Google’s Native Client Security Contest Found (Minor) Flaws

72
Article Source Ars Technica
July 8, 2009, 5:00 pm

Google is working on an experimental project called Native Client (NaCl) that aims to provide support for securely executing native code in Web browsers. Google released its NaCl prototype under the open source BSD license last year and launched a contest to encourage security researchers to look for vulnerabilities. The contest results, which were announced on Tuesday, uncovered several security issues that Google is working to resolve.

NaCl provides a sandboxed runtime environment for portable x86 binaries. Google also makes available a custom build toolchain based on GCC that can be used to compile existing C code into NaCl executables. These executables can then be embedded in Web content to make their functionality accessible through JavaScript. The value of NaCl is that it lets Web developers use native code on the client side for performance-sensitive operations, such as video encoding, that are too heavy for JavaScript. Google contends that NaCl’s advanced code validation features and sandboxing make it significantly more secure than similar technologies, such as ActiveX.