Google Native Client Sandboxing

Reference: NaCl1, PNaCl2

Original NaCl

Inner sandbox, the NaCl module:

  • code section is read-only and statically linked;
  • code section is conceptually divided into fixed sized bundles of 32 bytes.
  • All valid instructions are reachable by a dissassembly starting at a bundle beginning.
  • All indirect control flow instructions are replaced by a multiple-instruction sequence (pseudo-instruction) that ensures target address alignment to a bundle boundary.

  • No instructions or pseudo-instrucitons in the binary crosses a bundle boundary.

  • All rules above are checked by a verifier brefore a program is executed. This verifier with the runtime system comprise NaCl’s trusted computing base (TCB).

Outer sandbox: system call interposition

  • mediates system calls at the process boundary;
  • similar to prior stuctures: systrace3 and Janus 4.

Thread model of original NaCl

  • code for untrusted module: confirms to validity rules, reject otherwise.
  • NaCl module may
    • execute any reachable instruction block in the validated text segment; –> weak control flow
    • exercise the NaCl ABI to access runtime servies in any way: passing invalid arguments, etc.
    • send arbitrary data via our intermodule communication interface;
    • allocate memory and spawn threads up to resource limits. ??? how to limit the resource of a sandbox?

(From Chapter 2, page 3) Native Client is ideal for application components requiring pure computation. It is not appropriate for modules requiring process creation, direct file system access, or unrestricted access to the network.

Interfaces of NaCl to communicate outside of sandbox

  • Inter-Module Communications (IMC) for general inter-component communication;used by both trusted and untrusted components, such as the trusted JavaScript components, NaCl browser plugin, and untrusted NaCl modules.

    • send/receiving datagrams, contains:
    • untyped arrays, along with optional:
    • NaCl Resource Descriptors for sharing of files, shared memory objects, communication channels, etc.

  • Communicate between Browser and NaCl module:

    • Simple RPC facility (SRPC)
    • Netscap Plugin Application Programming Interface (NPAPI)
    • Both based on IMC

  • “service runtime” and NaCl module:

    • memory management operations;
    • thread creation;
    • other system services. sysbrk(), mmap(), malloc()/free()
    • Analogous to the system call interface of a conventional OS.
    • System call interception.

Attack surface

  • Inner sandbox: binary validation
  • Outer sandbox: OS system-call interception
  • Service runtime binary module loader
  • Service runtime trampoline interfaces
  • IMC communication interface
  • NPAPI interface

(From 2.3, page 4): In addition to the inner and outer sandbox, the system design also incorporates CPU blacklist and NaCl module blacklist. ==> ??? What is the CPU black-list, NaCl black-lists????

NaCl dev environment

  • Linux based
  • GCC 4.2.2

Native Client applies concepts of software isolation and proof-carrying code that have been extensively discussed in the research literature.

  • NaCl data integrity scheme is a straightforward application of segmented memory as implemented in the Intel 80386.

  • NaCl control flow integrity technique builds on the seminal work by Wahbe, Lucco, Anderson and Graham5. Native Client extends this previous work with specific mechanisms to achieve safety for the x86 ring-3 instruction set archtecture, using several techniques first described by McCamant and Morrisett6.

  • NaCl uses a static validator rather than a trusted compiler, similar to validators described for other systems 6 7 8 9, applying the concept of proof-carrying code10.

Compare with CFI11:

  • CFI: finer-grained control flow integrity. NaCl: only guarantees indirect control flow will target an aligned address in the text;

  • Finer-grained CFI is not useful for Native Client:

    • NaCl intends to permit quite arbitrary control flow, even hand-coded assembler, as long as execution remains in known text and targets are aligned.

  • CFI 15% on SPEC 2000. Three times higher than NaCl 5%.

  • XFI 9 add data dandboxing to CFI control flow checks. with additioinal overhead; NaCl get data integrity for free from x86 segments

NaCl descriptors similar mechanisms:

  • EROS [^55] capabilities.
  • Singularity [^30] channel.
  • DTrace[^11], Systemtap8, XFI9.

Interrupt Handling

Hardware exceptions (segmentation faults, floating point exceptions) and external interrupts are not allowed, due in part to distinct and incompatible exception models in Linux, MacOS and Windows. Both Linux and Windows rely on the x86 stack via %esp for delivery of these events. Regrettably, since NaCl modifies the %ss segment register, the stack appears to be invalid to the operating system, such that it cannot deliver the event and the corresponding process is immediately terminated. The use of x86 segmentation for data sandboxing effectively precludes recovery from these types of exceptions.

Portable Native Client

  • Portable NaCl

    • Portable Native Client 1: control flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. Introduction About previous SFI on CISC Control+store SFI on x86-32, which we considered excessive, indicates about 25% overhead. “As we continued our exploration of ARM SFI and sought to understand ARM behavior relative to x86 behavior, we could not adequately explain the observed performance gap between ARM SFI at under 10% overhead with the overhead on x86-32 in terms of instruction set differences.

  1. Native Client: A Sandbox for Portable, Untrusted x86 Native Code. SP 2009. ↩
  2. Adapting Software Fault Isolation to Contemporary CPU Architectures. USENIX SEC, 2010. ↩
  3. N. Provos. Improving host security with system call policies. USENIX Security, 2003. ↩
  4. A secure environment for untrusted helper applications. USENIX Security, 1996. ↩
  5. Efficient software-based fault isolation. By R. Wahbe, S. Lucco, T.E. Anderson, and S.L. Graham. ACM SIGOPS Operating System Review. 1993. ↩
  6. Efficient, verifiable binary sandboxing for a CISC architecture. By S. McCamant and G. Morrisett. MIT-CSAIL-TR-2005-30, 2005. ↩
  7. Evaluating SFI for a CISC architecture. By S. McCamant and G. Morrisett. USENIX Security, 2006. ↩
  8. Locating system problems using dynamic instrumentation. Ottawa Linux Symposium, 2005. ↩
  9. XFI: Software guards for system address spaces. OSDI, 2006. ↩
  10. G. Necula. Proof carrying code. Principles of Programming Languages. 1997. ↩
  11. Control flow integrity: Principles, implementations, and applications. By M. Abadi, M. Budiu, U. Erlingsson, and J. Ligatti. CCS, 2005. ↩
Created Aug 12, 2019 // Last Updated Feb 10, 2022

If you could revise
the fundmental principles of
computer system design
to improve security...

... what would you change?