Hacker News

Bytecode VMs in surprising places (2024)

67 points by azhenley last Friday at 2:12 PM | 23 comments

Comments

drob518 today at 1:22 PM

On one hand, all these mini interpreters and compilers are cool. I have a soft spot for extensible systems. On the other hand, all these things are a huge security problem. When every subsystem and data format is carrying around its own Turing complete bytecode and JIT, they all need to be secure and bug free for the system to be secure and bug free. And that's far more code surface to keep clean.

chirsz today at 11:22 AM

SBus peripherals use the Forth language in their PROMs to initialize themselves[1].

[1] https://docs.oracle.com/cd/E19957-01/802-3239-10/sbusandfc.h...

magnat today at 11:13 AM

Some other examples:

- ACPI configuration for power management and platform stuff [1]

- Bitcoin transactions [2]

- TrueType fonts [3]

[1] https://wiki.osdev.org/AML

[2] https://en.bitcoin.it/wiki/Script

[3] https://learn.microsoft.com/en-us/typography/opentype/spec/t...

superjan today at 11:30 AM

How about the infamous iOS hack with a VM implemented in a JBIG2 PDF? https://projectzero.google/2021/12/a-deep-dive-into-nso-zero...

pratikdeoghare today at 9:39 AM

There is one in golang regular expressions https://swtch.com/~rsc/regexp/regexp2.html

I guess that is why you say re.Compile.

ivankelly today at 9:50 AM

Quake had its own VM also

omeid2 today at 9:36 AM

This list is entirely incomplete without mentioning Java Card.

There is a tiny Java Bytecode VM in an insanely large list of places, you can find some of them here:

https://github.com/crocs-muni/javacard-curated-list

https://en.wikipedia.org/wiki/Java_Card

dlojudice today at 1:23 PM

Another World (Out of this world) game had its own bytecode [1]

[1] https://github.com/fabiensanglard/Another-World-Bytecode-Int...

self_awareness today at 10:13 AM

RarVM was used in a previous version of the format, newest RAR has removed it, and RarV5 doesn't have a VM.

ignoramous today at 9:31 AM

TikTok shipping XOR cipher'd bytecode & interp is right up there: https://news.ycombinator.com/item?id=34109771

anthk today at 10:20 AM

yt-dlp's jsinterp.py

https://jxself.org/compiling-the-trap.shtml

I've got subleq+eforth (https://github.com/howerj/muxleq) running in JS which is dead simple to do. No input but I could output ASCII mapping values to an array.

https://esolangs.org/wiki/Subleq

So, yes. yt-dlp runs proprietary YouTube JS code defying the original purpose.

dsecurity49 today at 9:51 AM

[flagged]