GitHub - p-march/nacl-v8: NaCl port of V8

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README		README
nacl-r3669-checkout.patch		nacl-r3669-checkout.patch
nacl-r3669-v8.patch		nacl-r3669-v8.patch
nacl-v8-ia32-2.2.19.patch		nacl-v8-ia32-2.2.19.patch
nacl-v8-ia32-3.1.4.patch		nacl-v8-ia32-3.1.4.patch
nacl-v8-x64-2.2.19.patch		nacl-v8-x64-2.2.19.patch
nacljit.pdf		nacljit.pdf
run.sh		run.sh
sunspider-r27790.patch		sunspider-r27790.patch
v8-ia32-2.2.19.patch		v8-ia32-2.2.19.patch
v8-ia32-3.1.4.patch		v8-ia32-3.1.4.patch
v8-x64-2.2.19.patch		v8-x64-2.2.19.patch

Repository files navigation

This is a research project which goal is to allow Native Client SFI sandbox
to support sandboxing self-modifying code. The details are in nacljit.pdf.

Native Client (NaCl) is a production quality SFI sandbox used in the Google
Chrome browser to safely run untrusted (downloaded from the network) x86 code
in isolated environment (sandbox) so that the untrusted code cannot tamper with
the browser's components and disclosed sensitive data from them, e.g.,
sensitive data of web pages, web applications, user sensitive data such as
bookmarks, cookies, browsing history.

V8 is a JavaScript engine employed by the Google Chrome browser and node.js
projects. It heavily relies on runtime code modification to implement
dynamic optimizations such as inline caching. This patches modify NaCl and the
V8 engine to allow NaCl to run V8 in a sandboxed environment with the support
of dynamically modifiable code at acceptable performance cost as demonstrated
by benchmarks.

Major V8 modifications:
- Splitting JavaScript Code objects to separate code and meta-data. NaCl does
  not allow data in code segments. In CrankShaft we masquerade some data in the
  code segments with PUSH(immediate) instructions, so that the data appears as
  valid inductions, but these instructions are never executed under normal
  operation of V8.
- Fixing uses of JavaScript Code objects to reflect the separating of code
  and data in these objects.
- Changing allocation and deallocation of the executable memory for the
  JavaScript Code objects. The memory must be provided from a special region
  marked by NaCl for dynamically-loaded code.
- All code insertion/deletion/self-modification is performed via NaCl service
  runtime calls.
- Code emitted by V8 complies with NaCl security constraints (e.g. sandboxing
  of indirect jumps, instruction alignment).

Details of NaCl and V8 modifications are in the technical paper (nacljit.pdf)
which appears in 2011 ACM SIGPLAN Conference on Programming Language Design and
Implementation.

Supported OSes: Linux, Mac OS X
Tested on Ubuntu 10.10 (kernel 2.6.35-28-generic), OS X 10.7.0

Make sure that the following packages are available:
- scons (http://www.scons.org)
- gclient (http://code.google.com/p/gclient/)
- svn

./run.sh

- checks out Native Client revision 3669 and builds sel_ldr
- checks out V8 revision 4925 and builds unmodified V8-ia32 in v8-ia32-2.2.19
- checks out V8 revision 6795 (CrankShaft) and builds unmodified V8-ia32 in
  v8-ia32-3.1.4
- checks out V8 revision 4925 and build NaCl V8-ia32 in nacl-v8-ia32-2.2.19
- checks out V8 revision 6795 (CrankShaft) and builds NaCl V8-ia32 in
  nacl-v8-ia32-3.1.4
- if platform is x86_64, checks out V8 revision 4925 and builds unmodified
  V8-x64 in v8-x64-2.2.19
- if platform is x86_64, checks out V8 revision 4925 and builds NaCl V8-x64 in
  nacl-v8-x64-2.2.19
- runs V8 Benchmark Suite and SunSpider100 Benchmark Suite for previously build
  V8s.

To run V8 Benchmark Suite for a specific V8
cd <V8's directory, e.g. nacl-v8-ia32-3.1.4>
./run.sh release benchmark

To run SunSpider100 Benchmark Suite for a specific V8
cd <V8's directory, e.g. nacl-v8-ia32-3.1.4>
./run.sh release sunspider