On 10/8/10 9:21 PM, Dirk Pranke wrote:
On Fri, Oct 8, 2010 at 2:04 PM, Paul D. Fernhout
<pdfernh...@kurtz-fernhout.com> wrote:
It's totally stupid to use JavaScript as a VM for "world peace" since it
would be a lot better if every web page ran in its own well-designed VM and
you could create content that just compiled to the VM, and the VMs had some
sensible and secure way to talk to each other and respect each other's
security zones in an intrinsically and mutually secure way. :-)
"Stating the 'bleeding' obvious (security is cultural)"
http://groups.google.com/group/diaspora-dev/msg/17cf35b6ca8aeb00
You are describing something that is not far from Chrome's actual
design. It appears that the other browser vendors are moving in
similar directions. Are you familiar with it? Do you care to elaborate
(off-list, if you like) on what the differences between what Chrome
does and what you'd like are (apart from the JavaScript VM being not
particularly designed for anything other than JavaScript)?
Yes, there are similarities, you are right. I'm not familiar in detail
because I have not used Chrome or looked at the code, but to my
understanding Chrome does each tab as a separate process. And typically (not
being an expert on Chrome) that process would run a rendering engine (or
maybe not?), JavaScript (presumably?), and/or whatever downloaded plugins
are relevant to that page (certainly?).
From:
http://en.wikipedia.org/wiki/Google_Chrome
"Chrome will typically allocate each tab to fit into its own process to
"prevent malware from installing itself" and prevent what happens in one tab
from affecting what happens in another, however, the actual
process-allocation model is more complex.[49] Following the principle of
least privilege, each process is stripped of its rights and can compute, but
cannot write files or read from sensitive areas (e.g. documents,
desktop)—this is similar to the "Protected Mode" used by Internet Explorer
on Windows Vista and Windows 7. The Sandbox Team is said to have "taken this
existing process boundary and made it into a jail";[50] for example,
malicious software running in one tab is supposed to be unable to sniff
credit card numbers entered in another tab, interact with mouse inputs, or
tell Windows to "run an executable on start-up" and it will be terminated
when the tab is closed.[15] This enforces a simple computer security model
whereby there are two levels of multilevel security (user and sandbox) and
the sandbox can only respond to communication requests initiated by the
user.[51] Typically, plugins such as Adobe Flash Player are not standardized
and as such, cannot be sandboxed as tabs can be. These often need to run at,
or above, the security level of the browser itself. To reduce exposure to
attack, plugins are run in separate processes that communicate with the
renderer, itself operating at "very low privileges" in dedicated per-tab
processes. Plugins will need to be modified to operate within this software
architecture while following the principle of least privilege.[15] Chrome
supports the Netscape Plugin Application Programming Interface (NPAPI),[52]
but does not support the embedding of ActiveX controls.[52] On 30 March 2010
Google announced that the latest development version of Chrome will include
Adobe Flash as an integral part of the browser, eliminating the need to
download and install it separately. Flash will be kept up to date as part of
Chrome's own updates.[53] Java applet support is available in Chrome with
Java 6 update 12 and above[54]. Support for Java under Mac OS X was provided
by a Java Update released on May 18, 2010.[55]"
So, yes, especially from a security aspect, there is a lot of overlap.
http://www.google.com/chrome/intl/en/more/index.html
http://www.google.com/chrome/intl/en/more/security.html
"Google Chrome includes features to help protect you and your computer from
malicious websites as you browse the web. Chrome uses technologies such as
Safe Browsing, sandboxing, and auto-updates to help protect you against
phishing and malware attacks."
Of course, we use Firefox and NoScript to do some of that just with
JavaScript. I haven't installed Chrome in part just for concerns that it is
too much power for Google to have over my life. :-) But I've though about it
precisely for that feature of seperate processes. But Firefox has been
adding running plugins in separate processes, so that is a step in that
direction, too.
But, that's still not the same as having a common Virtual Machine for each
tab, where you can expect to have, say, a JVM available to run the code for
that page that meets some standards (even as you could have one installed in
many situations essentially as a plugin, but 30% coverage or whatever is not
100% coverage). And you'd need a VM optimized so there is essentially very
little cost in time or memory to create and dispose of hundreds of these VMs
(which is probably not yet the case for the JVM, although it continues to
improve -- a big advantage I've heard of, say, PHP over Java for CGI has
been that it starts fast because so much is precompiled, even if Java is
faster once it gets going). I don't know the current state of JVM startup
optimization other than that it has been getting a lot better in loading
(especially with version 6), but it still, to my understanding, can start
running as fast as, say, a Squeak VM that just maps an object memory file
using virtual memory and gets going? Also, I think the JVM still takes a
bunch of memory even just to start up? Anyway, I would expect Java will
continue to improve in that way. But, that's all future stuff.
Personally, I also think the browser itself should be written in a language
like something that runs on the JVM or something other VM, something with
garbage collection, in order to reduce the security risks of memory-related
and pointer-related programming errors in the rendering engines. The fact
that Chrome is written in C++ probably makes in fundamentally insecure. :-)
Here is a random file in C++ from the project:
http://src.chromium.org/viewvc/chrome/trunk/src/base/json/json_writer.cc?revision=54359&view=markup
Do I want to check that for memory leaks or misused pointers and so on?
Boring and tedious. So 1980s. :-) And even then you could use ObjectWorks or
Lisp. :-) So, in that sense, Chrome is obsolete. The best they could do
someday is maybe use OMeta to translate parts of it to something else. :-)
And I'm not just joking -- it is not unreasonable for me, as an end user, to
say that I would rather have software than ran half the speed but was not
going to keep having random security problems in years to come every time
someone changes it and forgets an asterisk or a bounds check somewhere. Oh,
sure there are tools, and there is testing, and so on. But then we are into
the fact that if developers are worrying about all that, they'll probably
make some other security error. And example alternative:
http://lobobrowser.org/java-browser.jsp
"Lobo is an open source web browser that is written completely in Java. "
So, in any case, whether Chrome is already obsolete for security
considerations or not, right now, you are still stuck with JavaScript as the
universal VM in Chrome, and not instead something that you could optimize
more like Java's JVM or VisualWork's VM, or Forth, or something else. Well,
it looks like Flash is getting bundled in(?), but Flash is not especially
open as a VM (even if you could use haXe or something like that with it).
You don't have a reliable alternative where you would not necessarily have
that 100X performance penalty of using JavaScript for looping or floating
point calculations (or whatever the penalty is now with optimization work
going on fast and furious). Although maybe that is changing, as with those
comments about what is going on since May -- but it still seems like a
separate install for Java?
http://www.java.com/en/download/faq/chrome.xml
And of course, not everyone is running Chrome. I'd be surprised if it had
more than 5% marketshare? Or even 1%? Well checking it, I am surprised, it
has 7% according to this:
http://marketshare.hitslink.com/
"In daily tracking, Chrome 6.0 is topping 7% of global browsing share since
being released on September 2nd. All other versions of Chrome have dropped
to near zero global share in the meantime. The almost complete migration of
users to 6.0 occurred within three weeks."
Of course, autoupdates are another potential security problem. :-) Sooner or
later, everything is going to get autoupdated to malware. :-( That's another
peril of rapid development and systems that are not designed modularly with
lots of firewalls in the first place (like if Google Chrome was just some
Jar files for a reliable and rarely changing JVM and all running in
sandboxes). Anyway, just more reality-checking issues for "the future of
computing" -- dealing with security and how people actually upgrade software
(and maybe giving people a better way to do that).
Maybe in a year or two all major OS's will have the JVM installed and so you
could ask people who visit your site to download just Chrome? But will
Windows have the JVM installed by default? I don't know and I would think
not? Still, in practice it might be installed already for something else?
But then will Chrome be configured to use it?
Anyway, the fact that it's not easy to know that is why what Chrome is doing
is not identical to what I suggested. It's compatible (like if Google got
Windows and all GNU/Linux distributions to have Java installed and
configured with Chrome), but it's not identical. And until it is, we are
left with JavaScript.
Also, it's not clear off hand how you would get different JVMs to talk to
each other in a browser like Chrome? It might be easily doable, but I'm not
sure if it has actually been done in Chrome, like to make a more complex
application or support multiple cores with VMs than were sending messages to
each other?
Anyway, just lots of unknowns for me. But a good question.
Of course, then one may ask, does it run on the Android and the iPhone?
JavaScript again is what you might expect there.
It's hard to think about how something new gets the social momentum to
overcome the hurdle of JavaScript now being entrenched everywhere people
spend most of their time at the computer -- there is even JavaScript plugins
in, say, the Thunderbird email client I use to write this. It really is
almost everywhere.
Now, there are problems of the VM approach too, even if every web browser
maker did agree to bundle in the JVM with their browser in a way that would
let everyone write to the JVM with Java, JavaScript on Rhino, Scala,
Clojure, or whatever FONC produces that can translate to the JVM. Right now,
unless people take pains to obfuscate their JavaScript, you can probably
read whatever is on a web page as an end user, and the code can even be
indexed by a search engine (in theory, though I would expect most skip it?).
But if people are writing things that are precompiled for a VM (JVM, Flash,
or whatever) then you may not get the source and also web pages may not be
accessible (unless the author makes the source available anyway or creates
related semantic content for the page that is textual that can be used in
parallel with the compiled code). So, that's actually a good side of how
JavaScript is used in practice, that the "view source" key really works. And
that's a big way people learn about JavaScript, HTML, and CSS, beyond
tutorials in the web browser itself:
http://www.w3schools.com/js/default.asp
But ultimately, I'd hope we could move to, like John says, beyond "writing
applications as if they were still single-tier IBM computers from the
1970s/80s" at least for most things. (I still think many simulations may
likely fall in that category for a long time.) And that means probably
writing much more sophisticated clouds of cooperating web pages and related
servers (or other communications infrastructure).
--Paul Fernhout
http://www.pdfernhout.net/
====
The biggest challenge of the 21st century is the irony of technologies of
abundance in the hands of those thinking in terms of scarcity.
_______________________________________________
fonc mailing list
fonc@vpri.org
http://vpri.org/mailman/listinfo/fonc
