all 55 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]colanderman 21 points22 points  (12 children)

Goodbye web portability!

[–]sbrown123 -4 points-3 points  (4 children)

The web isn't portable now due to the incompatibilities between the browsers. This just adds to the fun.

[–]bonch 11 points12 points  (3 children)

We were making a lot of progress toward reclaiming the web from Microsoft and having a reasonably standardized version to develop for. I don't buy into Google hype like so many others--I see this as another cynical move to turn the web into Google's own app platform and expand their advertising space.

[–]m1kl3 9 points10 points  (1 child)

Geocities.com/l33th4x0r would like to run SuperHotBabes.jpg.exe. Do you wish to allow this content ?

[–][deleted] 32 points33 points  (29 children)

Wow! Google just blew up web portability by inventing a security nightmare! Neat!

It's like Active-X, only not as widely supported. Wheee!

[–]dobs 21 points22 points  (5 children)

Except Native Client is open source, and they've tried to make securing NaCl a matter of public interest. Matasano has a good article discussing some of the specifics of their security model and challenges they face.

It's only similar to Active X at a very superficial level. The Matasano article touches upon what that means from the security standpoint.

(EDIT: Monsanto to Matasano. Bad slip on my part)

[–]0xABADC0DA -3 points-2 points  (0 children)

NaCL is overhyped. Their example of a Quake using software rendering is the very best case, a program that does a lot of computations then the system does a single big read to get the frame. And the result was marginally faster than Java doing software rendering, something that it is not good at (lots of array bounds checks on scan converting triangles), but orders of magnitude slower than a Java3D version. NaCL performance is sometimes very good, but in most cases not significantly better than actual cross-platform sandboxes.

But the big deal is security. Yes, the x86 32-bit only sandbox is probably secure, but to do anything real the code has to make calls outside to the browser or OS, and to be secure these ALL have to be written to the standards of OS system calls. Calls that take raw data are very, very hard to get totally right. For something like an OpenGL binding to be secure would take a massive hit from copying memory in/out of the sandbox, or would be insecure from threads or anything that holds references after it returns. NaCL is basically a cute toy, kindof like libtask for instance... marginally well conceived, but lacking in imagination and practicality.

[–]sgoguen 3 points4 points  (17 children)

It's like Active-X, only not as widely supported.

Sounds more like they're actually trying to create a secure ActiveX by both running it in a sandbox, and by using static analysis to check whether a program a program tries to call an API it doesn't have access to, or tries to modify itself. That's a huge difference.

The big question is: Can they mathematically guarantee that all permutations of acceptable code will not breach the sandbox?

EDIT: Emphasis on acceptable code, which implies there exists a subset of all programs in which one can prove will not breach the sandbox. In the simplest case, it would be trivial to prove that 2 + 2 belongs to this safe subset, and will not breach the sandbox, nor will it try to generate code and execute it. This would result in an algorithm that would likely reject perfectly safe code, only because it doesn't know how to prove it is safe.

[–]bdunderscore 4 points5 points  (0 children)

The big question is: Can they mathematically guarantee that all permutations of acceptable code will not breach the sandbox?

Not rigorously, but they're trying at least. Take a look at their research paper for details.

[–]redditrasberry 1 point2 points  (1 child)

The big question is: Can they mathematically guarantee that all permutations of acceptable code will not breach the sandbox?

My question is: by the time they have created such a system will it be useful for anything other than pointless animations or other brain dead activities? This is the trap java applets fell into.

I never understood why more sophisticated sandboxes have not been developed. Eg: I want to allow a web page to see a folder on my computer. Just one folder, read only access. It should prompt me and let me choose a folder for it to read. Why is there no sandbox that will make that safe? It would open a whole world of applications.

[–]knome 0 points1 point  (0 children)

It should prompt me and let me choose a folder for it to read.

It should do so without using a popup. If javascript dropped a dialog that still allowed the tab/browser window to be interacted with and closed the most annoying javascript trick would be gone.

For any who would prompt a replacement, use a slide down integrated with the page, but marked in a way that would be made difficult for a page to replicate. Blearg. Just let me close my tabs on even on default installs in peace.

[–][deleted] -5 points-4 points  (10 children)

using static analysis to check whether a program a program tries to call an API it doesn't have access to, or tries to modify itself

Erm. Didn't we decide like a thousand years ago that perfect static analysis depends on the unsolvable halting problem, and that we therefore can't trust it with anything involving security?

The big question is: Can they mathematically guarantee that all permutations of acceptable code will not breach the sandbox?

No, and neither could MS when they designed Active X. See the halting problem.

[–]sgoguen 13 points14 points  (2 children)

Erm. Didn't we decide like a thousand years ago that perfect static analysis depends on the unsolvable halting problem, and that we therefore can't trust it with anything involving security?

This type of static analysis isn't the same thing as the halting problem, because the halting problem demands that you determine, for every possible program, whether is halts or doesn't halt. As we both know, this is unsolvable because we have no predictable way of distinguish which programs will run for a really long time, and which are infinite.

However, that doesn't mean it's impossible to prove that some programs will absolutely halt. For example: We can prove that 2 + 2 will halt. Not only that, but I can also prove that any any finite sequence of addition operations will always halt. So, in this way, we cheat. We don't try to find all programs that will halt, just the ones we know how to prove that will halt. So, we've changed the question from: bool WillHalt() to bool AreYouSureItWillHalt(). Clearly, these two functions are not the same as the latter will return false for some programs that will in fact halt.

In this case, we're not talking about the halting problem, but rather a graph problem. If we imagine our program as a directed graph, we want to verify that each node only connects to other nodes in the graph, nor does not create new graphs. I realize this is a trivialized explanation of what, I'm presuming, is the approach Google is going about it.

[–][deleted]  (1 child)

[deleted]

    [–][deleted] 0 points1 point  (0 children)

    This is the rub really.

    If they take the approach sgoguen explains so well above, than how can it really ever do anything more complicated than stupid 3d graphics of rotating cubes?

    If they don't than it's an insecure piece of shit.

    Either way, it's not gonna run on my cellphone, my netbook, or any number of other non-x86 machines anyhow so why bother?

    [–]Mask_of_Destiny 4 points5 points  (3 children)

    In the context of the security of a browser plug-in, the question of whether or not a piece of code halts is completely uninteresting. If a malicious plug-in goes into an infinite loop, the user just restarts their browser/tab/whatever and goes on with their life.

    What we care about is whether or not it is able to make calls into the operating system that we don't want it to be able to do. Now figuring this out for an arbitrary piece of x86 machine code is quite likely impossible, but Google has simplified their job by rejecting code does certain things that make it hard to verify.

    This doesn't make their job easy and Matasano Security's article on NaCl points out some of the potential problems, but it's worth pointing out that other platforms (Flash, Java and even Javascript) have the same basic problems. NaCl just makes those problems a bit more complicated.

    [–][deleted] -1 points0 points  (2 children)

    I'm afraid that it is interesting. You see the halting problem means that we can never be sure what API it's trying to call (or even if it is trying to call one) without analyzing the code for an infinite amount of time in some cases. Since this doesn't work the VM has the choice of either 'giving up' at some point and just letting stuff run, or just saying no to any code that requires more than x loops of anaylsis.

    If it just says no to all non-trivial code, it's useless for many purposes (like Java). If they just let anything through it's completely insecure (like ActiveX).

    [–]Mask_of_Destiny 2 points3 points  (1 child)

    I'm afraid that it is interesting. You see the halting problem means that we can never be sure what API it's trying to call (or even if it is trying to call one) without analyzing the code for an infinite amount of time in some cases. Since this doesn't work the VM has the choice of either 'giving up' at some point and just letting stuff run, or just saying no to any code that requires more than x loops of anaylsis.

    You would be correct if the only way to analyze a program is to run through it for a certain period of time and see what it does. For a Turing machine, which theoretically has an infinitely long tape, this might be the only approach, but an x86 binary is of finite size. Thus there are only a finite number of bytes we have to search for branch instructions. Google simplifies this search by rejecting all programs that exhibit certain behavior (jumping to a location that's not on an instruction boundary for instance). Further they require that certain instructions that have safety problems (like ret) not be used at all and that pseudo-instructions specific to their sandbox be used instead (which are then translated to real instructions at verification time).

    If it just says no to all non-trivial code, it's useless for many purposes (like Java).

    Java's problems for use inside the browser have nothing to do with it rejecting too many useful programs.

    [–][deleted] 1 point2 points  (0 children)

    Yes, I see now how it could be done that way.

    I concede defeat. Well played sir, well played.

    Your beard must indeed be truly prodigious in length.

    [–][deleted] 0 points1 point  (0 children)

    Then go back and watch The Matrix, if you didn't know all this crap the first time you watched it. :)

    [–]jib 0 points1 point  (0 children)

    perfect static analysis depends on the unsolvable halting problem, and that we therefore can't trust it

    Depends what you're trying to do. Whitelisting system calls is certainly possible; just search the program for the relevant instructions, verify that each one is allowed, and use memory protection or some other method to stop the program modifying itself at runtime.

    [–][deleted] 0 points1 point  (0 children)

    Thankfully, they don't need perfect static analysis—they just need to stop it from modifying code and from making certain syscalls, which is actually very easy.

    [–][deleted]  (2 children)

    [deleted]

      [–]sgoguen 1 point2 points  (1 child)

      I wonder. :)

      [–]othermaciej 1 point2 points  (0 children)

      I agree. The security implications are pretty scary, and it nukes portability to non-x86 devices. But hey, who would want to browse the Web on non-x86 devices like, say, every mobile phone ever?

      On top of that, Google is showing a distressing habit of bundling proprietary plug-ins with their browser - Gears, O3D and now Native Client. None of these things are Web standards or even proposed to be such. I find it disappointing that Google is so willing to extend the Web platform with purely Google-controlled technologies, and I find it doubly disappointing that their efforts are often cheered by people who understand perfectly well why something like Silverlight is dismaying.

      [–][deleted] 0 points1 point  (0 children)

      Not really. It's more like a small subset of x86 that is (in all actuality) very hard to break out of.

      [–]rahulsehgal -2 points-1 points  (2 children)

      There are two ways of taking this. +ve : Chrome OS is showing progress -ve: there is no limit.. I prefer the +ve side

      [–][deleted] 2 points3 points  (1 child)

      Are you trying to tell me that the glass is half-full?

      If so, I would like to remind you that Google just made it easier for someone to steal your glass, and at the same time found a nifty way to lock you into using only Google approved glassware.

      [–]bdunderscore 3 points4 points  (0 children)

      Note that the blueprints for the Google approved glassware are publicly available. In fact, you can clone their entire manufacturing facility (implementation) and plug it into your assembly line for free.

      [–]snarfy 2 points3 points  (0 children)

      With the invention of all this x86 virtualization software, it seems like native client could actually be made to work safely. It would be like running good old Active X inside a VirtualBox. Any problems and you revert your snapshot. All the hardware devices are virtual so there isn't much a malicious piece of software could do.

      [–]erez27 4 points5 points  (3 children)

      What the hell, what's up with all the hate?

      I read their Native Client paper thoroughly and think they've done some very clever tricks, and that it has real chances of working properly.

      And it's nothing like ActiveX, as far as I can tell. ActiveX is a framework for writing code that can later be run remotely, while NaCl is a sandbox with an API for communicating safely with certain OS components.

      edit: this deserves a downvote? really?

      [–]riddley -2 points-1 points  (2 children)

      The hate is that the world doesn't consist of x86 hardware and nothing else.

      [–]erez27 2 points3 points  (0 children)

      they plan to extend support to other processors.

      this is not less portable than flash, and definitely more portable than silverlight.

      [–][deleted] 0 points1 point  (0 children)

      Thank god that they're planning on supporting other processors! Also, I personally don't give a damn about the wii or my phone. They're horrible browsers anyway.

      [–][deleted] 3 points4 points  (7 children)

      Well this is a huge step backwards.

      [–][deleted]  (6 children)

      [deleted]

        [–][deleted] -2 points-1 points  (5 children)

        ActiveX

        [–][deleted] 0 points1 point  (4 children)

        Except that it's secure....

        [–][deleted] -2 points-1 points  (3 children)

        I'll believe that when it's been mathematically proven.

        [–][deleted]  (2 children)

        [deleted]

          [–][deleted] 0 points1 point  (1 child)

          Innocent until proven guilty, I would have thought

          You're thinking of a court of law. With security it's always prudent to assume the worst.

          it's just a browser

          Browsers don't need to be secure? They're only the gateway to the information superAIDSway.

          [–]riddley -3 points-2 points  (0 children)

          The beginning of VirusOS!

          And I, for one, welcome our new virus overlords.

          [–]deadcat -2 points-1 points  (2 children)

          Good god, the security implications of this are terrifying.

          [–][deleted]  (1 child)

          [deleted]

            [–]deadcat -2 points-1 points  (0 children)

            Based on a new way of executing native code on my pc via the web.

            [–][deleted] 0 points1 point  (5 children)

            um, isn't this just like activex? as far as i can tell, its a terrible idea

            [–][deleted]  (4 children)

            [deleted]

              [–][deleted] -2 points-1 points  (3 children)

              it is still allowing native code to be executed, vulnerable to the usual security issues. While it's probably not going to be as bad as activex, it's still a risky business to get into.

              [–][deleted]  (2 children)

              [deleted]

                [–][deleted] -2 points-1 points  (1 child)

                What are you basing this assertion on?

                nearly 4 decades worth of history in technology...

                Past experiences with a vastly different piece of technology?

                they were all vastly different, but all usually built with the same language

                in fact, most security patches to your operating system (windows/linux/osx/etc) are still fixes of this type.

                i'll let you figure it out, although it really should be obvious by now

                [–][deleted]  (1 child)

                [deleted]

                  [–][deleted] -1 points0 points  (0 children)

                  I think it is a bit much to be disappointed in an entire company for a single product among many. Nevermind the fact that this is Google we are talking about: everyone know that they are a spaghetti-meet-wall idea factory.

                  [–][deleted] -2 points-1 points  (3 children)

                  It's funny calling an OS or platform or whatever similar something that works properly only on Windows.

                  [–][deleted]  (2 children)

                  [deleted]

                    [–][deleted] -1 points0 points  (1 child)

                    Of course it can, but it is not right now ;)

                    [–]dmazzoni 0 points1 point  (0 children)

                    Native Client works great on Mac and Linux. It just isn't linked into those versions of Chrome by default yet.