtime; "Transfer to untrusted code"; "POSIX thread"; "Start the main thread".]


SYSTEM CALL OVERHEAD

The getpid syscall time is 138 ns.

Platform                                          "null" Service Runtime call time (ns)
Linux, Ubuntu 6.06, Intel Core 2 6600, 2.4 GHz    156
Mac OS X 10.5, Intel Xeon E5462, 2.8 GHz          148
Windows XP, Intel Core 2 Q6600, 2.4 GHz           123


COMMUNICATION

IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.

JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.


COMMUNICATION (CONT.)


DEVELOPER TOOLS - BUILDING

Modify gcc: -falign-functions so that functions are 32-byte aligned; -falign-jumps so that jump targets are aligned; and ensure call instructions always appear in the final byte of a 32-byte block (for the springboard).

With a few further changes, applications can be tested by running them on the command line.


EXPERIENCE

In this paper, measurements are made without the NaCl outer sandbox.


EXPERIENCE – SPEC2000

Average overhead: 5%


EXPERIENCE – SPEC2000

About the alignment


EXPERIENCE – SPEC2000

About code size


EXPERIENCE – COMPUTE/GRAPHICS

Earth, Voronoi, Life


EXPERIENCE – PORTING EFFORT

H.264 decoder. Original: 11K lines of C. Porting effort: 20 lines of C and rewriting the Makefile.


EXPERIENCE – BULLET

A physics simulation system.

Baseline: 36.5 sec; 32-byte aligned: 36.1 sec; NaCl: 37.1 sec


EXPERIENCE – QUAKE


DISCUSSION

Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.

Native Client would benefit from more consistent enabling of LDT access across popular x86 operating systems.


RELATED WORK

System request moderation:

Android: each application runs as a different Linux user.

Xax (Microsoft Research): uses system call interception.


RELATED WORK (CONT.)

Fault isolation: the current CFI technique builds on the seminal work by Wahbe et al.

CFI provides finer-grained control flow integrity. Overhead: 15% vs. 5% for NaCl.


RELATED WORK (CONT.)

Trust with authentication: ActiveX