Google NativeClient Security Contest

← Back to Stories (view on slashdot.org)

Google NativeClient Security Contest

Posted by kdawson on Monday March 2, 2009 @12:10PM from the insert-favorite-salt-pun-here dept.

An anonymous reader writes "You may remember Google's NativeClient project, discussed here last December. Don't be fooled into calling this ActiveX 2.0 — rather than a model of trust and authentication, NaCl is designed to make dangerous code impossible by enforcing a set of a rules at load time that guarantee hostile code simply cannot execute (PDF). NaCl is still in heavy development, but the developers want to encourage low-level security experts to take a look at their design and code. To this end Google has opened the NativeClient Security Contest, and will award prizes topping out at $2^13 to top bug submitters. If you're familiar with low level security, memory segmentation, accurate disassembly of hostile code, code alignment, and related topics, do take a look. Mac, Linux, and Windows are all supported."

42 of 175 comments (clear)

Any project named NaCl by iamacat · 2009-03-02 12:12 · Score: 5, Funny

Simply has to be taken with a grain of salt!
1. Re:Any project named NaCl by palegray.net · 2009-03-02 12:18 · Score: 4, Funny
  
  Just wait till the KDE project gets their hands on this concept; we'll be seeing a new SourceForge project for KCl any day now.
  
  --
  512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
2. Re:Any project named NaCl by c0d3g33k · 2009-03-02 12:36 · Score: 4, Funny
  
  Good one. It made me CaCl.
3. Re:Any project named NaCl by gringer · 2009-03-02 12:38 · Score: 4, Funny
  
  Q: Why did the bridge end up in police custody?
  A: It was charged with a salt
  Q: Why did the wire end up in jail?
  A: It was connected with a battery
  Q: How do you know the potassium did something wrong?
  A: They were inside a cell
  
  --
  Ask me about repetitive DNA
4. Re:Any project named NaCl by The+Raven · 2009-03-02 12:59 · Score: 3, Funny
  
  A name like that would poison support for their project.
  
  --
  "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
5. Re:Any project named NaCl by MarkRose · 2009-03-02 15:17 · Score: 4, Funny
  
  PbF!! Yeah right it did.
  Will Slashdot receive the Nobel Prize in Chemistry for discovering the onomatopoeic bond?
  
  --
  Be relentless!
x86 in the browser? Ugh... by gravos · 2009-03-02 12:18 · Score: 5, Insightful

I'm sorry, I just don't buy this whole thing. x86 in the browser? Ugh... Because all that we need is to further promote an archaic instruction set that won't die because of all the pre-existing code compiled for it. An instruction set that was finally starting to loosen its grip as the industry worked toward more abstract solutions.

--
This game will waste your life. Don't clicky!
1. Re:x86 in the browser? Ugh... by tlhIngan · 2009-03-02 17:05 · Score: 2, Insightful
  
  I'm sorry, I just don't buy this whole thing. x86 in the browser? Ugh... Because all that we need is to further promote an archaic instruction set that won't die because of all the pre-existing code compiled for it. An instruction set that was finally starting to loosen its grip as the industry worked toward more abstract solutions.
  Better yet, we don't have any existing code for this system yet. It won't run ActiveX, so there's no code loss there. And now we're going to have to put the equivalent of Bochs or Qemu now into every browser on mobile devices? If you thought no Flash on the iPhone was bad, now all mobile browsers have to have Bochs/Qemu so they can run these plugins.
  LLVM would be better. Or since these mobile systems are predominantly ARM, and ARM is more or less the predominant architecture everywhere (outselling x86 CPUs mostly because ARM is highly embeddable), why not make x86 emulate the ARM? x86 systems run faster than the vast majority of ARM systems, and would tax the x86 CPU less than a 400MHz one in say, the iPhone.
  And really - why? Do we really need another Java equivalent?
2. Re:x86 in the browser? Ugh... by Anonymous Coward · 2009-03-03 00:38 · Score: 2, Insightful
  
  I was thinking the same thing. The least they could do is use a nice neutral intermediate representation like LLVM bc and JIT compile it to whatever.
  But what would they call this wonderful new concept? I suggest Java.
3. Re:x86 in the browser? Ugh... by pohl · 2009-03-03 04:09 · Score: 2, Informative
  
  Amusing joke, but entirely dissimilar. It seems to me that if you want to prove that code doesn't do anything nasty, then a single-static-assignment IR could be very useful. JVM bytecode could never pull that trick. Also, LLVM imposes no runtime requirements whatsoever. None. It and Java are at opposite ends of that spectrum.
  
  --
  The "cue the foo posts in 3, 2, 1..." posts will commence with no subsequent foo posts in 3, 2, 1...
Re:NaCl? by palegray.net · 2009-03-02 12:19 · Score: 4, Interesting

Eh, it's an okay choice for a project related to security.

--
512 MB RAM, 20 GB disk, 200 GB transfer, five datacenters. $19.95/month.
dangerous code impossible? by thermian · 2009-03-02 12:23 · Score: 5, Insightful

I doubt that. More likely they intend to make its detection and negation easier.
After all, the best language man can devise can only work as well as the coders who utilise it. If they are forced to cut corners in order to meet deadlines, errors will creep in, and we all know the urge to be first to profit is a prime reason for such things.

--
A learning experience is one of those things that say, 'You know that thing you just did? Don't do that.' - D. Adams
1. Re:dangerous code impossible? by Cyberax · 2009-03-02 12:31 · Score: 4, Insightful
  
  Nope. NaCl is designed to be secure, read the PDF (I read it some time ago).
  It's not really that hard, VMWare/VBox does something like this for 10 years now.
  There might be some subtle race condition bugs, but so far it looks very well thought out.
So what you're saying.. by michaelhood · 2009-03-02 12:26 · Score: 2, Funny

Don't be fooled into calling this ActiveX 2.0 â" rather than a model of trust and authentication, NaCl is designed to make dangerous code impossible by enforcing a set of a rules at load time that guarantee hostile code simply cannot execute (PDF).
So what you're saying is..
Using just one half of NaCl could be poisonous, but when sprinkled atop the web as one all is well?
Proofs are only as good as the implementation. by Anonymous Coward · 2009-03-02 12:30 · Score: 5, Insightful

Beware of bugs in the above code; I have only proved it correct, not tried it.
- Knuth
Re:gee - sounds exactly like... by Nicopa · 2009-03-02 12:30 · Score: 2, Funny

Which in turn sounds pretty similar to... Java!
This is like the opening of a monster movie by Sloppy · 2009-03-02 12:31 · Score: 3, Insightful

where the scientist is saying he's covered all the bases, and nothing can go wrong.

--
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1. Re:This is like the opening of a monster movie by cjfs · 2009-03-02 12:41 · Score: 4, Funny
  
  where the scientist is saying he's covered all the bases, and nothing can go wrong.
  If this is a monster movie, I'd hate to think what ActiveX was.
2. Re:This is like the opening of a monster movie by Sloppy · 2009-03-02 13:04 · Score: 2, Insightful
  
  That's the original. This is Rob Zombie or Marcus Nispel remake.
  
  --
  As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Re:gee - sounds exactly like... by Lifyre · 2009-03-02 12:33 · Score: 2, Insightful

Is .NET open source?
Has .NET been vetted by experts in the way open source projects like this will be?
Is .NET likely to ever be cross platform?
Is .NET for running x86 code?
Now I'm no expert and could be way off base but there seem to be some pretty major differences here....

--
I'll meet you at the intersection of "Should be" and "Reality"
2^13? by Moraelin · 2009-03-02 12:40 · Score: 4, Insightful

Admittedly, it's after past 1AM, so maybe my maths stopped working by now, but isn't 2^13 about 8000 dollars for the grand prize? It seems a bit low for all the work of basically reviewing their code and concepts.
Hostile code disassembly? If it were that simple to disassemble someone else's code and automatically prove that it can't do anything wrong -- including by having security holes exploitable by a third party -- forget the browser, we'd have it standard in the OS or in the last step of make/ant/whatever. We could all stop worrying about antiviruses (who, in turn, would stop needing signatures and heuristics updated all the time anyway), reviewing code by hand to see if all buffers are checked, etc. Just run the magic utility and it'll tell you.
I'm willing to bet that at least the antivirus makers have tried that before, you know, what with all of them offering some forms of heuristics by now, and none of them got it past the level of hit-and-miss. More miss than hit, in fact.
Not saying that Google couldn't have got some genius that actually made it work, but at the very least it's not going to be a trivial job digging through all their cases to check if they really checked all possible attack vectors.
And 8192 dollars doesn't really seem to be much incentive for doing that work.

--
A polar bear is a cartesian bear after a coordinate transform.
1. Re:2^13? by cjfs · 2009-03-02 12:45 · Score: 4, Funny
  
  Admittedly, it's after past 1AM, so maybe my maths stopped working by now, but isn't 2^13 about 8000 dollars for the grand prize?
  I contacted Google and their reply confirms your approximate amount.
2. Re:2^13? by Cyberax · 2009-03-02 12:49 · Score: 3, Insightful
  
  NaCl just does not check that there's no buffer overflows, instead it isolates the program to make sure that buffer overflows do not cause problems.
  I.e. you can can overflow, use dangling pointers and cause all sorts of access violations to your heart's contents inside the NaCl sandbox. But it won't cause a security breach.
3. Re:2^13? by Tyger · 2009-03-02 13:09 · Score: 4, Interesting
  
  The PDF was an interesting read, though I agree that the money they are dishing out is pretty paltry for all the free review they are trying to garner. Furthermore, I think they are taking platform neutrality in the wrong direction by locking the idea in to the x86 architecture.
  But about how it would work, they are basically enforcing strict limits on how the code can be structured. The limits are designed to make the code easily analyzed. Anything that falls outside the strict requirements is rejected. It doesn't work for antivirus because they have to deal with any code that comes in without restriction.
  As to why it doesn't work for OS... There is no reason the basic concept wouldn't, aside from the performance penalty and increased code size. (Though further compiler optimization could minimize or eliminate some of that).
  However, if you want to go that route of making an OS do it, you might as well pick up a decent modern RISC architecture, because you're already breaking compatibility with any past program for any OS on the x86 CPU. Most of what they are doing is basically taking something that is standard on RISC and shoehorning it into the CISC architecture of the x86. Namely that instruction boundries can be reliably tested for jumps. They enforce that by requiring jumps only to 32 byte boundries, and then verifying each 32 byte block for correctness. Combined with disallowing self modifying code and eliminating the stack completely, all code that executes can be properly analyzed ahead of time.
  The concept looks sound to me (Experience working low level with x86 architecture) but the security still relies on the implementation. Off the top of my head I can think of several ways to break the sandbox depending on how it is implemented. However the PDF is quite short on the details to evaluate the implementation. Namely, what exactly qualifies as an allowed x86 instruction, and for the syscalls that are checked, what the check is, not to mention the potential for bugs in the syscall handler for what would otherwise be valid calls, and even potentially the state of the OS or process when the protected code is executed.
  Overall, I don't think this is the right direction for the web platform. Theoretically interpreted byte code should be more secure because it doesn't do anything that the interpreter doesn't explicitly allow (Javascript, Java, Flash, etc) and we see where that got us.
4. Re:2^13? by grcumb · 2009-03-02 13:43 · Score: 3, Funny
  
  ...you can can overflow...
  Looks like you already did.
  /me ducks and runs
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
5. Re:2^13? by cryptoluddite · 2009-03-02 14:07 · Score: 2, Informative
  
  As to why it doesn't work for OS... There is no reason the basic concept wouldn't, aside from the performance penalty and increased code size. (Though further compiler optimization could minimize or eliminate some of that).
  Java generally runs at ~30% slower than C. Unless NaCL can run faster than this then there's no point in it. The demo talk shows it running Quake at ~40 fps. Java quake runs at 200 fps, on a much slower computer.
6. Re:2^13? by uid8472 · 2009-03-02 14:07 · Score: 2, Insightful
  
  The idea is that programs are written in a heavily restricted subset of x86 that can be proven safe, where "safe" here basically boils down to not being able to make system calls or otherwise interact with the world without going through the sandbox library. The program might still be compromised by a third party if it's badly written, but then the attacker won't be able to escape the sandbox either.
7. Re:2^13? by Breakfast+Pants · 2009-03-02 23:04 · Score: 2, Insightful
  
  The java examples you showed had quake running at 1/8th the number of pixels as the C example from google.
  
  --
  
  --
  
  WHO ATE MY BREAKFAST PANTS?
Oops... by TheUni · 2009-03-02 12:41 · Score: 5, Funny

...guarantee hostile code simply cannot execute (PDF)
Hah! Was that a jab at Adobe?
1. Re:Oops... by utnapistim · 2009-03-02 21:14 · Score: 2, Funny
  
  NEVER, EVER give slashdot a challenge you don't want fulfilled!
  Chalenge:
  1. RTFA!
  2. ???
  3. I win! (profit)
  
  --
  Tie two birds together: although they have four wings, they cannot fly. (The blind man)
Sandbox, not preemptive code analysis by White+Flame · 2009-03-02 12:55 · Score: 3, Informative

They're asking for people who are familiar in low-level x86 security fields to point out any issues from their experience that could compromise their sandbox.
Re:gee - sounds exactly like... by ClosedSource · 2009-03-02 12:59 · Score: 2, Interesting

"Has .NET been vetted by experts in the way open source projects like this will be?"
What open source projects like this have been vetted by experts in the past? Who were they?
Why not look at java? by ADRA · 2009-03-02 13:01 · Score: 4, Interesting

You could beat them up for many things, but they have a working system of arbitrary code execution that generally doesn't expose your system to risk (unless you tell it to, and only when the code is signed, though self-certs are ok).
I'm sure there have been plenty of security advisories over the years, but the general philosophy is sane.
The problem with Java's implementation is that the code is run within Java, which itself has sand-box protection for all executed code. Unless Google is seeking an interpreted language client-side or Google only wants to allow execution of trusted signer code, I think their task is probably a fruitless one.

--
Bye!
1. Re:Why not look at java? by Jahava · 2009-03-02 16:26 · Score: 3, Interesting
  I am, myself, curious about this. Java seems to have a decent sandbox model already implemented through the JVM and Runtime APIs. Additionally, it is (or can be) platform- and architecture-independent, which seems more conducive towards Internet usage since it doesn't require an x86 instruction set.
  While the Applet model is still viable, I think more mature alternatives (Flash, for example) obsolete it. Rather, I would wager Google is targeting two specific scenarios:
  
  Full-scale protected/sandboxed application deployment, as per their Quake example
  Browser-based Web 2.0 content control, essentially replacing JavaScript with native code
  In the case of (1), a nice sandboxed application API for Java would be more than adequate. Most (or maybe even all) of the work is already done for this, including the signing and distribution of the application code.
  (2), which seems really interesting, could still be easily (comparatively) accomplished via a low-level browser control API that is implemented in the various browsers either internally or via add-ons.
  Not to knock Google's approach, for it does seem (from what I've read so far) well-thought out. What I am wondering, though, is what advantage they are seeking in choosing directly-native code over something like Java or .NET. If I recall, most modern Java metrics show it performing competitively with native code.
  I understand that some of the appeal of NaCl is that they are attempting to provide verifiable proof that any code executed in their environment is secure. However, there looks like there would still be a root of trust in the NaCl implementation just as much as Java sandboxing relies on appropriate JVM implementation. I don't believe it is inherently more secure (although NaCl is likely less complex, so easier to evaluate).
  As a research project, NaCl is very cool. However, to reach the goal of web content running at native performance, there are more mature technologies out there such as Java that are also more Internet-conducive. Google shouldn't re-invent the wheel; rather, they should pursue the existing powerful technologies, lay down some API and sandbox groundwork, and push for browser compliance.
2. Re:Why not look at java? by tucuxi · 2009-03-02 23:40 · Score: 2, Insightful
  
  Sure, Java has a great security model and will not cause buffer overflows. But you have to write it in (duh) Java.
  The fun part about NaCL is that it can eat existing (C, C++, pick-your-own compiled language) code with only minor modifications to the compile chain, as long as that code does not make weird system calls. Just make sure that the compiler does not echo any of the 'forbidden' instructions, aligns jumps to 32-bit boundaries, and uses the prescribed instruction sequences for jumps and system calls. And they provide modified versions of GCC that do just that. The paper also says that, in their experience, modification of most programs they tried was, at most, a problem of "a few hours".
  If I had to port an existing app to run as a sort of browser plugin, guess what sounds better: a full rewrite in Java, or a few changes to the Makefile. Because *that* is the selling point of NaCL.
It made me cackle too by tepples · 2009-03-02 13:16 · Score: 3, Funny

It made me CaCl2.
(Calcium takes two anions.)
1. Re:It made me cackle too by SnowZero · 2009-03-02 17:00 · Score: 3, Funny
  
  It's easy to get a reaction from a chemical nazi.
Re:Guarantee hostile code cannot execute by Craig+Davison · 2009-03-02 14:12 · Score: 2, Insightful

Of course, Windows didn't have memory protection until Windows NT (1993), and Macs until MacOS X (2001). http://en.wikipedia.org/wiki/Memory_protection

--
Hands in my pocket
Okay, some preemptive code analysis by White+Flame · 2009-03-02 14:40 · Score: 4, Informative

Okay, they do preemptive code analysis inside the sandbox, too. Relevant portion of the PDF (section 2.2):

The inner-sandbox uses static analysis to detect security defects in untrusted x86 code. Previously, such analysis has been challenging for arbitrary x86 code due to such practices as self-modifying code and overlapping instructions. In Native Client we disallow such practices through a set of alignment and structural rules that, when observed, insure that the native code module can be disassembled reliably, such that all reachable instructions are identified during disassembly. With reliable disassembly as a tool, our validator can then insure that the executable includes only the subset of legal instructions, disallowing unsafe machine instructions.
This then happens inside a sandbox where CPU segments are strictly enforced and any OS calls are trapped.
It's a good idea. But will they do it right? by Animats · 2009-03-02 16:24 · Score: 4, Informative

I've read Google's paper, and I'm reasonably impressed. Basically, they've defined a little operating system, with 42 system calls, the same on all platforms, and defined a subset of 32-bit x86 machine code which can't modify itself and can't make calls to the regular OS. This requires using the seldom-used x86 segmentation hardware, which is quite clever and rarely used. But 64-bit mode has no segment machinery, so this approach doesn't translate to the current generation of 64-bit CPUs.
The biggest headache with Google's model is that they have to use a sort of interpreter to check all "ret" instructions, so someone can't clobber the stack and cause a branch to an arbitrary location. What's really needed is a CPU with a separate return point stack, accessed only by "call" and "ret" instructions, so return points are stored someplace that code can't clobber. (Machines have been built with such hardware, but there was never a compelling reason for it before.) Google has to emulate that in software. This adds a few percent of overhead.
Note that you can't use graphics hardware Google's OS. Conceptually, they could add a way to talk to OpenGL, which is reasonably secureable. But they haven't done that. They have a Quake port, but the main CPU is doing the rendering.
Interestingly, it would be quite possible to make a very minimal operating system which ran Google's little OS directly. You don't need the gigabytes of baggage of Windows or Linux.
It would also be possible to develop an x86 variant which enforced in hardware the rules of Google's restricted code model. That would be useful. Most of the things Google's model prohibits, you don't want to do anyway. (I know, somebody who thinks they're "l33t" will have some argument that they need to do some of the stuff Google prohibits. Just say no.)
The main question is whether the implementers will have the guts to say "no" to things that people really, really want to do, but are insecure. The Java people wimped out on this; Java applets could have been secure, but in practice they trust too much library, and library bugs can be exploited.
NSA Secure Linux has a similar problem. If you turn on mandatory security and don't put any exceptions in the rules, the security is quite good. But your users will whine and applications will have to be revised to conform to the rules.
Incidentally, the people who talk about "undecidability" and "Turing completeness" in this context have no clue. It's quite possible to define a system which is both useful and decidable. (Formally, any deterministic system with finite memory is decidable; eventually you either repeat a previous state or loop. For many systems, decidability may be "hard", but that's a separate issue. If termination checking is "hard" for a loop, just add a runaway loop counter that limits the number of iterations, and termination becomes decidable again. Realistically, if you have an algorithm complex enough that termination is tough to decide, you need something like that anyway. Formal methods for this sort of thing are used routinely in modern hardware design. Anyway, none of this applies to Google's approach, which merely restricts code to a specific well-formed subset which has certain well-behaved properties.)
Re:B.S. Article (No it's not) by TheSunborn · 2009-03-02 19:19 · Score: 2, Insightful

No it's not impossible. What is impossible is to reject "exactly all dangerous code" but they don't claim to do that.
A simple implementation will simply reject all code. There will not be any way to get dangerous code past that implementation so I have just made what you said was impossible.
What Google does is that they try to verify that the program is not dangerous. And if they can verify(Create a proof) that the program is not dangerous then they run it. Else they reject it.
This will result in Google rejecting valid programs which are not dangerous, but if google runs a program it knows its safe to run.
To be really useful you develop the compiler and verify code together, so that the compiler only issue code that it knows the verifier can verify.
Java does something like this. The java compiler only output code that it know that the Jvm can verify as valid, but if you write your bytecode directly, you can write valid non dangerous code that
the classloader will reject, because it can't prove that it's not dangerous.
Re:gee - sounds exactly like... by Lifyre · 2009-03-07 23:14 · Score: 2, Insightful

Fair enough. Sean Patrick Timmons, I'm sorry I'm not going to give you my SSN and DOB, though you might be able to find them anyway.
While I understand your issue with the hive mind the disagreements appears to be more rooted in ignorance than just opinions. Your supposition that closed source is more secure because the code can't be inspected is hilarious. In the same way that turning off a light and shutting the door makes a room secure.

--
I'll meet you at the intersection of "Should be" and "Reality"