native client a sandbox for portable untrusted x86 native
play

Native Client: A Sandbox for Portable, Untrusted x86 Native Code - PowerPoint PPT Presentation

Jan 18, 2023 •97 likes •497 views

Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. Presented by: Gilmore R.

  1. Native Client: A Sandbox for Portable, Untrusted x86 Native Code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki Okasaka, Neha Narula, and Nicholas Fullagar Google Inc. Presented by: Gilmore R. Lundquist April 4, 2012

  2. Overview and Goals Architecture Implementation Extras Outline Overview and Goals 1 Architecture 2 Organization NaCl Modules Communication Service Runtime Trusted NaCl Services Attack Surface Implementation 3 Sandboxing SFI / Inner Sandbox Validator Validator Performance Memory Layout Trampolines Springboard Extras 4 Presented by: Gilmore R. Lundquist Native Client

  3. Overview and Goals Architecture Implementation Extras Outline Overview and Goals 1 Architecture 2 Organization NaCl Modules Communication Service Runtime Trusted NaCl Services Attack Surface Implementation 3 Sandboxing SFI / Inner Sandbox Validator Validator Performance Memory Layout Trampolines Springboard Extras 4 Presented by: Gilmore R. Lundquist Native Client

  4. Overview and Goals Architecture Implementation Extras Overview Native Client (”NaCl”) is: A sandbox for untrusted x86 native code A browser-based framework Designed to: Give browser-based applications the computational performance of native applications Provide operating system portability Provide performance-oriented features Threading Instruction set extensions (e.g., SSE) Compiler intrinsics Hand-coded assembly An open architecture Presented by: Gilmore R. Lundquist Native Client

  5. Overview and Goals Architecture Implementation Extras Computation! Running native code allows previously infeasible computations to run with your browser: Simulation of Newtonian physics Computational fluid-dynamics High-resolution scene rendering Use of languages other than JavaScript Presented by: Gilmore R. Lundquist Native Client

  6. Overview and Goals Architecture Implementation Extras Previous Problems Native code allowed previously (e.g., ActiveX, NPAPI) Presented by: Gilmore R. Lundquist Native Client

  7. Overview and Goals Architecture Implementation Extras Previous Problems Native code allowed previously (e.g., ActiveX, NPAPI) Problem: Native code must be trusted Browser security mechanisms are circumvented Presented by: Gilmore R. Lundquist Native Client

  8. Overview and Goals Architecture Implementation Extras Previous Problems Native code allowed previously (e.g., ActiveX, NPAPI) Problem: Native code must be trusted Browser security mechanisms are circumvented Problem: Trust must be established manually (pop-up boxes) Presented by: Gilmore R. Lundquist Native Client

  9. Overview and Goals Architecture Implementation Extras Previous Problems Native code allowed previously (e.g., ActiveX, NPAPI) Problem: Native code must be trusted Browser security mechanisms are circumvented Problem: Trust must be established manually (pop-up boxes) Ineffective for preventing security problems Presented by: Gilmore R. Lundquist Native Client

  10. Overview and Goals Architecture Implementation Extras Threat Model Modules can contain arbitrary code Runtime confirms that the code conforms to validity rules Code which doesn’t conform is rejected Once accepted, module must be constrained to prevent unintended side effects Presented by: Gilmore R. Lundquist Native Client

  11. Overview and Goals Architecture Implementation Extras Threat Model The NaCl module may: Arbitrarily combine the entire variety of behaviors permitted by the NaCl execution environment in attempting to compromise the system Execute any reachable instruction block in the validated text segment Exercise the NaCl application binary interface to access runtime services in any way: passing invalid arguments, etc. Send arbitrary data via our intermodule communication interface, with the communicating peer responsible for validating input Allocate memory and spawn threads up to resource limits Attempt to exploit race conditions in subverting the system Presented by: Gilmore R. Lundquist Native Client

  12. Overview and Goals Architecture Implementation Extras Outline Overview and Goals 1 Architecture 2 Organization NaCl Modules Communication Service Runtime Trusted NaCl Services Attack Surface Implementation 3 Sandboxing SFI / Inner Sandbox Validator Validator Performance Memory Layout Trampolines Springboard Extras 4 Presented by: Gilmore R. Lundquist Native Client

  13. Overview and Goals Architecture Implementation Extras Organization Figure: Hypothetical NaCl-based application with a trusted storage service. Untrusted modules have a grey background. Native Client is organized in two parts: A constrained execution environment for native code to prevent unintended side effects A runtime for hosting these native code extensions through which allowable side effects may occur safely Presented by: Gilmore R. Lundquist Native Client

  14. Overview and Goals Architecture Implementation Extras Organization Figure: Hypothetical NaCl-based application with a trusted storage service. Untrusted modules have a grey background. Application components (untrusted): Browser component: User Interface written in HTML / JavaScript Constrained by browser Native component: NaCl module Constrained by NaCl container (inner and outer sandboxes) 32-bit executables (currently no 64-bit support) Both parts portable across OS / browser Presented by: Gilmore R. Lundquist Native Client

  15. Overview and Goals Architecture Implementation Extras Organization Figure: Hypothetical NaCl-based application with a trusted storage service. Untrusted modules have a grey background. NaCl system components (trusted): NaCl browser plugin (OS and browser specific) Inter-component communication IMC (Inter-Module Communications) Simple Remote Procedure Call (SRPC) Netscape Plugin Application Programming Interface (NPAPI) Service runtime Trusted NaCl services (e.g., storage service) Presented by: Gilmore R. Lundquist Native Client

  16. Overview and Goals Architecture Implementation Extras NaCl Modules NaCl modules consist of untrusted x86 code NaCl module load is requested by JavaScript Might load one or more modules Loaded silently (no pop-ups involved) Ideally used for pure computation Uses SFI to sandbox and secure Presented by: Gilmore R. Lundquist Native Client

  17. Overview and Goals Architecture Implementation Extras Communication Browser to NaCl module communication subsystems IMC (Inter-Module Communications) Reliable datagram service Can be used by trusted and untrusted clients 2 protocols available, built on IMC (SRPC) Simple Remote Procedure Call Used for JavaScript calls to native code (NPAPI) Netscape Plugin Application Programming Interface Used to access browser state, open URLs, access the DOM Provides facilities normally available in JavaScript Allows: Browser content modifications, handling mouse/keyboard activity, fetching additional site content Shared memory and shared synchronization objects also available from IMC Presented by: Gilmore R. Lundquist Native Client

  18. Overview and Goals Architecture Implementation Extras Service Runtime The service runtime provides system services common to application programming: sysbrk() mmap() malloc() / free() (or similar) POSIX threads subset with NaCl extensions Robust enough to port Intel’s Thread Building Blocks to NaCl POSIX file IO Used for communications channels Used for fetching web-based read-only content Cannot affect the local file system connect() and accept() NOT provided – can create sockets in JavaScript Presented by: Gilmore R. Lundquist Native Client

  19. Overview and Goals Architecture Implementation Extras Trusted NaCl Services Trusted NaCl service (e.g., storage service) Installed as a browser plugin Use of syscalls prevents implementation as NaCl module Communication to and from trusted services is available through any IMC services NaCl module can use static linking to a library to encapsulate communication details Service is trusted, and therefore must assume clients are untrusted! Presented by: Gilmore R. Lundquist Native Client

  20. Overview and Goals Architecture Implementation Extras Attack Surface Components an attacker might exploit: Inner sandbox: Binary validation Outer sandbox: OS system-call interception Service runtime binary module loader Service runtime trampoline interfaces IMC communications interface NPAPI interface Presented by: Gilmore R. Lundquist Native Client

  21. Overview and Goals Architecture Implementation Extras Outline Overview and Goals 1 Architecture 2 Organization NaCl Modules Communication Service Runtime Trusted NaCl Services Attack Surface Implementation 3 Sandboxing SFI / Inner Sandbox Validator Validator Performance Memory Layout Trampolines Springboard Extras 4 Presented by: Gilmore R. Lundquist Native Client

  22. Overview and Goals Architecture Implementation Extras Sandboxing NaCl provides inner and outer sandboxes The outer sandbox is very similar to systrace or Janus (not described in paper) The inner sandbox: Is x86-specific Uses static analysis (taken from proof-carrying code techniques) Disallows Self-modifying code Arbitrary instructions Presented by: Gilmore R. Lundquist Native Client

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory

Faculty of Computer Science Institute for System Architecture, Operating Systems Group Native Client: A sandbox for portable, untrusted x86 native code Bennet Yee, David Sehr, Gregory Dardyk, J. Bradley Chen, Robert Muth, Tavis Ormandy, Shiki

170 views • 13 slides
LLVM on the Web Using Portable Native Client to run Clang/LLVM in the Browser Brad Nelson

LLVM on the Web Using Portable Native Client to run Clang/LLVM in the Browser Brad Nelson

LLVM on the Web Using Portable Native Client to run Clang/LLVM in the Browser Brad Nelson February 1, 2015 @flagxor Motivation Author Ron Reuter (aka MainByte) I created the photo/file and it is released to the public domain. Motivation

692 views • 44 slides
Get your port on! porting to Native Client as of Pepper 18 Colt "MainRoach" McAnlis

Get your port on! porting to Native Client as of Pepper 18 Colt "MainRoach" McAnlis

Get your port on! porting to Native Client as of Pepper 18 Colt "MainRoach" McAnlis 3.05.2012 Getting Started gonacl.com It works! Native Client runs C++ code in a web page No plug-in required The Gist C++ code GCC / G++ NEXE

588 views • 34 slides
Going Native Getting your content discovered What is NATIVE Advertising? With many different

Going Native Getting your content discovered What is NATIVE Advertising? With many different

Going Native Getting your content discovered What is NATIVE Advertising? With many different definitions in the industry this is still a Native advertising is a form of fuzzy concept but Zane Furtado, Acquire Online Programmatic advertising

750 views • 15 slides
Convert an Industry-Leading Native App to React Native 1 sdmay19-02 Team Members: Victor

Convert an Industry-Leading Native App to React Native 1 sdmay19-02 Team Members: Victor

Convert an Industry-Leading Native App to React Native 1 sdmay19-02 Team Members: Victor Amupitan Francis San Filippo Kyle Nordstrom Lucas Kern Michielu Menning Walter Seymour Client: Buildertrend Jake Johnson Rich Kalasky Daric Teske

696 views • 30 slides
Live Coding Kotlin/Native Snake github.com/dkandalov/kotlin-native-snake @dmitrykandalov

Live Coding Kotlin/Native Snake github.com/dkandalov/kotlin-native-snake @dmitrykandalov

Live Coding Kotlin/Native Snake github.com/dkandalov/kotlin-native-snake @dmitrykandalov Lightning talk What is Kotlin/Native? Kotlin/Native is an LLVM backend for the Kotlin compiler, runtime implementation, and native code

995 views • 68 slides
Native Ads Native display ads go across all devices and match the look, feel and visual context

Native Ads Native display ads go across all devices and match the look, feel and visual context

Native Ads Native display ads go across all devices and match the look, feel and visual context of the website or app where they are seen. Why are Native Ads so popular? They get higher click through rates and arent typically blocked by

1.09k views • 83 slides
ILLUMI NATIVE NARRATIVE CHANGE INSIGHTS AND ACTION PRESENTATION ILLUMI NATIVE S MISSION Created

ILLUMI NATIVE NARRATIVE CHANGE INSIGHTS AND ACTION PRESENTATION ILLUMI NATIVE S MISSION Created

ILLUMI NATIVE NARRATIVE CHANGE INSIGHTS AND ACTION PRESENTATION ILLUMI NATIVE S MISSION Created and led by Native peoples, Illumi Native is creating and amplifying authentic, accurate, and contemporary portrayals of Native peoples in pop

634 views • 49 slides
NATIVE MODE PROGRAMMING Fiona Reid Overview What is native mode? What codes are suitable

NATIVE MODE PROGRAMMING Fiona Reid Overview What is native mode? What codes are suitable

NATIVE MODE PROGRAMMING Fiona Reid Overview What is native mode? What codes are suitable for native mode? MPI and OpenMP in native mode MPI performance in native mode OpenMP thread placement How to run over multiple Xeon

508 views • 23 slides
DO YOU RECOGNIZE ME? THE DIGITAL NATIVE The Digital Native Video Students are more and more

DO YOU RECOGNIZE ME? THE DIGITAL NATIVE The Digital Native Video Students are more and more

DO YOU RECOGNIZE ME? THE DIGITAL NATIVE The Digital Native Video Students are more and more visually literate. They live in a world filled with technology and visual input. Patricia Nuez, Palm Springs Middle School 21 st century

450 views • 30 slides
Native Plants in your Yard and Garden. Edible Native Landscape Plants Presented by Shawn

Native Plants in your Yard and Garden. Edible Native Landscape Plants Presented by Shawn

Going Native: the Hows and Whys of including Native Plants in your Yard and Garden. Edible Native Landscape Plants Presented by Shawn Jalbert Acer rubrum & A. saccharum , Red & Sugar Maple Both red and sugar maples can be tapped

432 views • 21 slides
2020 NM NATIVE CENSUS COALITION Background NAVA Education Project Native American Census

2020 NM NATIVE CENSUS COALITION Background NAVA Education Project Native American Census

2020 NM NATIVE CENSUS COALITION Background NAVA Education Project Native American Census Coalition 19 Pueblos 2 Apache Tribes Navajo Nation Urban Native Population Objective: Coordinate and implement plan for

571 views • 14 slides
Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer:

Are We Really Cloud-Native? Bert Ertman Cloud-Native Computing What is Cloud-Native? answer: Blah blah blah Kubernetes! Kubernetes is the Greek god of spending money on cloud services - @QuinniPig About me: Java/Cloud

1.03k views • 67 slides
Native Bank On: Addressing Native Banking Access September 18, 2019 PRESENTERS Christy Finsel

Native Bank On: Addressing Native Banking Access September 18, 2019 PRESENTERS Christy Finsel

Native Bank On: Addressing Native Banking Access September 18, 2019 PRESENTERS Christy Finsel Executive Director, Oklahoma Native Assets Coalition, Inc. PRESENTERS Paige Diner Associate, Cities for Financial Empowerment Fund PRESENTERS

897 views • 27 slides
Barriers to election services and voting for Native Americans Native Americans living on tribal

Barriers to election services and voting for Native Americans Native Americans living on tribal

Barriers to election services and voting for Native Americans Native Americans living on tribal nations are the most disenfranchised population in our great state. Western Native Voice has identified six key barriers for Montana citizens living

243 views • 13 slides
Climate Change and Canadian Native Prairie Jeff Thorpe February 2018 6 th Native Prairie

Climate Change and Canadian Native Prairie Jeff Thorpe February 2018 6 th Native Prairie

Climate Change and Canadian Native Prairie Jeff Thorpe February 2018 6 th Native Prairie Restoration / Reclamation Workshop Native prairie Created the rich soils that now support prairie agriculture. Still makes up 20 - 25% of the

618 views • 28 slides
Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin,

Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin,

Analysing iOS apps: road from AppStore to security analysis report Egor Fominykh, Lenar Safin, Yaroslav Alexandrov SmartDec REcon, Brussels, 2017 What we do at SmartDec Decompilation, deobfuscation x86/x64 ARM/AArch64 JVM,

429 views • 42 slides
Single Run-Time Environment Yutaka Ishikawa, Atsushi Hori, Hiroya Matsuba, Yoshikazu Kamoshida,

Single Run-Time Environment Yutaka Ishikawa, Atsushi Hori, Hiroya Matsuba, Yoshikazu Kamoshida,

Single Run-Time Environment Yutaka Ishikawa, Atsushi Hori, Hiroya Matsuba, Yoshikazu Kamoshida, Kazuki Ohta (University of Tokyo) Shinji Sumimoto (Fujitsu Laboratory) Takashi Yasui (Hitachi) T2K Open Supercomputer Alliance Motivations and

375 views • 12 slides
The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of

The Architecture of Virtual Machines Lecture for the Embedded Systems Course CSD, University of Crete (April 29, 2014) Manolis Marazakis (maraz@ics.forth.gr) Institute of Computer Science (ICS) Foundation for Research and Technology

1.58k views • 31 slides
Processor state Information about %rax currently executing program %rdi General purpose

Processor state Information about %rax currently executing program %rdi General purpose

Processor state Information about %rax currently executing program %rdi General purpose Temporary data ... registers %rax, %rdi, %r14 current parameters, local variables Location of runtime stack %r15 %rsp Location of current

481 views • 14 slides
The Evolution of MPI William Gropp Computer Science www.cs.uiuc.edu/ homes/ wgropp Outline 1.

The Evolution of MPI William Gropp Computer Science www.cs.uiuc.edu/ homes/ wgropp Outline 1.

The Evolution of MPI William Gropp Computer Science www.cs.uiuc.edu/ homes/ wgropp Outline 1. Why an MPI talk? 2. MPI Status: Performance, Scalability, and Functionality 3. Changes to MPI: MPI Forum activites 4. What this (should) mean

586 views • 43 slides
Compiler Construction Lecture 15: x86-64 and real world procedures 2020-02-28 Michael Engel

Compiler Construction Lecture 15: x86-64 and real world procedures 2020-02-28 Michael Engel

Compiler Construction Lecture 15: x86-64 and real world procedures 2020-02-28 Michael Engel Overview The real world: x86-64 Structure of ELF files Storage types Loading and running programs A quick x86-64 assembler intro

796 views • 33 slides
String, I/O , Math, Char, and User Defined Libraries Turgay Korkmaz Office: SB 4.01.13 Phone:

String, I/O , Math, Char, and User Defined Libraries Turgay Korkmaz Office: SB 4.01.13 Phone:

CS 1713 Introduction to Computer Programming II Ch 3 Overview C programming Language Interfaces Libraries String, I/O , Math, Char, and User Defined Libraries Turgay Korkmaz Office: SB 4.01.13 Phone: (210) 458-7346 Fax: (210)

977 views • 73 slides
Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an

Splitting Interfaces Making Trust Between Apps and OS Configurable Trust Model for an Application Kernel is seldom exploited directly (eg. malicious system calls) Attacker takes control of kernel through privileged applications

869 views • 33 slides

More recommend