Abstract: Methods, systems, and computer program products are provided for machine-specific instruction set translation. One example method includes identifying computing devices, each device having a respective software component installed, the software component including a translator component for translating a program in a portable format to a machine-specific instruction set, and a sandbox component for executing programs translated to the machine-specific instruction set on the computing device using software-based fault isolation; identifying computing devices having a given hardware configuration; and transmitting another translator component and another sandbox component to each of the identified computing devices. Each of the identified computing devices having the given hardware configuration is configured to receive the components and to configure its software component to use the received components in lieu of the corresponding components.

Abstract: Methods, systems, and computer program products are provided for machine-specific instruction set translation. One example method includes identifying computing devices, each device having a respective software component installed, the software component including a translator component for translating a program in a portable format to a machine-specific instruction set, and a sandbox component for executing programs translated to the machine-specific instruction set on the computing device using software-based fault isolation; identifying computing devices having a given hardware configuration; and transmitting another translator component and another sandbox component to each of the identified computing devices. Each of the identified computing devices having the given hardware configuration is configured to receive the components and to configure its software component to use the received components in lieu of the corresponding components.

Abstract: Methods, systems, and computer program products are provided for machine-specific instruction set translation. One example method includes identifying computing devices, each device having a respective software component installed, the software component including a translator component for translating a program in a portable format to a machine-specific instruction set, and a sandbox component for executing programs translated to the machine-specific instruction set on the computing device using software-based fault isolation; identifying computing devices having a given hardware configuration; and transmitting another translator component and another sandbox component to each of the identified computing devices. Each of the identified computing devices having the given hardware configuration is configured to receive the components and to configure its software component to use the received components in lieu of the corresponding components.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for preserving code safety of application code that is received in a portable, instruction-set-neutral format. One aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving a portable code file that is implemented in an instruction-set-neutral and source code independent format; translating the portable code file into native object code for execution on a particular instruction set architecture; generating a native executable for the particular instruction set architecture using the native object code; and validation the native executable using a trusted validator prior to execution of the native executable.

Abstract: Methods, systems, and apparatus, including computer programs encoded on a computer storage medium, for providing a translation service that generates native object code by translating an intermediate representation of application code in a portable code format. One aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving a translation service request for a native executable for a particular instruction set architecture from a requestor, where the translation service request includes data specifying portable code in an instruction-set neutral format; obtaining the portable code; translating the portable code into native object code for execution on the particular instruction set architecture; generating a native executable for the particular instruction set architecture; and returning the native executable to the requestor.

Abstract: Methods, systems, and computer program products are provided for machine-specific instruction set translation. One example method includes identifying computing devices, each device having a respective software component installed, the software component including a translator component for translating a program in a portable format to a machine-specific instruction set, and a sandbox component for executing programs translated to the machine-specific instruction set on the computing device using software-based fault isolation; identifying computing devices having a given hardware configuration; and transmitting another translator component and another sandbox component to each of the identified computing devices. Each of the identified computing devices having the given hardware configuration is configured to receive the components and to configure its software component to use the received components in lieu of the corresponding components.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that use predicated store instructions and predicated control flow instructions, wherein each predicated instruction from the predicated store instructions and the predicated control flow instructions is executed if a mask condition associated with the predicated instruction is met.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Methods, systems, and apparatuses, including computer programs, for safely executing a native code module for an ARM 64-bit instruction set. The native code module contains native code that is executed within a secure runtime environment that isolates the native code module from sensitive data and resources on the computing system. The native code module is validated by a validator prior to execution within the secure runtime environment to ensure that the native code module complies with a set of security constraints.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that use predicated store instructions and predicated control flow instructions, wherein each predicated instruction from the predicated store instructions and the predicated control flow instructions is executed if a mask condition associated with the predicated instruction is met.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Analyzing a first binary version of a program and unwind information associated with the first binary version of the program, performing optimization on the first binary version of the program to produce a second binary version of the program based at least in part on the results of the analysis, and generating new unwind information for the second binary version of the program based at least in part on the results of the analysis and at least in part on the optimization performed.

Abstract: Some embodiments provide a system that executes a native code module. During operation, the system obtains the native code module. Next, the system loads the native code module into a secure runtime environment. Finally, the system safely executes the native code module in the secure runtime environment by using a set of software fault isolation (SFI) mechanisms that constrain store instructions in the native code module. The SFI mechanisms also maintain control flow integrity for the native code module by dividing a code region associated with the native code module into equally sized code blocks and data blocks and starting each of the data blocks with an illegal instruction.

Abstract: Analyzing a first binary version of a program and unwind information associated with the first binary version of the program, performing optimization on the first binary version of the program to produce a second binary version of the program based at least in part on the results of the analysis, and generating new unwind information for the second binary version of the program based at least in part on the results of the analysis and at least in part on the optimization performed.

Abstract: Analyzing a first binary version of a program and unwind information associated with the first binary version of the program, performing optimization on the first binary version of the program to produce a second binary version of the program based at least in part on the results of the analysis, and generating new unwind information for the second binary version of the program based at least in part on the results of the analysis and at least in part on the optimization performed.

Abstract: Analyzing a first binary version of a program and unwind information associated with the first binary version of the program, performing optimization on the first binary version of the program to produce a second binary version of the program based at least in part on the results of the analysis, and generating new unwind information for the second binary version of the program based at least in part on the results of the analysis and at least in part on the optimization performed.

Abstract: Executable code is modified to include prefetch instructions for certain loads. The targeted loads preferably include those loads for which a compiler cannot compute a stride (which represents the difference in memory addresses used in consecutive executions of a given load). Whether prefetch instructions should be included for such loads is determined preferably by running the code with a training data set which determines the frequency of strides for each subsequent execution of a load. If a stride occurs more than once for a load, then that load is prefetched by inserting a prefetch instruction into the executable code for that load. Further, a stride value is associated with the inserted prefetch. Preferably, the stride value is the most frequently occurring stride, which can be determined based on the results of the training data set. Alternatively, the stride can be computed during run-time by the code itself.