DOCSLIB.ORG

Bakersfield: Bringing Software Fault Isolation to X64

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

BakerSFIeld: Bringing software fault isolation to x64 Joshua A. Kroll Drew Dean Computer Science Department Computer Science Lab Princeton University SRI International Princeton, NJ, USA Menlo Park, CA, USA [email protected] [email protected] Abstract—We present BakerSFIeld, a Software Fault generally coarse-grained, with all processes confined Isolation (SFI) framework for the x64 instruction set to a pre-defined system call interface. architecture. BakerSFIeld is derived from PittSFIeld, In SFI, we require all memory references to lie and retains the assembly language rewriting style of within specific, pre-defined bounds. We further require sandboxing, but has been substantially re-architected for greater clarity, separating the concerns of rewriting that all control flow transfer only allow instructions in the program for memory safety, and re-aligning the a specific, pre-defined memory region to be executed. code for control-flow safety. BakerSFIeld also corrects These properties can be checked statically for absolute several significant security flaws we found in PittSFIeld. references. For indirect references (e.g. references to We measure the performance of BakerSFIeld on a memory or control transfer through a register), we modern 64-bit desktop machine and determine that it require that the code include dynamic checks of safety. has significantly lower overhead than its 32-bit cousin. Code is verified at load time to ensure that all memory references and control transfers are either (1) abso- I. INTRODUCTION lutely safe or (2) include a valid dynamic check. As widely distributed computing applications be- The original SFI techniques of Wahbe, et al. were come more decoupled and are used in ways that only applicable to RISC architectures in which in- can vary widely from day to day, trust relationships struction words have a constant length and consis- become increasingly difficult to establish. For systems tent alignment. Improved techniques from McCamant with rapidly changing and mobile code, confinement and Morrisett [2] allow sandboxing in CISC architec- of untrusted code modules is a tenable alternative to tures by simulating constant-length instruction words trust. Confinement is useful in secure systems design through careful code re-alignment. McCamant and when a component cannot be trusted or easily verified Morrisett also provide an implementation of their tech- to a high level of assurance. It also helps to place nique for the x86, which they call PittSFIeld. Most the security burden on the system’s designers rather recently, Google has presented Native Client [3], a than on users. Software Fault Isolation (SFI) [1], also re-implementation of PittSFIeld which makes use of called sandboxing, implements memory and control- x86 segment registers for efficiency. Here, we present flow confinement for untrusted code modules loaded several improvements to the PittSFIeld sandboxing inside a trusted process. technique, fixing several vulnerabilities and improv- The most common way to provide isolation of ing end-to-end reliability. Alongside these, we present untrusted code is via an operating system process, BakerSFIeld, an extension of the PittSFIeld tool which which makes use of hardware memory protection to supports the x64 instruction set.1 separate zones of trust into distinct address spaces. To our knowledge, BakerSFIeld is the first imple- Efficiency in this world is gained by the use of special mentation of SFI for the x64 instruction set. x64 hardware (e.g. MMUs and TLBs). However, these methods are limited by the presence of hardware to 1Throughout the paper, we will use x64 to denote the 64-bit support them and interaction across address spaces can extensions to the x86 instruction set variously referred to as 64-bit be very expensive. Additionally, security policies are x86, AMD64, and x86-64. brings several advantages over standard x86. First, flow references) to go through a dedicated register. in the x64 architecture there are 16 general-purpose Then by choosing a memory region whose size and registers, rather than the 8 in x86. This can allow for alignment are the same power of two, it is very easy more aggressive compiler optimization. Second, 64-bit to guarantee that any memory access will lie within integer arithmetic is relevant in many use cases, such that region. Simply by requiring that certain bits of that as cryptographic computations. Finally, modern x86 register always remain constant, it is possible to ensure processors make good use of advanced hardware tech- that memory accesses are safe. For static references, niques such as superscalar execution and instruction- this can be checked offline. For indirect references, level parallelism. As 64-bit chips make their way out it is necessary to insert some instructions to test and of the datacenter and into even low-end laptops, sup- set these bits. The calculations to ensure this property port for the x64 instruction set becomes increasingly require only bit operations, generally one and and one important. Finally, because x86 memory segmentation or. is largely unavailable in x64, optimizations which In addition to developing the concept of SFI, Wahbe rely on it are no longer valid. Thus, producing high- et al. provide a prototype implementation for the MIPS performance sandboxed code is a challenge. and Alpha architectures and measure a protection This paper: overhead of about 20% for both architectures. They 1) Describes vulnerabilities and improvements in also implemented a low latency system for cross- the PittSFIeld SFI tool for the x86, improving fault-domain RPC. They also include several important security and reliability. optimizations: they use unmapped guard pages on 2) Provides a novel SFI implementation based on either side of a fault domain in order to allow for PittSFIeld which supports the x64 instruction set. offsets from a register without needing to compute 3) Provides a platform-independent code rewriting the effective address; they treat the stack pointer as toolkit that acts on assembly source generated a dedicated sandbox register because it is heavily used by an unmodified compiler and which, after and never needs to leave the fault domain; finally, transformation, can be built using a standard they also avoid always sandboxing the stack pointer assembler. by counting references to it. 4) Analyzes in detail the performance of this The techniques of Wahbe et al. do not, however, method on standard benchmarks. In particular, work for all architectures. Implicit in their technique we consider the performance benefit of using 64- is a reliance on the fact that the instructions read bit arithmetic. and verified are also the instructions available on any execution path. This is naturally true for RISC The paper is laid out as follows. Section II describes architectures with constant-length instruction words. the development of prior approaches to SFI and related However, x86 has variable-length instruction words, low-level isolation technologies. Section II provides an and any byte in instruction memory might constitute overview of the SFI techniques used in BakerSFIeld. the start of an instruction. In order to apply the Wahbe Section IV describes the BakerSFIeld architecture and et al. techniques directly, it would be necessary to code modification strategy. Section V describes the check all alternate parsings of the instruction stream optimizations present in BakerSFIeld, while Section VI that could be reached on some execution path. To solve describes the results of running our tool in various this, McCamant and Morrisett proposed artificially im- circumstances on a standard set of SFI benchmarks posing alignment constraints, choosing a power-of-two taken from the PittSFIeld project. Finally, Section VII number of bytes and padding groups of instructions concludes. such that no instruction bridges two aligned blocks. In II. BACKGROUND AND RELATED WORK this way, jumps can be checked to ensure that they target the beginning of an aligned instruction group, A. SFI: RISC and CISC and reliable disassembly can be assured. Their imple- The original concept of Software Fault Isolation mentation, PittSFIeld, is the basis of our BakerSFIeld came from Wahbe, Lucco et al. [1]. The key idea was tool, and it will be described in greater detail below. simple: adjust all memory accesses (including control Wahbe et al. thought of their mechanism as applying primarily to untrusted extension code. Today, as Inter- setting) and checking the proofs can be significant. net applications become ever-more full-featured, it is Both PCC and SFI may impose runtime overhead, if only natural to ask how to isolate code which shares the proof checkers for the respective systems get in the an address space with trusted components. Browsers, way of certain compiler optimizations. for example, are still in large part single-process Typed assembly language, TAL [5] is relevant to SFI applications. Yee, Sehr, et al. [3] provide a novel in much the same way. Here, invariants are expressed implementation of the PittSFIeld techniques which is as types, and proofs of invariants correspond to inhab- geared towards the support of mobile native code itants of those types. In this way, TAL might be seen modules that can be embedded into web sites. Native as an intermediate position: the type system provides Client also supports a rich communication framework added high-level expressiveness, but might incur some for inter-fault-domain communication and has a rather additional effort on the part of the programmer. advanced trusted runtime to manage fault domains and their interaction with the underlying system. Like [1], C. Securing Untrusted Binaries Native Client uses a modified compiler tool chain to After the initial SFI work, much work has been generate sandbox-compliant code, requiring developers done on a variety of methods to secure systems against to maintain separate infrastructure to produce sand- untrusted binaries via confinement. We review some of boxed and non-sandboxed modules. Additionally, Na- this work here. tive Client uses x86 memory segmentation to provide MiSFIT [6] combined the techniques of Wahbe et data integrity, a technique which is not applicable in al.
Recommended publications
  • System Programming Guide

    System Programming Guide

    Special Edition for CSEDU12 Students Students TOUCH -N-PASS EXAM CRAM GUIDE SERIES SYSTEM PROGRAMMING Prepared By Sharafat Ibn Mollah Mosharraf CSE, DU 12 th Batch (2005-2006) TABLE OF CONTENTS APIS AT A GLANCE ....................................................................................................................................................................... 1 CHAPTER 1: ASSEMBLER, LINKER & LOADER ................................................................................................................................ 4 CHAPTER 2: KERNEL ..................................................................................................................................................................... 9 CHAPTER 3: UNIX ELF FILE FORMAT ............................................................................................................................................ 11 CHAPTER 4: DEVICE DRIVERS ...................................................................................................................................................... 16 CHAPTER 5: INTERRUPT .............................................................................................................................................................. 20 CHAPTER 6: SYSTEM CALL ........................................................................................................................................................... 24 CHAPTER 7: FILE APIS ................................................................................................................................................................
  • Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction Bernhard Kauer March 31, 2015 Dissertation vorgelegt an der Technischen Universität Dresden Fakultät Informatik zur Erlangung des akademischen Grades Doktoringenieur (Dr.-Ing.) Erstgutachter Prof. Dr. rer. nat. Hermann Härtig Technische Universität Dresden Zweitgutachter Prof. Dr. Paulo Esteves Veríssimo University of Luxembourg Verteidigung 15.12.2014 Abstract The OS (operating system) is the primary target of todays attacks. A single exploitable defect can be sufficient to break the security of the system and give fully control over all the software on the machine. Because current operating systems are too large to be defect free, the best approach to improve the system security is to reduce their code to more manageable levels. This work shows how the security-critical part of theOS, the so called TCB (Trusted Computing Base), can be reduced from millions to less than hundred thousand lines of code to achieve these security goals. Shrinking the software stack by more than an order of magnitude is an open challenge since no single technique can currently achieve this. We therefore followed a holistic approach and improved the design as well as implementation of several system layers starting with a newOS called NOVA. NOVA provides a small TCB for both newly written applications but also for legacy code running inside virtual machines. Virtualization is thereby the key technique to ensure that compatibility requirements will not increase the minimal TCB of our system. The main contribution of this work is to show how the virtual machine monitor for NOVA was implemented with significantly less lines of code without affecting the per- formance of its guest OS.
  • Assembly Language Programming for X86 Processors Pdf

    Assembly Language Programming for X86 Processors Pdf

    Assembly language programming for x86 processors pdf Continue The x86, 7e collection language is for use in undergraduate programming courses in a speaking language and introductory courses in computer systems and computer architecture. This name is also suitable for built-in systems of programmers and engineers, communications specialists, game programmers and graphic programmers. It is recommended to know another programming language, preferably Java, C or C. Written specifically for the 32- and 64-bit Intel/Windows platform, this complete and complete learning of the acoustics language teaches students to write and fine-tune programs at the machine level. This text simplifies and demystiifies concepts that students need to understand before they laugh at more advanced courses in computer architecture and operating systems. Students practice theory using machine-level software, creating an unforgettable experience that gives them confidence to work in any OS/machine-oriented environment. Additional learning and learning tools are available on the author's website in where both teachers and students can access chapter goals, debugging tools, additional files, starting work with the MASM and Visual Studio 2012 tutorial, and more. Learning and Learning Experience This program represents the best learning and learning experience for you and your students. This will help: Teach Effective Design Techniques: Top-Down Demonstration Design Program and Explanation allows students to apply techniques for multiple programming courses. Put Theory into practice: Students will write software at machine level, preparing them to work in any OS/machine oriented environment. Tailor text to fit your course: Instructors can cover additional chapter themes in different order and depth.
  • Hiding Process Memory Via Anti-Forensic Techniques

    Hiding Process Memory Via Anti-Forensic Techniques

    DIGITAL FORENSIC RESEARCH CONFERENCE Hiding Process Memory via Anti-Forensic Techniques By: Frank Block (Friedrich-Alexander Universität Erlangen-Nürnberg (FAU) and ERNW Research GmbH) and Ralph Palutke (Friedrich-Alexander Universität Erlangen-Nürnberg) From the proceedings of The Digital Forensic Research Conference DFRWS USA 2020 July 20 - 24, 2020 DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. https://dfrws.org Forensic Science International: Digital Investigation 33 (2020) 301012 Contents lists available at ScienceDirect Forensic Science International: Digital Investigation journal homepage: www.elsevier.com/locate/fsidi DFRWS 2020 USA d Proceedings of the Twentieth Annual DFRWS USA Hiding Process Memory Via Anti-Forensic Techniques Ralph Palutke a, **, 1, Frank Block a, b, *, 1, Patrick Reichenberger a, Dominik Stripeika a a Friedrich-Alexander Universitat€ Erlangen-Nürnberg (FAU), Germany b ERNW Research GmbH, Heidelberg, Germany article info abstract Article history: Nowadays, security practitioners typically use memory acquisition or live forensics to detect and analyze sophisticated malware samples. Subsequently, malware authors began to incorporate anti-forensic techniques that subvert the analysis process by hiding malicious memory areas. Those techniques Keywords: typically modify characteristics, such as access permissions, or place malicious data near legitimate one, Memory subversion in order to prevent the memory from being identified by analysis tools while still remaining accessible.
  • Enclave Security and Address-Based Side Channels

    Enclave Security and Address-Based Side Channels

    Graz University of Technology Faculty of Computer Science Institute of Applied Information Processing and Communications IAIK Enclave Security and Address-based Side Channels Assessors: A PhD Thesis Presented to the Prof. Stefan Mangard Faculty of Computer Science in Prof. Thomas Eisenbarth Fulfillment of the Requirements for the PhD Degree by June 2020 Samuel Weiser Samuel Weiser Enclave Security and Address-based Side Channels DOCTORAL THESIS to achieve the university degree of Doctor of Technical Sciences; Dr. techn. submitted to Graz University of Technology Assessors Prof. Stefan Mangard Institute of Applied Information Processing and Communications Graz University of Technology Prof. Thomas Eisenbarth Institute for IT Security Universit¨atzu L¨ubeck Graz, June 2020 SSS AFFIDAVIT I declare that I have authored this thesis independently, that I have not used other than the declared sources/resources, and that I have explicitly indicated all material which has been quoted either literally or by content from the sources used. The text document uploaded to TUGRAZonline is identical to the present doctoral thesis. Date, Signature SSS Prologue Everyone has the right to life, liberty and security of person. Universal Declaration of Human Rights, Article 3 Our life turned digital, and so did we. Not long ago, the globalized commu- nication that we enjoy today on an everyday basis was the privilege of a few. Nowadays, artificial intelligence in the cloud, smartified handhelds, low-power Internet-of-Things gadgets, and self-maneuvering objects in the physical world are promising us unthinkable freedom in shaping our personal lives as well as society as a whole. Sadly, our collective excitement about the \new", the \better", the \more", the \instant", has overruled our sense of security and privacy.
  • Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-level Sandboxing on the x86 Bryan Ford and Russ Cox Massachusetts Institute of Technology {baford,rsc}@pdos.csail.mit.edu Abstract 1 Introduction Code sandboxing is useful for many purposes, but most A sandbox is a mechanism by which a host software sandboxing techniques require kernel modifications, do system may execute arbitrary guest code in a confined not completely isolate guest code, or incur substantial environment, so that the guest code cannot compromise performance costs. Vx32 is a multipurpose user-level or affect the host other than according to a well-defined sandbox that enables any application to load and safely policy. Sandboxing is useful for many purposes, such execute one or more guest plug-ins, confining each guest as running untrusted Web applets within a browser [6], to a system call API controlled by the host application safely extending operating system kernels [5, 32], and and to a restricted memory region within the host’s ad- limiting potential damage caused by compromised ap- dress space. Vx32 runs guest code efficiently on several plications [19, 22]. Most sandboxing mechanisms, how- widespread operating systems without kernel extensions ever, either require guest code to be (re-)written in a type- or special privileges; it protects the host program from safe language [5,6], depend on special OS-specific facil- both reads and writes by its guests; and it allows the host ities [8, 15, 18, 19], allow guest code unrestricted read to restrict the instruction set available to guests. The key access to the host’s state [29, 42], or entail a substantial to vx32’s combination of portability, flexibility, and effi- performance cost [33,34,37].
  • The Confinement Principle

    The Confinement Principle

    Isolaon The confinement principle Original slides were created by Prof. Dan Boneh 1 Running untrusted code We often need to run buggy/unstrusted code: – programs from untrusted Internet sites: • apps, extensions, plug-ins, codecs for media player – exposed applications: pdf viewers, outlook – legacy daemons: sendmail, bind – honeypots Goal: if application “misbehaves” ⇒ kill it 2 Approach: confinement Confinement: ensure misbehaving app cannot harm rest of system • Can be implemented at many levels: – Hardware: run application on isolated hw (air gap) app 1 app 2 Network 2 air gap network 1 ⇒ difficult to manage, expensive 3 Approach: confinement Confinement: ensure misbehaving app cannot harm rest of system • Can be implemented at many levels: – Virtual machines: isolate OS’s on a single machine What are some of the drawbacks of this approach? app1 app2 OS1 OS2 Virtual Machine Monitor (VMM) 4 Approach: confinement Confinement: ensure misbehaving app cannot harm rest of system • Can be implemented at many levels: – Process: System Call Interposition Isolate a process in a single operating system process 1 process 2 Operang System 5 Approach: confinement Confinement: ensure misbehaving app cannot harm rest of system • Can be implemented at many levels: – Threads: Software Fault Isolation (SFI) • Isolating threads sharing same address space – Application: e.g. browser-based confinement 6 Implementing confinement Key component: reference monitor – Mediates requests from applications • Implements protection policy • Enforces isolation and
  • Advanced Development of Certified OS Kernels Prof

    Advanced Development of Certified OS Kernels Prof

    Advanced Development of Certified OS Kernels Zhong Shao (PI) and Bryan Ford (Co-PI) Department of Computer Science Yale University P.O.Box 208285 New Haven, CT 06520-8285, USA {zhong.shao,bryan.ford}yale.edu July 15, 2010 1 Innovative Claims Operating System (OS) kernels form the bedrock of all system software—they can have the greatest impact on the resilience, extensibility, and security of today’s computing hosts. A single kernel bug can easily wreck the entire system’s integrity and protection. We propose to apply new advances in certified software [86] to the development of a novel OS kernel. Our certified kernel will offer safe and application-specific extensibility [8], provable security properties with information flow control, and accountability and recovery from hardware or application failures. Our certified kernel builds on proof-carrying code concepts [74], where a binary executable includes a rigorous machine-checkable proof that the software is free of bugs with respect to spe- cific requirements. Unlike traditional verification systems, our certified software approach uses an expressive general-purpose meta-logic and machine-checkable proofs to support modular reason- ing about sophisticated invariants. The rich meta-logic enables us to verify all kinds of low-level assembly and C code [10,28,31,44,68,77,98] and to establish dependability claims ranging from simple safety properties to advanced security, correctness, and liveness properties. We advocate a modular certification framework for kernel components, which mirrors and enhances the modularity of the kernel itself. Using this framework, we aim to create not just a “one-off” lump of verified kernel code, but a statically and dynamically extensible kernel that can be incrementally built and extended with individual certified modules, each of which will provably preserve the kernel’s overall safety and security properties.
  • Computer Architectures an Overview

    Computer Architectures an Overview

    Computer Architectures An Overview PDF generated using the open source mwlib toolkit. See http://code.pediapress.com/ for more information. PDF generated at: Sat, 25 Feb 2012 22:35:32 UTC Contents Articles Microarchitecture 1 x86 7 PowerPC 23 IBM POWER 33 MIPS architecture 39 SPARC 57 ARM architecture 65 DEC Alpha 80 AlphaStation 92 AlphaServer 95 Very long instruction word 103 Instruction-level parallelism 107 Explicitly parallel instruction computing 108 References Article Sources and Contributors 111 Image Sources, Licenses and Contributors 113 Article Licenses License 114 Microarchitecture 1 Microarchitecture In computer engineering, microarchitecture (sometimes abbreviated to µarch or uarch), also called computer organization, is the way a given instruction set architecture (ISA) is implemented on a processor. A given ISA may be implemented with different microarchitectures.[1] Implementations might vary due to different goals of a given design or due to shifts in technology.[2] Computer architecture is the combination of microarchitecture and instruction set design. Relation to instruction set architecture The ISA is roughly the same as the programming model of a processor as seen by an assembly language programmer or compiler writer. The ISA includes the execution model, processor registers, address and data formats among other things. The Intel Core microarchitecture microarchitecture includes the constituent parts of the processor and how these interconnect and interoperate to implement the ISA. The microarchitecture of a machine is usually represented as (more or less detailed) diagrams that describe the interconnections of the various microarchitectural elements of the machine, which may be everything from single gates and registers, to complete arithmetic logic units (ALU)s and even larger elements.
  • Tailored Application-Specific System Call Tables

    Tailored Application-Specific System Call Tables

    Tailored Application-specific System Call Tables Qiang Zeng, Zhi Xin, Dinghao Wu, Peng Liu, and Bing Mao ABSTRACT policies may be relaxed for setuid programs.1 Once a pro- The system call interface defines the services an operating gram is compromised, a uniform set of kernel services are system kernel provides to user space programs. An oper- potentially exposed to attackers as a versatile and handy ating system usually provides a uniform system call inter- toolkit. While a uniform system call interface simplifies op- face to all user programs, while in practice no programs erating system design, it does not meet the principle of least utilize the whole set of the system calls. Existing system privileges in the perspective of security, as the interface is call based sandboxing and intrusion detection systems fo- not tailored to the needs of applications. cus on confining program behavior using sophisticated finite state or pushdown automaton models. However, these au- Existing researches on system call based sandboxing and tomata generally incur high false positives when modeling intrusion detection focus on system call pattern checking program behavior such as signal handling and multithread- [16, 12, 31, 35, 7], arguments validation [35, 23, 25, 4, 3], ing, and the runtime overhead is usually significantly high. and call stack integrity verification [10, 15]. Some establish We propose to use a stateless model, a whitelist of system sophisticated models such as Finite State Automata (FSA) calls needed by the target program. Due to the simplicity [31, 35, 15, 13] and Pushdown Automata (PDA) [35, 14] we are able to construct the model via static analysis on by training [12, 31, 34, 10] or static analysis [35, 14, 15, the program's binary with much higher precision that in- 13], while others rely on manual configuration to specify the curs few false positives.
  • The Security Implications of Google Native Client

    The Security Implications of Google Native Client

    Home Careers Contact Blog Product Services Team The Security Implications Of Google Native Client Chris | May 15th, 2009 | Filed Under: New Findings What would it look like if Google tried to unseat Flash and obsolete all desktop applications? It would look a lot like Google Native Client (NaCl): a mechanism to download a game written in C/C++ from Id Software and run it in your browser, without giving Id Software the ability to take control of your computer. Google NaCl is, on its face, a crazy-talk idea. It’s a browser plugin that downloads native x86 code from a website and runs it on your machine. If this sounds familiar, it’s because Microsoft tried it over a decade ago with ActiveX. If you’re skeptical about the idea, it’s because ActiveX was a security calamity; O.K. an ActiveX control, and it owns your machine almost completely. So the primary obstacle between Google and the future of software delivery is security. Google has a lot of interesting ideas about how to overcome that obstacle. But security people unlikely to take Google’s word for it. So Google held a contest: “we’ll publish the source code, you’ll find flaws. The winner gets $0x2000 USD.” We took the bait. And things were looking great for us. Then Skynet noticed Google, decided it was a threat, and sent a Mark Dowd unit back through time to terminate it. The contest winner hasn’t been declared yet, but as we aren’t a murderous robot made out of liquid metal, we’re guessing we didn’t take first place.
  • Leveraging Legacy Code to Deploy Desktop Applications on the Web

    Leveraging Legacy Code to Deploy Desktop Applications on the Web

    Leveraging Legacy Code to Deploy Desktop Applications on the Web John R. Douceur, Jeremy Elson, Jon Howell, and Jacob R. Lorch Microsoft Research Abstract Our vision is to deliver feature-rich, desktop-class ap- Xax is a browser plugin model that enables developers plications on the web. We believe that the fastest and to leverage existing tools, libraries, and entire programs easiest way to create such apps is to leverage the ex- to deliver feature-rich applications on the web. Xax em- isting code bases of desktop applications and libraries, ploys a novel combination of mechanisms that collec- thereby exploiting the years of design, development, and tively provide security, OS-independence, performance, debugging effort that have gone into them. This ex- and support for legacy code. These mechanisms include isting code commonly expects to run in an OS pro- memory-isolated native code execution behind a narrow cess and to access OS services. However, actually run- syscall interface, an abstraction layer that provides a con- ning the code in an OS process would defeat the OS- sistent binary interface across operating systems, sys- independence required by web apps; and it would also tem services via hooks to existing browser mechanisms, impede code security, because large and complex OS and lightweight modifications to existing tool chains and system-call (or syscall) interfaces are difficult to secure code bases. We demonstrate a variety of applications and against privilege-escalation vulnerabilities [15]. libraries from existing code bases, in several languages, There is thus a trade-off between OS-independence, produced with various tool chains, running in multiple security, and legacy support.