Modern browsers already include a mechanism for executing native code in the form of plug-ins. But according to Google's research paper, this route is no better than ActiveX. Experts and end-users alike view plug-ins with distrust, which seriously limits their effectiveness.
A sand castle
Google claims that its Native Client improves upon any of these past technologies by building a "sandbox" security layer around native code downloaded from Web sites. You can think of it as a kind of "virtualization lite" -- except that Native Client avoids the overhead of full-blown virtualization environments such as VMware by placing strict limitations on what kind of code is allowed to run.
As such, the notion that Native Client executes unmodified native x86 code is a little misleading. While C source may indeed compile without modification, you'll need to build it with special versions of the GNU C compiler and its related tool chain before it will run in Native Client. Programs and libraries written in hand-coded assembly language will almost certainly require patches.
Native Client's cleverest security hack is to limit memory access using 80386 memory segmentation. Each process is assigned its own unique memory address space, rendering it impossible for malicious code to attack memory used by the OS or other processes. To further reinforce this, certain processor instructions and system calls are banned, the code must handle returns from subroutines using a specific method, and modules running in Native Client can only communicate with the world outside the sandbox through a provided set of APIs.
To make sure code follows the rules, Native Client relies on static source code analysis to spot security defects and potentially harmful routines before any instructions are executed. According to Google, the rules it enforces on code at compilation time make disassembling and analyzing Native Client binaries a breeze, and the overhead imposed by this verification pass is minuscule compared to the overhead of actually downloading the component.
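To show what the two preceding paragraphs describe in practice, here is a toy static validator of the kind a sandboxed-code loader runs before letting a downloaded module execute. It is an added illustration, not Google's Native Client code, and its rule set is a deliberately simplified assumption: a fixed bundle size, a short list of banned instructions, a requirement that every indirect jump or call (including subroutine returns, which are rewritten as a masked jump instead of a bare RET) be preceded by an AND that forces the target onto a bundle boundary, and a check that direct jumps only land on instruction boundaries. The `Insn` records stand in for an instruction decoder; the offsets and lengths in the sample modules are hand-assigned, not real x86 encodings.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Bundle size: this toy's parameter (assumed), chosen so "and $~31, %reg"
# clears the low five bits and leaves only bundle-aligned addresses.
BUNDLE = 32


@dataclass(frozen=True)
class Insn:
    offset: int                 # byte offset of the instruction inside the module
    length: int                 # encoded length in bytes
    mnem: str                   # mnemonic, e.g. "mov", "and", "jmp"
    ops: Tuple[str, ...] = ()   # operands in AT&T order, e.g. ("$~31", "%eax")


# Instructions the loader refuses outright: traps and raw system calls,
# privileged ops, and a bare RET (returns must use the masked indirect jump).
BANNED = {"int", "syscall", "sysenter", "hlt", "in", "out", "cli", "sti",
          "lgdt", "lidt", "ret"}
SEGMENT_REGS = {"%cs", "%ds", "%es", "%fs", "%gs", "%ss"}


def is_mask_for(insn: Insn, reg: str) -> bool:
    """True if insn is 'and $~(BUNDLE-1), reg', which pins reg to a bundle start."""
    return insn.mnem == "and" and insn.ops == (f"$~{BUNDLE - 1}", reg)


def is_indirect(insn: Insn) -> bool:
    return insn.mnem in ("jmp", "call") and bool(insn.ops) and insn.ops[0].startswith("*")


def validate(insns: List[Insn], module_size: int) -> List[str]:
    """Return the list of rule violations; an empty list means the module may load."""
    errors: List[str] = []
    starts = {i.offset for i in insns}   # legal direct-jump targets: instruction boundaries
    protected = set()                    # masked jumps: a direct jump onto them would skip the AND

    for idx, insn in enumerate(insns):
        where = f"@0x{insn.offset:02x} {insn.mnem}"
        end = insn.offset + insn.length

        # Rule 1: banned opcodes and segment-register writes (segmentation is the sandbox wall).
        if insn.mnem in BANNED:
            errors.append(f"{where}: banned instruction")
        if insn.mnem == "mov" and insn.ops and insn.ops[-1] in SEGMENT_REGS:
            errors.append(f"{where}: write to segment register")

        # Rule 2: every instruction lies inside the module and inside one bundle,
        # so every bundle start is guaranteed to be an instruction boundary.
        if end > module_size:
            errors.append(f"{where}: runs past end of module")
        if insn.offset // BUNDLE != (end - 1) // BUNDLE:
            errors.append(f"{where}: crosses a bundle boundary")

        # Rule 3: an indirect jmp/call is allowed only as the second half of a
        # contiguous 'and $~31, %reg; jmp *%reg' pair that sits in one bundle.
        if is_indirect(insn):
            reg = insn.ops[0][1:]
            prev = insns[idx - 1] if idx > 0 else None
            if (prev is not None and is_mask_for(prev, reg)
                    and prev.offset + prev.length == insn.offset
                    and prev.offset // BUNDLE == insn.offset // BUNDLE):
                protected.add(insn.offset)
            else:
                errors.append(f"{where}: indirect transfer without in-bundle mask of {reg}")

        # A call must end exactly on a bundle boundary so the pushed return address
        # is bundle-aligned and the callee's masked return can land on it unchanged.
        if insn.mnem == "call" and end % BUNDLE != 0:
            errors.append(f"{where}: call does not end on a bundle boundary")

    # Rule 4: direct jmp/call targets must be instruction starts and must not be
    # the masked jump of a pair (landing there would bypass the AND).
    for insn in insns:
        if insn.mnem in ("jmp", "call") and insn.ops and not is_indirect(insn):
            target = int(insn.ops[0], 0)
            if target not in starts or target in protected:
                errors.append(f"@0x{insn.offset:02x} {insn.mnem}: illegal direct target 0x{target:02x}")
    return errors


# Constructed sample: a compliant 40-byte module spanning two bundles.
GOOD_MODULE = [
    Insn(0x00, 5, "mov", ("$1", "%ebx")),
    Insn(0x05, 11, "nop"),                       # padding so the call ends on 0x20
    Insn(0x10, 11, "nop"),
    Insn(0x1b, 3, "and", ("$~31", "%ecx")),      # mask the call target ...
    Insn(0x1e, 2, "call", ("*%ecx",)),           # ... then call; ends at 0x20, bundle-aligned
    Insn(0x20, 1, "pop", ("%edx",)),             # subroutine return: pop, mask, jump
    Insn(0x21, 3, "and", ("$~31", "%edx")),
    Insn(0x24, 2, "jmp", ("*%edx",)),
    Insn(0x26, 2, "jmp", ("0x20",)),             # direct jump to a valid boundary
]
GOOD_SIZE = 0x28

# Constructed sample: one violation of each kind.
BAD_MODULE = [
    Insn(0x00, 2, "int", ("$0x80",)),            # raw system call
    Insn(0x02, 2, "mov", ("%eax", "%ds")),       # segment-register write
    Insn(0x04, 2, "jmp", ("*%eax",)),            # unmasked indirect jump
    Insn(0x06, 2, "jmp", ("0x03",)),             # jumps into the middle of the mov
    Insn(0x08, 1, "ret"),                        # bare return
    Insn(0x1e, 4, "mov", ("$0", "%eax")),        # straddles the 0x20 bundle boundary
]
BAD_SIZE = 0x28

if __name__ == "__main__":
    print("good module:", validate(GOOD_MODULE, GOOD_SIZE) or "accepted")
    for err in validate(BAD_MODULE, BAD_SIZE):
        print("bad module:", err)
```

The point of rules 2 through 4 together is that the validator never has to reason about runtime values: because every bundle start is an instruction boundary and every indirect transfer is masked to a bundle start, the loader knows the complete set of instructions that can ever execute from the one linear disassembly it performed before loading, which is why the verification pass is cheap.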
In addition, Google's engineers are still working on adding a second, "outer" sandbox that will trap malicious behaviors that escape the code verification and memory protection layers.
It's a sound idea with a lot of promise. Given the pedigrees of Google engineers, Native Client may yet prove to be one browser extension idea that's so crazy that it just might work.