
Vx32: portable, efficient, safe execution of untrusted x86 code - ingve
https://pdos.csail.mit.edu/~baford/vm/
======
comex
Fairly similar to Native Client [1], whose original paper was released the
next year (2009): they both rely on x86 segment registers, for example. A core
difference is in how they guarantee that the guest instruction stream contains
no dangerous instructions such as system calls - which is hard, because x86
instructions are variable-length and unaligned, so you have to avoid the
situation where the guest code jumps to an address which is in the middle of
some legitimate-looking instruction, and the processor interprets the bytes
starting there as a different instruction. Direct jumps can be validated ahead
of time, but indirect jumps can't - including all function returns. Native
Client prevents this by requiring the sandboxed code to be compiled with
compiler passes that align all valid targets of indirect branches to a given
alignment, and insert mask instructions before indirect branches themselves;
then it validates that no instruction streams starting at any aligned offset
do anything dangerous. Vx32, on the other hand, wants to be able to run semi-
arbitrary existing x86 code, so it has to address this with a layer of
indirection. Rather than just validating instructions, it translates each
basic block to a modified set of instructions - essentially an x86-to-x86
emulator. Indirect jumps are translated to a hash table lookup (mapping
original code addresses to their corresponding translated versions), which
achieves safety at the cost of significant slowdown in some cases.

[1]
[http://static.googleusercontent.com/media/research.google.co...](http://static.googleusercontent.com/media/research.google.com/en//pubs/archive/34913.pdf)
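The two strategies comex contrasts can be modelled on a toy variable-length ISA. The block below is an added example, not code from the Vx32 or Native Client projects: the opcodes, instruction lengths and bundle size are constructed for illustration and are not x86. It shows a block that looks harmless when decoded from its start yet contains a system call when decoded from byte 1, a NaCl-style validator that makes that byte unreachable (bundle alignment plus a mask before every indirect jump, with plain returns rejected), and a Vx32-style translator whose indirect jumps resolve through a table that only contains the instruction starts the translator saw.

```python
# Toy model of the two sandboxing strategies described above. Constructed
# example: the ISA, opcodes and bundle size are inventions, not real x86.

OPCODES = {                 # opcode byte -> (mnemonic, total instruction length)
    0x00: ("nop", 1),
    0x01: ("mov_imm", 5),   # opcode byte followed by a 4-byte immediate
    0x02: ("syscall", 1),   # must never be reachable inside the sandbox
    0x03: ("ret", 1),       # indirect branch: target comes from the stack
    0x04: ("jmp_ind", 1),   # indirect branch: target comes from a register
    0x05: ("mask", 1),      # NaCl-style: clears the low bits of the target register
}
FORBIDDEN = {"syscall"}
INDIRECT = {"ret", "jmp_ind"}
BAD_DECODE = {"invalid", "truncated"}


def decode(code, start=0):
    """Linear sweep from `start`; returns [(addr, mnemonic, length), ...]."""
    out, pc = [], start
    while pc < len(code):
        name, length = OPCODES.get(code[pc], ("invalid", 1))
        if pc + length > len(code):
            out.append((pc, "truncated", len(code) - pc))
            break
        out.append((pc, name, length))
        pc += length
    return out


def naive_validate(code):
    """Checks only the stream seen from offset 0. Unsafe on its own, because
    an indirect branch can land on any byte, not just these starts."""
    return all(n not in FORBIDDEN | BAD_DECODE for _, n, _ in decode(code))


def hidden_instructions(code):
    """Mnemonics reachable by starting a decode at a byte that is NOT an
    instruction start of the offset-0 sweep (the overlapping-decode problem)."""
    starts = {addr for addr, _, _ in decode(code)}
    return {n for s in range(len(code)) if s not in starts
            for _, n, _ in decode(code, s)}


def nacl_validate(code, bundle=8):
    """NaCl-style static check (toy): no instruction straddles a bundle
    boundary, no forbidden instruction, every indirect jump is immediately
    preceded by a mask in the same bundle, and 'ret' is rejected because
    the return address cannot be masked before use."""
    if len(code) % bundle:
        return False
    prev = None
    for addr, name, length in decode(code):
        if name in FORBIDDEN | BAD_DECODE | {"ret"}:
            return False
        if addr // bundle != (addr + length - 1) // bundle:
            return False                 # instruction straddles a bundle boundary
        if name == "jmp_ind" and (prev is None or prev[1] != "mask"
                                  or prev[0] // bundle != addr // bundle):
            return False                 # unmasked jump, or mask split from it
        prev = (addr, name)
    return True


def nacl_mask(target, bundle=8):
    """Run-time effect of the mask instruction: the target is forced to a
    bundle start, so a byte inside an immediate can never be a destination."""
    return target & ~(bundle - 1)


def vx32_translate(code):
    """Vx32-style (toy): translate the block found by the linear sweep and
    record original start -> translated index. Indirect branches become a
    table lookup; a forbidden instruction becomes a trap to the host."""
    table, translated = {}, []
    for addr, name, _ in decode(code):
        table[addr] = len(translated)
        if name in FORBIDDEN | BAD_DECODE:
            translated.append("trap_to_host")
        elif name in INDIRECT:
            translated.append("lookup_and_jump")
        else:
            translated.append(name)
    return table, translated


def vx32_indirect_jump(table, target):
    """Resolve an indirect branch at run time: only addresses the translator
    saw as instruction starts exist; any other target traps to the host."""
    return table.get(target, "trap_to_host")


# Constructed block: from offset 0 it reads mov_imm, mask, jmp_ind, nop;
# from byte 1 the immediate reads as syscall, ret.
CODE = bytes([0x01, 0x02, 0x03, 0x00, 0x00, 0x05, 0x04, 0x00])
# Constructed block with an unmasked indirect jump; NaCl-style check rejects it.
UNMASKED = bytes([0x01, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00])

if __name__ == "__main__":
    print("naive:", naive_validate(CODE), "hidden:", hidden_instructions(CODE))
    print("nacl:", nacl_validate(CODE), nacl_validate(UNMASKED), "mask(1) ->", nacl_mask(1))
    table, _ = vx32_translate(CODE)
    print("vx32 table:", table, "jump to 1 ->", vx32_indirect_jump(table, 1))
```

The naive check passes `CODE` although a decode from byte 1 yields `syscall`; the NaCl-style check also passes it, but only because the mask guarantees no indirect jump can ever reach byte 1, and the same check fails the block whose jump lacks a mask or a block whose instruction crosses a bundle boundary. The Vx32-style table has no entry for byte 1 at all, so an indirect jump there traps instead of executing the hidden bytes; this is the per-jump lookup cost comex mentions.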

~~~
userbinator
_such as system calls_

This sounds like something the CPU hardware should be handling, as x86 has 4
privilege levels ("ring 0" through "ring 3") while most OSes today only use 0
and 3. 3 could become "really untrusted" while what used to be in 3 moves to
2.

~~~
johncolanduoni
There are some problems with that that have arisen due to the long disuse of
the other privilege levels:

1. The fast methods for system calls (syscall/sysret/sysenter/sysleave)
completely ignore these privilege levels and can only perform transitions
between 0 and 3. That means you have to use interrupts which are slow, and may
be even slower than 0/3 interrupt transitions because the processors aren't
used to dealing with them.

2. You can't make much use of them for x86_64 programs, since these disable
segment based protection and the x86_64 page tables (you guessed it) only have
a single bit to select privilege level of a page. Somebody that remembers the
Intel manuals better can hopefully inform us if you can use them in x86
compatibility mode under a 64-bit kernel, but I'm going to guess you'll have
some wrinkles here.

I would be very surprised if these two issues don't kill any performance gains
you would get from avoiding the recompilation step.

~~~
bonzini
All x86 page tables have a single bit for page tables, not just 64-bit ones.

------
majke
People don't understand that vx32 allows you to implement a scheduler in
userspace. It's not a 1-to-1 mapping between host process and guest process
(like NaCl for example).

With vx32 you can have many guest "processes" in one host process.

This is totally unique.

~~~
4ad
In fact Russ Cox (the author of vx32) has ported the Plan 9 kernel to vx32, so
you can run a whole Plan 9 instance under Linux or what have you.

------
et1337
My friend and I have a crazy idea that in the future, all songs will be binary
executable code running in a sandbox similar to Vx32 or NaCl. This would allow
you to edit parameters and change the song to fit the rest of your playlist.

The next step is to keep the binary locked away on a server and stream only
the resulting audio to the client, and suddenly you have a major piracy
disincentive.

~~~
catern
Maybe I don't understand. Is this a joke? Is it not already perfectly possible
to edit a song and make it fit your playlist? And how would streaming the
audio from a binary be a disincentive for piracy, except inasmuch as on-demand
streaming is more convenient than piracy?

~~~
et1337
Sure you can edit a finished, mixed song, but it takes a lot of skill, and
realistically no one's going to do it without stems. If a song is an
executable, it can expose user-friendly adjustable parameters. So one song
could have infinite variations. A pirate could record one of those variations
and share it, but that's much less valuable than the executable / stems.

~~~
wallacoloo
What kind of adjustable parameters? I'll admit I'm intrigued by the prospect
of songs that vary _slightly_ on each play-through (e.g. slightly different
drum fills, different solos, etc), but I suspect this is distinct from what
you're suggesting.

I'm also of the belief that piracy of digital arts is largely a cultural thing
& that attempts to prevent it by force will never be more than marginally
successful at best. That said, I have zero evidence to back it up. It's
something I'd like to investigate, but I don't know how.

~~~
jack1243star
An example would be dynamic soundtracks in games, which can change during
gameplay. (New Doom, FTL, etc.)

------
johncolanduoni
What is the difference between this and, say, qemu's user mode emulation? IIRC
qemu (for both system and user emulation) uses Tiny Code Generator in a
similar manner when not using hardware virtualization.

Is it just a different API geared towards a different purpose, or are there
significant differences in the implementation (e.g. a greater focus on
security)?

~~~
ris
QEmu's user mode emulation is not sandboxed AFAIK and can't run in-process (of
the controlling process).

------
mankash666
How does this compare to Google's NaCl/PNaCl?

~~~
Lerc
I made a wrapper for a NPAPI plugin for it back in the day.

Back then I was trying to make a decent performing system out of the XO-1.
Flash performance on the XO-1 was terrible so sandboxed in-browser native
seemed quite appealing.

This video shows some of the things I was working on at the time.
[https://youtu.be/58UmxHryq8E?t=157](https://youtu.be/58UmxHryq8E?t=157) The
time offset jumps to the VX32 part.

------
SixSigma
If you didn't notice, Plan 9 was ported to run under this: 9vx [1]

which you might find in your Linux package manager, e.g. AUR on Arch [2]

[1] [https://swtch.com/9vx/](https://swtch.com/9vx/)

[2]
[https://wiki.archlinux.org/index.php/9vx](https://wiki.archlinux.org/index.php/9vx)

~~~
yiyus
That port of Plan 9 is quite old and will not work with the newest sources. It
has received many updates since then. I added a good bunch of features as part
of a GSoC project.

Nowadays, it is being maintained by David du Colombier at github:
[https://github.com/0intro/vx32](https://github.com/0intro/vx32)

~~~
SixSigma
I still use "the blacksmith eats with a wooden spoon"

------
lightedman
I've had this for over two decades.

It's called a laptop I don't mind reformatting.

~~~
geofft
How do you tell whether you need to reformat it?

~~~
lightedman
You give it an internal VLAN and watch for the malware trying to use it
(assuming you disabled your physical network card on-system first before
executing the code.)

It's a system set up to act like it's got internet connections, but it does
not. You use sneakernet to transfer files.

~~~
geofft
What if the malware generates files that infect other machines?

