[dmorgan]

>(P)NaCl are specifically designed to allow execution of untrusted code without making it run on top of a VM or GC

And this is the argument he's making: that does not fly by browser vendors. They DON'T want to have code run OUTSIDE their VM/GC.

[BrendanEich]

Thanks for the support, but that's not what I meant. NaCl + Pepper is like a VM where the compiler does the heavy lifting so the native code can run safely (Software Fault Isolation, SFI -- wild pointers lead to a safe non-exploitable crash), rather than a JITting or MMU- or hypervisor-based VM doing the heavy lifting at runtime.

It's quite clever, but still enough of a new thing that Chrome also sandboxes NaCl'ed code out of process. Belt and braces are good. No silver bullets.

But a VM is as a VM does. This is part of Google's VM-set and not any other browsers. The rule still applies.

Truly unsafe native code in plugins (e.g., un-NaCl'ed Flash) runs out of process too, and sandboxed to some extent, but it can cause problems that are not contained (and did at the last CanSecWest Pwn2Own contest, IIRC).

[haberman]

He said "including Chrome." Chrome supports NaCl. This does not compute.

[BrendanEich]

It's not hard: Chrome sandboxes NaCl'ed code and links it against a runtime, Pepper. That's a "VM" by any other name.