
Innovation in Information Security

Coverage of important Information Security and Information Technology news and events from the research team at Sûnnet Beskerming.


Google's Answer to ActiveX

Over the years there have been a number of technologies promised that would allow computer users and web developers the opportunity to run the same interactive code across multiple platforms, with native execution and related speed benefits. Early attempts at providing this capability were largely limited to single operating system families, such as Microsoft's ActiveX, which, while it achieves this capability, is only for Windows systems.

Until now, the only real technology that has come close to providing a semi-native code experience on a truly cross platform level has been Java, through the sandboxed byte-code that can be delivered through the web and then interpreted using the local interpreter. For many years the sort of Java web applications that were being developed and distributed amounted to little more than intellectual curiosities, but that was at a time that predated even the first Web 2.0 application (Outlook Web Access) by three years (1995 for Java, versus 1998 for OWA).

More recently, Flash and Shockwave have developed the capability to run detailed applications without suffering too much performance hit, though there is very limited interaction with the local system (due to their evolutionary history as web plugins).

Each of these solution types has suffered serious vulnerabilities over the years. The most concerning have been those that allow code to escape the 'sandbox' in which downloaded content is meant to run (where it is somewhat isolated from the underlying system, the hope being to prevent information leakage and system compromise; this didn't always work).

A new technology will soon join the mix, with Google inviting analysis and testing of their Native Client technology. Google's stated intent with Native Client is to let web developers build more feature-rich cross-platform web applications that can use more client-side resources than just the HTML/XHTML interpreter and JavaScript, with a broader reach than Flash / ActiveX / Java.

As with earlier technologies, Native Client code will run inside a sandbox designed to limit interaction with the underlying system to approved API calls only. Probably of more interest to application security researchers is Google's claim that static analysis will be applied to downloaded code before it runs, in an effort to pre-emptively neutralise malicious or vulnerable code. Effectively the runtime will disassemble incoming Native Client content and then assess the resulting x86 instructions (no mention of other architecture support) as to whether they can reach underlying system resources that they shouldn't.
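To make the static-analysis idea concrete, the following is an added toy validator, not Google's code: it models a check of the kind described above over a list of pre-decoded x86 instructions. The rules it enforces (instructions may not straddle an assumed 32-byte bundle boundary, no system-entry or privileged instructions, direct jumps only onto decoded instruction boundaries, indirect jumps only through a register that has just been aligned by an `and` mask) are a simplified assumption of how such a sandbox can keep untrusted machine code from reaching the kernel or hidden instruction sequences. Instructions are supplied as constructed `(offset, length, mnemonic, operand)` records rather than raw bytes so the example runs without a disassembler; `Insn`, `validate` and the sample modules are all names introduced here.

```python
"""Toy static validator for an x86 sandbox, added as an illustration of the
check described in the post. It is NOT Google's Native Client validator: the
rules (32-byte bundles, masked indirect jumps, no system-entry instructions)
are a simplified model, and instructions arrive pre-decoded rather than as
raw machine code so that the example runs without a disassembler."""
from dataclasses import dataclass

BUNDLE = 32  # assumed bundle size; indirect control flow may only land on multiples of it

# Instructions that hand control to the kernel, change privilege state, or
# perform an unmasked indirect jump (ret pops its target from the stack).
FORBIDDEN = {"int", "syscall", "sysenter", "sysexit", "iret", "hlt", "in", "out",
             "cli", "sti", "lgdt", "lidt", "ret"}


@dataclass(frozen=True)
class Insn:
    offset: int        # byte offset inside the module
    length: int        # encoded length in bytes
    mnemonic: str
    operand: str = ""  # AT&T-style operand text; "0x..": direct target, "*%reg": indirect


def is_masked_indirect(prev, insn):
    """True if `insn` is `jmp/call *%reg` immediately preceded, in the same bundle,
    by `and $-BUNDLE,%reg`, so the target register is aligned before it is used."""
    if not (insn.mnemonic in ("jmp", "call") and insn.operand.startswith("*")):
        return False
    reg = insn.operand[1:]
    return (prev is not None
            and prev.mnemonic == "and"
            and prev.operand == f"$-{BUNDLE},{reg}"
            and prev.offset + prev.length == insn.offset
            and prev.offset // BUNDLE == insn.offset // BUNDLE)


def validate(insns):
    """Return a list of (offset, reason) findings; an empty list means the module passes."""
    findings = []
    boundaries = {i.offset for i in insns}
    # Offsets of masked indirect jumps: a direct jump must not land between the
    # mask and the jump, or the alignment guarantee would be bypassed.
    protected = set()
    prev = None
    for insn in insns:
        if is_masked_indirect(prev, insn):
            protected.add(insn.offset)
        prev = insn

    prev = None
    for insn in insns:
        first, last = insn.offset // BUNDLE, (insn.offset + insn.length - 1) // BUNDLE
        if first != last:
            findings.append((insn.offset, "instruction crosses bundle boundary"))
        if insn.mnemonic in FORBIDDEN:
            findings.append((insn.offset, f"forbidden instruction {insn.mnemonic}"))
        if insn.mnemonic in ("jmp", "call"):
            if insn.operand.startswith("0x"):
                target = int(insn.operand, 16)
                if target not in boundaries:
                    findings.append((insn.offset, f"direct jump to {insn.operand} is not an instruction boundary"))
                elif target in protected:
                    findings.append((insn.offset, f"direct jump to {insn.operand} skips an alignment mask"))
            elif insn.operand.startswith("*") and not is_masked_indirect(prev, insn):
                findings.append((insn.offset, f"indirect jump through {insn.operand[1:]} without alignment mask"))
        prev = insn
    return findings


# Constructed sample modules (not real compiler output).
GOOD = [
    Insn(0, 2, "mov", "%eax,%ecx"),
    Insn(2, 3, "and", f"$-{BUNDLE},%ecx"),  # align the target register...
    Insn(5, 2, "jmp", "*%ecx"),             # ...then jump through it
    Insn(7, 1, "nop"),
]

BAD = [
    Insn(0, 2, "int", "$0x80"),    # direct system call
    Insn(2, 2, "jmp", "*%edx"),    # indirect jump with no preceding mask
    Insn(4, 5, "jmp", "0x3"),      # lands inside the instruction at offset 2
    Insn(9, 1, "ret"),             # unmasked indirect jump via the stack
    Insn(30, 5, "call", "0x0"),    # bytes 30..34 straddle the first bundle boundary
]

if __name__ == "__main__":
    for name, module in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, "passes" if not validate(module) else validate(module))
```

The point of the two-pass structure is that the sandbox guarantee is a property of the whole module, not of single instructions: the masked jump at offset 5 in `GOOD` is only safe because nothing else in the module can branch to it while skipping the `and` at offset 2, which is what the `protected` set checks.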

While this relies on content having been developed in accordance with Google guidelines, it will be an interesting technology to keep track of and see how it copes when anybody can throw code at it.

With the project to be released under the BSD licence, it shouldn't be too long before multiple architectures are supported and there are plugins supporting it running on most available software platforms.

12 December 2008

