flat assembler
Message board for the users of flat assembler.

Index > Main > Anybody managed to make an NaCl demo in fasm?

Goto page 1, 2  Next
Author
Thread Post new topic Reply to topic
michikaze



Joined: 03 May 2014
Posts: 5
michikaze 03 May 2014, 12:04
I wonder if somebody already tried to do this.
Post 03 May 2014, 12:04
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 03 May 2014, 12:05
What is NaCl? (Aside from being a molecule essential to life)
Post 03 May 2014, 12:05
View user's profile Send private message Visit poster's website Reply with quote
michikaze



Joined: 03 May 2014
Posts: 5
michikaze 03 May 2014, 12:31
http://en.wikipedia.org/wiki/Google_Native_Client
This thing helps to run machine code applications inside Chrome brouser. Apps can be in x86, x64 machine code, ARM, MIPS< or in the LLVM bytecode.
I'm played with SDK a bit, now I have to understand the file format apps are stored in and to use fasm to make them.
Post 03 May 2014, 12:31
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 03 May 2014, 12:35
michikaze wrote:
http://en.wikipedia.org/wiki/Google_Native_Client
This thing helps to run machine code applications inside Chrome brouser.
Oh dear, that sounds awful (the opposite of awefull). Remote sites able to run arbitrary code in the client is a security disaster waiting to happen. Hehe, I guess it will all be sandboxed or something, just like Java was supposed to be sandboxed and look at how successful that wasn't at stopping exploits.
Post 03 May 2014, 12:35
View user's profile Send private message Visit poster's website Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 03 May 2014, 12:47
Yes, really bad idea, normally for an evil corporation, pushing its product and willing to do anything to conquer new markets.
Post 03 May 2014, 12:47
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
michikaze



Joined: 03 May 2014
Posts: 5
michikaze 03 May 2014, 14:45
@revolution
Don't know, I think it's a bit better than virtual machines. And much better than just downloading exe files from unknown sites.
Yes, it's sandboxed, don't know details. Quoting wikipedia:
Quote:
The x86-32 implementation of Native Client is notable for its novel sandboxing method which makes use of the x86 architecture's rarely-used segmentation facility.

and also NaCl filtrates some dangerous opcodes from code before executing it.

Related article.
http://www.chromium.org/nativeclient/how-tos/how-to-write-assembler-for-x86-nacl-platform
Post 03 May 2014, 14:45
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 03 May 2014, 15:19
michikaze wrote:
Don't know, I think it's a bit better than virtual machines. And much better than just downloading exe files from unknown sites.
There is a big difference. When we download something we consciously choose to do it and we have the option to examine it (perhaps with an AV, or debugger or whatever). But with a website we have no such choices and we get something we didn't even ask for that automatically runs without any action on our part. Perhaps the difference appears to be subtle but it is very significant and important distinction.
Post 03 May 2014, 15:19
View user's profile Send private message Visit poster's website Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 03 May 2014, 16:20
The web browser is a web browser. Not an OS. So, it should not run programs. The OS should.
Post 03 May 2014, 16:20
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
michikaze



Joined: 03 May 2014
Posts: 5
michikaze 03 May 2014, 17:01
@revolution
I think there is an option to forbid it anywhere except google play. I also think that running it in browser is safer, since developers expect problems to happen, and so the restrictions are more fixed than on most users enviropment. It warned me then app tried to store local information, probably it also warns user before actual start. I haven't tested it online, only on localhost.

@JohnFound
Don't see much difference, I spend in browser more time than anywhere else. Wouldn't you like to skip the downloading step and play something right on the page?
Post 03 May 2014, 17:01
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 04 May 2014, 00:07
JohnFound wrote:
The web browser is a web browser. Not an OS. So, it should not run programs. The OS should.
Agree. And this also applies to JS, Flash, Silverlight etc. I hope that one day people will see the folly of JS and realise that it was a bad idea from the start.
Post 04 May 2014, 00:07
View user's profile Send private message Visit poster's website Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 04 May 2014, 00:10
michikaze wrote:
Wouldn't you like to skip the downloading step and play something right on the page?
No. Absolutely not. Would you let random people come into your house and play with your children unmonitored?
Post 04 May 2014, 00:10
View user's profile Send private message Visit poster's website Reply with quote
gens



Joined: 18 Feb 2013
Posts: 161
gens 04 May 2014, 01:40
"Native Client sets up x86 segments to restrict the memory range that the sandboxed code can access. It uses a code verifier to prevent use of unsafe instructions"

so... whats stopping the program from making it's own instructions ?
this is some next level false sense of security right here, lovin it
Post 04 May 2014, 01:40
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 04 May 2014, 02:33
Why is it even considered necessary to have it? Is there a purpose behind it other than "that would be cool"?
Post 04 May 2014, 02:33
View user's profile Send private message Visit poster's website Reply with quote
gens



Joined: 18 Feb 2013
Posts: 161
gens 04 May 2014, 02:39
i think its more about the sense of security (and the marketing that goes with it)
from what i see most people believe it
also "it would be cool"

sry michikaze, i can't offer what you asked for
Post 04 May 2014, 02:39
View user's profile Send private message Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 04 May 2014, 05:23
revolution wrote:
I hope that one day people will see the folly of JS and realise that it was a bad idea from the start.


Unfortunately, for now JS can't be avoided entirely, simply because HTTP protocol lacks some needed functionality. I mean the server-push technology is impossible without JS.

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Post 04 May 2014, 05:23
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 04 May 2014, 09:30
JohnFound wrote:
Unfortunately, for now JS can't be avoided entirely, simply because HTTP protocol lacks some needed functionality. I mean the server-push technology is impossible without JS.
But the fundamental usage of a browser is to browse (sorry for being captain obvious here). And I think that is where people have tried to push the browser beyond what it actually is. Server push is not a browsing function. That should be in some other program if one needs such a thing.
Post 04 May 2014, 09:30
View user's profile Send private message Visit poster's website Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 04 May 2014, 10:14
revolution wrote:
But the fundamental usage of a browser is to browse (sorry for being captain obvious here). And I think that is where people have tried to push the browser beyond what it actually is. Server push is not a browsing function. That should be in some other program if one needs such a thing.


Hm, it is not so simple. From one point of view - yes you are right. But IMHO, it depends on the answer of "To browse what?". What if the documents that have to be browsed are not static, bug changing in time? Then the browser should provide some way to browse a dynamic document. Of course, the browser can refresh the document periodically, but this is wrong approach. Then the browser should have some functionality to detect the document change and to read needed part of the document. This is what is called "server push", because only the server knows when the document is changed. The only way now to provide such a functionality is by client side scripting, because the base client-server protocol (HTTP) supports only static documents.

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Post 04 May 2014, 10:14
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20333
Location: In your JS exploiting you and your system
revolution 04 May 2014, 10:26
Client side scripting is not "server push". That is just automated client polling. If by changing documents you mean games then that should be a different program, not a browser function.
Post 04 May 2014, 10:26
View user's profile Send private message Visit poster's website Reply with quote
JohnFound



Joined: 16 Jun 2003
Posts: 3499
Location: Bulgaria
JohnFound 04 May 2014, 10:46
revolution wrote:
That is just automated client polling.


No it is not, actually. The scripting is used to create some kind of "client site server" that connects to the web server and waits for events on the connection. The web server is that pushes events on the connection. The client side script reacts on these events and changes the document accordingly.

_________________
Tox ID: 48C0321ADDB2FE5F644BB5E3D58B0D58C35E5BCBC81D7CD333633FEDF1047914A534256478D9
Post 04 May 2014, 10:46
View user's profile Send private message Visit poster's website ICQ Number Reply with quote
michikaze



Joined: 03 May 2014
Posts: 5
michikaze 04 May 2014, 13:29
Quote:
Why is it even considered necessary to have it? Is there a purpose behind it other than "that would be cool"?

There are some limitations in using the JS, flash and java's virtual machines: main is of course speed. Raw machine code will be able to load and work faster. It's simplier, and I hope it will find it's niche.

Quote:
But the fundamental usage of a browser is to browse (sorry for being captain obvious here).

to interact with everything outside your computer

Quote:
No. Absolutely not. Would you let random people come into your house and play with your children unmonitored?

weird analogy

Quote:
so... whats stopping the program from making it's own instructions ?

what do you mean by "making instructions"? Self modifying code? I think the lack of write access.
Post 04 May 2014, 13:29
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page 1, 2  Next

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2024, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.