Google Native Client challenges Microsoft and Adobe RIAs

If only they can get the security to work


Google is entering the rich-client game with a project allowing online applications to tap your desktop through the browser.

The search giant has revealed its Native Client project, intended to run native code from web-based applications on x86 Windows, Mac, and Linux. Native Client will use JavaScript in the browser.

Google has so far devised a version of Native Client for Ubuntu - the flavor of Linux that Google runs. Versions of Native Client for Windows XP and Mac OS X have been developed and tested. Native Client works with Firefox, Safari, Opera, and Google Chrome, with plans to support ARM and PowerPC.

Google has released the open-source Native Client code to take feedback from the security community, in addition to those in the broader open-source community.

The company has proposed a system of two sandboxes - called the inner and outer sandboxes - to prevent untrusted modules from the web running amok on your machine. Google has proposed a model where application calls are made using ptrace in Linux and Mac OS X. Access control lists have been proposed for Native Client on Windows.

You can read more about the proposed Native Client architecture here (warning: PDF).

Why all the security? Native Client wants code from web-based applications such as photo sharing and editing to run natively on your x86 machine. Currently, you use a combination of JavaScript in the browser with the resources of the service-providers' servers.

However, Google wants consumers do be able to do things such as modify photos hosted on photo-sharing websites using their machine's processor and memory, rather than flogging the service provider's servers and or going out over the network - both of which produce delays.

Brad Chen, with Google's Native Client Team, blogged: "With the ability to seamlessly run native code on the user's machine, you could instead perform the actual image processing on the desktop CPU, resulting in a much more responsive application by minimizing data transfer and latency."

Also, Google wants such applications to be "browser neutral". In other words, to allow application and content creators to build their applications without needing to tweak for different browsers' idiosyncrasies or different levels of support for web standards.

Many will see Google's Native Client in terms of a head-to-head with Microsoft and a challenge to the Windows desktop - and there's certainly an element of truth to that view. Native Client could potentially provide more options for Windows-application developers interested in putting their software online and freeing themselves of dependency on the desktop or being tied into Microsoft's Silverlight browser-based plug-in for video and audio.

The challenge will be in how far Microsoft is willing to work with Google on making its Windows APIs open and available to talk to the sandbox architecture. That'll be one reason why Google is reaching out to the security community: to garner feedback and assistance.

Adobe Systems' Flash and AIR, though, are the real competitors here. Adobe is working on the same goals with AIR: to let applications on the internet or intranets access the data and processing resources on your PC and present server-side information in visually slick and pleasing ways.

Also, Flash and AIR are used to present online video and photo content, while there's a potential rivalry between' Adobe's presentation technology and JavaScript. And, finally, Google doesn't like the fact that Adobe's Flash Player remains a closed-source product.®


Other stories you might like

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • UK competition watchdog seeks to make mobile browsers, cloud gaming and payments more competitive
    Investigation could help end WebKit monoculture on iOS devices

    The United Kingdom's Competition and Markets Authority (CMA) on Friday said it intends to launch an investigation of Apple's and Google's market power with respect to mobile browsers and cloud gaming, and to take enforcement action against Google for its app store payment practices.

    "When it comes to how people use mobile phones, Apple and Google hold all the cards," said Andrea Coscelli, Chief Executive of the CMA, in a statement. "As good as many of their services and products are, their strong grip on mobile ecosystems allows them to shut out competitors, holding back the British tech sector and limiting choice."

    The decision to open a formal investigation follows the CMA's year-long study of the mobile ecosystem. The competition watchdog's findings have been published in a report that concludes Apple and Google have a duopoly that limits competition.

    Continue reading

Biting the hand that feeds IT © 1998–2022