[fpc-pascal] WebAssembly Target

Karoly Balogh (Charlie/SGR) charlie at scenergy.dfmk.hu
Thu Mar 16 15:45:15 CET 2017


On Thu, 16 Mar 2017, Graeme Geldenhuys wrote:

> And this brings me to my next worry. As far as I understand, WebAssembly
> is C (for now - other languages to follow) compiled into WebAssembly
> bytecode. So now we have C code with all its pointer access, buffer
> overflow issues etc running in the web browser space - at least Java
> Applets were a lot safer in that regards, and Java Applets require
> explicit signed executables and granted permission by the end-user (per
> app, per domain etc). WebAssembly just runs - no questions asked.

Yes. Much like your average Javascript snipet. But even if it's compiled
from C (or Pascal, eventually... :P), it doesn't mean it can just poke
pointers whereever it feels like, there are several protection layers
between the bytecode and the native code, the JIT engine itself, the
browser, and the OS. Also, most browsers run most pages in isolation
anyway. I agree though that some kind of code signing would be benefical.

Also, the major problem with Java and other plugins security faults were,
that the organizations behind them moved with glacial speed, and sometimes
(Flash, Silverlight) they were even closed source, which made it
impossible for browser vendors to act quickly and patch things up. None of
this is true for WebAssembly.

> Then we have the issue of code being obfuscated when compiled into
> bytecode. So now it is even harder to detect malicious code.

There are already decompiler tools for WebAssembly, which translate the
bytecode back into the AST or even some JS-alike syntax. It's not that
much less human readable, than a deobfuscated JS code, which someone ran
through an obfuscator before, IMO.

> It seems I am not alone in thinking this way. Just read the comments
> posted at the link listed in the first message of this thread.

I think there's still a master switch to disable this in the browsers. I'm
sure there'll be tricky attacks, but these happen with normal JS anyway.
But I don't think it'll be such a disaster as people predict. (And I'm
usually quite pessimistic about such things.)


More information about the fpc-pascal mailing list