flat assembler
Message board for the users of flat assembler.
Index
> Programming Language Design > Safety Forth Goto page Previous 1, 2 |
Author |
|
Ali.Z 16 Nov 2020, 04:01
if im not safe nor secure, then how could my code become secure?
plus, what is security and safety? _________________ Asm For Wise Humans |
|||
16 Nov 2020, 04:01 |
|
DimonSoft 18 Nov 2020, 21:43
sleepsleep wrote: in the beginning, there is only 0, then suddenly it becomes 1, or 1 exists, I can’t help quoting Joel (this blog post): Joel Spolsky wrote: You had ones? Lucky bastard! All we got were zeros. |
|||
18 Nov 2020, 21:43 |
|
Hugh-Aguilar 20 Nov 2020, 09:06
DimonSoft wrote:
The FASM forum appears to be a nest of trolls --- posting idiotic nonsense in an effort to get a response, so they an post more idiotic nonsense... Plus we have Revolution (a moderator!) telling me: "There is literally nothing that you can do..." This is how maintenance programmers pass the time when they aren't reading a real programmers source-code --- and then pretending that they wrote the source-code themselves, or at least made a positive contribution of some kind. I will NEVER provide maintenance programmers with source code! The purpose of Safety Forth is to allow real programmers to distribute code closed-source, while yet allowing users to download and run this closed-source code without fear that it is malware. I think this is possible. _________________ When all else fails, write the source. |
|||
20 Nov 2020, 09:06 |
|
Furs 20 Nov 2020, 13:12
Hugh-Aguilar wrote: The FASM forum appears to be a nest of trolls --- posting idiotic nonsense in an effort to get a response, so they an post more idiotic nonsense... Here's a refresher (again): revolution wrote: And still you haven't addressed Meltdown, Rowhammer or Spectre. No amount of VMs, or it's-not-asm-code defeats those attacks. You need something much different for those. Those are vulnerabilities in the CPU. Vulnerabilities exist because things aren't designed perfectly. That's why they are called vulnerabilities. You can have a perfect sandbox and still have it broken by vulnerabilities such as privilege escalations outside of your control. That's the point. |
|||
20 Nov 2020, 13:12 |
|
Hugh-Aguilar 21 Nov 2020, 18:24
Furs wrote:
That is not the point. The point is that Safety Forth can't be used to write malware. Safety Forth programs can be distributed closed-source and the user can feel confident that they aren't malware. It is possible that you guys don't know the difference between a programming language and an operating system (OS). Meltdown, Spectre and RowHammer make an OS insecure because somebody could theoretically write an asm program that accesses memory or files that it does not have authority to access. If Menuet is vulnerable to these kinds of attacks, that is a problem for the OS author (Ville) --- it is not my responsibility to defend the OS against attack --- all I can do is to ensure that Safety Forth isn't used for attacking the OS, which would make me complicit in the attack (likely causing Ville to ban Safety Forth from being run under Menuet). Above I said that Meltdown, Spectre and RowHammer could "theoretically" be used to access unauthorized memory. This has the smell of an urban legend. People vaguely theorize that such things could be done, then they write articles on the internet, then people like Revolution read these articles. This is just a bucket brigade of fake experts passing a bucket of B.S. up the line, which they then dump over my head. I really doubt that any of you have ever actually used Meltdown, Spectre and RowHammer successfully --- you are just typical internet experts talking up subjects that you don't know anything about. The internet is full of fake experts. For example, it is easy to find self-proclaimed experts on VLIW processors. They read articles on the internet about the subject, which they believe make them experts. After I wrote MFX for the MiniForth processor, I tried to talk to people about how an assembler for a VLIW processor works, and NOBODY understood anything that I was saying. It has been 25 years since I wrote MFX, and I have yet to find anybody who knows anything about the subject. Lockheed-Martin has a VLIW processor that they use to generate images from radar data. They apparently got the hardware working, but they couldn't figure out how to write an assembler for it. They are hand-coding the assembly programs using a spreadsheet --- the programmer has to mentally figure out which instructions can be packed into which opcodes --- I tried to explain to them how this could be automated, but they didn't seem to understand anything that I was saying. This is what happens when people derive their knowledge from reading articles --- they end up being a fake expert on a subject that they don't know anything about. _________________ When all else fails, write the source. |
|||
21 Nov 2020, 18:24 |
|
DimonSoft 21 Nov 2020, 21:02
Hugh-Aguilar wrote: The point is that Safety Forth can't be used to write malware. I guess it’s time to give your definition of the word “malware”. Hugh-Aguilar wrote: Safety Forth programs can be distributed closed-source and the user can feel confident that they aren't malware. Programs in any programming language can be distributed closed-source. There’re thousands of languages (mostly hobbyist and/or educational) that don’t support any data input/output except keyboard/screen. While it technically is much harder to write malware with those languages, very few (if any) of the authors claim their languages to be safe/secure/malware-free. There’s a reason. Hugh-Aguilar wrote: Above I said that Meltdown, Spectre and RowHammer could "theoretically" be used to access unauthorized memory. This has the smell of an urban legend. People vaguely theorize that such things could be done, I have the same feeling actually. And I personally treat side-channel attacks as just funny facts that prove Newton’s third law: nothing can be done without affecting something else. It’s like washing one’s hair and then complaining the amount of shampoo left has decreased… Hugh-Aguilar wrote: you are just typical internet experts talking up subjects that you don't know anything about. … but this logic is broken. Or can be used for you in the same way. I’m not trying to offend you. But claiming a programming language doesn’t allow to do something unsafe… That we (you and us) cannot tell outright how to do that doesn’t make it impossible, ’cause security/safety is not limited to how the program is written, it also depends on how the program is execute by the processor or sandbox, or other runtime environment (which still relies on the processor being vulnerability-free). Hugh-Aguilar wrote: Lockheed-Martin has a VLIW processor that they use to generate images from radar data. They apparently got the hardware working, but they couldn't figure out how to write an assembler for it. They are hand-coding the assembly programs using a spreadsheet --- the programmer has to mentally figure out which instructions can be packed into which opcodes --- I tried to explain to them how this could be automated, but they didn't seem to understand anything that I was saying. As far as I know, Intel Itanium had the same problem: people just were reluctant to write compilers that support all the cool stuff those processors support. What makes you think they didn’t understand your idea in your case? Maybe they just felt it was unnecessarily hard to implement as compared to the positive effect they would have in return? After all, technologies and ideas that increase the demand of workers tend to be more successful than those which decrease the demand: people are not willing to lose their job by being replaced with a machine, so they do their best to not let it happen. |
|||
21 Nov 2020, 21:02 |
|
Hugh-Aguilar 22 Nov 2020, 04:04
DimonSoft wrote:
malware: Programs that access memory or files that they are not authorized to access. DimonSoft wrote:
The reason is that those languages allow access to memory that they are not allowed to access and/or they allow user-written machine-code to be called that could do pretty much anything. I don't think that you are paying attention. I have said all of this multiple times now. Also, what I'm saying is very obvious and easy to understand. I think that you are just playing dumb and purposefully not understanding, waiting for me to get bored and stop responding, whereupon you will declare victory. I think that maintenance programmers hate and fear closed-source software more than anything else in the world, so they are in the business of howling that closed-source software is likely to be malware and should never be accepted by any user --- for obvious reasons, the maintenance programmers want all software to be open-source. _________________ When all else fails, write the source. |
|||
22 Nov 2020, 04:04 |
|
DimonSoft 22 Nov 2020, 09:37
Hugh-Aguilar wrote: The reason is that those languages allow access to memory that they are not allowed to access and/or they allow user-written machine-code to be called that could do pretty much anything. I’m sorry to tell you again that Java/.NET-like environments are neither secure nor safe although they are designed to forbid access to memory outside their management (they usually have some escape features like JNI or P/Invoke but those are not required to find and exploit vulnerabilities). Now let’s consider other feature-limited languages like Brainfuck, Logo, КуМир/ИнтАл, add yours to the list. AFAIK, noone of their respective authors claim their safety/security (at least for those I’m familiar with). The Meltdown/Spectre/RowHammer family of attacks is all about being unable to prevent access to arbitrary memory with plain bound checks. You were asked to dive into the topic a few times by now, but… Hugh-Aguilar wrote: I don't think that you are paying attention. Hugh-Aguilar wrote: I think that you are just playing dumb and purposefully not understanding, waiting for me to get bored and stop responding, whereupon you will declare victory. As for me personally, I just don’t care at all. As professional skills get higher, discussion experience also grows and at some point the value of making sure “I won” just becomes zero. Hugh-Aguilar wrote: I think that maintenance programmers hate and fear closed-source software more than anything else in the world, so they are in the business of howling that closed-source software is likely to be malware and should never be accepted by any user --- for obvious reasons, the maintenance programmers want all software to be open-source. Trying to put labels on people whom you don’t even know means you’re either trying to be a troll, or have reasons to be afraid of people who are trying to be helpful and mention things and facts you are not aware of. It’s not hard to find who I am and notice that I’m not a fan of open source at all. For obvious reasons: I can count good, reliable open source software with fingers of one hand, FASM taking one of them. So, I don’t count as “maintenance programmer” by your definition but still am worried when I see the claim to make a secure language by just doing what others tried for years and failed. In fact, this whole discussion is all about people being triggered by your claim that may only count as marketing. Most of us are just tired to explain numerous Java-boys who believe such claims for Java that they got trapped by marketing, guess what we feel when we see such claim anywhere else. |
|||
22 Nov 2020, 09:37 |
|
revolution 22 Nov 2020, 10:24
And still the OP has not explained how "Safety" Forth is going to prevent all Rowhammer/Spectre/Meltdown classes of attacks, or any future discoveries that are currently unknown.
I think that the OP doesn't understand what Rowhammer/Spectre/Meltdown are, seeing as how the only solutions posted so far will have no effect. If you want to be believed then show us what you have done to address those issues. Making claims that people "can't write malware" using language/compiler XYZ requires a lot of proof. A lot. Also there is the commonly known fact that "you can't prove a negative". So how you plan to prove the compiler is perfect and has no flaws, and can prevent exploitation of all possible flaws, known and unknown, in all systems, is looking very much like a hard ask IMO. |
|||
22 Nov 2020, 10:24 |
|
Furs 22 Nov 2020, 14:04
Hugh-Aguilar wrote: malware: Programs that access memory or files that they are not authorized to access. https://en.wikipedia.org/wiki/Privilege_escalation |
|||
22 Nov 2020, 14:04 |
|
Hugh-Aguilar 26 Nov 2020, 06:36
DimonSoft wrote:
Putting me in the same category as a "Java-boy" is an unfair troll attack. I have not gone to college, so I'm not really anybody's "pocket boy" (that is a Russian term, but I think the meaning is obvious). I don't program in Java, and I have no interest in Java because it is over-complicated and feature-bereft (no true closures), and pretty much the COBOL of the 21st century. My language design allows "quotations" that are anonymous functions defined inside of a parent function. The QXT (quotation execution token) can be passed into a HOF (higher order function) that will execute it. The quotation will have read/write access to the parent function's local variables, despite the fact that the HOF has local variables of its own. Java doesn't have anything like this --- Java is a useless toy primarily popular in colleges (it replaced Pascal as the primary teaching language of colleges). I already have (since 2016) quotations working under VFX Forth and SwiftForth, although my code is not ANS-Forth compliant. Pascal (actually Delphi) is a lot more powerful than Java because it has nested functions that are roughly comparable to quotations. This is why I suggested a Safety Pascal that would inter-operate with Safety Forth. I don't like Pascal though (I have experience in Quick Pascal under MS-DOS), so I don't want to get directly involved in Safety Pascal. I don't like C either, although GCC (not ANSI-C compliant) does have nested functions roughly comparable to quotations. I'm primarily a Forther.- Lets have a head-count: how many people use Menuet? Of these, how many people are interested in a high-level programming language that allows closed-source distribution of programs (as compared to FASM programs that have to be open-source to be distributed)? _________________ When all else fails, write the source. |
|||
26 Nov 2020, 06:36 |
|
DimonSoft 27 Nov 2020, 13:02
Hugh-Aguilar wrote:
Nobody did. I just mentioned that people with Java background tend to be among those who are vulnerable to the marketing claims like this and are willing to spread them around. That just explains why the same claim (especially mentioning Java) makes the community react this way. Hugh-Aguilar wrote: as compared to FASM programs that have to be open-source to be distributed Can you share/quote the source of this requirement? |
|||
27 Nov 2020, 13:02 |
|
Goto page Previous 1, 2 < Last Thread | Next Thread > |
Forum Rules:
|
Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.
Website powered by rwasa.