Native Client (Евгений Эльцин)

Upload: ontico

Post on 16-Apr-2017

Native Client

Evgeny Eltsin

Overview

Why Native Client?

What is it?

How does it work?

Ecosystem

Developer stuff

Why Native Client?

Close the gap between desktop and web apps

Performance

Choice of programming language

Leverage legacy code

Why Native Client?

Close the gap between desktop and web apps

Safety

Portability

Web Apps

Interpreted languages (JavaScript)

Safe

but often slow

How to Improve?

Just-In-Time compiler

Faster (fast enough?)

and often complex (more vulnerable?)

Web Apps

Native code "as is" (ActiveX)

Fast

but not safe

How to Improve?

Make native code "manageable"?

OS gives few options

What is Native Client?

NaCl: a system for safe execution of untrusted native code

In a web browser

Open-source http://code.google.com/p/nativeclient

What is it Good for?

Port desktop apps to the web

Zero install

Performance close to native

What is it Good for?

Enhance web apps with

C/C++/... libraries (libcrypt, CGAL, ...)

New high-performance code (threads, hand-coded asm, ...)

What is it Good for?

Sandbox existing plugins

Stop asking users to trust your code

Lunch isn't Free

Must recompile from source

and do some porting

Some system interfaces are unavailable

Still work in progress

What is Safe?

No side effects except via explicit secure interfaces

Runtime Sandbox

No side effects ...

No read, write or execute outside of the sandbox

... except via explicit secure interfaces

"system calls"

How Does it Work?

Runtime sandbox is created via an agreement between

Code generator (untrusted)

Validator and loader (trusted)

Trusted part is simple

What is Code Validation?

First, disassemble all executable code

No overlapping instructions

Run-time code generation needs special support

Control Flow Integrity

Do we jump to code we know?

Direct jumps are easy to validate

but indirect?

Instruction Bundles

Every bundle-aligned code address is a potential jump target

No instructions cross bundle boundaries

Code generator pads with NOPs

Bundle is 32 bytes (size chosen by experiment)

Instruction Bundles

Indirect jumps always go to a bundle-aligned address

Code generator emits code to enforce this

Validator checks enforcement

i386 Example

Before (as a compiler would normally emit it):

call 0x1280(%eax)

After (code generator masks the target to a bundle-aligned address, then calls):

lea 0x1280(%eax), %eax

and $0xffffffe0, %eax

call *%eax
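The validation rules on these slides (one linear disassembly with no overlapping instructions, nothing crossing a 32-byte bundle, indirect jumps only through a register masked by the preceding instruction), modelled as a small checker. This is an added example, not NaCl's validator: instructions arrive pre-decoded with their x86 sizes, and the `Insn` type, the `validate` function and the `GOOD`/`BAD` samples are all constructed here, with each "nop" entry standing in for a NOP sequence of that length.

```python
# Model of the validator rules from the slides (added example, not NaCl's real
# validator): instructions arrive pre-decoded instead of being disassembled here.
from collections import namedtuple

BUNDLE = 32                 # "Bundle is 32 bytes"
ALIGN_MASK = 0xFFFFFFE0     # and $0xffffffe0, %reg clears the low 5 bits
# addr/size in bytes; operands: int = direct target, str = register or memory operand
Insn = namedtuple("Insn", "addr size mnemonic operands", defaults=[()])

def validate(code):
    """Return the rule violations found; an empty list means the code is accepted."""
    errors, starts = [], {insn.addr for insn in code}   # starts: legal direct targets
    expected = code[0].addr if code else 0
    for idx, insn in enumerate(code):
        end = insn.addr + insn.size
        if insn.addr != expected:   # Rule 1: one linear disassembly, no overlaps or gaps
            errors.append(f"{insn.addr:#x}: overlaps the previous instruction or follows a gap")
        expected = end
        if insn.addr // BUNDLE != (end - 1) // BUNDLE:   # Rule 2: never cross a bundle
            errors.append(f"{insn.addr:#x}: {insn.mnemonic} crosses a bundle boundary")
        if insn.mnemonic not in ("jmp", "call"):
            continue
        target = insn.operands[0]
        if isinstance(target, int):   # Rule 3: direct jumps must hit an instruction start
            if target not in starts:
                errors.append(f"{insn.addr:#x}: direct {insn.mnemonic} into the middle of an instruction")
            continue
        # Rule 4: an indirect jump goes through a register that the immediately preceding
        # instruction masked to bundle alignment, in the same bundle, so the mask can't be skipped
        prev = code[idx - 1] if idx > 0 else None
        masked = (target.startswith("*%") and prev is not None and prev.mnemonic == "and"
                  and prev.operands == (ALIGN_MASK, target[1:])
                  and prev.addr // BUNDLE == insn.addr // BUNDLE)
        if not masked:
            errors.append(f"{insn.addr:#x}: indirect {insn.mnemonic} via {target[1:]} is not masked in its bundle")
    return errors

# Constructed sample: the slide's sequence, padded with NOPs (x86 sizes: lea 6, and 3,
# call *%eax 2, jmp rel32 5); each "nop" entry stands for a NOP sequence of that size.
GOOD = [Insn(0x00, 6, "lea", ("0x1280(%eax)", "%eax")), Insn(0x06, 3, "and", (ALIGN_MASK, "%eax")),
        Insn(0x09, 2, "call", ("*%eax",)), Insn(0x0b, 21, "nop"),
        Insn(0x20, 5, "jmp", (0x00,)), Insn(0x25, 27, "nop")]
# Same code with the mask dropped and the direct jump aimed inside the lea
BAD = [Insn(0x00, 6, "lea", ("0x1280(%eax)", "%eax")), Insn(0x06, 2, "call", ("*%eax",)),
       Insn(0x08, 24, "nop"), Insn(0x20, 5, "jmp", (0x03,)), Insn(0x25, 27, "nop")]

if __name__ == "__main__":
    print(validate(GOOD), validate(BAD))
```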

Checking Read, Write and Jump

i386 Example

Validator checks that instructions use the correct segment registers

Loader sets segment registers correctly

Loader protects memory accordingly

System Calls

Trampoline to the outside

Valid jump target inside the sandbox

Does "context switch" and jump out of the sandbox

Generated by trusted loader

Ecosystem

Availability

i386, x86_64, ARM

Linux, Windows, MacOS

chrome --enable-nacl

Firefox plugin (fewer features than in Chrome, unfortunately)

Portability

PNaCl - work in progress

Portable representation (LLVM bitcode)

Final translation on the client

or translation/cache server

Deployment

HTML

Binary picked by client architecture

Scripting interface

What works?

Gallery at http://code.google.com/p/nativeclient

And much more stuff:

Quake

Video decoder

Python

Developer Stuff

ILP32 data model for all architectures

Linux-like programming environment

ELF binaries

Netscape Plugin API/Pepper Plugin API

Native Client SDK

http://code.google.com/p/nativeclient-sdk

Ported GNU toolchain

gcc 4.4.3 (4.5 coming)

newlib (glibc coming)

Native Client Ports

http://code.google.com/p/naclports

zlib

cairo

mesa

theora

expat

Developers Welcome!

Lots of fun projects

GTK

SDL

and your choice of cool stuff!

Thank You!

Questions?

25.10.2010
