Google 'Arctic Sea' – Chrome native code, ahoy!

Mozilla spies 'threat' to interwebs future

The Power of One Brief: Top reasons to choose HP BladeSystem

Google has released the first official version of the software development kit for Native Client, its controversial plug-in for running native code inside the browser.

In a blog post, Google product manager Christian Stefansen called the release an "important milestone" in Google's efforts to make native code as portable and secure as JavaScript. "A big goal of this release is to enable developers to start building Native Client modules for Chrome applications," he said.

According to the release notes, the SDK is now known as "Arctic Sea". This is a departure from the project's usual household condiments theme. Google refers to Native Client as NaCl, and it uses a new plug-in interface called Pepper.

The project is designed to speed the performance of web applications, allowing apps coded in, say, C or C++ to be securely transfered over the web and executed inside the browser. JavaScript still lags behind the performance of native code, and Google is keen to work around it. The plug-in is also an "important part" of Google's upcoming Chrome OS, which only runs web-based applications.

"While the [Chrome] team has made JavaScript tremendously faster over the last two years, there's a lot of applications out there that have existing audiences that are [written in native code, such as C and C++], and there are a few that are specialized applications that need every last bit of performance the hardware can offer," Google engineering director Linus Upson told us in December. "Native Client is a way of addressing both those issues."

But the project doesn't sit particularly well with Opera and Mozilla and others who have a particularly strong belief that web applications should adhere to open industry standards. "Our mission is to promote an Open Web Platform which is the most compelling environment for modern applications," Mozilla says in a draft of its 2011 Firefox roadmap.

"Increasingly this vision is being threatened by application development models which bypass the Web in favour of directly connecting with Internet based resources in closed proprietary models." These models, the Mozilla roadmap says, include "plug-in balkanization" by the likes of Adobe Flash, the royalty-encumbered H.264 video codec, and, yes, Google's Native Client.

When we asked Google's Linus Upson about such objections to the technology, he pointed out that Native Client is open source. This really didn't address the issue. But he then expanded his defense, saying that in Google's conversations with Opera and Mozilla, the browser makers praised Native Client's design, and Upson believes they will eventually use it.

"We're starting to use Native Client internally in Chrome to help secure more and more of the browser. I wouldn't be surprised if more and more browser vendors do the same," he said. "What Native Client can do is to make it so that if you write a bug in your code – we all write bugs – it doesn't become a security vulnerability. It's an additional later of security."

Native Client is designed to ensure that each application module meets a set of structural criteria for dissembling instructions, and that it can't contain certain instruction sequences. Plus, it uses the new Pepper plug-in API, an update to the Netscape Plug-in Application Programming Interface (NPAPI) still in use with browsers like Chrome and Firefox.

"[NPAPI] is loosely specified, limited in capability and varies across browsers and operating systems. This can lead to incompatibilities, reduction in performance and some security headaches," Google has said. "[Pepper] aims to address the shortcomings of the current browser plug-in model."

Upson also believes that although Native Client is outside today's web stack, it can maintain the sort of webiness Mozilla wants. "When it comes to running programs over the web in Native Client, we're very sensitive to maintaining the qualities of the web that have made it so successful," he said.

"One of those things is that you can write applications that can run on any computer. One of the reasons we haven't widely deployed Native Client so far is we're working on something called Portable Native Client, so you're not tied to any one particular instruction set, so people can build whole new CPUs, whole new chip architectures, and [applications] won't get tied to those."

Portable Native Client – PNaCl, pronounced "pinnacle" – is a way of distributing portable versions of Native Client executables across all processors. Currently, Native Client works only with 32-bit and 64-bit x86 processors. PNaCL is designed to compile C, C++, and other languages into the Low Level Virtual Machine (LLVM) bitcode format, which allows for translation into the client to translate the code into its own native instruction set.

But for this to work across the web, browsers makers must also build the Native Client into their browsers. At the moment, the plug-in is only available with Chrome. It's turned off by default, but you can turn it on using the browser's "about:flags" dialog.

The Arctic Sea Native Client SDK includes new Pepper interfaces for compute, audio, and 2D Native Client modules – these are "close" to stable, according to Google. The company says it has beefed security as well, improving the auto-update mechanism (for making changes to the plug-in itself) and the outer sandbox (which works alongside an inner sandbox). In the "coming months," Google adds, it will add APIs for 3D graphics, local file storage, WebSockets, peer-to-peer networking, and more.

The Pepper plug-in interface is also used by the version of Adobe Flash that's now bundled with Chrome – and when Google first announced its Flash embrace, it described both Adobe and Mozilla as backers of the technology. "We are working with Adobe, Mozilla and the broader community to help define the next generation browser plug-in API," Google said in a blog post.

But not long after this announcement, Mozilla chief technology officer Brendan Eich told The Register that the open source outfit has "no official position on Pepper."

"We work by consensus in most standards bodies, including informal ones such as plugin-futures, where consensus means general agreement. Until and unless Pepper achieves consensus, it's not accurate to say that Mozilla or anyone else is 'on-board with ... Pepper,'" Eich said.

Google may see Native Client as the future of the high-performance web applications. We suspect it's even using the technology to build a new version of its Google Apps office suite. But the rest of the web may see things very differently. ®

Seven Steps to Software Security

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
KDE releases ice-cream coloured Plasma 5 just in time for summer
Melty but refreshing - popular rival to Mint's Cinnamon's still a work in progress
NO MORE ALL CAPS and other pleasures of Visual Studio 14
Unpicking a packed preview that breaks down ASP.NET
Cheer up, Nokia fans. It can start making mobes again in 18 months
The real winner of the Nokia sale is *drumroll* ... Nokia
Put down that Oracle database patch: It could cost $23,000 per CPU
On-by-default INMEMORY tech a boon for developers ... as long as they can afford it
Another day, another Firefox: Version 31 is upon us ALREADY
Web devs, Mozilla really wants you to like this one
Google shows off new Chrome OS look
Athena springs full-grown from Chromium project's head
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.