Well bother business-wise? I mostly included them for completeness. I'm a bit fan of PNaCL but its not really taken off.
So technically bother, then? NaCL programs are just as susceptible to buffer-overflow as conventional programs, its just they are better sandboxed. Exploit mitigation is a belt-and-braces thing, and I can't see why Google wouldn't be enabling this pass right now as we speak.
You have something compiled in NaCL like the Flash plugin and it can control the camera and stuff and you are hoping that an attacker can't feed it some malformed JPEG or something that makes it use the caps it has in a bad way etc.
It's not that they're better sandboxed; it's that regardless of whether memory corruption exploits work, in the NaCL security model, if the sandbox doesn't work, you're fucked regardless. So why bother with hardened runtimes?
Your threat model seems to be that anyone who sends input to a sandboxed app should be assumed to have full control of it. But the apps frequently process input without wanting to give the sender of that input access to all its resources.
By your analysis, Gmail could implement a feature that lets a sender run arbitrary JavaScript in the recipient's browser, and this would have no security impact as long as the JavaScript sandbox was not escaped. But in reality this would be a huge breach, because there are valuable things inside the sandbox that attackers should not have access to.
Put another way, this wouldn't help defend Chrome from NaCl, but it would help defend the NaCl app from it's clients. This would be in Google's interest to implement because it would make the platform more attractive to developers.
That seems like an uncommon scenario for the kinds of things NACL gets used for. These are intrinsically server-controlled applications, when they're applications at all (my real sense of what NACL is about is "another tool to migrate away from things like Flash and plugins; ie: a platform for video codecs).
I see your point. I guess you're saying, there could be a photo editing app in which Alice can send pictures to Bob, and Mallory might send a malicious picture to Alice that coerces her client into betraying all its photos.
The buffer overflow in NaCL extension that comes with Chrome e.g. Flash may be just the a stepping stone in a Pwnium entry that escapes the sandbox through yet another webGL validation bug or something.
Why would Google want to not bother applying a belt-and-braces exploit mitigation that costs 0% CPU?
One NaCL use case is a plugin downloaded by the page
But NaCL is also used to isolate "built in" embeddables e.g. Flash, which I have used as an example of a NaCL plugin that comes with chrome in both the previous posts?
Another example is the voice activation plugin that got them into so much trouble recently...
Imagine you walk past your colleagues computers saying things like "let's google something naughty" loudly...
And now let's extend that to playing an audio snippet that invokes a stack smash? :)
I'm still not following how hardening Nacl against memory corruption bugs can help Chrome, given that Nacl-enabled Chrome already runs content-controlled Nacl code.
Are the pdf viewer or flash players 'content-controlled'?
Are not google-bundled plugins allowed to run even when the user doesn't allow third-party NaCL plugins to run?
Its belt and braces. Why wouldn't chrome bother to enable a pass that costs 0% runtime performance? After all the money and time Google have sunk into other runtime checks like ASan, why wouldn't they also enable this?
It made me think: what other 'exploit mitigations' do Google put into NaCL, even though its sandboxed? So I quickly gooogled to see if they use ASLR inside NaCL, for example. Here's what I found:
"for the threat model where a NaCl module might process untrusted input, it would be nice to provide ASLR for the NaCl module so untrusted input won't (easily) be able to take control of the NaCl module (if/when the NaCl module has bugs). (this is a different threat model that the usual one in NaCl, where the NaCl module is untrusted. here we are trying to make sure that a NaCl module, which is executing code on the behalf of some domain/web site, isn't easily pwned, even if the NaCl runtime is itself okay.)"
>>Google will be able to do likewise for NaCL apps.
They might be able to apply that over all of android - and that will automatically apply over java based apps.From there it's just a matter of incentives, to rapidly create change in rest of the apps.
Or, the other way around, for x86_64 in mobile devices.
Now they already can, technically (via fat binaries, they've already been through multiple architectural transitions), the interesting part is they could now go through these transitions without developers having to be involved.
yes. developers will be able to submit apps as LLVM Bitcode which means that Apple can switch to ARM for some new device and recompile the app without the developer having to resubmit it.
It also means the end of Universal binaries as Apple can thin the compiled app for each target device.
the PPC switch over was painful, as was the 32 versus 64 bit era. They want to avoid that in the future.
It's easy to loose sight of the fact that we are talking about 64bit OS X here... The diff between ir that targeted x86-64 and arm64 and so on is something Apple has some control over.
I know, I play with a hobby llvm backend that retargets.
> This means that apps can automatically “take advantage of new processor capabilities we might be adding in the future, without you re-submitting to the store.”
It doesn't. Bitcode is arch specific and unportable. It allows some instruction-set level optimizations, but not changing e.g. endianness (exactly what x64 and arm differ in) or type sizes.
ARM cores, although technically bi-endian, are in practice little-endian.
I play writing LLVM backends, and its entirely viable to even do things like rewrite float80 and other assumptions that a front-end has made for a particular target.
But what about things like non-aligned memory access (allowed on x86, not allowed on ARM)? Porting code across architectures can't be as easy as just swapping LLVM backends, when not even recompiling the code is sufficient.
There will be ISAs sufficiently different that you cannot make bitcode generated when targetting one not be massaged to fit another, but they are not mainstream. The mainstream are all increasingly similar 64-bit targets.
Google will be able to do likewise for NaCL apps.