OSDev.org

This is similar to the LinuxBIOX/Coreboot/WebAssembly thread, but only similar, it has a more broad topic:
I found this project, with members like Mozilla, Intel, RedHat:

https://bytecodealliance.org/articles/a ... e-alliance

It attempts to make the IT world more secure. But to me it seems sub-optimal, to express it rather carefully.

It has 3 bytecode runtimes.

There is a code generator (even the word makes me feel uncomfortable, being a low level programmer) called Cranelift who produces super-fast code. Why this is needed for security escapes me.

And I don't feel comfortable about the whole concept. But maybe I just have a prejudice and it's THE thing to come. So what do you think about it?

Greetings
Peter

Wonderful solution to a non-existent problem they made up. Reading that page I share you opinion. I have a strong feeling that those guys know absolutely nothing about IT security, they just using it as a buzzword now that protecting privacy is a thing, thanks to the hearings of ZB.

They say:

The problem

The way that we architect software has radically changed over the past 20 years. In 2003, companies had a hard time getting developers to reuse code.
Now 80% of your average code base is built with modules downloaded from registries like JavaScript’s npm, Python’s PyPI, Rust’s crates.io, and others.

I don't agree this is the root cause of the problem. Well, it is a reason for bloated, buggy, extremely slow and unstable programs that eat up all the RAM, sure, but you simply can't blame the lack of security to modularity. This is pure bullsh*t.

Together, we’re putting in solid, secure foundations that can make it safe to use untrusted code

At this point I started to laugh. Good luck with that, guys! You'll reinvent jailing and sandboxing soon!

Cheers,
bzt

I suggest you read the whole page (and understand it) before making fun of it. Although jailing / sandboxing techniques are discussed, this isn't really what they are talking about.

While I know almost nothing of the Bytecode Alliance, I can say that the overall topic of 'managed code' for operating systems is well-worn and rather tumultuous for this forum. I would direct your attention to the flame-wars between Brendan on the one side, and embryo2 and onlyonemac on the other; however, this would be pointless, as those 'debates' were at best thinly-veiled phallometry contests, and this site has had more DSWs than actual discussions to begin with.

I will point out that while bytecode - previously known as pseudo-machine p-code before Sun decided that this wasn't marketable enough - have a long and venerated history, going back further than assemblers do in fact (fun fact: one of the very first reusable libraries was a callable floating-point interpreter which interpreted a specialized bytecode, which IIRC was used on the EDVAC in the late 1940s - or was the Manchester Baby, or maybe one of the Atlas systems? I'd need to check). However, until fairly recently, the main reasons for using one were three-fold: to ease portability of a language, as seen in the original Pascal p-machine (whence the name 'p-code' came, though as I said they were around twenty years earlier); to make the executed code more compact, as seen with countless Tiny Basic interpreters; or to ease implementation of a complicated system by giving the translator a simplified target, as seen in the first Smalltalk implementations.

The idea of it being more secure hadn't come into the picture then, since, well, security wasn't much of a much then. Even when Java was introduced, Sun focused a lot more of their promotional time on portability than on security - the first 'killer app' of Java, applets, was little more than an overproduced demo of this portability, a 'see, we can even run it on a browser!' thing meant to convince people that switching from IBM mainframes to Sun workstations was a good idea at a time when PCs were still playing second fiddle in large-scale IT.

The trade-off is the same as with automatic garbage collection: aside from it having a performance cost, the main problem is that you are swapping many small points of failure for one huge one, while not addressing several of the more important failure points at all. As I've said numerous times, I see the overhead of GC acceptable, but also mean to mitigate the issues it presents by having the compiler determine when it can avoid it automatically. The same applies to 'managed code'; it is only practical to the extent that you only use it where you have to.

I have no problem with code generation or runtime intepretation, given that I am developing in a Lisp derivative and intend to use runtime code synthesis in my kernel. I do have a problem with it being treated as both a buzzword and a panacea. I will have to read more about Bytecode Alliance to see just what they are doing and saying before I make my mind up about them.

I agree with you Schol-R-LEA, but I didn't take their web page / project to be about bytecode. Sure they use bytecode to enable some of the other things they are talking about (granting permissions to submodules for example), but I don't think bytecode is what this is about.

The name "Bytecode Alliance" is unfortunate.

kzinti wrote:Although jailing / sandboxing techniques are discussed, this isn't really what they are talking about.

Exactly, that's why I call it a bullsh*t. This is marketing, nothing else.

kzinti wrote:The name "Bytecode Alliance" is unfortunate.

Again, marketing, nothing else.

Don't expect real security from this project.

Cheers,
bzt

Allright, you convinced me.

I'll bite, I think it sounds pretty good.

From a quick skim read it is a system call wrapper for web assembly libraries which implements a capability based security model. If it's implemented properly it essentially solves the confused deputy problem. Since no mainstream OS supports a capability based security model, it seems totally reasonable to retrofit one when you're giving a webapp access to the file system. Obviously this is one of many security problems, and it needs to be used properly to be effective but I think it's a move in the right direction. Cap-based security really is a no-brainer in this day and age IMO.

It's obviously going to be a matter of waiting and seeing as to whether they meet their goal, but they do have some big names on their board which doesn't guarantee much but it makes me more inclined to think they are taking this seriously rather than just trying to hock snake oil. I mean what would Mozilla gain from founding a placebo security system?

StudlyCaps wrote:Since no mainstream OS supports a capability based security model, it seems totally reasonable to retrofit one when you're giving a webapp access to the file system.

Well, I totally agree that capability based model is a good direction, but not without proper sandboxing. Of course as you've pointed out (with the notable exception of SELinux) no mainstream OS supports capability based security, so it would be impossible to just pass the arguments to the OS, where separation at supervisor level can be really guaranteed. So I'm afraid as being a user-space-and-software-only solution they won't implement it properly, but I'm hoping that I'm wrong.

StudlyCaps wrote:I mean what would Mozilla gain from founding a placebo security system?

You mean besides of the obvious free advertisement they get from every single newsportal and forum writing about Bytecode Alliance? And that all websearch engines will drop out the name Mozilla on the first page as relevant search result for the buzzword "bytecode"?

I have a feeling that Mozilla is desperately trying to make impression on users ever since Chrome appeared; Safari is pre-installed by default, and with the rewrite of Edge, IE is slowly, but steadily coming back. Imho it would be better if they would focus on their developers and not on the marketing-team, but that's just my opinion.

I think this historical wikipedia graph really gives the answer to "why":


Cheers,
bzt

bzt wrote:I have a feeling that Mozilla is desperately trying to make impression on users ever since Chrome appeared; Safari is pre-installed by default, and with the rewrite of Edge, IE is slowly, but steadily coming back. Imho it would be better if they would focus on their developers and not on the marketing-team, but that's just my opinion.

Wow! I had no clue Mozilla was in such dire straits! You are totally correct IMO that this bytecode alliance deserves to be treated with suspicion, if I had a dollar for every good idea turned into a cynical cash grab by corporate committees trying to monopolise or undermine an industry, Bill Gates would be jealous.

What are you guys talking about? There are many reasons why bytecode can help to greatly improve both performance and security. I'd expect people on an OS dev forum to be a little bit more knowledgeable about type theory and compiler theory.

Love4Boobies wrote:... bytecode can help to greatly improve both performance and security...

How so? You mean bytecode in contrast to text? And how security?

EDIT: And what do you think about speed of virtual bytecode in contrast to native bytecode?
Greetings
Peter

OK, this is getting away from the real topic (since as has already been stated, the name 'Bytecode Alliance' is not wholly descriptive), but I will say that I am aware of some the touted security advantages, even if I don't necessarily think they are as significant as they are often made out to be. But then, I am wary of anything that smacks of marketing rather than technology, and my primary objections to the claims are that they are often overstated and misleading, and distract attention from the need for security procedures to be an active process rather than just a part of the software environment (the claims themselves do, that is, not necessarily the actual use of bytecode for that aim).

• The ability to incorporate encryption, signatures, and other verification markers into the 'executable' in a way which would be impractical for a casual attacker, or even a determined one on a time or budget constraint, to adequately spoof.
• The ability to run in purely interpretive mode, isolating/sandboxing the execution and thus limiting the ability to interfere with other processes.
• The ability to have all memory accesses to be automatically bounds-checked at runtime.
• The ability to force all code being run or compiled to be statically checked before execution for certain classes of exploits.
• The ability to inspect each instruction for validity before execution.
• The use of an extended virtual instruction set which incorporates complex security-related instructions at the simulated 'machine' level.

Now, here's the thing: there are other ways to get all of these advantages while still running in native code. The main argument regarding bytecode - or more generally (and more apropos of my own intended OS design) any other system which separates source compilation and code generation in a way that only permits JIT code generation - over most of the more ad-hoc approaches is that they are part and parcel of the AOT/JIT approach, and are combined with other advantages regarding portability and code compactness.

As I said earlier, prior to Microsoft's push for .NET, the majority of interest in p-codes were their portability and code density (there had been talk of security earlier with the Java JVM, though you must recall that Sun was widely criticized for creating what many called a 'virus propagation platform', which was the main reason Sun made a point about it at all). This was, however, often seen as counterbalanced - and then some - by the runtime overhead of the interpreter, which is why Sun quickly moved to a JIT bytecode compiler rather strict interpretation. Microsoft, having seen what happened with Java, and having their own reasons to go with a bytecode (mostly related to making Windows applications less reliant on x86, at the time before AMD64 came about when it looked as if the platform was going to falter soon), applied JIT from the first in .NET, as well.

But therein lies the rub, since as soon as you translate the program from the non-native bytecode to the native instruction set, many of those advantages are lost, or at least limited. This means that the JIT either has to be limited to static analysis for the runtime behavior, or else it needs to insert all of those runtime checks directly into the executable code (or some combination of the two).

This was always Brendan's argument against this, as he was of the belief that runtime checks were unnecessary and wasteful - though his ideas of what did or did not constitute a runtime check were at odds with those of most others. He was designing his language and compiler with the idea that it would reject a priori any code which it couldn't absolutely verify statically, which would require the programmer to manually insert boundary checking and so forth; he argued that this would not constitute a 'run-time check', but instead was 'normal control flow', based on the fact that the compiler obliged the coder to insert them manually rather than automatically doing so itself (this sort of hair-splitting was part of why I didn't want to quote that thread earlier, as was the fact that I needed to spend pages of posts dragging an explanation out of him as to what he saw as being a 'run-time check'). He also was intending to place hard limits on several things, including making all types have defined ranges, and that the behavior on an over- or underflow would have to be defined for each type (similar to how Ada handles numeric types) - with the default being that any code which could overflow would cause a compiler error (which is rather different from the exception based approach most other languages with such requires use).

You do gain some Gentoo-esque ability to tune the generated code to the specific system, though in practice the JITs being used are desultory at best in doing so. The performance tradeoffs are neither simple, nor consistent across different programs and platforms (or even just different implementations of the same platform; the optimization of an Intel CPU can be quite different from that of an AMD CPU, or even from that of a different CPU by Intel themselves).

I will mention one web page that had come up in the earlier discussion which might be relevant to Love4Boobies post, however: "Abstract Interpretation in a Nutshell" by Patrick Cousot.

PeterX wrote:

Love4Boobies wrote:... bytecode can help to greatly improve both performance and security...

How so? You mean bytecode in contrast to text? And how security?

The bytecode can be designed in such a way that it makes it impossible to express certain erroneous constructs. You do not have this sort of guarantee for arbitrary machine code running on a traditional platform. You can also design the whole thing with the compiler in mind such that the resulting code makes certain guarantees (a typical example would be negating out-of-bounds array accesses).

EDIT: And what do you think about speed of virtual bytecode in contrast to native bytecode?

Well, bytecode in itself doesn't necessarily have implications for performance. After all, you can simply AOT compile it the same way you usually do with C. With JIT, there are both pro's and con's. For instance, there is some initial translation overhead but since it all happens on the fly, the JIT compiler can make optimizations based on runtime profiling: "Oh, it seems like there's a bias towards this branch in the control flow, let's optimize for that! Oh, the workflow changed? Let's optimize it differently."

I saw Schol-R-LEA answered too so I'm sorry if I repeated anything he's covered already but I have his posts hidden away because his signal-to-noise ratio is horrible. Just walls of text with nothing interesting or relevant to say.