Web Security and Wasm at The Tech Sessions

We had a couple of great talks at the Tech Session yesterday. If you are in the Hull area you should keep an eye on what they are doing. You can find them here. The first talk was from John Smith (yes, that is his real name). It had the title “Your cloud got hacked, and they like it”. John is a senior security architect and did a great job of explaining just how vulnerable cloud applications are to bad actors. He put the bad actors into categories, from the “Chancer” (there for the money, only knows how to use freely available tools) all the way up to the “Ghost” (has the tools, skills and persistence to live in your systems indefinitely without being detected). Things I took away from the talk:

  • There are freely available tools that make it easy to do things like search GitHub repositories for keys to online resources. Use them yourself to see if you are vulnerable. Start with GitLeaks and remember that the bad guys use these all the time.

  • Avoid using long term credentials. And change them regularly - like your underwear.

  • Monitor your resource usage to detect changes. And set limits.

  • Don’t have “one ring to bind them all”. Put different resources under different accounts.

  • Code is a depreciating asset. You must budget for the effort needed to keep it up to date and secure (and to test for security).

  • Open source can be dangerous. Bad actors will target tools used by millions of applications to inject malware into your systems.

  • Developer systems in a company are the holy grail for hackers. They usually have lots of extra permissions and interesting source files on them.

  • At the end of the day it is all about Risk (how surprising). Actively attack the security risks you are running, and keep looking for new ones.

Next up was a talk from Joe Axon. This content was a little more relaxing (at least for me) but no less interesting. Joe was talking about using WebAssembly (Wasm) to write games that can run on your machine in your browser. Running programs in your browser usually means JavaScript, which is a great language but not really good for games. JavaScript is a scripting language. It contains lots of high level abstractions and behaviours that are kind of hard to convert into simple machine code. WebAssembly (or Wasm) is a simple stack based language which, from the examples Joe showed us, is very close to what hardware does. This makes it very easy to convert into native machine code that runs at much higher speed. Things I took away from the talk:

  • Wasm is stack based and looks like assembler to me. The text format (i32.add, etc.) is deliberately low-level and easy for humans to read if you’ve seen assembly before.

  • Wasm looks very easy to convert into machine code.

  • It supports integers, floats and blocks of data (although there are now SIMD - single instruction, multiple data - vectors too). Anything else you have to structure yourself.

  • You have to do all your input and output (including the display) by passing blocks of data between Wasm programs and JavaScript. The code to do this looks easy to use, but comes at a price in terms of performance.

  • You can get compilers that take most high level languages you’ve heard of and convert them into Wasm - making this an interesting way of getting things like C++ or Rust to run in a browser at a sensible speed.

  • There is a tool (KNI) that can take XNA games (written for MonoGame) and, after a bit of fettling, create Wasm code that runs at speed in the browser.
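As an added example (not from Joe’s talk or the original post), here is a hand-assembled Wasm module that shows both points above: the stack-based `i32.add`, and the pattern of sharing a block of data with JavaScript by writing it into the module’s linear memory and passing (pointer, length). The module bytes, the `add`/`sum`/`mem` export names and the JS wrappers are all constructed here for illustration.

```javascript
// Hand-assembled Wasm binary (constructed for this example). It exports:
//   add(a, b)      -> a + b, the i32.add example from the talk
//   sum(ptr, len)  -> adds `len` i32 values read from linear memory at `ptr`
//   mem            -> one 64 KiB page of linear memory shared with JavaScript
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,       // magic "\0asm", version 1
  // Type section: one signature (i32, i32) -> i32, used by both functions
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,
  // Function section: two functions, both of type 0
  0x03, 0x03, 0x02, 0x00, 0x00,
  // Memory section: one memory, minimum 1 page, no maximum
  0x05, 0x03, 0x01, 0x00, 0x01,
  // Export section: "add" (func 0), "sum" (func 1), "mem" (memory 0)
  0x07, 0x13, 0x03,
  0x03, 0x61, 0x64, 0x64, 0x00, 0x00,
  0x03, 0x73, 0x75, 0x6d, 0x00, 0x01,
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,
  // Code section: two function bodies
  0x0a, 0x35, 0x02,
  // add: local.get 0; local.get 1; i32.add; end  (pure stack machine)
  0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,
  // sum: one extra i32 local (acc); block { loop { ... } }; return acc
  0x2b, 0x01, 0x01, 0x7f,
  0x02, 0x40, 0x03, 0x40,                              // block; loop
  0x20, 0x01, 0x45, 0x0d, 0x01,                        // if len == 0 break out of block
  0x20, 0x02, 0x20, 0x00, 0x28, 0x02, 0x00, 0x6a, 0x21, 0x02, // acc += i32.load(ptr)
  0x20, 0x00, 0x41, 0x04, 0x6a, 0x21, 0x00,            // ptr += 4
  0x20, 0x01, 0x41, 0x01, 0x6b, 0x21, 0x01,            // len -= 1
  0x0c, 0x00, 0x0b, 0x0b,                              // br loop; end loop; end block
  0x20, 0x02, 0x0b,                                    // local.get acc; end
]);

const { exports } = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));

// i32 arithmetic wraps: add(0x7fffffff, 1) comes back to JS as -2147483648.
function wasmAdd(a, b) {
  return exports.add(a, b);
}

// Copies a JS array into linear memory at byte offset 0, then hands Wasm the
// (pointer, length) pair. Wasm only sees bytes, so the caller must check that
// the data fits before writing; an out-of-range write here would just throw.
function wasmSum(values) {
  if (values.length * 4 > exports.mem.buffer.byteLength) {
    throw new RangeError('data does not fit in the Wasm linear memory');
  }
  new Int32Array(exports.mem.buffer, 0, values.length).set(values);
  return exports.sum(0, values.length);
}
```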

So, after a really interesting evening I drove home thinking about scanning my repositories and porting some of my old games to the web. Great stuff.