Google 'Arctic Sea' – Chrome native code, ahoy!

Mozilla spies 'threat' to interwebs future

SANS - Survey on application security programs

Google has released the first official version of the software development kit for Native Client, its controversial plug-in for running native code inside the browser.

In a blog post, Google product manager Christian Stefansen called the release an "important milestone" in Google's efforts to make native code as portable and secure as JavaScript. "A big goal of this release is to enable developers to start building Native Client modules for Chrome applications," he said.

According to the release notes, the SDK is now known as "Arctic Sea". This is a departure from the project's usual household condiments theme. Google refers to Native Client as NaCl, and it uses a new plug-in interface called Pepper.

The project is designed to speed the performance of web applications, allowing apps coded in, say, C or C++ to be securely transfered over the web and executed inside the browser. JavaScript still lags behind the performance of native code, and Google is keen to work around it. The plug-in is also an "important part" of Google's upcoming Chrome OS, which only runs web-based applications.

"While the [Chrome] team has made JavaScript tremendously faster over the last two years, there's a lot of applications out there that have existing audiences that are [written in native code, such as C and C++], and there are a few that are specialized applications that need every last bit of performance the hardware can offer," Google engineering director Linus Upson told us in December. "Native Client is a way of addressing both those issues."

But the project doesn't sit particularly well with Opera and Mozilla and others who have a particularly strong belief that web applications should adhere to open industry standards. "Our mission is to promote an Open Web Platform which is the most compelling environment for modern applications," Mozilla says in a draft of its 2011 Firefox roadmap.

"Increasingly this vision is being threatened by application development models which bypass the Web in favour of directly connecting with Internet based resources in closed proprietary models." These models, the Mozilla roadmap says, include "plug-in balkanization" by the likes of Adobe Flash, the royalty-encumbered H.264 video codec, and, yes, Google's Native Client.

When we asked Google's Linus Upson about such objections to the technology, he pointed out that Native Client is open source. This really didn't address the issue. But he then expanded his defense, saying that in Google's conversations with Opera and Mozilla, the browser makers praised Native Client's design, and Upson believes they will eventually use it.

"We're starting to use Native Client internally in Chrome to help secure more and more of the browser. I wouldn't be surprised if more and more browser vendors do the same," he said. "What Native Client can do is to make it so that if you write a bug in your code – we all write bugs – it doesn't become a security vulnerability. It's an additional later of security."

Native Client is designed to ensure that each application module meets a set of structural criteria for dissembling instructions, and that it can't contain certain instruction sequences. Plus, it uses the new Pepper plug-in API, an update to the Netscape Plug-in Application Programming Interface (NPAPI) still in use with browsers like Chrome and Firefox.

"[NPAPI] is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches," Google has said. "[Pepper] aims to address the shortcomings of the current browser plug-in model."

Upson also believes that although Native Client is outside today's web stack, it can maintain the sort of webiness Mozilla wants. "When it comes to running programs over the web in Native Client, we're very sensitive to maintaining the qualities of the web that have made it so successful," he said.

"One of those things is that you can write applications that can run on any computer. One of the reasons we haven't widely deployed Native Client so far is we're working on something called Portable Native Client, so you're not tied to any one particular instruction set, so people can build whole new CPUs, whole new chip architectures, and [applications] won't get tied to those."

Portable Native Client – PNaCl, pronounced "pinnacle" – is a way of distributing portable versions of Native Client executables across all processors. Currently, Native Client works only with 32-bit and 64-bit x86 processors. PNaCL is designed to compile C, C++, and other languages into the Low Level Virtual Machine (LLVM) bitcode format, which allows for translation into the client to translate the code into its own native instruction set.

But for this to work across the web, browsers makers must also build the Native Client into their browsers. At the moment, the plug-in is only available with Chrome. It's turned off by default, but you can turn it on using the browser's "about:flags" dialog.

The Arctic Sea Native Client SDK includes new Pepper interfaces for compute, audio, and 2D Native Client modules – these are "close" to stable, according to Google. The company says it has beefed security as well, improving the auto-update mechanism (for making changes to the plug-in itself) and the outer sandbox (which works alongside an inner sandbox). In the "coming months," Google adds, it will add APIs for 3D graphics, local file storage, WebSockets, peer-to-peer networking, and more.

The Pepper plug-in interface is also used by the version of Adobe Flash that's now bundled with Chrome – and when Google first announced its Flash embrace, it described both Adobe and Mozilla as backers of the technology. "We are working with Adobe, Mozilla and the broader community to help define the next generation browser plug-in API," Google said in a blog post.

But not long after this announcement, Mozilla chief technology officer Brendan Eich told The Register that the open source outfit has "no official position on Pepper."

"We work by consensus in most standards bodies, including informal ones such as plugin-futures, where consensus means general agreement. Until and unless Pepper achieves consensus, it's not accurate to say that Mozilla or anyone else is 'on-board with ... Pepper,'" Eich said.

Google may see Native Client as the future of the high-performance web applications. We suspect it's even using the technology to build a new version of its Google Apps office suite. But the rest of the web may see things very differently. ®

3 Big data security analytics techniques

More from The Register

next story
OpenBSD founder wants to bin buggy OpenSSL library, launches fork
One Heartbleed vuln was too many for Theo de Raadt
Got Windows 8.1 Update yet? Get ready for YET ANOTHER ONE – rumor
Leaker claims big release due this fall as Microsoft herds us into the CLOUD
This time it's 'Personal': new Office 365 sub covers just two devices
Redmond also brings Office into Google's back yard
Ubuntu 14.04 LTS: Great changes, but sssh don't mention the...
Why HELLO Amazon! You weren't here last time
Patch iOS, OS X now: PDFs, JPEGs, URLs, web pages can pwn your kit
Plus: iThings and desktops at risk of NEW SSL attack flaw
Next Windows obsolescence panic is 450 days from … NOW!
The clock is ticking louder for Windows Server 2003 R2 users
Batten down the hatches, Ubuntu 14.04 LTS due in TWO DAYS
Admins dab straining server brows in advance of Trusty Tahr's long-term support landing
Red Hat to ship RHEL 7 release candidate with a taste of container tech
Grab 'near-final' version of next Enterprise Linux next week
Apple inaugurates free OS X beta program for world+dog
Prerelease software now open to anyone, not just developers – as long as you keep quiet
prev story


Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.