Hi,I couldn’t found what are the functions which handle instructions validation…
So how are they validated in the case of ᴀᴍᴅ64 ? does ɴaᴄl start disassembling at each 4 bytes boundary or does it to disassemble starting at each jump target ?
It disassembles each 16-byte chunk separately. It remembers the instruction boundaries and then checks jump targets.
The whole thing is described in some details in src/trusted/validator_ragel/docs/validator_internals.html
Le vendredi 9 septembre 2016 21:04:15 UTC+2, khim a écrit :It disassembles each 16-byte chunk separately. It remembers the instruction boundaries and then checks jump targets.But, isn’t the boundary of the target of jump be 4 bytes both on ɪᴀ‑32 and on ᴀᴍᴅ64 ?
The whole thing is described in some details in src/trusted/validator_ragel/docs/validator_internals.htmlBut of which project name… May you post a link please ?
No. It must either be 16-byte boundary or, if it's static jump, an instruction boundary. Both of these possibilities are considered by validator.
Le samedi 10 septembre 2016 00:43:36 UTC+2, khim a écrit :No. It must either be 16-byte boundary or, if it's static jump, an instruction boundary. Both of these possibilities are considered by validator.By an instruction boundary, do you mean the end of a previous instruction ?
Do you also mean static jump can both jump on instruction boundary and on 16 bytes boundary ? or does static jump can only jump on instruction boundary ?
Do you also mean static jump can both jump on instruction boundary and on 16 bytes boundary ? or does static jump can only jump on instruction boundary ?Code must be split in 16-byte bundles and each 16th byte must be start of the instruction thus every jump at 16-byte aligned address is valid (static or dynamic). nacl-as will add "nops" as required to enforce that. Static jumps can also jump on 16-byte unaligned address if it's point between two instructions.
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-di...@googlegroups.com.
To post to this group, send email to native-cli...@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
Le samedi 10 septembre 2016 02:57:39 UTC+2, khim a écrit :Do you also mean static jump can both jump on instruction boundary and on 16 bytes boundary ? or does static jump can only jump on instruction boundary ?Code must be split in 16-byte bundles and each 16th byte must be start of the instruction thus every jump at 16-byte aligned address is valid (static or dynamic). nacl-as will add "nops" as required to enforce that. Static jumps can also jump on 16-byte unaligned address if it's point between two instructions.And on the reverse, I think it’s impossible to static jump at a 16 byte aligned address if it’s in the middle of an instruction. Isn’t it ?
Otherwise, I guess finding the 0xCD80 (int 0x80) hex sequence at r15+0x164f170 would be a red flag. (with 0x164f170 being in a range with execute permissions)
If any instruction (or undivisible instruction sequence) crosses 16-byte boundary then the whole file is declared "invalid" and execution does not even start. Because, as Derek pointed out, in such a case indirect jump would be able to jump there, too.
Otherwise, I guess finding the 0xCD80 (int 0x80) hex sequence at r15+0x164f170 would be a red flag. (with 0x164f170 being in a range with PROT_EXEC permissions)
In the case of x86_64 we also use NX bit, but yes, that's really suspicious. If your loader allows such configuration then your sandbox is broken.
And anyway, on return, it would fall to the next instruction which is probably invalid.
But that's not Native Client security model. On Native Client we ENSURE that it's IMPOSSIBLE to jump into the middle of instruction. Code which makes such things possible is just flat-out rejected. This ensures the viability of sandbox. If you run your code without validation enabled then you are just doing ritual dances which bring you complexity, but don't give you security.
No. It must either be 16-byte boundary or, if it's static jump, an instruction boundary. Both of these possibilities are considered by validator.
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
see sel_config.h NACL_BLOCK_SHIFT. the block size is 16 for arm, 32 for x86-{32,64}. https://chromium.googlesource.com/native_client/src/native_client.git/+/master/src/trusted/service_runtime/nacl_config.h
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
Le lundi 12 septembre 2016 23:36:06 UTC+2, Bennet Yee a écrit :see sel_config.h NACL_BLOCK_SHIFT. the block size is 16 for arm, 32 for x86-{32,64}. https://chromium.googlesource.com/native_client/src/native_client.git/+/master/src/trusted/service_runtime/nacl_config.hThis explains everything. So khim is wrong.
However, I don’t see the point of enforcing alignment on ᴀʀᴍ since it’s already done by the hardware.
Last question : do ɴaᴄl pseudo codes have their own opcodes or they are just combined instructions.
If any instruction (or undivisible instruction sequence) crosses 16-byte boundary then the whole file is declared "invalid" and execution does not even start. Because, as Derek pointed out, in such a case indirect jump would be able to jump there, too.
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf section 3.1, figure 3.
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf section 3.1, figure 3.
--
You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
To unsubscribe from this group and stop receiving emails from it, send an email to native-client-discuss+unsub...@googlegroups.com.
To post to this group, send email to native-client-discuss@googlegroups.com.
Visit this group at https://groups.google.com/group/native-client-discuss.
For more options, visit https://groups.google.com/d/optout.
disassembly is done using a DFA. see native_client/src/trusted/validator_ragel/ after youdespite the README in src/trusted/validator_ragel/ saying it's not in use, the BUILD.gn in src/ builds it. for x86 both 32 and 64 bits, rdfa_validator is used.