DOCSLIB.ORG

Efficient Monitoring of Untrusted Kernel-Mode Execution

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

Efficient Monitoring of Untrusted Kernel-Mode Execution Abhinav Srivastava and Jonathon Giffin School of Computer Science, Georgia Institute of Technology fabhinav,[email protected] Abstract system call monitors ineffective, full kernel malware in- stances invoke kernel functionality with function calls Recent malware instances execute completely in the from a driver rather than with system calls from a pro- kernel as drivers; they do not contain any user-level ma- cess. In order to observe the behavior of kernel malware, licious processes. This design evades the system call security software instead must monitor the function-call monitoring used by many software security solutions, in- interface between drivers and the core kernel. cluding malware analyzers and host-based intrusion de- Previous research efforts focused on the interaction tectors that track only user-level processes. To trace the of drivers with the kernel through control and non- behavior of kernel malware instances, we design and im- control data. SBCFI [31], Autoscopy [32], and Hook- plement a hypervisor-based system called Gateway that Safe [49] protected control data (function and code monitors kernel APIs invoked by drivers. Gateway cre- pointers) allocated on heap, while RAD [10] and Stack- ates a hardened, non-bypassable monitoring interface Ghost [15] protected control data (return addresses) by isolating drivers in an address space separate from present on the stack. Sentry [40], Gibraltar [3], and Se- the kernel. To overcome the performance degradation mantic Integrity [30] protected a kernel’s non-control introduced by switches between these separate address data [8] from malicious modifications. Though these spaces, our design rewrites binary kernel and driver systems monitor and prevent illegal use of kernel data, code at runtime and generates new code on demand to they do not track use of kernel code by malicious drivers, optimize the address space transition speed. Our exper- which is equally important. A malicious kernel module imental measurements show performance overheads of can create illegitimate kernel control flows by directly 10% or better, with many overheads less than 1%. Our invoking arbitrary kernel functionality via calls, jumps, security evaluation shows that Gateway is able to mon- or returns to arbitrary addresses inside the kernel code. itor all kernel APIs invoked by malicious drivers across To complement the extensive previous research on the its non-bypassable interface. protection of kernel data, we investigate the use of ker- nel code by malicious drivers. We address the invisibility of full kernel malware 1. Introduction with a new system that monitors all control-flow inter- actions of drivers with the core kernel. We design and implement a security monitor called Gateway that mon- Recently developed malware instances push entire itors all kernel APIs invoked by drivers, passes their in- functionality out of malicious user-space processes vocations asynchronously to an arbitrary policy enforce- down into kernel drivers or modules. For example, ment utility, and ensures complete mediation of direct srizbi consists of a single kernel-mode driver imple- accesses from drivers to kernel code. Note that Gate- menting a full spam client with an HTTP based com- way’s non-bypassable interface applies to code entry mand and control infrastructure [21,45], and the lvtes points, and attacks targeting kernel data require other keylogger contains only a kernel-mode driver that inter- techniques to monitor or detect. Gateway protects itself cepts users’ keystrokes [7]. These malware instances from kernel-mode malware by utilizing a higher privi- are called full-kernel malware [23]. Existing host-based lege software layer created by a hypervisor. Gateway’s IDSs, honeypots, and other security utilities often mon- monitoring provides the foundation on which security itor process’ behavior at the system-call interface to de- software can be built in the same manner that system call tect malware and software attacks. To render existing monitoring provided the foundation for behavior-based interface, our design does not compromise security but application-level security software. provides significant improvements to performance. Security monitors, including Gateway, require the Gateway monitors kernel APIs invoked by drivers on monitored interface to be non-circumventable. Com- both the slow and fast paths. On the slow path, API modity operating systems publish interfaces to be used invocations from drivers cause page faults that are inter- by drivers and loadable modules to request services cepted by Gateway inside the hypervisor and logged for from the kernel. Operationally, this interface design higher-level security tools. Since the guest system’s ex- is similar to the system call interface, which is used ecution does not reach the hypervisor on the fast path, by userspace applications to request services from the the code on our transition pages logs API information in core kernel. However, unlike the system-call interface protected memory inside the guest VM. Gateway then boundary, which is explicitly trusted (all inputs are ver- periodically reads the logged information from the hy- ified) and enforced by the hardware, there is no mecha- pervisor. nism to enforce the implicitly trusted boundary between To demonstrate the feasibility of our ideas, we de- the core kernel and its drivers. veloped a prototype security monitor. Gateway provides The lack of a memory barrier inside operating sys- protection to a fully virtualized Linux 2.6 kernel run- tems allows kernel-mode malware to directly invoke ar- ning inside a guest VM created by the Xen hypervi- bitrary kernel functionality by simply calling or jump- sor, which utilizes the virtualization extensions present ing to arbitrary kernel code addresses. We thus harden in recent x86 hardware [4]. Gateway isolates all com- the existing interface so that it becomes fully non- modity Linux drivers present in the guest VM, performs bypassable. Gateway creates distinct virtual memory re- on-demand dynamic binary rewriting and runtime code gions for commodity monolithic kernels and their dri- generation, and monitors kernel APIs invoked by drivers vers in the same way that kernels manage distinct re- as control flows spanning the memory barrier occur. We gions for higher-level application software. This de- tested Gateway’s monitoring ability with two full-kernel sign isolates drivers in a different memory region and malware instances: the lvtes keylogger and a syn- requires them to invoke kernel code through published thetic kernel-mode bot. Our results show that Gateway entry points. To keep driver code and core kernel code is able to monitor and log all APIs invoked by malicious isolated throughout the execution of the system, Gate- drivers. We empirically show the significant difference way prevents DMA-capable devices from corrupting the between the kernel APIs invoked by legitimate drivers kernel’s code via malicious DMA writes [5]. and malware, information useful to full-kernel malware The creation of the non-bypassable interface via ad- detection or analysis. We also verified Gateway’s abil- dress space separation diminishes overall system perfor- ity to enforce the non-bypassable interface by testing it mance. Control-flows between drivers and the core ker- with a synthetic malware instance that tries to execute nel result in page faults managed by our hypervisor-level kernel functionality not provided by the published inter- software. The transition from execution in a guest vir- face. Gateway’s overhead on various workloads varies tual machine (VM) into the hypervisor is a world switch between 0% and 10%, with many measurements below (slow path) with significant performance overhead. We 1%. address this challenge by reducing the number of world Gateway’s API monitoring facilitates creation of switches when crossing the barrier between the kernel other security tools that restrict the use of kernel code and the drivers. Our solution establishes fast address by drivers. For example: an intrusion detection sys- space switching (fast path) by using on-demand runtime tem (IDS) can be built that enforces a policy restricting code generation and kernel and driver code rewriting. drivers’ uses of the kernel’s raw memory manipulation During execution, Gateway creates transition pages— functions. In another example, kernel-level anomaly de- read-only code pages shared by both the kernel and tectors similar to system-call based detectors can be de- driver address spaces—that contain short instruction se- veloped to identify malicious drivers by differentiating quences that switch address spaces without invoking the the patterns of kernel functions invoked by legitimate hypervisor. We overwrite control-flow instructions at drivers from those of the malware. Ptrace [22] allows runtime in the kernel’s and drivers’ code pages to redi- user-mode security tools to monitor system calls invoked rect control-flows spanning the memory barrier into the by processes for such anomaly detection. Like ptrace, transition pages. As we only generate transition code Gateway itself does not attempt to distinguish between for control flows correctly spanning the non-bypassable benign and malicious API invocations, but it rather pro- vides the mechanism and information enabling higher- level security software (anomaly and misuse detectors) safely. They used segmentation and programming lan- to make such decisions. guage
Recommended publications
  • RCU Usage in the Linux Kernel: One Decade Later

    RCU Usage in the Linux Kernel: One Decade Later

    RCU Usage In the Linux Kernel: One Decade Later Paul E. McKenney Silas Boyd-Wickizer Jonathan Walpole Linux Technology Center MIT CSAIL Computer Science Department IBM Beaverton Portland State University Abstract unique among the commonly used kernels. Understand- ing RCU is now a prerequisite for understanding the Linux Read-copy update (RCU) is a scalable high-performance implementation and its performance. synchronization mechanism implemented in the Linux The success of RCU is, in part, due to its high perfor- kernel. RCU’s novel properties include support for con- mance in the presence of concurrent readers and updaters. current reading and writing, and highly optimized inter- The RCU API facilitates this with two relatively simple CPU synchronization. Since RCU’s introduction into the primitives: readers access data structures within RCU Linux kernel over a decade ago its usage has continued to read-side critical sections, while updaters use RCU syn- expand. Today, most kernel subsystems use RCU. This chronization to wait for all pre-existing RCU read-side paper discusses the requirements that drove the devel- critical sections to complete. When combined, these prim- opment of RCU, the design and API of the Linux RCU itives allow threads to concurrently read data structures, implementation, and how kernel developers apply RCU. even while other threads are updating them. This paper describes the performance requirements that 1 Introduction led to the development of RCU, gives an overview of the RCU API and implementation, and examines how ker- The first Linux kernel to include multiprocessor support nel developers have used RCU to optimize kernel perfor- is not quite 20 years old.
  • Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction

    Improving System Security Through TCB Reduction Bernhard Kauer March 31, 2015 Dissertation vorgelegt an der Technischen Universität Dresden Fakultät Informatik zur Erlangung des akademischen Grades Doktoringenieur (Dr.-Ing.) Erstgutachter Prof. Dr. rer. nat. Hermann Härtig Technische Universität Dresden Zweitgutachter Prof. Dr. Paulo Esteves Veríssimo University of Luxembourg Verteidigung 15.12.2014 Abstract The OS (operating system) is the primary target of todays attacks. A single exploitable defect can be sufficient to break the security of the system and give fully control over all the software on the machine. Because current operating systems are too large to be defect free, the best approach to improve the system security is to reduce their code to more manageable levels. This work shows how the security-critical part of theOS, the so called TCB (Trusted Computing Base), can be reduced from millions to less than hundred thousand lines of code to achieve these security goals. Shrinking the software stack by more than an order of magnitude is an open challenge since no single technique can currently achieve this. We therefore followed a holistic approach and improved the design as well as implementation of several system layers starting with a newOS called NOVA. NOVA provides a small TCB for both newly written applications but also for legacy code running inside virtual machines. Virtualization is thereby the key technique to ensure that compatibility requirements will not increase the minimal TCB of our system. The main contribution of this work is to show how the virtual machine monitor for NOVA was implemented with significantly less lines of code without affecting the per- formance of its guest OS.
  • LMAX Disruptor

    LMAX Disruptor

    Disruptor: High performance alternative to bounded queues for exchanging data between concurrent threads Martin Thompson Dave Farley Michael Barker Patricia Gee Andrew Stewart May-2011 http://code.google.com/p/disruptor/ 1 Abstract LMAX was established to create a very high performance financial exchange. As part of our work to accomplish this goal we have evaluated several approaches to the design of such a system, but as we began to measure these we ran into some fundamental limits with conventional approaches. Many applications depend on queues to exchange data between processing stages. Our performance testing showed that the latency costs, when using queues in this way, were in the same order of magnitude as the cost of IO operations to disk (RAID or SSD based disk system) – dramatically slow. If there are multiple queues in an end-to-end operation, this will add hundreds of microseconds to the overall latency. There is clearly room for optimisation. Further investigation and a focus on the computer science made us realise that the conflation of concerns inherent in conventional approaches, (e.g. queues and processing nodes) leads to contention in multi-threaded implementations, suggesting that there may be a better approach. Thinking about how modern CPUs work, something we like to call “mechanical sympathy”, using good design practices with a strong focus on teasing apart the concerns, we came up with a data structure and a pattern of use that we have called the Disruptor. Testing has shown that the mean latency using the Disruptor for a three-stage pipeline is 3 orders of magnitude lower than an equivalent queue-based approach.
  • A Thread Synchronization Model for the PREEMPT RT Linux Kernel

    A Thread Synchronization Model for the PREEMPT RT Linux Kernel

    A Thread Synchronization Model for the PREEMPT RT Linux Kernel Daniel B. de Oliveiraa,b,c, R^omulo S. de Oliveirab, Tommaso Cucinottac aRHEL Platform/Real-time Team, Red Hat, Inc., Pisa, Italy. bDepartment of Systems Automation, UFSC, Florian´opolis, Brazil. cRETIS Lab, Scuola Superiore Sant'Anna, Pisa, Italy. Abstract This article proposes an automata-based model for describing and validating sequences of kernel events in Linux PREEMPT RT and how they influence the timeline of threads' execu- tion, comprising preemption control, interrupt handling and control, scheduling and locking. This article also presents an extension of the Linux tracing framework that enables the trac- ing of kernel events to verify the consistency of the kernel execution compared to the event sequences that are legal according to the formal model. This enables cross-checking of a kernel behavior against the formalized one, and in case of inconsistency, it pinpoints possible areas of improvement of the kernel, useful for regression testing. Indeed, we describe in details three problems in the kernel revealed by using the proposed technique, along with a short summary on how we reported and proposed fixes to the Linux kernel community. As an example of the usage of the model, the analysis of the events involved in the activation of the highest priority thread is presented, describing the delays occurred in this operation in the same granularity used by kernel developers. This illustrates how it is possible to take advantage of the model for analyzing the preemption model of Linux. Keywords: Real-time computing, Operating systems, Linux kernel, Automata, Software verification, Synchronization.
  • Review Der Linux Kernel Sourcen Von 4.9 Auf 4.10

    Review Der Linux Kernel Sourcen Von 4.9 Auf 4.10

    Review der Linux Kernel Sourcen von 4.9 auf 4.10 Reviewed by: Tested by: stecan stecan Period of Review: Period of Test: From: Thursday, 11 January 2018 07:26:18 o'clock +01: From: Thursday, 11 January 2018 07:26:18 o'clock +01: To: Thursday, 11 January 2018 07:44:27 o'clock +01: To: Thursday, 11 January 2018 07:44:27 o'clock +01: Report automatically generated with: LxrDifferenceTable, V0.9.2.548 Provided by: Certified by: Approved by: Account: stecan Name / Department: Date: Friday, 4 May 2018 13:43:07 o'clock CEST Signature: Review_4.10_0_to_1000.pdf Page 1 of 793 May 04, 2018 Review der Linux Kernel Sourcen von 4.9 auf 4.10 Line Link NR. Descriptions 1 .mailmap#0140 Repo: 9ebf73b275f0 Stephen Tue Jan 10 16:57:57 2017 -0800 Description: mailmap: add codeaurora.org names for nameless email commits ----------- Some codeaurora.org emails have crept in but the names don't exist for them. Add the names for the emails so git can match everyone up. Link: http://lkml.kernel.org/r/[email protected] 2 .mailmap#0154 3 .mailmap#0160 4 CREDITS#2481 Repo: 0c59d28121b9 Arnaldo Mon Feb 13 14:15:44 2017 -0300 Description: MAINTAINERS: Remove old e-mail address ----------- The ghostprotocols.net domain is not working, remove it from CREDITS and MAINTAINERS, and change the status to "Odd fixes", and since I haven't been maintaining those, remove my address from there. CREDITS: Remove outdated address information ----------- This address hasn't been accurate for several years now.
  • Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-Level Sandboxing on the X86

    Vx32: Lightweight User-level Sandboxing on the x86 Bryan Ford and Russ Cox Massachusetts Institute of Technology {baford,rsc}@pdos.csail.mit.edu Abstract 1 Introduction Code sandboxing is useful for many purposes, but most A sandbox is a mechanism by which a host software sandboxing techniques require kernel modifications, do system may execute arbitrary guest code in a confined not completely isolate guest code, or incur substantial environment, so that the guest code cannot compromise performance costs. Vx32 is a multipurpose user-level or affect the host other than according to a well-defined sandbox that enables any application to load and safely policy. Sandboxing is useful for many purposes, such execute one or more guest plug-ins, confining each guest as running untrusted Web applets within a browser [6], to a system call API controlled by the host application safely extending operating system kernels [5, 32], and and to a restricted memory region within the host’s ad- limiting potential damage caused by compromised ap- dress space. Vx32 runs guest code efficiently on several plications [19, 22]. Most sandboxing mechanisms, how- widespread operating systems without kernel extensions ever, either require guest code to be (re-)written in a type- or special privileges; it protects the host program from safe language [5,6], depend on special OS-specific facil- both reads and writes by its guests; and it allows the host ities [8, 15, 18, 19], allow guest code unrestricted read to restrict the instruction set available to guests. The key access to the host’s state [29, 42], or entail a substantial to vx32’s combination of portability, flexibility, and effi- performance cost [33,34,37].
  • Linux Foundation Collaboration Summit 2010

    Linux Foundation Collaboration Summit 2010

    Linux Foundation Collaboration Summit 2010 LTTng, State of the Union Presentation at: http://www.efficios.com/lfcs2010 E-mail: [email protected] Mathieu Desnoyers April 15th, 2010 1 > Presenter ● Mathieu Desnoyers ● EfficiOS Inc. ● http://www.efficios.com ● Author/Maintainer of ● LTTng, LTTV, Userspace RCU ● Ph.D. in computer engineering ● Low-Impact Operating System Tracing Mathieu Desnoyers April 15th, 2010 2 > Plan ● Current state of LTTng ● State of kernel tracing in Linux ● User requirements ● Vertical vs Horizontal integration ● LTTng roadmap for 2010 ● Conclusion Mathieu Desnoyers April 15th, 2010 3 > Current status of LTTng ● LTTng dual-licensing: GPLv2/LGPLv2.1 ● UST user-space tracer – Userspace RCU (LGPLv2.1) ● Eclipse Linux Tools Project LTTng Integration ● User-space static tracepoint integration with gdb ● LTTng kernel tracer – maintainance-mode in 2009 (finished my Ph.D.) – active development restarting in 2010 Mathieu Desnoyers April 15th, 2010 4 > LTTng dual-licensing GPLv2/LGPLv2.1 ● LGPLv2.1 license is required to share code with user-space tracer library. ● License chosen to allow tracing of non-GPL applications. ● Headers are licensed under BSD: – Demonstrates that these headers can be included in non-GPL code. ● Applies to: – LTTng, Tracepoints, Kernel Markers, Immediate Values Mathieu Desnoyers April 15th, 2010 5 > User-space Tracing (UST) (1) ● LTTng port to user-space ● Re-uses Tracepoints and LTTng ring buffer ● Uses Userspace RCU for control synchronization ● Shared memory map with consumer daemon ● Per-process per-cpu ring buffers Mathieu Desnoyers April 15th, 2010 6 > User-space Tracing (UST) (2) ● The road ahead – Userspace trace clock for more architectures ● Some require Linux kernel vDSO support for trace clock – Utrace ● Provide information about thread creation, exec(), etc..
  • Read-Copy Update (RCU)

    Read-Copy Update (RCU)

    COMP 790: OS Implementation Read-Copy Update (RCU) Don Porter COMP 790: OS Implementation Logical Diagram Binary Memory Threads Formats Allocators User Today’s Lecture System Calls Kernel RCU File System Networking Sync Memory Device CPU Management Drivers Scheduler Hardware Interrupts Disk Net Consistency COMP 790: OS Implementation RCU in a nutshell • Think about data structures that are mostly read, occasionally written – Like the Linux dcache • RW locks allow concurrent reads – Still require an atomic decrement of a lock counter – Atomic ops are expensive • Idea: Only require locks for writers; carefully update data structure so readers see consistent views of data COMP 790: OS Implementation Motivation (from Paul McKenney’s Thesis) 35 "ideal" "global" 30 "globalrw" 25 20 Performance of RW 15 lock only marginally 10 better than mutex 5 lock Hash Table Searches per Microsecond 0 1 2 3 4 # CPUs COMP 790: OS Implementation Principle (1/2) • Locks have an acquire and release cost – Substantial, since atomic ops are expensive • For short critical regions, this cost dominates performance COMP 790: OS Implementation Principle (2/2) • Reader/writer locks may allow critical regions to execute in parallel • But they still serialize the increment and decrement of the read count with atomic instructions – Atomic instructions performance decreases as more CPUs try to do them at the same time • The read lock itself becomes a scalability bottleneck, even if the data it protects is read 99% of the time COMP 790: OS Implementation Lock-free data structures
  • Advanced Development of Certified OS Kernels Prof

    Advanced Development of Certified OS Kernels Prof

    Advanced Development of Certified OS Kernels Zhong Shao (PI) and Bryan Ford (Co-PI) Department of Computer Science Yale University P.O.Box 208285 New Haven, CT 06520-8285, USA {zhong.shao,bryan.ford}yale.edu July 15, 2010 1 Innovative Claims Operating System (OS) kernels form the bedrock of all system software—they can have the greatest impact on the resilience, extensibility, and security of today’s computing hosts. A single kernel bug can easily wreck the entire system’s integrity and protection. We propose to apply new advances in certified software [86] to the development of a novel OS kernel. Our certified kernel will offer safe and application-specific extensibility [8], provable security properties with information flow control, and accountability and recovery from hardware or application failures. Our certified kernel builds on proof-carrying code concepts [74], where a binary executable includes a rigorous machine-checkable proof that the software is free of bugs with respect to spe- cific requirements. Unlike traditional verification systems, our certified software approach uses an expressive general-purpose meta-logic and machine-checkable proofs to support modular reason- ing about sophisticated invariants. The rich meta-logic enables us to verify all kinds of low-level assembly and C code [10,28,31,44,68,77,98] and to establish dependability claims ranging from simple safety properties to advanced security, correctness, and liveness properties. We advocate a modular certification framework for kernel components, which mirrors and enhances the modularity of the kernel itself. Using this framework, we aim to create not just a “one-off” lump of verified kernel code, but a statically and dynamically extensible kernel that can be incrementally built and extended with individual certified modules, each of which will provably preserve the kernel’s overall safety and security properties.
  • Tailored Application-Specific System Call Tables

    Tailored Application-Specific System Call Tables

    Tailored Application-specific System Call Tables Qiang Zeng, Zhi Xin, Dinghao Wu, Peng Liu, and Bing Mao ABSTRACT policies may be relaxed for setuid programs.1 Once a pro- The system call interface defines the services an operating gram is compromised, a uniform set of kernel services are system kernel provides to user space programs. An oper- potentially exposed to attackers as a versatile and handy ating system usually provides a uniform system call inter- toolkit. While a uniform system call interface simplifies op- face to all user programs, while in practice no programs erating system design, it does not meet the principle of least utilize the whole set of the system calls. Existing system privileges in the perspective of security, as the interface is call based sandboxing and intrusion detection systems fo- not tailored to the needs of applications. cus on confining program behavior using sophisticated finite state or pushdown automaton models. However, these au- Existing researches on system call based sandboxing and tomata generally incur high false positives when modeling intrusion detection focus on system call pattern checking program behavior such as signal handling and multithread- [16, 12, 31, 35, 7], arguments validation [35, 23, 25, 4, 3], ing, and the runtime overhead is usually significantly high. and call stack integrity verification [10, 15]. Some establish We propose to use a stateless model, a whitelist of system sophisticated models such as Finite State Automata (FSA) calls needed by the target program. Due to the simplicity [31, 35, 15, 13] and Pushdown Automata (PDA) [35, 14] we are able to construct the model via static analysis on by training [12, 31, 34, 10] or static analysis [35, 14, 15, the program's binary with much higher precision that in- 13], while others rely on manual configuration to specify the curs few false positives.
  • Connect User Guide Armv8-A Memory Systems

    Connect User Guide Armv8-A Memory Systems

    ARMv8-A Memory Systems ConnectARMv8- UserA Memory Guide VersionSystems 0.1 Version 1.0 Copyright © 2016 ARM Limited or its affiliates. All rights reserved. Page 1 of 17 ARM 100941_0100_en ARMv8-A Memory Systems Revision Information The following revisions have been made to this User Guide. Date Issue Confidentiality Change 28 February 2017 0100 Non-Confidential First release Proprietary Notice Words and logos marked with ® or ™ are registered trademarks or trademarks of ARM® in the EU and other countries, except as otherwise stated below in this proprietary notice. Other brands and names mentioned herein may be the trademarks of their respective owners. Neither the whole nor any part of the information contained in, or the product described in, this document may be adapted or reproduced in any material form except with the prior written permission of the copyright holder. The product described in this document is subject to continuous developments and improvements. All particulars of the product and its use contained in this document are given by ARM in good faith. However, all warranties implied or expressed, including but not limited to implied warranties of merchantability, or fitness for purpose, are excluded. This document is intended only to assist the reader in the use of the product. ARM shall not be liable for any loss or damage arising from the use of any information in this document, or any error or omission in such information, or any incorrect use of the product. Where the term ARM is used it means “ARM or any of its subsidiaries as appropriate”. Confidentiality Status This document is Confidential.
  • The Security Implications of Google Native Client

    The Security Implications of Google Native Client

    Home Careers Contact Blog Product Services Team The Security Implications Of Google Native Client Chris | May 15th, 2009 | Filed Under: New Findings What would it look like if Google tried to unseat Flash and obsolete all desktop applications? It would look a lot like Google Native Client (NaCl): a mechanism to download a game written in C/C++ from Id Software and run it in your browser, without giving Id Software the ability to take control of your computer. Google NaCl is, on its face, a crazy-talk idea. It’s a browser plugin that downloads native x86 code from a website and runs it on your machine. If this sounds familiar, it’s because Microsoft tried it over a decade ago with ActiveX. If you’re skeptical about the idea, it’s because ActiveX was a security calamity; O.K. an ActiveX control, and it owns your machine almost completely. So the primary obstacle between Google and the future of software delivery is security. Google has a lot of interesting ideas about how to overcome that obstacle. But security people unlikely to take Google’s word for it. So Google held a contest: “we’ll publish the source code, you’ll find flaws. The winner gets $0x2000 USD.” We took the bait. And things were looking great for us. Then Skynet noticed Google, decided it was a threat, and sent a Mark Dowd unit back through time to terminate it. The contest winner hasn’t been declared yet, but as we aren’t a murderous robot made out of liquid metal, we’re guessing we didn’t take first place.