Native Client: A Sandbox for Portable, Untrusted x86
Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis
Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar
Google Inc.
2009 IEEE Symposium on Security and Privacy
Native Client: A Sandbox for Portable,
Untrusted x86 Native Code
Advanced Defense Lab
OUTLINE
Introduction
System Architecture
Implementation
Experience
Discussion
Related Work
INTRODUCTION
The modern web browser brings together a remarkable combination of resources:
JavaScript
Document Object Model (DOM)
…
It remains handicapped in a critical dimension: computational performance.
Newtonian physics
High-resolution scene rendering
…
WEB BROWSER EXTENSION
Internet Explorer: ActiveX
Other browsers: NPAPI
Both rely on non-technical measures for security.
SYSTEM ARCHITECTURE
(Figure on the slide: the server delivers game.nexe to the browser, which embeds it with <embed src=“game.nexe”>; the module communicates over IMC; the other labelled components are Storage and the Service runtime.)
SYSTEM ARCHITECTURE (CONT.)
“NaCl module” is used to refer to untrusted native code.
The service runtime is responsible for ensuring that it only services requests consistent with the implied contract with the user.
SANDBOX
Native Client is built around an x86-specific intra-process “inner sandbox”.
An “outer sandbox” mediates system calls at the process boundary.
INNER SANDBOX
Use static analysis to detect security defects
The inner sandbox is used to create a security
subdomain within a native operating system
process.
RUNTIME FACILITIES
The “Inter-Module Communications” (IMC) allows trusted and untrusted modules to send/receive datagrams with optional “NaCl Resource Descriptors.”
Two higher-level abstractions:
RPC
NPAPI
RUNTIME FACILITIES (CONT.)
The service runtime provides a set of system services, e.g.:
mmap(), malloc()/free()
A subset of the POSIX threads interface
To prevent unintended network access, connect()/accept() are omitted.
Modules can access the network via JavaScript.
IMPLEMENTATION – INNER SANDBOX
The design is limited to explicit control flow.
This allows for a small trusted code base (TCB):
Validator: less than 600 C statements, about 6000 bytes of executable code
INNER SANDBOX - GOAL
Data integrity: use segment registers (C1)
Reliable disassembly
No unsafe instructions
Control flow integrity
INNER SANDBOX - CONSTRAINT
(Table of the validator constraints C1–C7, shown only as a figure on the slide.)
INNER SANDBOX
Disallowed opcodes:
Privileged instructions
syscall and int
Instructions that modify x86 segment state (lds, far calls, …)
ret – replaced by an indirect jump
hlt is used to terminate a module (C4)
INNER SANDBOX
Use 32-byte alignment to avoid arbitrary x86 machine code (C5, C7).
Use nacljmp for indirect jumps (C3):
  and %eax, 0xffffffe0
  jmp *%eax
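As an added illustration of the rules on the inner-sandbox slides (this is not the paper's validator and not code from the NaCl project), the Python below models the checks a NaCl-style validator performs: no disallowed opcodes, gap-free linear disassembly, no instruction straddling a 32-byte bundle, direct branches only to instruction starts, and indirect jumps only through the and/jmp nacljmp pair kept inside one bundle. It also checks the call-placement convention from the later “Developer tools – building” slide. To stay self-contained it works on a constructed, pre-decoded instruction list rather than raw x86 bytes, so the x86 decoder and the segment-based data sandbox (C1, C2) are left out; the `Insn` type, the mnemonic set in `DISALLOWED`, and the sample modules are all constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

BUNDLE = 32                # 32-byte instruction bundle (constraints C5/C7)
NACLJMP_MASK = 0xFFFFFFE0  # mask in the nacljmp sequence: clears the low 5 bits

# Illustrative mnemonics standing in for the disallowed classes on the slide:
# privileged instructions, syscall/int, segment-state modifiers, far calls, ret.
# hlt is allowed because NaCl uses it to terminate a module (C4).
DISALLOWED = {"cli", "in", "out", "syscall", "int", "lds", "lcall", "ret"}


@dataclass
class Insn:
    """One pre-decoded instruction of a constructed text segment (hypothetical type)."""
    addr: int                     # offset of the first byte within the text
    size: int                     # encoded length in bytes
    op: str                       # mnemonic; "jmp*" is an indirect jump
    target: Optional[int] = None  # direct jump/call target offset, if any
    reg: Optional[str] = None     # register operand of "and" / "jmp*" / "pop"
    imm: Optional[int] = None     # immediate operand of "and"


def bundle_of(addr: int) -> int:
    return addr // BUNDLE


def is_nacljmp(prev: Optional[Insn], cur: Insn) -> bool:
    """True if prev,cur is `and $0xffffffe0,%reg ; jmp *%reg`, adjacent and in one bundle."""
    return (cur.op == "jmp*" and prev is not None and prev.op == "and"
            and prev.reg == cur.reg and prev.imm == NACLJMP_MASK
            and prev.addr + prev.size == cur.addr
            and bundle_of(prev.addr) == bundle_of(cur.addr + cur.size - 1))


def validate(insns: List[Insn], text_size: int) -> List[str]:
    """Return the list of violations; an empty list means the module is accepted."""
    errors: List[str] = []
    # Reliable disassembly: the linear decode must tile the text with no gaps or
    # overlaps, so the recorded instruction starts are the only boundaries.
    expected = 0
    for i in insns:
        if i.addr != expected:
            errors.append(f"{i.addr:#x}: gap or overlap in disassembly")
        expected = i.addr + i.size
    if expected != text_size:
        errors.append(f"text ends at {expected:#x}, not at {text_size:#x}")
    # Valid direct-branch targets: every instruction start except the jmp half of
    # a nacljmp, which is treated as one pseudo-instruction so no branch can reach
    # the jmp without first executing the and.
    targets = set()
    for idx, i in enumerate(insns):
        if not is_nacljmp(insns[idx - 1] if idx else None, i):
            targets.add(i.addr)
    for idx, i in enumerate(insns):
        prev = insns[idx - 1] if idx else None
        if i.op in DISALLOWED:
            errors.append(f"{i.addr:#x}: disallowed opcode {i.op}")
        # C5/C7: no instruction straddles a 32-byte boundary. With gap-free coverage
        # this makes every bundle start an instruction start, which the mask relies on.
        if bundle_of(i.addr) != bundle_of(i.addr + i.size - 1):
            errors.append(f"{i.addr:#x}: {i.op} straddles a bundle boundary")
        if i.target is not None and i.target not in targets:
            errors.append(f"{i.addr:#x}: {i.op} to {i.target:#x} is not a valid target")
        # C3: the only permitted indirect jump is the nacljmp sequence.
        if i.op == "jmp*" and not is_nacljmp(prev, i):
            errors.append(f"{i.addr:#x}: indirect jump without nacljmp mask")
        # Building-slide convention: a call ends its bundle, so the return address
        # the callee later masks with nacljmp is already 32-byte aligned.
        if i.op == "call" and (i.addr + i.size) % BUNDLE != 0:
            errors.append(f"{i.addr:#x}: call does not end on a bundle boundary")
    return errors


TEXT_SIZE = 64  # two bundles of constructed code


def ok_module() -> List[Insn]:
    """Constructed 64-byte module that satisfies every modelled rule."""
    return [
        Insn(0x00, 3, "mov"),
        Insn(0x03, 3, "and", reg="eax", imm=NACLJMP_MASK),
        Insn(0x06, 2, "jmp*", reg="eax"),             # nacljmp inside bundle 0
        Insn(0x08, 19, "nop"),                        # padding up to 0x1b
        Insn(0x1b, 5, "call", target=0x20),           # ends exactly at 0x20
        Insn(0x20, 3, "pop", reg="ecx"),              # pop the return address ...
        Insn(0x23, 3, "and", reg="ecx", imm=NACLJMP_MASK),
        Insn(0x26, 2, "jmp*", reg="ecx"),             # ... and return via nacljmp
        Insn(0x28, 23, "nop"),                        # padding up to 0x3f
        Insn(0x3f, 1, "hlt"),                         # terminate the module (C4)
    ]


def bad_modules() -> Dict[str, List[Insn]]:
    """Constructed variants of ok_module() that each break exactly one rule."""
    b = ok_module()
    return {
        "ret":       b[:6] + [Insn(0x23, 1, "ret"), Insn(0x24, 4, "nop")] + b[8:],
        "unmasked":  b[:1] + [Insn(0x03, 3, "nop"), Insn(0x06, 2, "jmp*", reg="eax")] + b[3:],
        "straddle":  b[:3] + [Insn(0x08, 22, "nop"), Insn(0x1e, 5, "mov")] + b[6:],
        "late_call": b[:3] + [Insn(0x08, 17, "nop"), Insn(0x19, 5, "call", target=0x20),
                              Insn(0x1e, 2, "nop")] + b[5:],
        "mid_insn":  [Insn(0x00, 3, "jmp", target=0x09)] + b[1:],
    }


def check_all() -> Dict[str, List[str]]:
    """Run the validator over the accepted module and every broken variant."""
    results = {"ok": validate(ok_module(), TEXT_SIZE)}
    for name, mod in bad_modules().items():
        results[name] = validate(mod, TEXT_SIZE)
    return results


if __name__ == "__main__":
    for name, errs in check_all().items():
        print(f"{name:10s} {'accepted' if not errs else '; '.join(errs)}")
```

The ok_module() uses the pop/nacljmp sequence in place of ret, which is why the call has to end on a bundle boundary: the pushed return address is then already a multiple of 32, and masking it with 0xffffffe0 leaves it unchanged. Each variant in bad_modules() trips exactly one check, so the error list doubles as a record of which constraint a rejected module violated.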
EXCEPTIONS
Hardware exceptions and external interrupts are not allowed, because of the incompatible exception models in Linux, MacOS, and Windows.
NaCl applies a failsafe policy to exceptions.
But NaCl supports C++ exceptions.
SERVICE RUNTIME
(Address-space layout figure on the slide; labels: 4KB, 64KB, 256MB; regions: for service runtime, trampoline/springboard, text (C2).)
TRAMPOLINE AND SPRINGBOARD
(Figure on the slide, labels in order: 0x1000 trampoline → service runtime; 0x1010; 0x1020 springboard → transfer to untrusted code (POSIX thread; start the main thread); 0xffff.)
SYSTEM CALL OVERHEAD
For comparison, the getpid syscall time is 138 ns.
“null” service runtime call time:
Platform                                          Time (ns)
Linux, Ubuntu 6.06, Intel Core 2 6600, 2.4 GHz    156
Mac OS X 10.5, Intel Xeon E5462, 2.8 GHz          148
Windows XP, Intel Core 2 Q6600, 2.4 GHz           123
COMMUNICATION
IMC is built around a NaCl socket, providing a
bi-directional, reliable, in-order datagram
service.
JavaScript can connect to the module by
opening and sharing NaCl sockets as NaCl
descriptors.
COMMUNICATION (CONT.)
DEVELOPER TOOLS - BUILDING
Modified gcc:
-falign-functions: functions are 32-byte aligned
-falign-jumps: jump targets are aligned
Ensure call instructions always end in the final byte of a 32-byte block (for springboard).
Making some changes permits testing applications by running them on the command line.
EXPERIENCE
In this paper, measurements are made without
the NaCl outer sandbox.
EXPERIENCE – SPEC2000
Average overhead: 5%
EXPERIENCE – SPEC2000
About the alignment
EXPERIENCE – SPEC2000
About code size
EXPERIENCE – COMPUTE/GRAPHICS
Earth
Voronoi
Life
EXPERIENCE – PORTING EFFORT
H.264 decoder
Original: 11K lines of C
Porting effort: 20 lines of C, plus rewriting the Makefile
EXPERIENCE – BULLET
A physics simulation system.
Baseline: 36.5 sec
32-byte aligned: 36.1 sec
NaCl: 37.1 sec
EXPERIENCE – QUAKE
DISCUSSION
Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
Native Client would benefit from more consistent enabling of LDT access across popular x86 OSes.
RELATED WORK
System request moderation
Android: each application is run as a different Linux user
Xax (by Microsoft Research): uses system call interception
RELATED WORK (CONT.)
Fault isolation
The current CFI technique builds on the seminal work by Wahbe et al.
CFI provides finer-grained control flow integrity.
Overhead: 15% vs. 5% for NaCl
RELATED WORK (CONT.)
Trust with Authentication
ActiveX