A new tool developed by a team of Harvard researchers, could step up security and ensure enhanced performance for commonly used web and mobile applications.
Called RockSalt, the clever bit of code can verify that native computer programming languages comply with a particular security policy.
The use of native code, especially in an online environment, however, opens up the door to hackers who can exploit vulnerabilities and readily gain access to other parts of a computer or device. An initial solution to this problem was offered over a decade ago by computer scientists at the University of California, Berkeley, who developed software fault isolation (SFI), according to a Harvard statement.
SFI forces native code to “behave” by rewriting machine code to limit itself to functions that fall within particular parameters. This “sandbox process” sets up a contained environment for running native code. A separate “checker” programme can then ensure that the executable code adheres to regulations before running the program.
While considered a major breakthrough, the solution was limited to devices using RISC chips, a processor more common in research than in consumer computing.
In 2006, Morrisett developed a way to implement SFI on the more popular CISC-based chips, like the Intel x86 processor. The technique was adopted widely. Google modified the routine for Google Chrome, eventually developing it into Google Native Client (or “NaCl”).
When bugs and vulnerabilities were found in the checker for NaCl, Google sent out a call to arms. Morrissett once again took on the challenge, turning the problem into an opportunity for his students. The result was RockSalt, an improvement over NaCl, built using Coq, a proof development system.