
I was wondering if there were any possible risks in using Google Native Client.

I know it is sandboxed, but the idea still seems risky, and at least leaves another route open for compromising your browser.

curiousguy
Magnus
  • Are you worried about loading it in your browser as a plugin (`--enable-nacl` in Chromium)? If it fails to properly sandbox, then an attacker could execute arbitrary code as, depending on your OS, a reduced privilege account or the account running the browser. – Mike Samuel Nov 19 '10 at 02:22

2 Answers


According to the diagram on the NACL site, the NACL code runs with the same privileges as the renderer which is a reduced privilege process.

If NACL fails, an attacker can take over the renderer, giving them access to resources in the same renderer process (set of frames that could be in the same domain after some set of document.domain sets).

"The Security Architecture of the Chromium Browser" by Barth, Jackson, Reis, et al. says

Process Granularity. Roughly speaking, Chromium uses a separate instance of the rendering engine for each tab that displays content from the web, ...

It would take a double hull breach to get more privileges than the renderer process.

But the render process has significant authority.

Even though an attacker may not be able to tamper with other tabs, they can probably tamper with websites in the current tab, including possibly simulating events to load other domains into the owned tab. As long as a renderer can cause page transitions, owning any renderer allows you to craft credential (cookie) carrying requests to any domain. This opens all the same holes as XSRF, but possibly with the ability to keylog if the user interacts with the resulting page.

Mike Samuel
  • @Mike, thanks, very helpful. But... beware that if the attacker can take over the renderer process, they *can* tamper with all web sites (breaching the same-origin policy), since Chrome's privilege separation [does not isolate one web site from another](http://lackingrhoticity.blogspot.com/2010/12/chrome-sandbox-common-misconception.html). Therefore, a breach of the NaCl sandbox would be bad. Fortunately, it would not be catastrophic: thanks to Chrome's privilege separation, even if the NaCl sandbox was breached, the attacker couldn't delete all your files and destroy your computer. – D.W. Jan 12 '11 at 02:29
  • @D.W. According to "The Security Architecture of the Chromium Browser" by Barth, Jackson, Reis, et al.: "Process Granularity. Roughly speaking, Chromium uses a separate instance of the rendering engine for each tab that displays content from the web, ..." So they may not be able to tamper with other tabs, but they can probably tamper with websites in the current tab, including possibly simulating events to load other domains into the owned tab. – Mike Samuel Jan 12 '11 at 04:31
  • The "Security Architecture ..." paper is available at http://seclab.stanford.edu/websec/chromium/chromium-security-architecture.pdf – Mike Samuel Jan 12 '11 at 04:34
  • @Mike, exactly. I think you are agreeing with me. If the attacker can compromise one rendering instance, he can modify the content in that tab, so if he can load other domains into the compromised tab, he can compromise those other domains, too. In my original comment, I linked to a more detailed explanation from Mark Seaborn. [Here's the link again](http://lackingrhoticity.blogspot.com/2010/12/chrome-sandbox-common-misconception.html). Barth et al explicitly say: "an attacker who compromises the rendering engine can act on behalf of any web site". – D.W. Jan 19 '11 at 18:33
  • @D.W., Yep. As long as a renderer can cause page transitions, owning any renderer allows you to take advantage of existing credentials to any domain. – Mike Samuel Jan 19 '11 at 18:41
  • @D.W. and @Mike - These comments are great and need to be incorporated into answers for better visibility. – nealmcb May 11 '11 at 16:18
  • @nealmcb, I tried to incorporate D.W.'s comments into the text. – Mike Samuel May 11 '11 at 17:01

Your question is already answered here: "Is Google Chrome a more secure browser?" You should use search.

Updated: narrowing the answer, I want to point to the following link: http://code.google.com/contests/nativeclient-security/index-old.html, which would be a good starting point for further study. Like every large software project, it has its bugs, so we can judge its safety by looking at Google Chrome or other projects that use it.

  • That question doesn't mention Native Client at all - it only talks about general chrome security. – Magnus Nov 18 '10 at 21:11
  • Then you should clarify what you expect to hear - something from someone who tested the source code for vulnerabilities, some "risky" technologies it uses, or something else. By the way, NaCl is a sandboxing technology, or do you mean something else? –  Nov 18 '10 at 21:20