WebAssembly is an important thing
  • Google, Microsoft, Mozilla and the engineers on the WebKit project today announced that they have teamed up to launch WebAssembly, a new binary format for compiling applications for the web.

    The new format is meant to allow programmers to compile their code for the browser (currently the focus is on C/C++, with other languages to follow), where it is then executed inside the JavaScript engine. Instead of having to parse the full code, though, which can often take quite a while (especially on mobile), WebAssembly can be decoded significantly faster.

    http://techcrunch.com/2015/06/17/google-microsoft-mozilla-and-others-team-up-to-launch-webassembly-a-new-binary-format-for-the-web/

    It took a long time to realize that complex modern sites are very little different from apps (and current technology is poorly suited for this).

  • It's funny how the possibility of running code locally which was loaded from just any foreign server has become popular at the same time that people experience an exponential growth of malicious code aiming to abuse their computers.

    Quite obviously, a programming language that needs to be able to access I/O resources to perform useful tasks cannot really be kept from also being able to do harm. From day 1 JavaScript emerged, it became the primary attack vector to the web users' computers. The idea of circumfencing the code loaded from a remote server in a "sandbox" has never really worked, and most likely never will.

    "WebAssembly" doesn't really change the risk exposure, but it's one step closer to the much older concept of just running a native application downloaded from somewhere, which is after all not really more dangerous when done in a separate user account isolated by the operating system. And without a browser and all this sandbox/virtual machine overhead, downloaded "apps" run even faster.

    I for one would prefer browsers that just decode a small set of well defined data formats for display, and never execute code downloaded from remote.

  • You get almost everything wrong.

    First, JS does not have any access to I/O (only to the library functions that are also intermediary). Actually, all JS is doing in virus and similar attacks is to use some bug and put small native code in memory (via variables on the stack, usually). All actual viruses and malware running on an infected computer have nothing to do with JS.

    Second, WebAssembly won't contain native code. It will be something similar to Java compiled code.

    Third, the move from JavaScript to a virtual machine actually significantly reduces bugs and attack vectors due to reduced complexity.

  • JS does of course have access to I/O, sure that is mostly via library functions, but it doesn't matter to the infected user whether his keystrokes were recorded via some library function or whether the fake PIN-entry dialog he was presented with was rendered via library functions or more direct I/O operations.

    The more people rely on sensitive applications (like e-banking, shopping, mailing etc.) being run from inside a browser, the easier they are exposed to threats by malicious JavaScript code.

    Second, the execution speed of modern JavaScript environments does result from just-in-time compilation into native code. Every bug in that translation opens up additional risks that can be exploited from within the compiled code.

    Lastly, JavaScript as of today already allows to gather information via side channels like RAM access patterns - see http://arxiv.org/pdf/1502.07373.pdf for more on this.

  • @karl

    Yes, JS and some advanced HTML processing parts are attack vectors.

    JIT compilers do NOT add risks. But they add speed. You can check any good book about this.

    The referenced paper is extra weird stuff having almost nothing to do with any practical things.

    Adding something like WebAssembly actually increases security and also increases speed (due to much fewer requests). The security increase comes from the simple fact that you can require a signing check and prevent usage of any other packages or scripts on the site (and JS attacks usually use embedding of one extra external JS file).

  • Well, let's agree to disagree, then. :-)

    The side channel attacks outlined in the paper are a quite real threat, and they are possible especially because JavaScript JIT compilers allow such code to measure timing differences on the order of magnitude caused by cache hits/misses.

    Usage of signatures and encryption is also possible without local execution of downloaded code, securing the HTTP communication via TLS or even other protocols could be done all without it.

  • Usage of signatures and encryption is also possible without local execution of downloaded code, securing the HTTP communication via TLS or even other protocols could be done all without it.

    Well, you can't prevent cancer using condoms.

    Same here. If an attacker embedded rogue JS, it does not matter much if the connection is secure or not, really.

    All current issues with attacks practically used to form botnets come from complexity of HTML5 and JS parts in all modern browsers. If you ask me, I am for fully banning usage of HTML, CSS and JS on all major sites (starting with specific visitors number) and moving to the application model with strict requirement of signing all packages (with site specific certificates).

    It won't happen, of course, as it will make a huge hit on the advertisement, search, government and criminal sectors.

  • Google, Microsoft, and Mozilla? Gosh!

    “People of the same trade seldom meet together, even for merriment and diversion, but the conversation ends in a conspiracy against the public, or in some contrivance to raise prices.”

    Adam Smith, The Wealth of Nations

    (I wonder if there are any second opinions starting to appear yet)

  • This seems like a solution trying to find a problem.

    No matter how much I or everyone hates AppStore, (Play, Apple etc)- they have enabled developers to get paid for writing code. While useful and positive true 'webapps' tech is not linked to an environment- so I doubt developers will spend much time on it- unless they are getting paid.

    So Facebook will code a WebAssembly app for users that don't have iPhones, Windows phones or Android? What are they using for Facebook? Jailbroken iPhones running Linux? ;-)

    This is a great talk by Eric Meyer

  • @alcomposer

    I think you mixed up all things.

    All modern sites already use tons of JS. The whole point of this technology is to be able to pack compiled code and corresponding data and pass it directly to the JIT. From the user's POV all you see is faster sites.

    As for how Apple "enabled developer" to get paid. It is plain and utter bullshit. You can just search around for statistics (developers income in AppStore and all else) and research explaining how market worked without Apple.

  • Whatever compilation standard gets developed, we all benefit if it gets W3C standards status - and there's no signs that it won't.

    Rather, as you kind of alluded to, Apple - and indeed Facebook - are conspicuously absent. (is this latest Assembly compilation project somehow not in keeping with the business model they have in mind?)

    In the past, Microsoft was the rogue, big enough to flex its muscles and have us all dance to its tune: we'd code perfectly compliant xml for all browsers - and then start all over again for Microsoft's non-compliant Internet Explorer. Same again? Another serve of fractured web, anybody?

    I'll be watching this space.

  • @VK I totally know the new HTML5 model of the web: CSS HTML JS. My point has been lost- let me explain.

    I am totally excited about this tech.

    However we all have seen the 'app' craze. Companies now commission apps for frontends, with generic backends.

    This is a great new tech that will work very well, and should happen.

    But what is the tech environment that this tech is entering into? The web browser is dying as we type this; there seems to be an app for everything.

    No matter how much I use Firefox - chrome- or whatever - I am only one person. Tech only gets valued and maintained if people use it.

    I can not see a future where people will re-discover the browser, and I don't think trying to make webapps more advanced will fix this problem.

  • Yep. The last 7 years look like a big mess.

  • [Image: Protocol type distribution, Germany 2007]

  • @goanna, P2P is dead in water. I suspect that streaming services (netflix etc.) will take over this space. And it will be taken over with some sort of app. (on a TV Box- or iPad etc)

    This is the state of the PC/Notebook/Tablet landscape. I really doubt that users will swap the 'facebook' app for the 'facebook' webapp on their iPad/Nexus/Windows Phone/Ubuntu Watch whatever.

    Furthermore Apple and other manufacturers could actually block this tech so as not to enable other appstore experiences. (Does anyone remember flash? But then I suppose that is different.)

  • @alcomposer as much as I see merit in all your observations, I think we'd be naive to assume that this enormous www collaboration effort being mooted is just about browsers - or that they've decided to ignore touch devices or apps.

    That has deep implications in today's app-obsessed world. All too often, developers and users are forced to pick hardware-oriented sides—Apple’s iOS and OS X, Google’s Android, Microsoft’s Windows, or another platform. If WebAssembly works to usher in powerful Web apps, developers tired of making (or remaking) apps to suit specific platforms could have a way off the porting merry-go-round. readwrite.com

    I do think there are some exciting ways IT can work towards a more elegant way to cope with ever-increasing net complexity. Until now, a whole lot has indeed been server-side and this is a whole new ball-game and my concerns, as I've said, are as follows:

    • Follow the money. (Might these collaborators be looking -heaven forbid- for better ways to profile, data-mine and sell?)

    • OSes. Everything these days is Unix-ish except Windows. Whatever works on Android will easily adapt to Apple, Chrome (- and now Linux), but the wasm solution will still have to be produced in a Windows version as well - and probably incur limitations in the process. This explains why Microsoft is keen to be in at ground floor level - and, to my mind...

    • This latest attempt at compiling could be a non-starter.

  • @goanna when the iPhone was first released, there were no native apps. Steve believed that one could simply have 'web apps' that would function like native apps. WebAssembly is basically re-introducing this concept. I totally understand why it's happening, and personally I hate appstores of all kinds. But you can't argue with users wanting simpler and faster experiences. Most people don't want to navigate around the web anymore; they want a curated experience. I don't want a curated experience, but when I see how family and friends use the web and apps it's a different story.

    What I am trying to articulate (and most probably badly) is that this is all nice, but the ship has sailed. Unless there is a tipping point the other way, I can't see this making a dent. I also doubt that the developers of WebAssembly care if it's 2x as fast; I wager that they are more interested in feature sets. Considering how much technical debt we have gotten ourselves into, investing time and cash into a technology that gets you a 2x as fast web banner isn't really that super, but having a really smart web banner with app-like features, then that is something.

    YMMV

  • @alcomposer

    You are fighting so hard with ... windmills :-)

    The thing described here is intended for developers to improve things that clearly need improving.

    It is also quite clear from an economical POV that very specific apps for many different mobile OSs will die in the long term. We are already down to two OSs. Add here one sudden major error by Apple and we will be down to one.

    As for "web and family": there was a quite famous experiment where, among a big group, a small number of people started going clockwise and with time all people started doing it; they changed direction and, with a delay, all people did the same.

  • @Vitaliy_Kiselev I suppose I have a very jaded view of the future of computing. It is all too hard for most people.

  • Thanks for that second link, @Vitaliy_Kiselev. It gave me a few wry smiles while nerding-out over my morning coffee