| OLD | NEW |
|---|
| 1 {{+bindTo:partials.standard_nacl_article}} | 1 {{+bindTo:partials.standard_nacl_article}} |
| 2 | 2 |
| 3 <section id="nacl-sfi-model-on-x86-64-systems"> | 3 <section id="nacl-sfi-model-on-x86-64-systems"> |
| 4 <span id="x86-64-sandbox"></span><h1 id="nacl-sfi-model-on-x86-64-systems"><span
id="x86-64-sandbox"></span>NaCl SFI model on x86-64 systems</h1> | 4 <span id="x86-64-sandbox"></span><h1 id="nacl-sfi-model-on-x86-64-systems"><span
id="x86-64-sandbox"></span>NaCl SFI model on x86-64 systems</h1> |
| 5 <div class="contents local" id="contents" style="display: none"> | 5 <div class="contents local" id="contents" style="display: none"> |
| 6 <ul class="small-gap"> | 6 <ul class="small-gap"> |
| 7 <li><a class="reference internal" href="#summary" id="id5">Summary</a></li> | 7 <li><a class="reference internal" href="#summary" id="id5">Summary</a></li> |
| 8 <li><a class="reference internal" href="#binary-format" id="id6">Binary Format</
a></li> | 8 <li><a class="reference internal" href="#binary-format" id="id6">Binary Format</
a></li> |
| 9 <li><a class="reference internal" href="#runtime-invariants" id="id7">Runtime In
variants</a></li> | 9 <li><a class="reference internal" href="#runtime-invariants" id="id7">Runtime In
variants</a></li> |
| 10 <li><a class="reference internal" href="#text-segment-rules" id="id8">Text Segme
nt Rules</a></li> | 10 <li><a class="reference internal" href="#text-segment-rules" id="id8">Text Segme
nt Rules</a></li> |
| 11 <li><a class="reference internal" href="#list-of-pseudo-instructions" id="id9">L
ist of Pseudo-instructions</a></li> | 11 <li><a class="reference internal" href="#list-of-pseudo-instructions" id="id9">L
ist of Pseudo-instructions</a></li> |
| 12 </ul> | 12 </ul> |
| 13 | 13 |
| 14 </div><section id="summary"> | 14 </div><h2 id="summary">Summary</h2> |
| 15 <h2 id="summary">Summary</h2> | |
| 16 <p>This document addresses the details of the Software Fault Isolation | 15 <p>This document addresses the details of the Software Fault Isolation |
| 17 (SFI) model for executable code that can be run in Native Client on an | 16 (SFI) model for executable code that can be run in Native Client on an |
| 18 x86-64 system. An overview of this model can be found in the paper: | 17 x86-64 system. An overview of this model can be found in the paper: |
| 19 <a class="reference external" href="https://research.google.com/pubs/archive/356
49.pdf">Adapting Software Fault Isolation to Contemporary CPU Architectures</a>. | 18 <a class="reference external" href="https://research.google.com/pubs/archive/356
49.pdf">Adapting Software Fault Isolation to Contemporary CPU Architectures</a>. |
| 20 The primary focus of the SFI model is a Windows x86-64 system but the | 19 The primary focus of the SFI model is a Windows x86-64 system but the |
| 21 same techniques can be applied to run identical x86-64 binaries on | 20 same techniques can be applied to run identical x86-64 binaries on |
| 22 other x86-64 systems such as Linux, Mac, FreeBSD, etc, so the | 21 other x86-64 systems such as Linux, Mac, FreeBSD, etc, so the |
| 23 description of the SFI model tries to abstract away system | 22 description of the SFI model tries to abstract away system |
| 24 dependencies when possible.</p> | 23 dependencies when possible.</p> |
| 25 <p>Please note: throughout this document we use the AT&T notation for | 24 <p>Please note: throughout this document we use the AT&T notation for |
| 26 assembler syntax, in which the target operand appears last, e.g. <code>mov | 25 assembler syntax, in which the target operand appears last, e.g. <code>mov |
| 27 src, dst</code>.</p> | 26 src, dst</code>.</p> |
| 28 </section><section id="binary-format"> | |
| 29 <h2 id="binary-format">Binary Format</h2> | 27 <h2 id="binary-format">Binary Format</h2> |
| 30 <p>The format of Native Client executable binaries is identical to the | 28 <p>The format of Native Client executable binaries is identical to the |
| 31 x86-64 ELF binary format (<a class="reference external" href="http://en.wikipedi
a.org/wiki/Executable_and_Linkable_Format">[0]</a>, <a class="reference external
" href="http://www.sco.com/developers/devspecs/gabi41.pdf">[1]</a>, <a class="re
ference external" href="http://www.sco.com/developers/gabi/latest/contents.html"
>[2]</a>, <a class="reference external" href="http://downloads.openwatcom.org/ft
p/devel/docs/elf-64-gen.pdf">[3]</a>) for | 29 x86-64 ELF binary format (<a class="reference external" href="http://en.wikipedi
a.org/wiki/Executable_and_Linkable_Format">[0]</a>, <a class="reference external
" href="http://www.sco.com/developers/devspecs/gabi41.pdf">[1]</a>, <a class="re
ference external" href="http://www.sco.com/developers/gabi/latest/contents.html"
>[2]</a>, <a class="reference external" href="http://downloads.openwatcom.org/ft
p/devel/docs/elf-64-gen.pdf">[3]</a>) for |
| 32 Linux or BSD with a few extra requirements. The additional rules that | 30 Linux or BSD with a few extra requirements. The additional rules that |
| 33 a Native Client ELF binary must follow are:</p> | 31 a Native Client ELF binary must follow are:</p> |
| 34 <ul class="small-gap"> | 32 <ul class="small-gap"> |
| 35 <li>The ELF magic OS ABI field must be 123.</li> | 33 <li>The ELF magic OS ABI field must be 123.</li> |
| 36 <li>The ELF magic OS ABI VERSION field must be 5.</li> | 34 <li>The ELF magic OS ABI VERSION field must be 5.</li> |
| 37 <li>The ELF e_flags field must be 0x200000 (32-byte alignment).</li> | 35 <li>The ELF e_flags field must be 0x200000 (32-byte alignment).</li> |
| 38 <li>There must be exactly one PT_LOAD text segment. It must begin at | 36 <li>There must be exactly one PT_LOAD text segment. It must begin at |
| 39 0x20000 (128 kB) and be marked RX (no W). The contents of the text | 37 0x20000 (128 kB) and be marked RX (no W). The contents of the text |
| 40 segment must follow <a class="reference internal" href="#x86-64-text-segment-rul
es"><em>Text Segment Rules</em></a>.</li> | 38 segment must follow <a class="reference internal" href="#x86-64-text-segment-rul
es"><em>Text Segment Rules</em></a>.</li> |
| 41 <li>There can be at most one PT_LOAD data segment marked R.</li> | 39 <li>There can be at most one PT_LOAD data segment marked R.</li> |
| 42 <li>There can be at most one PT_LOAD data segment marked RW.</li> | 40 <li>There can be at most one PT_LOAD data segment marked RW.</li> |
| 43 <li>There can be at most one PT_GNU_STACK segment. It must be marked RW.</li> | 41 <li>There can be at most one PT_GNU_STACK segment. It must be marked RW.</li> |
| 44 <li>All segments must end before limit address (4 GiB).</li> | 42 <li>All segments must end before limit address (4 GiB).</li> |
| 45 </ul> | 43 </ul> |
| 46 </section><section id="runtime-invariants"> | |
| 47 <h2 id="runtime-invariants">Runtime Invariants</h2> | 44 <h2 id="runtime-invariants">Runtime Invariants</h2> |
| 48 <p>To ensure fault isolation at runtime, the system must maintain a | 45 <p>To ensure fault isolation at runtime, the system must maintain a |
| 49 number of runtime <em>invariants</em> across the lifetime of the running | 46 number of runtime <em>invariants</em> across the lifetime of the running |
| 50 program. Both the <em>Validator</em> and the <em>Service Runtime</em> are | 47 program. Both the <em>Validator</em> and the <em>Service Runtime</em> are |
| 51 responsible for maintaining the invariants. See the paper for the | 48 responsible for maintaining the invariants. See the paper for the |
| 52 rationale for the invariants:</p> | 49 rationale for the invariants:</p> |
| 53 <ul class="small-gap"> | 50 <ul class="small-gap"> |
| 54 <li><code>RIP</code> always points to valid instruction boundary (the validator
must | 51 <li><code>RIP</code> always points to valid instruction boundary (the validator
must |
| 55 ensure this with direct jumps and direct calls).</li> | 52 ensure this with direct jumps and direct calls).</li> |
| 56 <li><code>R15</code> (aka <code>RBASE</code> and <code>RZP</code>) is never modi
fied by code (the | 53 <li><code>R15</code> (aka <code>RBASE</code> and <code>RZP</code>) is never modi
fied by code (the |
| (...skipping 22 matching lines...) Expand all Loading... |
| 79 guaranteed to obey the invariant.</li> | 76 guaranteed to obey the invariant.</li> |
| 80 </ul> | 77 </ul> |
| 81 </div></blockquote> | 78 </div></blockquote> |
| 82 <ul class="small-gap"> | 79 <ul class="small-gap"> |
| 83 <li>Trampoline/springboard code is mapped to a non-writable region in | 80 <li>Trampoline/springboard code is mapped to a non-writable region in |
| 84 the <em>untrusted 84GB region</em>; each trampoline/springboard is 32-byte | 81 the <em>untrusted 84GB region</em>; each trampoline/springboard is 32-byte |
| 85 aligned and fits within a single <em>bundle</em>.</li> | 82 aligned and fits within a single <em>bundle</em>.</li> |
| 86 <li>The OS must not put any internal structures/code into the untrusted | 83 <li>The OS must not put any internal structures/code into the untrusted |
| 87 region at any time (not using OS dynamic linker, etc)</li> | 84 region at any time (not using OS dynamic linker, etc)</li> |
| 88 </ul> | 85 </ul> |
| 89 </section><section id="text-segment-rules"> | 86 <h2 id="text-segment-rules"><span id="x86-64-text-segment-rules"></span>Text Seg
ment Rules</h2> |
| 90 <span id="x86-64-text-segment-rules"></span><h2 id="text-segment-rules"><span id
="x86-64-text-segment-rules"></span>Text Segment Rules</h2> | |
| 91 <ul class="small-gap"> | 87 <ul class="small-gap"> |
| 92 <li>The validation process must ensure that the text segment complies | 88 <li>The validation process must ensure that the text segment complies |
| 93 with the following rules. The validation process must complete | 89 with the following rules. The validation process must complete |
| 94 successfully strictly before executing any instruction of the | 90 successfully strictly before executing any instruction of the |
| 95 untrusted code.</li> | 91 untrusted code.</li> |
| 96 <li>The following instructions are illegal and must be rejected by the | 92 <li>The following instructions are illegal and must be rejected by the |
| 97 validator (the list is not exhaustive as the validator uses a | 93 validator (the list is not exhaustive as the validator uses a |
| 98 whiteist, not a blacklist; this means there is a large but finite | 94 whiteist, not a blacklist; this means there is a large but finite |
| 99 list of instructions the validator allows, not a small list of | 95 list of instructions the validator allows, not a small list of |
| 100 instructions the validator rejects):</li> | 96 instructions the validator rejects):</li> |
| (...skipping 86 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 187 add %rZP, %rsp ; restoration of %RSP from %RBP with adjust | 183 add %rZP, %rsp ; restoration of %RSP from %RBP with adjust |
| 188 sub ..., %esp | 184 sub ..., %esp |
| 189 add %rZP, %rsp ; stack space allocation | 185 add %rZP, %rsp ; stack space allocation |
| 190 add ..., %esp | 186 add ..., %esp |
| 191 add %rZP, %rsp ; stack space deallocation | 187 add %rZP, %rsp ; stack space deallocation |
| 192 and $XX, %rsp ; alignment; XX must be between -128 and -1 | 188 and $XX, %rsp ; alignment; XX must be between -128 and -1 |
| 193 pushq ... | 189 pushq ... |
| 194 popq ... ; except pop %RSP, pop %RBP | 190 popq ... ; except pop %RSP, pop %RBP |
| 195 </pre> | 191 </pre> |
| 196 </div></blockquote> | 192 </div></blockquote> |
| 197 </section><section id="list-of-pseudo-instructions"> | |
| 198 <h2 id="list-of-pseudo-instructions">List of Pseudo-instructions</h2> | 193 <h2 id="list-of-pseudo-instructions">List of Pseudo-instructions</h2> |
| 199 <p>Pseudo-instructions were introduced to let the compiler maintain the | 194 <p>Pseudo-instructions were introduced to let the compiler maintain the |
| 200 invariants without needing to know the code alignment rules. The | 195 invariants without needing to know the code alignment rules. The |
| 201 assembler guarantees 32-bit alignment for all <em>pseudo-instructions</em> in | 196 assembler guarantees 32-bit alignment for all <em>pseudo-instructions</em> in |
| 202 the table below. In addition, to the pseudo-instructions, one | 197 the table below. In addition, to the pseudo-instructions, one |
| 203 pseudo-operand prefix is introduced: <code>%nacl</code>. Presence of the | 198 pseudo-operand prefix is introduced: <code>%nacl</code>. Presence of the |
| 204 <code>%nacl</code> operand prefix ensures that:</p> | 199 <code>%nacl</code> operand prefix ensures that:</p> |
| 205 <ul class="small-gap"> | 200 <ul class="small-gap"> |
| 206 <li>The instruction <code>"%mov %eXX, %eXX"</code> is added immediatel
y before the | 201 <li>The instruction <code>"%mov %eXX, %eXX"</code> is added immediatel
y before the |
| 207 actual command using prefix <code>%nacl</code> (where <code>%eXX</code> is a 32-
bit | 202 actual command using prefix <code>%nacl</code> (where <code>%eXX</code> is a 32-
bit |
| (...skipping 107 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 315 </tr> | 310 </tr> |
| 316 <tr> | 311 <tr> |
| 317 <td>[rep] stos %?ax,%nacl:(%rdi),%rZP<br/> | 312 <td>[rep] stos %?ax,%nacl:(%rdi),%rZP<br/> |
| 318 <i>(sandboxed stos)</i></td> | 313 <i>(sandboxed stos)</i></td> |
| 319 <td>mov %edi,%edi<br/> | 314 <td>mov %edi,%edi<br/> |
| 320 lea (%rZP,%rdi,1),%rdi<br/> | 315 lea (%rZP,%rdi,1),%rdi<br/> |
| 321 [rep] stos %?ax,(%rdi)<br/> | 316 [rep] stos %?ax,(%rdi)<br/> |
| 322 </td> | 317 </td> |
| 323 </tr> | 318 </tr> |
| 324 </tbody> | 319 </tbody> |
| 325 </table></section></section> | 320 </table></section> |
| 326 | 321 |
| 327 {{/partials.standard_nacl_article}} | 322 {{/partials.standard_nacl_article}} |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 438403003:
[NaCl SDK Docs] Only generate one top-level <section> element. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src