Native Client: A Sandbox for Portable, Untrusted x86 Native Code

This paper describes the design, implementation and evaluation of Native Client, a sandbox for untrusted x86 native code. Native Client aims to give browser-based applications the computational performance of native applications without compromising safety. Native Client uses software fault isolation and a secure runtime to direct system interaction and side effects through interfaces managed by Native Client. Native Client provides operating system portability for binary code while supporting performance-oriented features generally absent from web application programming environments, such as thread support, instruction set extensions such as SSE, and use of compiler intrinsics and hand-coded assembler. We combine these properties in an open architecture that encourages community review and third-party tools.
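The abstract names software fault isolation as the mechanism that keeps untrusted native code from escaping the sandbox. What that means in practice is a static validator that refuses to load any binary whose instruction stream could reach an address or instruction the sandbox does not control. The following is an added illustration of that idea, written for this page and not taken from the paper or from the Native Client code base. It models a greatly simplified x86 listing as a list of records and applies the NaCl-style rules: instructions may not straddle a fixed-size bundle boundary, indirect jumps must be immediately preceded by an AND that masks the target register to a bundle start, direct transfers may only land on instruction starts and never on the second half of a masked-jump sequence, calls must end on a bundle boundary so the return address is aligned, and privileged or unsafe instructions (ret, syscall, int, ...) are rejected outright. The bundle size (32 bytes), the mask value, the text-region bounds and the sample listings are assumptions chosen for the illustration.

```python
"""Toy NaCl-style SFI validator over a simplified instruction listing (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

BUNDLE = 32                              # assumed bundle size (NaCl aligns code to 32-byte bundles)
MASK = (~(BUNDLE - 1)) & 0xFFFFFFFF      # 0xffffffe0: clears the low 5 bits of a jump target
TEXT_START, TEXT_END = 0x10000, 0x20000  # assumed sandbox text region
FORBIDDEN = {"ret", "syscall", "sysenter", "int", "hlt", "lgdt", "lidt"}


@dataclass(frozen=True)
class Insn:
    addr: int
    size: int
    op: str                        # e.g. "mov", "and", "jmp", "call", "jmp_ind", "call_ind", "ret"
    reg: Optional[str] = None      # register used by "and" and by indirect transfers
    target: Optional[int] = None   # destination of a direct jmp/call
    mask: Optional[int] = None     # immediate operand of "and"


def bundle_of(addr: int) -> int:
    return addr // BUNDLE


def validate(insns: list[Insn]) -> list[str]:
    """Return a list of violations; an empty list means the listing is accepted."""
    errors: list[str] = []
    starts = {i.addr for i in insns}
    # Second halves of masked-jump pseudo-instructions: a direct transfer may land on
    # the AND but never on the JMP after it, or the mask could be skipped.
    unsafe_targets: set[int] = set()
    prev: Optional[Insn] = None
    for ins in insns:
        end = ins.addr + ins.size
        if not (TEXT_START <= ins.addr and end <= TEXT_END):
            errors.append(f"{ins.addr:#x}: instruction lies outside the sandbox text region")
        if bundle_of(ins.addr) != bundle_of(end - 1):
            errors.append(f"{ins.addr:#x}: {ins.op} straddles a {BUNDLE}-byte bundle boundary")
        if ins.op in FORBIDDEN:
            errors.append(f"{ins.addr:#x}: {ins.op} is not allowed in untrusted code")
        if ins.op in ("jmp", "call") and (ins.target is None or ins.target not in starts):
            shown = hex(ins.target) if ins.target is not None else "?"
            errors.append(f"{ins.addr:#x}: direct {ins.op} to {shown} is not an instruction start")
        if ins.op in ("jmp_ind", "call_ind"):
            # The AND must be the immediately preceding instruction, on the same
            # register, with the bundle mask, and in the same bundle as the jump.
            masked = (prev is not None and prev.op == "and" and prev.reg == ins.reg
                      and prev.mask == MASK and prev.addr + prev.size == ins.addr
                      and bundle_of(prev.addr) == bundle_of(ins.addr))
            if masked:
                unsafe_targets.add(ins.addr)
            else:
                errors.append(f"{ins.addr:#x}: indirect {ins.op} through {ins.reg} "
                              f"without an adjacent AND {MASK:#x} in the same bundle")
        if ins.op in ("call", "call_ind") and end % BUNDLE != 0:
            errors.append(f"{ins.addr:#x}: {ins.op} must end on a bundle boundary "
                          "so the pushed return address is bundle-aligned")
        prev = ins
    for ins in insns:
        if ins.op in ("jmp", "call") and ins.target in unsafe_targets:
            errors.append(f"{ins.addr:#x}: direct {ins.op} into the middle of a masked jump")
    return errors


# Constructed sample listings (not real compiler output).
GOOD = [
    Insn(0x10000, 5, "mov"),
    Insn(0x10005, 3, "and", reg="eax", mask=MASK),   # and $0xffffffe0, %eax
    Insn(0x10008, 2, "jmp_ind", reg="eax"),          # jmp *%eax, masked and in-bundle
    Insn(0x1000A, 22, "nop_pad"),                    # padding to the next bundle
    Insn(0x10020, 27, "nop_pad"),
    Insn(0x1003B, 5, "call", target=0x10000),        # ends exactly at 0x10040
    Insn(0x10040, 5, "jmp", target=0x10005),         # lands on the AND, which is fine
    Insn(0x10045, 1, "pop", reg="ecx"),              # NaCl-style return: pop + masked jmp
    Insn(0x10046, 3, "and", reg="ecx", mask=MASK),
    Insn(0x10049, 2, "jmp_ind", reg="ecx"),
]

BAD = [
    Insn(0x10000, 5, "mov"),
    Insn(0x10005, 2, "jmp_ind", reg="eax"),          # unmasked indirect jump
    Insn(0x10007, 1, "ret"),                         # forbidden instruction
    Insn(0x10008, 30, "mov"),                        # crosses the 0x10020 bundle boundary
    Insn(0x10026, 5, "jmp", target=0x10009),         # into the middle of an instruction
    Insn(0x1002B, 3, "and", reg="eax", mask=MASK),
    Insn(0x1002E, 2, "jmp_ind", reg="eax"),          # properly masked
    Insn(0x10030, 5, "jmp", target=0x1002E),         # skips the AND
]

if __name__ == "__main__":
    print("GOOD:", validate(GOOD) or "accepted")
    for e in validate(BAD):
        print("BAD:", e)
```

A real validator works on decoded bytes rather than pre-labelled records and also has to handle the x86 decoding ambiguities (the reason every bundle must start at an instruction boundary reachable only through a masked jump), but the acceptance rules it enforces are the ones checked above.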
