Comment by javajosh
3 years ago
Given SPECTRE and rowhammer, I just don't believe that. This gives attackers full degrees of freedom to reactively search for a crack in the process space. With a normal statically compiled decoder, as an attacker you have a certain degree of freedom, but it is far less (unless one of your formats is a programmable environment, e.g. NSO's iOS exploit).
I, for one, would not be comfortable having content distributed as a blob that runs as a virtual machine that builds the software that decodes the content. Justine has made this practical. I can see the appeal. I just worry that we're trading in our jpgs for exes in a sandbox, and I'm not sure it's worth the risk.
I'm flattered you think my hobby project might replace jpeg. Maybe one day we'll figure out how to do discrete cosine transform as a lambda expression. All I'm trying to accomplish here is sharing interesting ideas and inspiring the curiosity of programmers who dare to dream that things can be better than they are. It's not the responsibility of the educational materials I provide free of charge to folks who love computer science to help you comply with hardening policies aimed at reducing risks relating to malicious actors exploiting the most recently disclosed weaknesses in your hardware. Powerful knowledge has many applications, so it always makes me sad when people choose to focus on the negative ones.
If you want something that can provide that level of assurance then I'd suggest looking into Blinkenlights, which can be retooled to abstract a level of memory obfuscation and processor insulation that effectively neutralizes such threats, much stronger than alternatives like docker/gvisor/vms/etc., but at a cost of performance.
You are right, of course. I must have left my whimsy in my other pants. In my defense, I imagined that you might, like, over the weekend, produce an 800 byte standard library that includes trig and a lua interpreter. Blinkenlights looks amazing, and I will check it out.
I wouldn't say that the OP has made this possible; there is nothing groundbreaking here. It's a cool trick that isn't widely employed for the exact reasons you mentioned.