<!DOCTYPE html>
<!--
Google HTML5 slide template
Authors: Luke Mahé (code)
Marcin Wichary (code and design)
Dominic Mazzoni (browser compatibility)
Charles Chen (ChromeVox support)
URL: http://code.google.com/p/html5slides/
-->
<html>
<head>
<title>Presentation</title>
<meta charset='utf-8'>
<script
src='http://html5slides.googlecode.com/svn/trunk/slides.js'></script>
</head>
<style>
/* Your individual styles here, or just use inline styles if that’s
what you want. */
</style>
<body style='display: none'>
<section class='slides layout-regular template-default'>
<!-- Your slides (<article>s) go here. Delete or comment out the
slides below. -->
<article class="nobackground">
<h1>
Native Client
</h1>
<p>
Matt Page
<br>
August 1, 2012
</p>
</article>
<article class="nobackground">
<h3> Goals </h3>
<ul>
<li> Safe execution environment for native code </li>
<li> OS portability </li>
<li> Maintain performance characteristics of native code </li>
</ul>
</article>
<article class="nobackground">
<h3>
Why are people leery of native code execution?
</h3>
<ul>
<li> Theft of secrets </li>
<li> Installation of malware/spyware </li>
</ul>
</article>
<article class="nobackground">
<h3>
Native code execution != arbitrary code execution
</h3>
<ul>
<li> Native code with no side effects is relatively harmless</li>
<li> Native code with no side effects is relatively useless?</li>
<li> Key: Prove native code has no unintended side effects. </li>
</ul>
</article>
<article class="nobackground">
<h3> Components </h3>
<ul>
<li> Inner Sandbox </li>
<li> Outer Sandbox </li>
<li> Service Runtime </li>
<li> Compiler Toolchain </li>
<li> IMC - Kind of </li>
</ul>
</article>
<article class="nobackground">
<h3>Architecture Overview</h3>
<br />
<img src="nacl_overview.png" />
</article>
<article class="nobackground">
<h3>Inner Sandbox</h3>
Sufficient conditions for limiting side effects:
<ul>
<li> No loads/stores outside the module </li>
<li> No unsafe instructions </li>
<li> Control flow integrity </li>
</ul>
The above conditions can be verified assuming reliable disassembly
and a properly implemented sandbox. Verification of the above is a "proof"
that no unintended side effects will occur.
</article>
<article class="nobackground">
<h3> Inner Sandbox - Controlling Memory References </h3>
<ul>
<li> Segmentation constrains valid references.</li>
<li> %cs register set to limit control flow to [0, NEXE_END). </li>
<li> %ss, %ds, etc. registers set to limit data access to [0, 256MB). </li>
</ul>
<img src="nacl_service_runtime.png" />
</article>
<article class="nobackground">
<h3> Inner Sandbox - Disassembler/Validator </h3>
<ul>
<li> Every non branching instruction is "safe". </li>
<li> Every branching instruction targets a "safe" instruction. </li>
<li> All future states of execution are "safe". </li>
<li> Compiler toolchain generates code that is easily verifiable. </li>
</ul>
</article>
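<article class="nobackground">
<p>
Added illustration (not from the original slides or from the Native Client project): a toy validator in C that enforces the three rules on the preceding slides over a constructed instruction set. The opcode values, the 8-byte bundle size, the error codes and the sample modules are all assumptions made for this example; real NaCl validates x86 with 32-byte bundles, but the shape of the argument is the same: decode linearly, reject anything unknown or unsafe, make every bundle start an instruction start, and force indirect jumps through a mask so every reachable target is a decoded instruction.
</p>

```c
/* Added example: toy inner-sandbox validator over a CONSTRUCTED instruction
 * set. Opcodes, the 8-byte bundle size and the error codes are invented
 * for this illustration; they are not NaCl's real x86 encoding or rules. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BUNDLE   8     /* toy bundle size (NaCl uses 32 on x86) */
#define MAX_CODE 256

enum opcode {
    OP_NOP  = 0x00,  /* 1 byte, safe, used as padding              */
    OP_ADD  = 0x01,  /* 1 byte, safe                               */
    OP_MOV  = 0x02,  /* 2 bytes: opcode, imm8; safe                */
    OP_JMP  = 0x10,  /* 2 bytes: opcode, rel8 (from end of instr)  */
    OP_JMPR = 0x11,  /* 1 byte: indirect jump through a register   */
    OP_MASK = 0x12,  /* 1 byte: reg &= ~(BUNDLE - 1)               */
    OP_TRAP = 0x20   /* 1 byte: direct syscall; never allowed      */
};

enum verdict {
    VALID = 0,
    ERR_BAD_SIZE,           /* module must be whole bundles, at most MAX_CODE */
    ERR_UNKNOWN_OPCODE,     /* disassembly would not be reliable              */
    ERR_UNSAFE_INSTR,       /* rule 1: a non-branch that is not "safe"        */
    ERR_CROSSES_BUNDLE,     /* bundle starts must be instruction starts       */
    ERR_BAD_BRANCH_TARGET,  /* rule 2: direct branch to a non-start           */
    ERR_UNMASKED_INDIRECT   /* rule 2: indirect jump without its mask         */
};

static int instr_len(uint8_t op) {
    switch (op) {
    case OP_NOP: case OP_ADD: case OP_JMPR: case OP_MASK: case OP_TRAP: return 1;
    case OP_MOV: case OP_JMP: return 2;
    default: return 0;   /* unknown opcode */
    }
}

enum verdict validate(const uint8_t *code, size_t len) {
    uint8_t is_start[MAX_CODE] = {0};
    size_t pc;
    /* Segmentation caps %cs at the module end; requiring whole bundles means
     * every bundle-aligned address below that limit is an instruction start. */
    if (len == 0 || len > MAX_CODE || len % BUNDLE != 0) return ERR_BAD_SIZE;

    /* Pass 1: linear decode. Fix instruction boundaries, reject unknown or
     * unsafe opcodes, and forbid instructions that straddle a bundle edge
     * (a straddling instruction at the end would also run past len). */
    for (pc = 0; pc < len; ) {
        int n = instr_len(code[pc]);
        if (n == 0) return ERR_UNKNOWN_OPCODE;
        if (code[pc] == OP_TRAP) return ERR_UNSAFE_INSTR;
        if (pc / BUNDLE != (pc + n - 1) / BUNDLE) return ERR_CROSSES_BUNDLE;
        /* JMPR is the tail of the MASK+JMPR pseudo-instruction: nothing may
         * branch to it directly, so it is not recorded as a legal target. */
        if (code[pc] != OP_JMPR) is_start[pc] = 1;
        pc += n;
    }

    /* Pass 2: every branch must reach a legal instruction start. */
    for (pc = 0; pc < len; ) {
        uint8_t op = code[pc];
        int n = instr_len(op);
        if (op == OP_JMP) {
            long target = (long)(pc + n) + (int8_t)code[pc + 1];
            if (target < 0 || target >= (long)len || !is_start[target])
                return ERR_BAD_BRANCH_TARGET;
        } else if (op == OP_JMPR) {
            /* The mask must be the previous real instruction and sit in the
             * same bundle, so no branch can land between mask and jump. */
            if (pc == 0 || code[pc - 1] != OP_MASK || !is_start[pc - 1] ||
                (pc - 1) / BUNDLE != pc / BUNDLE)
                return ERR_UNMASKED_INDIRECT;
        }
        pc += n;
    }
    return VALID;
}

/* Constructed 16-byte modules (two bundles each) and the expected verdict. */
static const struct { const char *name; uint8_t code[16]; enum verdict expect; }
SAMPLES[] = {
    { "masked indirect jump, then a self-loop",
      {0x02,0x05,0x01,0x12,0x11,0x00,0x00,0x00, 0x10,0xFE,0x00,0x00,0x00,0x00,0x00,0x00},
      VALID },
    { "direct syscall in untrusted code",
      {0x02,0x05,0x20,0x12,0x11,0x00,0x00,0x00, 0x10,0xFE,0x00,0x00,0x00,0x00,0x00,0x00},
      ERR_UNSAFE_INSTR },
    { "MOV straddles the bundle edge",
      {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x02, 0x05,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
      ERR_CROSSES_BUNDLE },
    { "JMP into the middle of itself",
      {0x10,0xFF,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
      ERR_BAD_BRANCH_TARGET },
    { "MASK and JMPR split across bundles",
      {0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x12, 0x11,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
      ERR_UNMASKED_INDIRECT },
    { "direct JMP skips the MASK",
      {0x10,0x03,0x00,0x00,0x12,0x11,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
      ERR_BAD_BRANCH_TARGET },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

enum verdict validate_sample(size_t i) { return validate(SAMPLES[i].code, 16); }
enum verdict expected_sample(size_t i) { return SAMPLES[i].expect; }

int main(void) {
    for (size_t i = 0; i < NSAMPLES; i++)
        printf("%-40s -> %s\n", SAMPLES[i].name,
               validate_sample(i) == expected_sample(i) ? "as expected" : "MISMATCH");
    return 0;
}
```

<p>
The last two samples are the cases worth studying: an indirect jump whose mask sits in the previous bundle, and a direct jump that lands on the jump but skips its mask. Both decode cleanly instruction by instruction, and only the control-flow pass rejects them, which is why the slide lists control flow integrity as a separate condition from "no unsafe instructions".
</p>
</article>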
<article class="nobackground">
<h3> Service Runtime </h3>
<img src="nacl_overview.png" />
</article>
<article class="nobackground">
<h3> Service Runtime </h3>
<ul>
<li> Trust boundary </li>
<li> Injects trampolines into (4k, 64k) for untrusted -> trusted control flow. </li>
<li> Injects a springboard into (4k, 64k) for trusted -> untrusted control flow. </li>
</ul>
<img src="nacl_service_runtime.png" />
</article>
<article class="nobackground">
<h3> Outer Sandbox </h3>
<img src="nacl_overview.png" />
</article>
<article class="nobackground">
<h3> Outer Sandbox </h3>
<ul>
<li> Defense in depth. </li>
<li> Policy based enforcement of allowed syscalls at the process level. </li>
<li> OS Specific implementations. </li>
<li> OSX - Seatbelt / `man 7 sandbox`. </li>
<li> Windows - Custom implementation </li>
<li> Linux - Seccomp, AppArmor, setuid </li>
</ul>
</article>
<article class="nobackground">
<h3> Results </h3>
<ul>
<li> Speed comparable to unmodified executable. </li>
<li> Size impact varies widely depending on number of distinct callsites. </li>
</ul>
</article>
<article class="nobackground">
<h3>
Discussion
</h3>
<ul>
<li> Real motivation? </li>
<li> Real apps need side effects? </li>
<li> Does the performance of V8's JIT obviate the need for NaCl? </li>
<li> Other uses? </li>
</ul>
</article>
</section>
</body>
</html>