Google Native Client Puts x86 On the Web

t3rmin4t0r writes "Google has announced its Google native client, which enables x86 native code to be run securely inside a browser. With Java applets already dead and buried, this could mean the end of the new war between browsers and the various JavaScript engines (V8, Squirrelfish, Tracemonkey). The only question remains whether it can be secured (ala ActiveX) and whether the advantages carry over onto non-x86 platforms. The package is available for download from its Google code site. Hopefully, I can finally write my web apps in asm." Note: the Google code page description points out that this is not ready for production use: "We've released this project at an early, research stage to get feedback from the security and broader open-source communities." Reader eldavojohn links to a technical paper linked from that Google code page [PDF] titled "Native Client: A Sandbox for Portable, Untrusted x86 Native Code," and suggests this in-browser Quake demo, which requires the Native Code plug-in.

Re:doesn't sound too secure yet

[meepzorb]

With the x86 instruction set, I can load a data file and execute a jump to a data segment without the code having passed through any sort of system loader.

...and that won't be insecure at all!

(I just love it when my browser runs unmanaged code full of unverified branch statements!)

Re:doesn't sound too secure yet

[Moochman]

It's first compiled to an intermediate "Java bytecode" which is THEN upon being run compiled "Just in Time" to the native bytecode.

The difference is that an interpreter is compiling "Just in Time" directly from the source code, which as a rule is considerably slower.