zlacker

[return to "Llama.ttf: A font which is also an LLM"]
1. electr+4e[view] [source] 2024-06-23 14:19:38
>>fugled+(OP)
While cool, technically… From a security perspective today I learned that TrueType fonts have arbitrary code execution as a ‘feature’ which seems mostly horrific.
◧◩
2. samwil+xe[view] [source] 2024-06-23 14:25:55
>>electr+4e
Not really, no more so than a random webpage running js/WASM in a sandbox.

The only output from the WASM is to draw to screen. There is no chance of a RCE, or data exfiltration.

◧◩◪
3. xg15+ei[view] [source] 2024-06-23 14:58:00
>>samwil+xe
It's still horrible, not in a (direct) security but in an interop sense: Now you have to embed an entire WASM engine, including proper sandboxing, just to render the font correctly. That's a huge increase of complexity and attack surface.
◧◩◪◨
4. simonw+Ui[view] [source] 2024-06-23 15:02:31
>>xg15+ei
I'm hoping that in a few years time WASM sandboxes will be an expected part of how most things in general purpose computing devices work.

There's very little code in the world that I wouldn't want to run in a robust sandbox. Low level OS components that manage that sandbox is about it.

◧◩◪◨⬒
5. rft+ps[view] [source] 2024-06-23 16:23:06
>>simonw+Ui
Your comment reminded me of this great talk [1] (humor ofc). While it talks about asm.js, WASM is in may ways, IMO, the continuation of asm.js

[1] https://www.destroyallsoftware.com/talks/the-birth-and-death...

[go to top]