| OLD | NEW |
|---|
| 1 ================== | 1 ================== |
| 2 ARM 32-bit Sandbox | 2 ARM 32-bit Sandbox |
| 3 ================== | 3 ================== |
| 4 | 4 |
| 5 Native Client for ARM is a sandboxing technology for running | 5 Native Client for ARM is a sandboxing technology for running |
| 6 programs---even malicious ones---safely, on computers that use 32-bit | 6 programs---even malicious ones---safely, on computers that use 32-bit |
| 7 ARM processors. The ARM sandbox is an extension of earlier work on | 7 ARM processors. The ARM sandbox is an extension of earlier work on |
| 8 Native Client for x86 processors. Security is provided with a low | 8 Native Client for x86 processors. Security is provided with a low |
| 9 performance overhead of about 10% over regular ARM code, and as you'll | 9 performance overhead of about 10% over regular ARM code, and as you'll |
| 10 see in this document the sandbox model is beautifully simple, meaning | 10 see in this document the sandbox model is beautifully simple, meaning |
| (...skipping 444 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 455 | 455 |
| 456 For *indirect branch*, we can address the first problem by simply | 456 For *indirect branch*, we can address the first problem by simply |
| 457 masking some high-order bits off the address, like we did for *load* and | 457 masking some high-order bits off the address, like we did for *load* and |
| 458 *store*. The second problem is more subtle. Detecting every possible | 458 *store*. The second problem is more subtle. Detecting every possible |
| 459 route that every *indirect branch* might take is difficult. Instead, we | 459 route that every *indirect branch* might take is difficult. Instead, we |
| 460 take the approach pioneered by the original Native Client: we restrict | 460 take the approach pioneered by the original Native Client: we restrict |
| 461 the possible places that any *indirect branch* can land. On Native | 461 the possible places that any *indirect branch* can land. On Native |
| 462 Client for ARM, *indirect branch* can target any address that has its | 462 Client for ARM, *indirect branch* can target any address that has its |
| 463 bottom four bits clear---any address that's ``0 mod 16``. We call these | 463 bottom four bits clear---any address that's ``0 mod 16``. We call these |
| 464 16-byte chunks of code "bundles". The validator makes sure that no | 464 16-byte chunks of code "bundles". The validator makes sure that no |
| 465 pseudo-instruction straddles a bundle boundary. Compilers must pad with` | 465 pseudo-instruction straddles a bundle boundary. Compilers must pad with |
| 466 `nop``\ s to ensure that every pseudo-instruction fits entirely inside | 466 ``nop`` to ensure that every pseudo-instruction fits entirely inside one |
| 467 one bundle. | 467 bundle. |
| 468 | 468 |
| 469 Here is the *indirect branch* pseudo-instruction. As you can see, it | 469 Here is the *indirect branch* pseudo-instruction. As you can see, it |
| 470 clears the top two and bottom four bits of the address: | 470 clears the top two and bottom four bits of the address: |
| 471 | 471 |
| 472 .. naclcode:: | 472 .. naclcode:: |
| 473 :prettyprint: 0 | 473 :prettyprint: 0 |
| 474 | 474 |
| 475 bic rA, #0xC000000F | 475 bic rA, #0xC000000F |
| 476 bx rA | 476 bx rA |
| 477 | 477 |
| (...skipping 182 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 660 as it likes. | 660 as it likes. |
| 661 | 661 |
| 662 Each data bundle starts with a breakpoint instruction, ``bkpt``. This | 662 Each data bundle starts with a breakpoint instruction, ``bkpt``. This |
| 663 way, if an *indirect branch* tries to enter the data bundle, the process | 663 way, if an *indirect branch* tries to enter the data bundle, the process |
| 664 will take a fault and the trusted runtime will intervene (by terminating | 664 will take a fault and the trusted runtime will intervene (by terminating |
| 665 the program). For example: | 665 the program). For example: |
| 666 | 666 |
| 667 .. naclcode:: | 667 .. naclcode:: |
| 668 :prettyprint: 0 | 668 :prettyprint: 0 |
| 669 | 669 |
| 670 .p2align 4 |
| 670 bkpt #0x5BE0 ; Must be aligned 0 mod 16! | 671 bkpt #0x5BE0 ; Must be aligned 0 mod 16! |
| 671 .word 0xDEADBEEF ; Arbitrary constants are A-OK. | 672 .word 0xDEADBEEF ; Arbitrary constants are A-OK. |
| 672 svc #30 ; Trying to make a syscall? OK! | 673 svc #30 ; Trying to make a syscall? OK! |
| 673 str r0, [r1] ; Unmasked stores are fine too. | 674 str r0, [r1] ; Unmasked stores are fine too. |
| 674 | 675 |
| 675 So, we have a way for programs to create an arbitrary, even dangerous, | 676 So, we have a way for programs to create an arbitrary, even dangerous, |
| 676 chunk of data within their code. We can prevent *indirect branch* from | 677 chunk of data within their code. We can prevent *indirect branch* from |
| 677 entering it. We can also prevent fall-through from the code just before | 678 entering it. We can also prevent fall-through from the code just before |
| 678 it, by the ``bkpt``. But what about *direct branch* straight into the | 679 it, by the ``bkpt``. But what about *direct branch* straight into the |
| 679 middle? | 680 middle? |
| (...skipping 214 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 894 ^^^^^^^^^^^^^^ | 895 ^^^^^^^^^^^^^^ |
| 895 | 896 |
| 896 By now you're itching to see the sandbox validator's code and dissect | 897 By now you're itching to see the sandbox validator's code and dissect |
| 897 it. You'll have a disapointing read: at less that 500 lines of code | 898 it. You'll have a disapointing read: at less that 500 lines of code |
| 898 `validator.cc | 899 `validator.cc |
| 899 <http://src.chromium.org/viewvc/native_client/trunk/src/native_client/src/truste
d/validator_arm/validator.cc>`_ | 900 <http://src.chromium.org/viewvc/native_client/trunk/src/native_client/src/truste
d/validator_arm/validator.cc>`_ |
| 900 is quite simple to understand and much shorter than this document. It's | 901 is quite simple to understand and much shorter than this document. It's |
| 901 of course dependent on the `ARMv7 instruction table definition | 902 of course dependent on the `ARMv7 instruction table definition |
| 902 <http://src.chromium.org/viewvc/native_client/trunk/src/native_client/src/truste
d/validator_arm/armv7.table>`_, | 903 <http://src.chromium.org/viewvc/native_client/trunk/src/native_client/src/truste
d/validator_arm/armv7.table>`_, |
| 903 which teaches it about the ARMv7 instruction set. | 904 which teaches it about the ARMv7 instruction set. |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 173343004:
NaCl documentation: nits on ARM sandbox documentation (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src