
Researchers Submit Patent Application, "Native Code Module Security for Arm Instruction Set Architectures", for Approval

January 30, 2014



By a News Reporter-Staff News Editor at Computer Weekly News -- From Washington, D.C., VerticalNews journalists report that a patent application by the inventors Muth, Robert (New York, NY); Schmipf, Karl (Santa Cruz, CA); Sehr, David C. (Cupertino, CA); Biffle, Cliff L. (Berkeley, CA), filed on September 10, 2013, was made available online on January 16, 2014.

The patent's assignee is Google Inc.

News editors obtained the following quote from the background information supplied by the inventors: "The present embodiments relate to techniques for safely executing native code modules. More specifically, the present embodiments relate to a method and system for safely executing native code modules within ARM instruction set architectures.

"Easy access to computers and plentiful network bandwidth have facilitated sharing of information and applications. For instance, a user of a computing device (e.g., personal computer, mobile phone, personal digital assistant, etc.) may easily install and execute an application downloaded from a web site or received from a friend as an email attachment. However, installing and executing such applications on a given computing device typically involves a level of trust that is granted on an all-or-nothing basis by the operating system of the computing device. Furthermore, bugs in the operating system may inadvertently allow applications to access resources. As a result, some (e.g., native) applications may have full access to the operating system and/or resources of the computing device, while other (e.g., web) applications may have little to no direct access to the operating system and/or resources of the computing device.

"Such coarse application of trust may negatively impact the execution of all applications on the computing device. For example, native applications may produce unwanted side effects by modifying files on the computing device and/or engaging in computation or communication outside of the tasks or features requested by the user. On the other hand, web applications may execute one to two orders of magnitude slower than native applications and may provide limited functionality to the user.

"Hence, what is needed is a finer-grained application of trust to software executing on computing devices."

As a supplement to the background information on this patent application, VerticalNews correspondents also obtained the inventors' summary information for this patent application: "Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

"In some embodiments, the secure runtime environment is for an ARM instruction set architecture.

"In some embodiments, the system also validates the native code module using one or more of the SFI mechanisms prior to executing the native code module in the secure runtime environment.

"In some embodiments, maintaining control flow integrity for the native code module further involves at least one of: (i) restricting control flow instructions to branch-and-link instructions and branch-and-exchange instructions; (ii) validating direct control flow instructions; (iii) disabling Thumb instructions; and (iv) masking destination addresses associated with indirect control flow instructions.

"In some embodiments, masking destination addresses associated with indirect control flow instructions involves clearing a set of upper bits and a set of lower bits in each of the destination addresses.

"In some embodiments, a transfer of control flow to the illegal instruction causes the native code module to discontinue execution.

"In some embodiments, constraining store instructions in the native code module involves: (i) bounding an address space and a call stack of the native code module with a set of unmapped pages; (ii) enforcing storage of valid data addresses in a stack pointer; (iii) computing a store address by combining a valid base register with an immediate offset; and (iv) masking non-stack-relative store instructions.

"In some embodiments, enforcing storage of valid data addresses in the stack pointer involves enabling store instructions that increment or decrement the stack pointer without masking and masking direct updates to the stack pointer to keep a value of the stack pointer within the call stack.

"In some embodiments, the unmapped pages enable stack-relative store instructions without masking if the immediate offset is smaller than a size of one or more of the unmapped pages.

"In some embodiments, the SFI mechanisms are configured to mask instructions in the native code module by: (i) executing a mask instruction prior to executing each instruction from the instructions; and (ii) storing an execution condition of the instruction in a condition code field of the mask instruction.

"BRIEF DESCRIPTION OF THE FIGURES

"FIG. 1 shows a schematic of an embodiment of a system.

"FIG. 2 shows an address space in accordance with an embodiment.

"FIG. 3A shows an exemplary data block in accordance with an embodiment.

"FIG. 3B shows an exemplary code block in accordance with an embodiment.

"FIG. 4 shows a flowchart illustrating the process of executing a native code module in accordance with an embodiment.

"In the figures, like reference numerals refer to the same figure elements."
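
A minimal C model of the destination-address masking, the data-block check and the unmasked stack-relative store rule described in the quoted summary, added here as an illustration; it is not code from the patent application or from Google. The block size, sandbox size, guard-page size, the use of A32 UDF #0 as the illegal instruction, the sample region and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed parameters: the quoted summary gives no concrete sizes or encodings. */
#define BLOCK_BYTES   16u          /* equally sized code/data blocks */
#define SANDBOX_BYTES 0x40000000u  /* module address space: low 1 GiB */
#define GUARD_BYTES   4096u        /* one unmapped guard page */
#define ILLEGAL_INSN  0xE7F000F0u  /* A32 UDF #0, standing in for the illegal instruction */

enum landing { LANDS_ON_CODE, HALTS_ON_ILLEGAL, OUTSIDE_SAMPLE_REGION };

/* Constructed sample: code block, data block, code block (0xE1A00000 = MOV r0, r0). */
static const uint32_t sample_words[12] = {
    0xE1A00000u, 0xE1A00000u, 0xE1A00000u, 0xE1A00000u,
    ILLEGAL_INSN, 0x11111111u, 0x22222222u, 0x33333333u,
    0xE1A00000u, 0xE1A00000u, 0xE1A00000u, 0xE1A00000u,
};
static const uint8_t sample_is_data[3] = { 0, 1, 0 };

/* Clear upper bits (stay inside the sandbox) and lower bits (align to a block). */
uint32_t mask_target(uint32_t addr) {
    return addr & (SANDBOX_BYTES - 1u) & ~(BLOCK_BYTES - 1u);
}

/* Validator check: every data block must start with the illegal instruction. */
int validate_region(const uint32_t *words, const uint8_t *is_data, size_t nblocks) {
    for (size_t b = 0; b < nblocks; b++)
        if (is_data[b] && words[b * (BLOCK_BYTES / 4u)] != ILLEGAL_INSN)
            return -1;
    return 0;
}

/* Where a masked indirect branch lands in a code region based at address 0. */
enum landing indirect_branch(const uint32_t *words, size_t nblocks, uint32_t raw_target) {
    size_t block = mask_target(raw_target) / BLOCK_BYTES;
    if (block >= nblocks)
        return OUTSIDE_SAMPLE_REGION;  /* artifact of the small sample region */
    return words[block * (BLOCK_BYTES / 4u)] == ILLEGAL_INSN ? HALTS_ON_ILLEGAL
                                                             : LANDS_ON_CODE;
}

/* A stack-relative store may go unmasked while its offset fits in a guard page. */
int sp_store_needs_mask(uint32_t imm_offset) {
    return imm_offset >= GUARD_BYTES;
}

int main(void) {
    return validate_region(sample_words, sample_is_data, 3);
}
```

Because every masked target is block-aligned, a branch can never land in the middle of a data block; the only reachable word of a data block is its first one, which is why placing the illegal instruction there is enough to stop execution.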

For additional information on this patent application, see: Muth, Robert; Schmipf, Karl; Sehr, David C.; Biffle, Cliff L. Native Code Module Security for Arm Instruction Set Architectures. Filed September 10, 2013 and posted January 16, 2014. Patent URL: http://appft.uspto.gov/netacgi/nph-Parser?Sect1=PTO2&Sect2=HITOFF&u=%2Fnetahtml%2FPTO%2Fsearch-adv.html&r=47&p=1&f=G&l=50&d=PG01&S1=20140109.PD.&OS=PD/20140109&RS=PD/20140109

Keywords for this news article include: Software, Google Inc.

Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC





Source: Computer Weekly News

