|
Kazinsal posted:well if anything could make me consider pans to not suck... yeah, very impressive spokeswoman to target demographic alignment there.
|
#
?
Jun 16, 2022 00:07
|
|
|
|
| # ? May 18, 2024 13:32 |
|
|
infernal machines posted:iirc you could embed at least scripts and possibly executable code in wmv WMV files supported arbitrary DRM plugins which Windows Media Player or Foundation or whatever would install automatically or with minimal user intervention in the finest ActiveX fashion
|
|
#
?
Jun 16, 2022 00:27
|
|
|
media and image decoders nfamous for being sources of vulnerabilities and browser developers spent millions of dollars trying to find ways to get them into various sandboxes without tanking performance. latest technique I read about was compiling the decoder to webassembly, and then generating equivalent C(++?) from it to compile into the native binary while preserving the webassembly safety semantics.
|
|
#
?
Jun 16, 2022 00:59
|
|
|
it depends on the container and the os, and how the os handles the container, but there's a poo poo ton of code execution vulnerabilities to be had particularly in something like matroska that lets you just plop whatever you want in it. of course that doesn't mean you're automatically vulnerable, but combine it with an exploit in a (for example) jpeg library or something that parses subtitles (usually formatted hypertext or bitmaps) and yeah, it's not hard to see that's ignoring the video codecs themselves too. plenty of RLE codecs are still supported and i'd bet the decoders haven't been worked on in decades
|
|
#
?
Jun 16, 2022 01:01
|
|
|
Subjunctive posted:media and image decoders nfamous for being sources of vulnerabilities and browser developers spent millions of dollars trying to find ways to get them into various sandboxes without tanking performance. latest technique I read about was compiling the decoder to webassembly, and then generating equivalent C(++?) from it to compile into the native binary while preserving the webassembly safety semantics. this would definitely kill performance if they're talking about using WASI (C). it's absolutely slow as poo poo for anything i've tried it with apropos encoding (looking at you, ffmpeg)
|
|
#
?
Jun 16, 2022 01:06
|
|
|
Beeftweeter posted:this would definitely kill performance if they're talking about using WASI (C). it's absolutely slow as poo poo for anything i've tried it with apropos encoding (looking at you, ffmpeg) they aren’t using WASI, or a web assembly runtime. they’re generating and compiling C that implements the same semantics as executing the generated web assembly. it’s shipping in Firefox currently, and performance is fine: https://hacks.mozilla.org/2021/12/webassembly-and-back-again-fine-grained-sandboxing-in-firefox-95/
|
|
#
?
Jun 16, 2022 01:19
|
|
|
Subjunctive posted:they aren’t using WASI, or a web assembly runtime. they’re generating and compiling C that implements the same semantics as executing the generated web assembly. huh, that's actually pretty interesting. it looks like they're just spitting out whatever clang outputs as wasm back to c, which i'm having trouble wrapping my head around what happens when something is called that wasm doesn't support? for example, specific simd instructions aren't supported, threading by default is emulated (although there are implementations with threads, iirc they're not all compatible) and there's no float functionality. if it just falls back to a C implementation, how is that more secure? admittedly i haven't played with wasm/wasi in a long time (year+) so i might be wrong on the details and it's no doubt been updated since then. i realize you said that's not what they're using, too, but compiling something within the constraints of webassembly should be, well, within those constraints, no? Beeftweeter fucked around with this message at 01:43 on Jun 16, 2022 |
|
#
?
Jun 16, 2022 01:41
|
|
|
Subjunctive posted:media and image decoders nfamous for being sources of vulnerabilities and browser developers spent millions of dollars trying to find ways to get them into various sandboxes without tanking performance. latest technique I read about was compiling the decoder to webassembly, and then generating equivalent C(++?) from it to compile into the native binary while preserving the webassembly safety semantics. lets just skip straight to the browser as a type 1 hypervisor and each tab being its own full virtual machine
|
|
#
?
Jun 16, 2022 01:43
|
|
|
Subjunctive posted:they aren’t using WASI, or a web assembly runtime. they’re generating and compiling C that implements the same semantics as executing the generated web assembly. this is very neat though
|
|
#
?
Jun 16, 2022 01:44
|
|
|
hobbesmaster posted:lets just skip straight to the browser as a type 1 hypervisor and each tab being its own full virtual machine some dickhead is probably already doing this in rust
|
|
#
?
Jun 16, 2022 01:47
|
|
|
Beeftweeter posted:what happens when something is called that wasm doesn't support? then it doesn’t work with this technique, I imagine
|
|
#
?
Jun 16, 2022 01:58
|
|
|
Kazinsal posted:some dickhead is probably already doing this in rust embedded systems are actually kinda moving this way. cars for example have different VMs assigned to different parts of screens different but… gently caress it everything is a VM feels like the future
|
|
#
?
Jun 16, 2022 02:00
|
|
|
Kazinsal posted:security fuckup megathread 18.15: some dickhead is probably already doing this in rust
|
|
#
?
Jun 16, 2022 02:05
|
|
|
Subjunctive posted:then it doesn’t work with this technique, I imagine lol, in turn i'd imagine they can't decode (let alone encode) modern video this way then they say they're using this for graphite, hunspell, ogg, expat and woff2. well, fine, the only multimedia encoder/decoder there is ogg. the others probably wouldn't have much of a noticeable performance impact since they're just checking spelling or drawing vectors etc. but even with WASI a year ago you could do real-time encoding with ogg, because it's old as poo poo and isn't something most people are gonna want to use
|
|
#
?
Jun 16, 2022 02:12
|
|
|
|
|
#
?
Jun 16, 2022 02:41
|
|
|
hobbesmaster posted:embedded systems are actually kinda moving this way. cars for example have different VMs assigned to different parts of screens I've heard of MVVM before but this is ridiculous!
|
|
#
?
Jun 16, 2022 03:07
|
|
|
flakeloaf posted:cool beetlejuicing you got there, this hit my inbox this morning they are really having a lot of trouble with recruiting right now. if you're interested, you should apply and see where it goes.
|
|
#
?
Jun 16, 2022 03:22
|
|
|
thats a garbage CJ job you're better than that
|
|
#
?
Jun 16, 2022 03:26
|
|
|
Jonny 290 posted:thats a garbage CJ job you're better than that agreed, but it's very easy to move around internally once you have your foot in the door. it's worth taking what you can get if you're interested in the work, given that lateral movement is relatively easy.
|
|
#
?
Jun 16, 2022 03:34
|
|
|
if you're dumb enough to enable support for all possible things when building ffmpeg then you get a bunch of dumb codecs which are actually basically just a scripting language that some 90s game used to generate sound even with only the sane things enabled, opening untrusted input in ffmpeg outside of a sandbox is sort of terrifying and i've always been amazed that video-based exploits have been as rare as they are
|
|
#
?
Jun 16, 2022 04:13
|
|
|
hobbesmaster posted:lets just skip straight to the browser as a type 1 hypervisor and each tab being its own full virtual machine Someday, we will use our web browsers to run a second web browser inside of it.
|
|
#
?
Jun 16, 2022 04:46
|
|
|
Plorkyeran posted:if you're dumb enough to enable support for all possible things when building ffmpeg then you get a bunch of dumb codecs which are actually basically just a scripting language that some 90s game used to generate sound That you know of.  .mp4
|
|
#
?
Jun 16, 2022 04:49
|
|
|
Plorkyeran posted:if you're dumb enough to enable support for all possible things when building ffmpeg then you get a bunch of dumb codecs which are actually basically just a scripting language that some 90s game used to generate sound even if you don't and just want to use libx264/libx265 (using external hw/sw codecs with wasm is out of the question, i think, but i'd love to be wrong here) it's still going to suck rear end with wasm's limitations, not least of which is because they're optimized with a bunch of architecture-dependent asm yeah, it's technically workable, i've compiled it myself before. it's fine if you don't mind rendering at 0.5 fps
|
|
#
?
Jun 16, 2022 05:18
|
|
|
For the long tail of poo poo codecs that you want to technically support but nobody wants to actually work on, rendering at 0.5fps but with guaranteed security is a pretty good sounding compromise.
|
|
#
?
Jun 16, 2022 07:09
|
|
|
lmao i just remembered about codec packs
|
|
#
?
Jun 16, 2022 07:13
|
|
|
Jabor posted:For the long tail of poo poo codecs that you want to technically support but nobody wants to actually work on, rendering at 0.5fps but with guaranteed security is a pretty good sounding compromise. lol, true enough, but who the hell is using theora video and vorbis audio in an ogv container? not just because it's 2022, i mean that's true at basically any point in time
|
|
#
?
Jun 16, 2022 08:03
|
|
|
spankmeister posted:lmao i just remembered about codec packs
|
|
#
?
Jun 16, 2022 08:04
|
|
|
I can’t get a government job because I smoke a huge amount of weed. Also the pay is poo poo compared to the private sector.
|
|
#
?
Jun 16, 2022 08:06
|
|
|
FlapYoJacks posted:I can’t get a government job because I smoke a huge amount of weed. Also the pay is poo poo compared to the private sector. get a medical card
|
|
#
?
Jun 16, 2022 08:08
|
|
|
Beeftweeter posted:get a medical card Or the government could pay better wages and legalize weed?
|
|
#
?
Jun 16, 2022 08:11
|
|
|
Beeftweeter posted:get a medical card It's still illegal in federal law regardless of medical cards
|
|
#
?
Jun 16, 2022 08:12
|
|
|
FlapYoJacks posted:Or the government could pay better wages and legalize weed? I agree that weed should be legalized but contractors (yes, I know, it's not 100% the same) can make bank
|
|
#
?
Jun 16, 2022 08:13
|
|
|
sometimes, you really need an embedded linux guy and are willing to pay anything because good engineers aren't a dime a dozen but everything's gotta be cool at the federal level so weed is still not cool and it still might take another 4 years before it gets legalized. I don't smoke but I see it as the same level as alcohol
|
|
#
?
Jun 16, 2022 08:15
|
|
|
sb hermit posted:It's still illegal in federal law regardless of medical cards there are plenty of government jobs that don't test. i touched computers for the department of energy in a medical, then recreational state and never got tested. currently touch computers for the state govt in a different state, and again no tests.
|
|
#
?
Jun 16, 2022 08:18
|
|
|
Beeftweeter posted:lol, true enough, but who the hell is using theora video and vorbis audio in an ogv container? Video games and youtube? I think archive.org uses it too. Keep in mind that mp4 is not a free codec and some people are using old rear end servers that don't support vp9 or whatever. And ogv isn't really that popular in any case because it doesn't work on iphone. I think.
|
|
#
?
Jun 16, 2022 08:18
|
|
|
nudgenudgetilt posted:there are plenty of government jobs that don't test. i touched computers for the department of energy in a medical, then recreational state and never got tested. currently touch computers for the state govt in a different state, and again no tests. That's a good point. I guess state agencies set their own rules and I guess some government agencies don't care as well. I was more referring to software development, though. Some federal contractors have a lot of money but sometimes their hands are tied regarding who can work on the code.
|
|
#
?
Jun 16, 2022 08:20
|
|
|
sb hermit posted:That's a good point. I guess state agencies set their own rules and I guess some government agencies don't care as well. my experience is the reality is that the law dictates a drug free workplace, but the only parties interested in enforcing the law are those who are in the business of constantly having to ask for new work (contractors). aside from defense or cleared positions, the agencies themselves don't really seem to give a gently caress. i imagine the majority of compliance from contractors comes from the fact other contractors could use a lack of compliance as leverage. probably an overly cynical view, but *shrug*
|
|
#
?
Jun 16, 2022 08:26
|
|
|
sb hermit posted:Video games and youtube? I think archive.org uses it too. old video games, maybe, the rest? except for archive.org, which also transcodes to h264, i don't see it. keep in mind theora is based on VP3 and vorbis is not opus mp4 is a container (ISO/IEC 14496-14:2003) based on the old quicktime mov format. typically it'd use h264/aac, but it's not uncommon to see hevc/ac-4, dolby atmos, etc. it's also pretty extensible and has lots of attack surfaces, but not as many as regular mov
|
|
#
?
Jun 16, 2022 08:40
|
|
|
another approach to secure format parsing, from the Windows kernel. terrible name though https://www.fstar-lang.org/papers/EverParse3D.pdf
|
|
#
?
Jun 16, 2022 12:57
|
|
|
|
| # ? May 18, 2024 13:32 |
|
|
spankmeister posted:lmao i just remembered about codec packs https://www.youtube.com/watch?v=43shSuenPzU
|
|
#
?
Jun 16, 2022 13:16
|
|
