C to be the next browser scripting language... wait, what?


First off, I hope that everyone's Fourth of July was as good as mine.  There's nothing quite like spending time with family and friends over the holidays to put your work-life relationship into perspective and remind you of what's important.

 

In any case, the security news didn't stop for the holidays; if anything, it picked up, as if people were trying to fly things under my nose while I was enjoying the fireworks.  Well, I'm playing catch-up now, and one of the first things that caught my attention was a recent story posted on Slashdot about a talk with Adobe's Scott Petersen where he demonstrated a "new toolchain... that allows C code to be run by the Tamarin virtual machine."

 

The article states:

The toolchain includes lots of other details, such as a custom POSIX system call API and a C multimedia library that provides access to Flash. And there's some things that Petersen had to add to Tamarin, such as a native byte array that maps directly to RAM, thereby allowing the VM's "emulation" of memory to have only a minor overhead over the real thing. The end result is the ability to run a wide variety of existing C code in Flash at acceptable speeds. Petersen demonstrated a version of Quake running in a Flash app, as well as a C-based Nintendo emulator running Zelda; both were eminently playable, and included sound effects and music.
So, the geek in me wants to think that a Flash version of Quake is pretty sweet, but the security expert in me can only think of the following:
  1. Take Flash, a browser-based technology that is used in a huge percentage of computers out there, and more importantly, has had its own fair share of flaws (see Pwn2Own Contest results from this year)
  2. Add the ability to "run a wide variety of existing C code in Flash", where C is clearly a language that has had devastating memory corruption flaws
  3. Add quotes like, "Petersen had to add to Tamarin, such as a native byte array that maps directly to RAM"
  4. Keep in mind that this will all be running in your browser, i.e. the playground for most of the major attacks of the last couple of years
  5. And you get what?
A major set of flaws waiting to happen. So we've come full circle with dynamic web programming:
  • We tried the established: Java, VB
  • We moved into the new: .NET, AJAX, XML (Web Services), Ruby on Rails, etc.
  • Now we move into the new, which is actually the old: C
I can see what's coming next: Ada and Prolog for web applications.  In any case, I know nothing of any plans that Adobe has to actually do this in real life; it might just be an interesting research project.  In fact, I don't fault Adobe for this idea. It's actually really cool, and I don't want to be the voice stopping innovation of anything that is cool.  I'd just like to stress that if we're going to use C/C++ or any other older language for our web application programming, let's think about the ramifications and implement it in a way that helps developers program it securely.  So, kudos to Scott Petersen and Adobe for trying something innovative; now let's do it securely if we do it at all. -Nate
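Points 2 and 3 of the list above, as an added C example that is not from the article, the Slashdot story or Adobe's toolchain. In this toy model (the `mem` array, `vm_store` and the guest object layout are all assumptions), the VM's bounds check keeps every store inside the byte array, yet an unbounded C-style copy still overwrites a neighbouring object within it; the checked variant rejects the oversized input.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Toy model (assumption): the guest's whole address space is one byte array,
   and the VM only checks that an access stays inside that array. */
#define MEM_SIZE  64
#define NAME_OFF  0    /* guest object: char name[16] */
#define NAME_LEN  16
#define FLAG_OFF  16   /* guest object: uint8_t is_admin, adjacent to name */

static uint8_t mem[MEM_SIZE];

/* VM-level store: bounds-checked against the array, not against objects. */
static int vm_store(size_t addr, uint8_t v) {
    if (addr >= MEM_SIZE) return -1;   /* sandbox boundary holds */
    mem[addr] = v;
    return 0;
}

/* Guest code compiled from an unbounded C copy (strcpy-like). */
static int guest_set_name_unchecked(const char *src) {
    size_t i = 0;
    do {
        if (vm_store(NAME_OFF + i, (uint8_t)src[i]) != 0) return -1;
    } while (src[i++] != '\0');
    return 0;
}

/* Hardened guest code: rejects input that does not fit the object. */
static int guest_set_name_checked(const char *src) {
    size_t n = strlen(src);
    if (n >= NAME_LEN) return -1;
    for (size_t i = 0; i <= n; i++) vm_store(NAME_OFF + i, (uint8_t)src[i]);
    return 0;
}

/* Returns the guest's is_admin flag after copying `src` into name. */
int flag_after(const char *src, int checked) {
    memset(mem, 0, sizeof mem);
    if (checked) guest_set_name_checked(src);
    else guest_set_name_unchecked(src);
    return mem[FLAG_OFF];
}

int main(void) {
    const char *input = "AAAAAAAAAAAAAAAA\x01"; /* constructed: 16 bytes + 0x01 */
    return (flag_after(input, 0) == 1 && flag_after(input, 1) == 0) ? 0 : 1;
}
```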

Topics: Browser, Enterprise Software, Software Development


Talkback

16 comments
  • C doesn't have memory corruption flaws

    C provides access to memory and leaves it as an exercise for the developer to program appropriately.
    croberts
    • Semantics

      Ok, so improper use of C can definitely result in memory corruption vulns. We're arguing semantics here.

      -Nate
      nmcfeters
      • Not really Semantics

        When you walk off a cliff.. there is nothing wrong with your feet.

        What if I wanted to program a program that did that memory corruption for educational purposes, for example?
        TedKraan
        • Yes, really, semantics

          That's a poor analogy. I can make analogies too. It's more like you were at the Grand Canyon and walked off the edge. No, you're correct, it's not your feet's fault, but maybe the people who set up the Grand Canyon should've had a fence to prevent you from accidentally walking off the edge.

          -Nate
          nmcfeters
          • Well..

            I agree with you that this is a bad idea completely. Embedded C code in Flash window in browsers is yet another caveat and a culprit for a sea of problems.

            But as argumentation you give that C is a bad language. It isn't. And the fence in the analogy wouldn't be there, cause C doesn't limit you in any ways. Everything should be possible. (Yes, so also bad code, if you want that)
            TedKraan
  • Welcome back, pointer madness and memory leak.

    We web developers love to trade productivity, garbage collection and code maintainability / clarity / reusability for some performance boost. NOT!!

    Would make a great April 1st announcement tho.
    LBiege
    • Haha

      Except who knows... I've seen weirder things happen.

      -Nate
      nmcfeters
  • RE: C to be the next browser scripting language... wait, what?

    The 57% who voted for assembly must be daft, because that guarantees compatibility problems between different machine architectures. Not everyone runs an x86.
    tiger99999
    • Yes, but

      that's how everything starts. You know what will come next? Microsoft .ASSEMBLY, an intermediate language that allows you to program in any assembly language and convert it to an intermediate language understood by all processors.

      Hhahaa.

      Nate
      nmcfeters
  • It'll never gain traction

    Does any programmer really want to go all the way back to the madness of pointers and managing memory manually?

    No thanks.

    Having a C-like syntax like Java or C# does is fine, but there's no way I'd want to go back to the madness of pointers.

    Personally, I doubt it'll gain traction. There's no compelling reason to use C as a scripting language.
    CobraA1
    • But

      It doesn't need "traction" to be a bad idea.
      If this ability were put into Acrobat's reader,
      the wolves would use it, even if everyone
      else thinks it's dumb.

      Providing power to an environment equals
      providing opportunities for abuse, always.
      LGLisle
  • *shrugs*

    Let's look at this honestly; how is this any worse than
    Managed C++ which .NET offers. There will be limitations,
    the code will be sandboxed - and the great thing is that
    a lot of code out there can be moved to a managed
    environment and provide improved security - heck,
    GNOME right now there is a debate over Java vs. .NET -
    why not avoid all that junk, keep the C everyone loves and
    go with this idea?

    All they need to do now is open-source the Flash plugin,
    and I'd be a happy camper.
    Kaiwai
  • RE: C to be the next browser scripting language... wait, what?

    Dylan!
    richard@...
  • Erlang is the only rational language for parallel operations and web work..

    Erlang solves the problems on the web. It has built in parallel operations that make it quite robust for web work and general parallel software problems.
    progon
  • APL...

    If you're keen on danger, then pick a language where even the original programmer isn't totally sure what's going on. "Look, I got my entire server solution on one line!"

    (I learned programming on APL-SV in the musty-dusty past, so I'm quite fond of it, though I'm all C++/C# today)

    Mind you, that's only mostly tongue-in-cheek, if one is going to lean towards an interpretive scripting solution, might as well go whole hog and adopt a model that was designed for it, eh?
    grildrig
  • RE: C to be the next browser scripting language... wait, what?

    I honestly think we should get back to BASIC
    No, I'm stone cold serious!
    Basic is very easy to program. Though it is linear, I think there are ways to implement Basic in such a way that it could be used efficiently.
    ZazieLavender