|
|
|
Google Sandboxing Tries to Make Browsing Safer
By: Larry Seltzer
2008-12-16
Article Rating:  / 6
There are 1 user comments on this Network Security & Hardware story.
Google Sandboxing Tries to Make Browsing Safer (
Page 1 of 2 ) When you've got as much money as Google, one thing you can do is throw it at projects you believe in. Google seems to believe in sandboxing as a security technique, and a lot of what it's doing is innovative.Google seems to be very interested in the concept of sandboxing. I count three
separate efforts the company is involved in. Who knows, they may actually
amount to something useful.
The Chrome browser is built around a sandboxed architecture in which browser
applications are locked down using Windows-specific features such as Job
objects and restricted tokens. I
wrote about this at length when Chrome debuted. It's not especially
innovative, but it's a step in the right direction.
Google bought GreenBorder
last year, a company that uses virtualization to sandbox programs and
specifically browsers. There hasn't been any news about this that I've seen
since the purchase, but the basic point is the same: Prevent anything that goes
wrong in the browser from affecting the rest of the system.
The newest and probably most interesting sandbox is the Google Native Client, known
casually in the company's docs as NaCl. (I'm not sure if the "salt"
reference has any meaning.) What is NaCl? Many of the quick reactions to it are
miles away from what I got out of Google's
white paper on the technology. (The white paper seems like a very honest
explanation of the technology to me, even if some of the writing is really
bad.)
Some wrote that it's a new ActiveXan easy mistake, perhaps, based on a very
superficial read of it as a way to run native code inside a browser, but the
similarities are only superficial. NaCl is designed with a very different
philosophy than ActiveX, which put no real restrictions on what the code in the
object can do, and whose only security feature is support for digital
signatures. NaCl has a sandbox, and a very restrictive one, more about which I
will write below.
Some wrote that NaCl is a harbinger of a Google operating system, and this
seems like a real stretch to me. NaCl is a fairly primitive feature; if the
operating system is the gorilla, NaCl is probably just the banana. (Of course,
Google may be writing other parts of Kong at the same time.) I think it's much
more plausible to view NaCl as a way for the company to make code running on any
operating system in any browser safer and more reliable.
NaCl is a run-time environment for native code to run inside a browser, any
browser on any operating system that runs on an x86 processor. It will probably
appear as a plug-in for Firefox and an ActiveX control for IE. Applications
that run in this environment, called modules, are heavily restricted: Many x86
instructions are prohibited, and there is no calling allowed into the host
operating system.
Other important features, like hardware exceptions, are disallowed, and this
is an interesting symbol of the primitive programming environment. Posix file
I/O is provided; I'm not sure if that's enough for everyone. NaCl does support
C++ software exceptions.
NaCl itself provides some system services through NPAPI (the Netscape Plugin
API) and a "service run-time"
interface that provides memory management, thread support and other such
features. There are actually two sandboxes, an "inner-sandbox" which
uses static x86 code analysis and x86 segmented memory to block dangerous
actions and force safe techniques onto programs.
Yes, you read that right: segments. They're actually bringing back the whole
segment:offset thing and far jumps that we thought went away with 32-bit code.
This will likely send many programmers to the windows on high floors, and I'm
not entirely clear on why it's worth adding a fair amount of complexity. (In
fact, it's the use of segmentation that makes support for hardware exceptions
impossible.) You can all read the white paper and explain it to me.
|
|
�������x}r㶲s\@♵MQGJɖ<֊myYSHHbL\$e/Oo<�xӅ|8{Ɩpi�Fh|Ggo�D.�01tE1�>=zo�HRco���L#sJ��:Az#:,t�}w5�k99�r
���z=�>�;|� �`OS{S
�uɄIPW�^ߗͩ6}^~l��.pѶ
⌲Q�m/5x�yO`nzN<�)_ERGB@T��4IXޢȱ�7{Xd�3�S�6B��|DJT%h�!�G�Qes�ady4*;U;a͏r;hP�;E�yaUh��/�@Z��#\DȁRh�=3d9c';���{ �-�Xd�UjL��bC2R!1k;T*�T*65-晚u@|͖|#XulAzf@h �ɠ�ݢ�&q!_C�p`iŭF�Wʉ��<{e6O(L|@�Au�ӱaGG�H5#o83Xt6
dݺ;VrP�
jrX(��?*����6�2��2;sPQTP8]uίs$Q�ww�ܖ4�T\vNoY\u?/.-�N���|'k[oD�Z.��JX<&ȇ¤�T|5 uz3P��%oJtXT�Z, Ԏ$0L"�AK�1zĢ(C$NߒL-~k~>CF,[�SAVU�衂ĠʠW:+֟�㽩S=k>]rvZ�9ސVcCR0@|Ӡd8�r,�
߱n\S;G`hGo__ ZP� E/$Li�.z��p-Alo�
K�h�,ru&S{~�$M��cΚb.L2o<|�J�$%/\PeP샚_[�2jFt*\($ɛ!"G�9x�W��,ʹ��c�䁉1SUҽTws
�[�t48;�Nއ]-7Du,.ɺ*35-wnx�Tw9qn?ܴ[wݽueko�Nj
�#\��LoZ`�\Z�ƪc*e(Y�bP)��V1�q+-~~b0B��m�]&
:fV|ϳ`:A!i�
vڔz?iS�ӧ0gPDjh|�(>hʋM�PsiOL�@s�Շt�u4A���ͣPo]=':� }!PA}H�)zN=��=H�6�ZЉ�χ�jc˦MB:��ǻ�ښB�<(Qҡ4|мa���y�jQ?]�*~h3`�-�Df>�o��9�#k
M�T<�ģL~q
C|'s\(L7^ ��ybA29 D�EM�i�@(�P!$�5N`��r���́l�bo(?LH�X)Zp։p
(=�Hp@)K+aGe�5n_
$�df2I-iG]Wm&D�r"e�L/G�7Mቚ6Z5oY*�URO4iMhFn�f#@�.'32H�`u�@?e!1q SQ����k��{�熳���O OzuO�
����V3=PX,ƃ=L{nlQԴa81 հ�|Ch�2!j0�MYg5Lj{
r�G#7�qlX9�`m=�څ\jWZuN/'ܑ-ӾZ�_e~�h�B=Ss��&A|5
�i!3'Xe�ofMf�Vʒrɕ�L� U�T�#!őMTb0vQؼUwPyScǰ�vB
Dw�U�Jm�L��ڥ���glQIBmA�:B �Qքu&t0}yD��㽝�� #
�A��\$�����@0 !/�Pb &@cVsE�s�V��-EAN-)�]�gwu$c�&УC�jzxp~9ë#_%p�po?IjZX6C(Jz\R*qVX�V�7wQ�)4Ku�� |k`ޝ?S}`�1gSp@o)��@g�!ڜA��7�Y�f�5��1_0kYu�/ ,9�i�Vb)F}tl#�e��
$$
2tܙ 0�>A,C��7Mt� �`B��E��:Ms�8-!z@z�zλWԴG���0L�j?:q~m�@"Os`�~�؇^gm/ JzX+*5 (K^3�b�RD��iƱ�4;D WI4b+��\W�.Vٸ�@İ/wy�U-'ۂa0"3Q)�ڃzҳbu�eyu�ٔi]\�}k�,ky��Ne�=C��\/�X wl~§gaɜ�}��եhsg8h$Δ�3�b ؑo�'�e�b
Z`L��j
`Ӗ
X�@.([�6[)wK�=�D"pL�~\�8v͵�W�n`�
kab_|Y*�J�4�H-U4�qMݗ?S~0X�� S?�PF�=teX܂��r;fֺ̬9_Ifi{�VŽ]2eH�$V�J3dNVڡ"$X+JJIx�v(P|�ȘKV�h=n�M\&e>M%%;W>W\���_a=n�h��/$ΆR%*m\䎿ߓN \�c}
�( JR> G�`I.��|akJZ�=����~/l?~u�a�a=&~t}�}/{,5.
X�U#R>&;MUK\6߷p��-�Z U>4 �2�`i8~{LC
}:JfWKfչz/:laE�z)0\
=9аI^
8͛+%E_7;&�u�߽�w�9&hh�WG,�Y#t!B^7-ͦ5��vpRd�Ȕst՟{0l%z�k��R_�KվĂ�$�"Z*M3$nX
*~v�ͣ ;}oE�9�¾�X�XPH�&_1wha�
c��{ ~�P)'$
�N)v�c/;��VBLR`2"�(BR.IHO�,jvo(�6�F�ы�ٿ�ݹ^
4~+ y,~y<~_dxD�%�'BYGg2�\IGҽ8 $CebS`Ӄ�.�s3�гi!�^��o��l�"tSݏ�#21
�*r֞S)ZDcsOӖO|^BB�YQ�TwJ գdL$�zdeٺfIl�x4e�RJɔ&]_?�z>SB&T5ۓ$-+I^O Eq�i�e*ʒ�*~IO`'1ۡX#�ۓ�]7G8+
(OLkrwisy�]ҹ|sXd�Ov�IJhEw�鳁᪖}�Y��ڇᕿ9Z�c:M���i��9"y0__T���;Nm3ytl=oݙ bI~8qD�42Thix�3ؾs=ahNх[e���Y�$3m�ԧڜ;M�y�zv`h) �.�0o�}-{xoC�V'+$c:��I"�I^QԼڭEdE)IW=ۋ7R^q�+���&i_�%3�-ћ�4/MZ_�RikǷJ�3wc$:^tN.�;V�)+aB/={{frcD�qqe�7�d[4|�miN��^Ҵ
%%��7lz~c:^_�Z �MqkE�}㽄I9;�r�|u\'\r%vRjf12`9z'Cv�$SϪ0C �:X;l)R5>,yXDddNJ]y�W2�ORJ!!�-�m�wu�rDg I&��CB�G%�y�,E-"'G�N�/�Rы�S,1�69��x<�ŘK0˚E``��]{�G�,W�[@hrbr_~vu�O�9G͜o�wv@v/bd�'�BpR '|N@<ͮ5)Nh'E
@[N�>e6BAŤ�R0!�R^:ъWuY�Ԣr\\�EV_j3�$zH5�@O$H���hTUkÒ,XW0�tE�@bL�d� a��(r@�:J�a�+mj!^�Bt=
E'U_~2`~
r(0+}�T>jʼni?�M��!:Sw�`V�خPۃA:q@>nA5�Zz�Fb@h[�D+Iqë�\��TF ^J_�G!zvBDc/Ix�a8e$9ҥc{QΗ fr 2$XI�!"�Eb �L� �
�XZKy; ʻӥr-].7ò#}�+Ӄ6 G?�,�,$�+Ue�4}XH�M�,`�_HXBூ:_�Wkit�4P�SٖF/j�Z.O@O=F�:JLI�tڇR4f�TƸ��A&!dLJL9 �4�D~j�i<#im[J<*�b�caR/g>�XҖCg��b Y�Y�(#��akZ��
;�[\/-��:E�snH,�hJ��\okK���Ca�+%`)�M��M��h
�h+y>�ua>46�N�Q��xb�CP�2C5Fwq'!^OffffrMVn�x��8ҩys�Uo�f˾�6�`ƣ-Ot9"���<�#��x�ww0��IsO@Q�;JU,2a�nZ7�Og&�'in(qD$N:s�'�ARea#zmKn9fN`�~M{GE8�*u�w���KS��E%�&�8h�6�`rGڼ0
�$�x�0[R٬/L{I��wio�بktF
p¬Z�l�lzs?SH2M1�#Ֆ�KjF6/5�4JxDQ�F@��%Q�$+
#>7N�
qKz/,WJ'f \3J:>Z*fS��BU!JI�xQ��i�px���% Q(4�SkKz6;5"K��6{W4oKז�5�� %��ku. �}�^c��wq6*dW_j�CKaRA�nn?R�$/&B�*R)�5䀠sȃj 7�6� M�+W��i(j<:�wI�-ffff}6Z|Km1Qmq,'T�҉*2}ȡe�zl^�Bi��f-2Ěja+I�iqnr�
W�Sƚy<��,o��'R
�8;1��-'j��1��;>+h�νc�o
C>b5?,rg闺U
oqvs|��miYɀ{|J8=0fQ\�S&p�]}�r�Ec�-c!l��B�߲O5�O�
Sv�_�{*�i�dCҏ"{p�
�
�j�U+
R�@�a]I��Yq{jS�l
vf4~��S�u&^�E[ǰD9 ?
MD)`G!�C~0�5RWҩ&��C[k�rH��G@M�-v~��
�Ɲ@ !�= �tX)aw�Ƕ <|tFc`HCB~�$5d�&��BaD0DO
rซan�#�ʱ,q|�=EYD�q.<3Kg e9L9'9we1i}(f�i�B4U�ĨW�I�l?�Q�X2x{�n���/͛I~�oYKC�qm.95�1E�>�R>&sjZ-�*9�>%�Rky�KN�t�c���[cǢ���ek[`�ɣ.�j}+zt
�JD:�
�f�Oku��llN��!Vi
�?7L8�Vi
�6vn&|.'ֻh
zR[o^;C'�ܬDIk
f߭2G܀���uQa�Na)kc,pWw,J����[[K`mj|eX�|>I��ܪzB��9�I�f[ZZcX(+J
�cʂ�ʗ7}yJM-TZI�ܣz �0r =��F%�x�]<�
Փ>.,Q�u$v�y)�aZ**5Ϛk0p*AE�L>IߜXbi'�1
m&0=xIc�;���eۡ�ǪcjkF�6J>� A��;Kx\
@�ݹHu+nA��,t:떤E�v"6B<\s˩Dyj�$Z(�Mϱz�sȑjۋuN퇩ў.,9)�ҸxfZ-+J5V\Hva~�X�ev��6��tN5[MFmSN�Dsnj̏XJ0o[1�K}�J�FV9G6ފb�j,~���eUh%mf^�hdt15�x*c��a<�cD�U<�1�1t+PjN�TL֏0Y�=CE3 ���_^bZ+=N�~C�&3�+��/4�'mR3-�gТ�7O�qy5aT0�|LBn�mxX8T��Dv��h�:���hTLu
ߜa�< �{S0�LIx##�}i3`^vk+�փފ> 2A@:-u@�y"vAf.B��0
>!��v�f\o{�~}C��+@�ܙ6���
�<�ySMW
/OaxC`�t6�qM;'6g<�>akH"�.*+ra S��
xtg#C�'�V>+�{�OgC.7L�h[�:�LZ�S4�pLz^PD7FDu*�t0��2w*%bH&��cP5
x�E
�?=7�nrn�-i`Kk0'��x
�D�x&�{U��I@�s43D�И0mݚ�1�u�"�cs�9��z!K��qf�yy��5?�P"Ы8�~�(a�E�d��@O��4
���!\�z%%n4WX�p_)ęQ48��1���z�q"O�g8ePOnN+@ S3` g;.�l9t:W��1�&��|Ǟ%n��wKM ፈRyN��]ƒ�$�BѽӜh6@_7=}?݉2���}x��И1�wT�0%Tk�L��|�+V0cE)'�v8nV?z.4!W�)WT�h����s##vGC�Ti`�5P }a3bqO4n0Ǡ�O{C&�'ӛuӽ"'-o¶V-J-�et[Nן:WU?83=X(Kyl21^�
Β^�9j^28SE1B"r4,x��j�E�^ϊ>*M`$$͞?
Nb�D0/�* F^�M/��7[vfc+.�t6xq;�/ϦKN�#CE@oAK�e~�5=V0<3�(:hO�v{itڹFRZl�"#�%#3ȿM߅nF>Rz}~�pjgB3Y�~Cg�>kwwZF�d�3|'r_z� ���Ve\/3 /�~/3{ %2c@�y yAȣW���3!<#�Kȿȇʘ+�ʘ..ȟn|fȗk��o~n2�e�e�Ϡ _?�}}Ƞ1+�1c|���3w�Y@�{�f�wAɵN2!ofY�7NOo\�8'�\$^��YOY:?�yV)@~�N͠
lc3\)���
Sܿw2~RA?wOBh\Jzp+*WgiU�viAưx.6�Q^/TZ�+ޤg��Rp\*�g�ل}�@C؞y#uO�� sOʺύh!҇�se5n�ν�U�mhӉzZ=Ě!�Fz�Vj?a�>pbW�=}sռ�\7߷Y=쓥̓>A7n"��B8�Cw0�d�p=s_\���vZ{�h!�+u7\1��1{�hգ{=ıiSr
P3�l1A�Щ
|�d�L$pgB-ҋ[�>\Ha��˺]&�/R�>h�8D�j�Nؖ1"�QUV*�ur$~^~9K5�6zw�~�=�˹F��:ʉp/�"C0t't@F±0N�np[�"&�@䄸�ީ`wƨ%&F\c`0��{]�î�+{bL I��U?�I[E�-'F�ôFo 9 ū*aсY�k{nD8�?c;-�A5+�_w!7@��*}�q���Aflk8ӕs�XQg
4?\
��Hn<[-ǚ19{K�D@x^�7�D6^aޟ"B|gĈ{/I^zeSO!2GTfg�JAXR!I]�y��0t;'�cr���C!�֬�Y`�_CBb� #;M�x>p�*q9w�I7�\,AOd=:q1~|,�,<ϩ }+,RDNKPsHO-N��5N�k&lۃ[�;�d�|EBUm�kC��1̅��ԟ"1P
Y=v�Xn�A�}F^<\�$%4-ϫ�1E%[M%�i{j9.]K`RJ��V�r.�=�`n6{Rš~ D$$E�'�_!| a��R1=�zH5|�t,C䷧c��c���%�Ϡb/;MZKV9j[۲"/�&�]
aъU$mJ��T~3(U��Xw|6(6�q�Bh�
��wG�w�
,��AQ6�I�cSW9D@0a�nwfښ�ˎ4)�
m'%8�4B�>ؼ�Qֺ%��L�k,>�i��Z)�yc<��Z��An0$ �o�)�iE1xu!AY��=-_��!0�p,\f hzl�}�π XsCQ%ɷ
�=͛+H�ʍt�/�A�Stk�
6�[ '"���ۂt�J-Ӵ>u¹":UXJٍ���h,8/# kt?�ƝMQ|��r"#�Ŗ�i3x|��@ = oF8�`y%K@0�4{�27�ǩWV�xx�}�ͺC�g�
f��k�O�dg�{�UM)�S_7mR��JE,:q` {];<�k{.
kWȁnaT�x�-��+@�>���{z��wn~#���1V`]cc�R6Ȥ{� y�C�`5RK�Eq�
sXǼȖwWRڱ!�;r/D?8��@
caL ��;fcJ
,�oԛ'TS*a#�o�*�;A^es�S$��˩Y)��ÊaNvLʹÞךWЀ/1O>Y{X/5bb8(/Z��0����
��9LMhc{p�fa�J)�m!��#��τ T4}�v! �C *#f" ţ�8ZL+bB�#ىZsR.)C395E>dS>C'@jF7\
�
d9Z\O>م�4&�;�k�9ώ�K~>t�� �\99�.s@|/I}XI|aA�t1G)W�#nrW���ĊN�t^z�k/oߙ�Y/5/;�K%H=C�
q\���3JdbQx'ξmwޟVdv/71X�Z~sO~jIaA�yiNQ�e7v���]7[dA|g�
.N|>Cy6��_���*?i�V�N$7Eѓ�em.P�zv�W۲M�*
_d%r�R�⊧�EiQm*'2Kf(1rlƝl n!%56|L=_�k�
EW�YnMu+��
|
Network Security & Hardware 
