You received this message because you are subscribed to the Google Groups "Native-Client-Discuss" group.
Visit this group at https://groups.google.com/group/native-client-discuss.
In NaCl you can't just map any executable code into the untrusted address space, because everything has to be validated before it can be executed. NaCl has a syscall (mostly for JIT-style use cases), nacl_dyncode_create (see for example https://chromium.googlesource.com/native_client/src/native_client/+/master/src/untrusted/nacl/nacl_dyncode.h and its tests in https://chromium.googlesource.com/native_client/src/native_client/+/master/tests/dynamic_code_loading/). In that case you generate valid code in memory and load it.

mmap can also be used to load valid code; see for example https://chromium.googlesource.com/native_client/src/native_client/+/master/src/untrusted/elf_loader/elf_loader.c

There's no definitive list of whitelisted instructions other than the validator implementation, but it's not too hard to read once you find it and figure out how; see for example https://chromium.googlesource.com/native_client/src/native_client/+/master/src/trusted/validator_ragel/instruction_definitions/general_purpose_instructions.def and the other definitions in that directory.
Also, is it possible to create a user namespace?

Good question. We are talking about a system which has no concept of "users", thus I'm not even sure what kind of "namespaces" we could talk about.

Basically the situation is simple: cut out the Browser and PPAPI, and what you have left is something useful for running tests, nothing more.

There were attempts to expand NaCl to make it more useful as a standalone thing, but this is very rudimentary.

Right, but sel_ldr only implements very few syscalls: basically enough to start up the program, which is then expected to talk to the browser via PPAPI to do high-level things (graphics, networking, etc.).
And again, there's nothing that looks like PPAPI in my case.

Exactly - and that would limit the things that you could do severely.
You are assuming that you could change NX attributes of a page. Under NaCl it's impossible. Full stop. End of discussion. There are some regions where code resides (RX) and there are other, different, regions where data resides (could be R or RW, never RX or RWX).
That's because of the structure of the NaCl sandbox on x86 (32-bit), but since this assumption is baked in quite a few places... it's true for x86-64 and ARM, too.

mmap would only work in certain limited circumstances - the environment then is supposed to validate code in a binary file first and mark it as "kosher" (maybe a problem with that mechanism is how you've achieved your security breach?). Of course you could only mmap such pages in the region where code is expected.
And mprotect does not work at all. You are supposed to use nacl_dyncode_create mostly.
On Monday, 12 September 2016 17:43:48 UTC+2, khim wrote:

You are assuming that you could change NX attributes of a page. Under NaCl it's impossible. Full stop. End of discussion. There are some regions where code resides (RX) and there are other, different, regions where data resides (could be R or RW, never RX or RWX).

I didn't know; it could have validated the code and refused the permission change if the code failed validation when PROT_EXEC was given…

That's because of the structure of the NaCl sandbox on x86 (32-bit), but since this assumption is baked in quite a few places... it's true for x86-64 and ARM, too. mmap would only work in certain limited circumstances - the environment then is supposed to validate code in a binary file first and mark it as "kosher" (maybe a problem with that mechanism is how you've achieved your security breach?). Of course you could only mmap such pages in the region where code is expected.

Do you mean I need to use MAP_FIXED if I use PROT_EXEC?

Otherwise my security breach isn't that spectacular: I can read and write everywhere it's allowed, and because of it I only control the 20 function pointers along with their parameters. The problem is I'm capped at 4 arguments (I mean I don't have control of the functions and I couldn't find a way to pass the arguments in registers).

And mprotect does not work at all. You are supposed to use nacl_dyncode_create mostly.

Yeah, with 3 parameters, I think this should be the best candidate… However, I'm unsure it's included in the Native Client build powering the Google servers that use Python.

So maybe I'll need mmap.

The doc says *dest should be in a code region, but how do I determine if a specific address is in a code region (I admit I don't fully know what it is)? Is it possible for *dest to overwrite existing but no longer used data?

Can the result contain natively validated CPU opcodes where I can jump to directly, or do I need to handle each instruction? (I don't know how JIT works, but if I understand correctly the initial purpose of nacl_dyncode_create is to have an executable place that contains JIT data, not native CPU instructions.)

Also, same thing as for the trampoline: at which address do I need to jump in order to perform the NaClSysDyncodeCreate call? (Since I can't determine the default address.)