benefit in Native Client of opening the system to third-party
Native Client applies concepts of software fault isolation
that have been extensively discussed in the research literature.
Our data integrity scheme is a straightforward application of
segmented memory as implemented in the Intel 80386.6 Our
control flow integrity technique builds on the seminal work
by Wahbe, Lucco, Anderson, and Graham,
27 also applying
techniques described by McCamant and Morrisett.
Perhaps the most prevalent use of native code in Web
content is via Microsoft’s ActiveX.
7 ActiveX controls
rely on a trust model to provide security, with controls
cryptographically signed using Microsoft’s proprietary
17 and only permitted to run once a
user has indicated they trust the publisher. This dependency on the user making prudent trust decisions is
commonly exploited. ActiveX provides no guarantee that
a trusted control is safe. Even when the control itself is
not inherently malicious, defects in the control can be
exploited, often permitting execution of arbitrary code. In
contrast, Native Client is designed to prevent such exploitation, even for flawed NaCl modules.
This paper has described Native Client, a system for incorporating untrusted x86 native code into an application
that runs in a Web browser. In addition to creating a barrier against undesirable side effects, Native Client enables
modules that are portable both across operating systems
and across Web browsers, and it supports performance-oriented features such as threading and vectorization instructions. We believe the NaCl inner sandbox is extremely
robust; regardless, we provide additional redundant mechanisms to provide defense-in-depth.
In our experience we have found porting existing Linux/
gcc code to Native Client is straightforward, and that the
performance penalty for the sandbox is small, particularly
in the compute-bound scenarios for which the system is
By describing Native Client here and making it available
as open source, we hope to encourage community scrutiny
and contributions. We believe this feedback together with
our continued diligence will enable us to create a system
that achieves improved safety over previous native code
Many people have contributed to the direction and the
development of Native Client; we acknowledge a few of
them here. The project was conceived based on an idea
from Matt Papakipos. Jeremy Lau, Brad Nelson, John
Grabowski, Kathy Walrath, and Geoff Pike have made valuable contributions to the implementation and evaluation
of the system. Thanks also to Danny Berlin, Chris DiBona,
and Rebecca Ward. Doug Evans is responsible for our
GDB implementation. We thank Sundar Pichai and Henry
Bridge for their role in shaping the project direction. We
would also like to thank Dick Sites for his thoughtful feedback on an earlier version of this paper.
1. accetta, M., baron, r., bolosky,
W., Golub, d., rashid, r., tevanian,
a., young, M. Mach: A New Kernel
Foundation for UNIX Development.
2. burns, J. developing secure mobile
applications for android. http://
3. Campbell, K., Gordon, l., loeb,
M., Zhou, l. the economic cost of
publicly announced information
security breaches: empirical
evidence from the stock market. J.
Comp. Secur. 11, 3 (2003), 431–448.
4. Cheriton, d.r. the V distributed
system. Commun. ACM 31 (1988),
5. Cohen, F.b. defense-in-depth against
computer viruses. Comp. Secur. 11, 6
6. Crawford, J. Gelsinger, P.
Programming 80386. sybex Inc.
7. denning, a. ActiveX Controls Inside
Out. Microsoft Press
8. directorate for Command, Control,
Communications and Computer
systems, u.s. department of
defense Joint staff. Information
assurance through defense-in-depth.
technical report, directorate for
Command, Control, Communications
and Computer systems, u.s.
department of defense Joint staff,
9. douceur, J.r., elson, J., Howell, J.,
lorch, J.r. leveraging legacy code
to deploy desktop applications on
the web. In Proceedings of the
2008 Symposium on Operating
System Design and Implementation
10. Ford, b., Cox, r. Vx32: lightweight
user-level sandboxing on the x86.
In 2008 USENIX Annual Technical
Conference (June 2008).
11. Goldberg, I., Wagner, d., thomas, r.,
brewer, e.a. a secure enviroment
for untrusted helper applications.
In Proceedings of the 6th USENIX
Security Symposium (1996).
12. Golub, d., dean, a., Forin, r., rashid,
r. unIx as an application program.
In Proceedings of the Summer 1990
USENIX Conference (1990),
13. Joy, W., Cooper, e., Fabry, r., leffler,
s., McKusick, K., Mosher, d. 4. 2 bsd
system manual. technical report,
Computer systems research Group,
university of California, berkeley,
14. Kaspersky, K., Chang, a. remote
code execution through Intel CPu
bugs. In Hack In The Box (HITB)
2008 Malaysia Conference.
15. McCamant, s., Morrisett, G. efficient,
verifiable binary sandboxing for a
CIsC architecture. technical report
16. McCamant, s., Morrisett, G.
evaluating sFI for a CIsC
architecture. In 15th USENIX
17. Microsoft Corporation. signing and
checking code with authenticode.
18. Microsoft Corporation. structured
exception handling. http://msdn.
19. netscape Corporation. Gecko plugin
aPI reference. http://developer.
20. Provos, n. Improving host security
with system call policies. In
USENIX Security Symposium
21. reinders, J. Intel Thread Building
Blocks. o’reilly & associates,
22. savage, M. Cost of computer
viruses top $10 billion already
this year. Channel Web, aug.
23. small, C. MisFIt: a tool for
constructing safe extensible C++
systems. In Proceedings of the
Third USENIX Conference on
24. stroustrup, b. The C++ Programming
Language: Second Edition.
25. tarreau, W. ptrace documentation.
26. u. s. department of defense,
Computer security Center. trusted
computer system evaluation criteria,
27. Wahbe, r., lucco, s., anderson, t.e.,
Graham, s.l. efficient software-based fault isolation. ACM SIGOPS
Oper. Sys. Rev. 27, 5 (dec. 1993),
Bennet Yee, David sehr, Gregory Dardyk, J. Bradley chen,
Robert muth, Tavis ormandy, shiki okasaka, neha narula, and
nicholas fullagar, Google, Inc., Mountainview, Ca.