Some users of NaCl (web apps and non-web apps) may want to run [guest code] (guest_code.md) and be assured that its execution is deterministic.
Use cases: * Build systems: Run a compiler and be sure that it always produces the same output. * In this case, determinism across versions of NaCl is desirable. * This could be useful for a NaCl code generation service. * Enables dependable memoization. * High-integrity app containers: Although web apps are not confined, there could be web apps that host confined guest code. e.g. Host a text editor that cannot leak the text it edits to its creator over overt channels, and cannot receive new instructions from its creator at all. * In this case, determinism in the presence of other processes on the machine is important, and determinism across versions of NaCl matters less because the latter conveys little information. * Distributed protocols in which hosts need to be able to independently derive the same information from some shared inputs.
Confinement: Although it is not in general possible to prevent programs writing to covert channels (“wall-banging”), it is possible to prevent programs reading from covert channels (“wall-listening”) by denying access to sources of non-determinism. Hence though it is not possible to fully achieve information confinement (preventing a process from leaking data to a conspirator), it is possible to achieve authority confinement (preventing a process from receiving instructions from a conspirator).
%eax
, %ebx
, %ecx
and %edx
).NaClSyscallSeg
and the %cs value to lcall
. We could hide this code by using separate code/data segments (the “Harvard architecture” in DynamicLoadingOptions), but that uses up a lot of address space.NaClSwitch
to call
. We could hide this address by placing NaClSwitch outside the untrusted address space (plus guard regions) at a fixed offset, and by computing its address based on %r15 (on Google Code). See issue 1996 (on Google Code).Source | Need to constrain for confinement? | Need to constrain for build system determinism? |
---|---|---|
Timers | yes | yes |
Concurrency | yes | yes |
CPUID | no | yes |
Allocation success/failure | maybe: depends whether it makes system-wide allocation limits visible | yes |
Allocation layout | no | yes |
Short read/writes | depends what causes them | yes |
getpid() | yes, if launching new processes is allowed | yes |
Determinism only applies within a given target architecture. Assuring that, for example, ARM and x86-32 give the same results is out of scope.