Interesting paper on Google’s NaCl

Google’s Chrome browser is trying to take an interesting approach to running native i686 and x86-64 code safely in a sandbox (without needing code signing, so unlike ActiveX).

Essentially they compile C or C++ with a modified gcc that generates a limited subset of machine code which can be easily validated at runtime. This paper and web page explain the precise details:

http://nativeclient.googlecode.com/svn/data/site/NaCl_SFI.pdf
http://www.chromium.org/nativeclient/design-documents/nacl-sfi-model-on-x86-64-systems

This code (after validation) can be loaded from a completely untrusted source into one of the web browser’s tabs (most tabs run as separate processes). The untrusted code cannot make syscalls directly or write over any trusted parts of the same process — this is enforced by the validation step. But because it is native machine code (or a large but safe subset thereof) it still runs at just about full native speed.
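The validation step described above, as an added example (not code from this post or from Native Client): a validator for a small i686 opcode subset that rejects syscall-type instructions and `ret`, instructions that straddle a 32-byte bundle, and any `jmp *%eax` not directly preceded by `and $-32,%eax`. The opcode subset, the names `validate` and `insn_len`, and the sample byte strings are assumptions made for the example; the bundle and masked-jump rules come from Native Client's published x86-32 design rather than from this post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define BUNDLE 32 /* bundle size in bytes */
enum verdict { OK, BAD_OPCODE, FORBIDDEN, STRADDLE, UNMASKED_JUMP };

/* Length of the instruction at p, 0 if outside this example's assumed subset.
   *forbidden is set for instructions untrusted code must never contain. */
static size_t insn_len(const uint8_t *p, size_t left, int *forbidden) {
    *forbidden = 0;
    switch (p[0]) {
    case 0x90: return 1;                                     /* nop */
    case 0xB8: return 5;                                     /* mov $imm32,%eax */
    case 0xC3: *forbidden = 1; return 1;                     /* ret */
    case 0xCD: *forbidden = 1; return 2;                     /* int $imm8 */
    case 0x0F: *forbidden = 1;                               /* syscall, sysenter */
               return (left >= 2 && (p[1] == 0x05 || p[1] == 0x34)) ? 2 : 0;
    case 0x83: return (left >= 2 && p[1] == 0xE0) ? 3 : 0;   /* and $imm8,%eax */
    case 0xFF: return (left >= 2 && p[1] == 0xE0) ? 2 : 0;   /* jmp *%eax */
    default:   return 0;
    }
}

enum verdict validate(const uint8_t *code, size_t n) {
    size_t prev = n; /* start of the previous instruction; n means none yet */
    for (size_t off = 0; off < n; ) {
        int forbidden;
        size_t len = insn_len(code + off, n - off, &forbidden);
        if (len == 0 || len > n - off) return BAD_OPCODE;
        if (forbidden) return FORBIDDEN;
        if (off / BUNDLE != (off + len - 1) / BUNDLE) return STRADDLE;
        /* jmp *%eax only directly after and $-32,%eax, in the same bundle */
        if (code[off] == 0xFF && (prev == n || code[prev] != 0x83 ||
                code[prev + 2] != 0xE0 || prev / BUNDLE != off / BUNDLE))
            return UNMASKED_JUMP;
        prev = off; off += len;
    }
    return OK;
}

/* Constructed sample inputs. */
const uint8_t masked[] = { 0x83, 0xE0, 0xE0, 0xFF, 0xE0 }; /* and $-32,%eax; jmp *%eax */
const uint8_t bare[]   = { 0x90, 0xFF, 0xE0 };             /* nop; jmp *%eax */
const uint8_t sysc[]   = { 0x90, 0x0F, 0x05 };             /* nop; syscall */
const uint8_t hidden[] = { 0xB8, 0x0F, 0x05, 0x00, 0x00 }; /* mov $0x50f,%eax */

int main(void) {
    printf("%d %d %d %d\n", validate(masked, sizeof masked), validate(bare, sizeof bare),
           validate(sysc, sizeof sysc), validate(hidden, sizeof hidden));
    return 0;
}
```

The `hidden` sample passes even though its immediate contains the bytes `0F 05`: with no instruction straddling a bundle and computed jumps masked to bundle starts, those bytes can never be reached as the start of an instruction.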

To perform operations (drawing graphics etc.), the untrusted code can only call a limited set of trampolines into the trusted part of the process. These are called “syscalls” but aren’t the same as ordinary OS syscalls. They are more like safe procedure calls between threads in the same process. This “syscall” trampoline is described here:

http://www.chromium.org/nativeclient/reference/anatomy-of-a-sys

This is a nice implementation of some old ideas: trusted compilers and code validation have been around for many years, for example on the Burroughs computers and in the JVM respectively.
