First off, I hope that everyone's Fourth of July was as good as mine. There's nothing quite like spending time with family and friends over the holidays to put your work-life relationship into perspective and remind you what's important.
In any case, the security news didn't stop for the holidays; if anything, it picked up, as if people were trying to slip things under my nose while I was enjoying the fireworks. Well, I'm playing catch-up now, and one of the first things that caught my attention was a recent story posted on Slashdot about a talk with Adobe's Scott Petersen where he demonstrated a "new toolchain... that allows C code to be run by the Tamarin virtual machine."
The toolchain includes lots of other details, such as a custom POSIX system call API and a C multimedia library that provides access to Flash. And there's some things that Petersen had to add to Tamarin, such as a native byte array that maps directly to RAM, thereby allowing the VM's "emulation" of memory to have only a minor overhead over the real thing. The end result is the ability to run a wide variety of existing C code in Flash at acceptable speeds. Petersen demonstrated a version of Quake running in a Flash app, as well as a C-based Nintendo emulator running Zelda; both were eminently playable, and included sound effects and music.
So, the geek in me wants to think that a Flash version of Quake is pretty sweet, but the security expert in me can only think of the following:
- Take Flash, a browser-based technology that is used in a huge percentage of computers out there, and more importantly, has had its own fair share of flaws (see Pwn2Own Contest results from this year)
- Add the ability to "run a wide variety of existing C code in Flash", where C is clearly a language that has had devastating memory corruption flaws
- Add quotes like, "Petersen had to add to Tamarin, such as a native byte array that maps directly to RAM"
- Keep in mind that this will all be running in your browser, i.e. the playground for most of the major attacks of the last couple years
- And you get what?
- We tried the established: Java, VB
- We moved into the new: .NET, AJAX, XML (Web Services), Ruby on Rails, etc.
- Now we move into the new, which is actually the old: C