zlacker

>>fugled+(OP)
While cool, technically… From a security perspective today I learned that TrueType fonts have arbitrary code execution as a ‘feature’ which seems mostly horrific.

>>electr+4e
Not really, no more so than a random webpage running js/WASM in a sandbox.

The only output from the WASM is to draw to screen. There is no chance of a RCE, or data exfiltration.

>>samwil+xe
It's still horrible, not in a (direct) security but in an interop sense: Now you have to embed an entire WASM engine, including proper sandboxing, just to render the font correctly. That's a huge increase of complexity and attack surface.

>>xg15+ei
I'm hoping that in a few years time WASM sandboxes will be an expected part of how most things in general purpose computing devices work.

There's very little code in the world that I wouldn't want to run in a robust sandbox. Low level OS components that manage that sandbox is about it.

>>simonw+Ui
Normalizing the complexity doesn't make it go away.

Ideally, I'd like not to execute any kind of arbitrary code when doing something mundane as rendering a font. If that's not possible, then the code could be restricted to someting less than turing complete, e.g. formula evaluation (i.e. lambda calculus) without arbitrary recursion.

The problem is that even sandboxed code is unpredictable in terms of memory and runtime cost and can only be statically analyzed to a limited extent (halting problem and all).

Additionally, once it's there, people will bring in libraries, frameworks and sprawling dependency trees, which will further increase the computing cost and unpredictability of it.

>>xg15+qk
That's why I care so much about WebAssembly (and other sandbox) features that can set a strict limit on the amount of memory and CPU that the executing code can access.