Native Client: A Sandbox for Portable, Untrusted x86


Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis
Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar
Google Inc.
2009 IEEE Symposium on Security and Privacy
Native Client: A Sandbox for Portable, Untrusted x86 Native Code
Advanced Defense Lab
OUTLINE
- Introduction
- System Architecture
- Implementation
- Experience
- Discussion
- Related Work

INTRODUCTION

The modern web browser brings together a remarkable combination of resources:
- JavaScript
- Document Object Model (DOM)
- ...

It remains handicapped in a critical dimension: computational performance.
- Newtonian physics
- High-resolution scene rendering
- ...

WEB BROWSER EXTENSION

- Internet Explorer: ActiveX
- Other browsers: NPAPI

Both rely on non-technical measures for security.
SYSTEM ARCHITECTURE

[Figure: system architecture. Components shown: Server, Browser (page containing <embed src="game.nexe">), IMC, game.nexe, Storage, Service runtime.]
SYSTEM ARCHITECTURE (CONT.)

- "NaCl module" refers to the untrusted native code.
- The service runtime is responsible for ensuring that it only services requests consistent with the implied contract with the user.
SANDBOX

- Native Client is built around an x86-specific intra-process "inner sandbox".
- An "outer sandbox" mediates system calls at the process boundary.
INNER SANDBOX

- Uses static analysis to detect security defects.
- The inner sandbox is used to create a security subdomain within a native operating system process.
RUNTIME FACILITIES

- The "Inter-Module Communications (IMC)" interface allows trusted and untrusted modules to send/receive datagrams with optional "NaCl Resource Descriptors".
- Two higher-level abstractions are built on IMC:
  - RPC
  - NPAPI
RUNTIME FACILITIES (CONT.)

- The service runtime provides a set of system services, e.g.:
  - mmap(), malloc()/free()
  - A subset of the POSIX threads interface
- To prevent unintended network access, connect()/accept() are omitted.
  - Modules can access the network via JavaScript.
IMPLEMENTATION – INNER SANDBOX

- The design is limited to explicit control flow.
- This allows for a small trusted code base (TCB).
  - Validator: less than 600 C statements
  - About 6000 bytes of executable code
INNER SANDBOX - GOAL

- Data integrity
  - Use segment registers (C1)
- Reliable disassembly
  - No unsafe instructions
- Control flow integrity

INNER SANDBOX - CONSTRAINT
INNER SANDBOX

Disallowed opcodes:
- Privileged instructions
- syscall and int
- Instructions that modify x86 segment state (lds, far calls)
- ret – replaced by an indirect jump

Use hlt to terminate the module (C4).
INNER SANDBOX

- Use 32-byte alignment to avoid arbitrary x86 machine code (C5, C7).
- Use nacljmp for indirect jumps (C3):
    and %eax, 0xffffffe0
    jmp *%eax
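The following is an added example, not the paper's validator or any Google code: a toy Python model of the inner-sandbox checks described above (disallowed opcodes, the nacljmp rule C3, hlt termination C4, 32-byte bundles C5, fall-through disassembly C6, direct-transfer targets C7, plus the "call ends its bundle" rule from the developer-tools slide). The decoder only knows a handful of real 32-bit x86 encodings (nop, hlt, ret, int, jmp rel8, call rel32, and $imm32,%eax, jmp *%eax); everything else, including the sample module, is constructed for this example.

```python
BUNDLE = 32  # NaCl instruction-bundle size (C5)
ONE_BYTE = {0x90: "nop", 0xF4: "hlt", 0xC3: "ret"}  # single-byte opcodes we decode

def decode(code, off):  # -> (mnemonic, length, operand) for one instruction at `off`
    op = code[off]
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1, None
    if op == 0xCD:                                  # int imm8 (disallowed)
        return "int", 2, code[off + 1]
    if op == 0xEB:                                  # jmp rel8, target relative to next insn
        return "jmp", 2, off + 2 + int.from_bytes(code[off + 1:off + 2], "little", signed=True)
    if op == 0xE8:                                  # call rel32
        return "call", 5, off + 5 + int.from_bytes(code[off + 1:off + 5], "little", signed=True)
    if op == 0x25:                                  # and $imm32, %eax
        return "and_eax", 5, int.from_bytes(code[off + 1:off + 5], "little")
    if op == 0xFF and off + 1 < len(code) and code[off + 1] == 0xE0:
        return "jmp_eax", 2, None                   # jmp *%eax
    raise ValueError(f"unsupported opcode {op:#x} at {off:#x}")

def is_nacljmp(prev, off):  # C3: jmp *%eax must follow and $0xffffffe0,%eax in the same bundle
    return (prev is not None and prev[0] == "and_eax" and prev[1] == 0xFFFFFFE0
            and prev[2] // BUNDLE == off // BUNDLE)

def validate(code):  # returns the list of violations; [] means the module passes
    errors, starts, targets, off, prev = [], set(), [], 0, None
    while off < len(code):                          # C6: fall-through disassembly
        m, n, arg = decode(code, off)
        starts.add(off)
        if off // BUNDLE != (off + n - 1) // BUNDLE:  # C5: no instruction straddles a bundle
            errors.append(f"{off:#x}: {m} crosses a 32-byte boundary")
        if m in ("int", "ret"):                     # disallowed opcodes
            errors.append(f"{off:#x}: {m} is not allowed")
        if m == "jmp_eax" and not is_nacljmp(prev, off):
            errors.append(f"{off:#x}: indirect jmp is not part of a nacljmp")
        if m == "call" and (off + n) % BUNDLE:      # call must end its 32-byte bundle
            errors.append(f"{off:#x}: call does not end at a bundle boundary")
        if m in ("jmp", "call"):
            targets.append((off, arg))
        prev, off = (m, arg, off), off + n
    for src, t in targets:                          # C7: direct transfers hit real insns
        if t not in starts:
            errors.append(f"{src:#x}: direct transfer to non-instruction {t:#x}")
    if not code or code[-1] != 0xF4:                # C4: module is terminated by hlt
        errors.append("module does not end with hlt")
    return errors

# Constructed sample: one 32-byte bundle holding a nacljmp, a short jmp, nops and hlt.
GOOD_MODULE = (bytes([0x25, 0xE0, 0xFF, 0xFF, 0xFF, 0xFF, 0xE0])   # and $0xffffffe0,%eax; jmp *%eax
               + bytes([0xEB, 0x00]) + b"\x90" * 22 + b"\xF4")
```

Calling validate(GOOD_MODULE) returns an empty list; moving the and/jmp pair so it straddles a bundle boundary, or dropping the and, makes the same indirect jump fail the C3 and C5 checks.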
[Figure: diagrams labelled eip illustrating nacljmp and instruction bundles; graphics not captured.]
EXCEPTIONS

- Hardware exceptions and external interrupts are not allowed.
  - The exception models in Linux, MacOS, and Windows are incompatible.
- NaCl applies a failsafe policy to exceptions.
- NaCl does, however, support C++ exceptions.
SERVICE RUNTIME

[Figure: NaCl module address-space layout. Labels shown: 4KB, 64KB, 256MB; Trampoline / Springboard; Text (C2); "For service runtime".]
TRAMPOLINE AND SPRINGBOARD

[Figure: trampoline and springboard layout. Labels shown: 0x1000, 0x1010, 0x1020, 0xffff; Trampoline (to Service Runtime); Springboard (transfer to untrusted code, POSIX thread, start the main thread).]
SYSTEM CALL OVERHEAD

The getpid syscall time is 138 ns.

Platform                                              "null" Service Runtime call time (ns)
Linux, Ubuntu 6.06, Intel Core 2 6600, 2.4 GHz        156
Mac OS X 10.5, Intel Xeon E5462, 2.8 GHz              148
Windows XP, Intel Core 2 Q6600, 2.4 GHz               123
COMMUNICATION

- IMC is built around a NaCl socket, providing a bi-directional, reliable, in-order datagram service.
- JavaScript can connect to the module by opening and sharing NaCl sockets as NaCl descriptors.

COMMUNICATION (CONT.)
DEVELOPER TOOLS - BUILDING

- Modify gcc to produce 32-byte aligned code:
  - -falign-jumps: jump targets are aligned
  - -falign-functions
  - Ensure call instructions always appear in the final byte of a 32-byte block (for the springboard).
- Some further changes permit testing applications by running them on the command line.
EXPERIENCE

In this paper, measurements are made without the NaCl outer sandbox.
EXPERIENCE – SPEC2000
Average: 5%
EXPERIENCE – SPEC2000

About the alignment
EXPERIENCE – SPEC2000

About code size
EXPERIENCE – COMPUTE/GRAPHICS

- Earth
- Voronoi
- Life

EXPERIENCE – PORTING EFFORT

H.264 Decoder
- Original: 11K lines of C
- Porting effort:
  - 20 lines of C
  - Rewriting the Makefile
EXPERIENCE – BULLET

A physics simulation system.
- Baseline: 36.5 sec
- 32-byte aligned: 36.1 sec
- NaCl: 37.1 sec

EXPERIENCE – QUAKE
DISCUSSION

- Popular operating systems generally require all threads to use a flat addressing model in order to deliver exceptions correctly.
- Native Client would benefit from more consistent enabling of LDT access across popular x86 OSes.

RELATED WORK

System Request Moderation
- Android: each application is run as a different Linux user.
- Xax (by Microsoft Research): uses system call interception.
RELATED WORK (CONT.)

Fault Isolation
- The current CFI technique builds on the seminal work by Wahbe et al.
- CFI provides finer-grained control flow integrity.
- Overhead: 15% for CFI vs. 5% for NaCl.
RELATED WORK (CONT.)

Trust with Authentication
- ActiveX