All these heavy-weight, closed, possibly-backdoored CPU’s people are using these days for BCHS stacks. I’d rather just macro-assembler it on a GPL’d CPU I can customize and understand. Open cores also let you do other neat things to improve security later on.
My biggest concern is not actually how vulnerable does it leave my system, but how open to attack am I left from other vectors, traditional to web application security stuff. Did my carelessness in dealing with memory leave me open to an open redirect, and thereby phishing? Did I do the right thing to prevent session fixation when dealing with cookies? Did I stop CSRF properly? Did I leave myself open to a hard to spot SQL injection? Did I properly quote output to avoid XSS attacks?
These are the more scary things, as most attackers will start here, assuming the application is written in a safer language, and thereby harder to get an RCE. You obviously still need privsep, chroot isolation and things like that, but they’re secondary, in a lot of ways, to a hardened web application in the current climate.
I’m all for “hipster free” development. But writing webapps in C is (putting potential security issues aside) just not as productive as using a higher level language like Python/Ruby/Golang/etc. .
Although, I like the motivation behind this website. The web development community really tends to hipsterize development when things could be simpler.
I’m not quite sure if this is meant as a joke or not.
On the one hand, I totally see a resurgence of “let’s just use 4 basic operating system functionalities and not invent every part of it” (which, by the way, I fully subscribe to, most web pages don’t need technical innovation and could live with a lot less moving parts).
On the other hand, there’s stuff like this:
Anybody can write crappy, bug-ridden and insecure code. In any language. Good news: with C, it’s even easier! So familiarise yourself with common (and common-sense) pitfalls noted in the SEI CERT C coding standard and comp.lang.c FAQ.
and the example feels a bit… well… overly simple. :D
(I’ll fix the manpage links—thanks!) I’d seen the SVN version. Any way you can break that out as a separate library (may I suggest “stspsql”?) so other folks can use it? Missed you all at bsdcan!
Way back when, I worked for a company during the dot-com boom, and that company (Company 1) acquired another company (Company A).
Company A was a free web page hosting service. A coworker of mine was assigned the task of taking over their technology stack (apparently it was written by a founder, who no longer wanted any part of it). The whole thing was written in C.
Not only was it all in C (we were a Perl shop at the time, with a little bit of Java creeping in around the edges), but the entire site (signup, login, html editor, file upload, admin screens, etc) was all a single binary.
A single binary named “a.out”.
Which, we were told, stood for “Company A”.out.
My poor coworker wrestled with this code for the rest of his time at this job. He is scarred to this day.
This is why I’m predisposed against C as a web implementation language, even though rationally I know it was an extreme case, two decades ago.
Not sure what details would be pertinent, aside from the company names. I doubt I’m under any enforceable NDA at this point, so I’ll go ahead and give those. I worked for Tripod (one of the top three free web page hosts), which was owned by Lycos (a portal company which was relevant at the time, but not so much any more), and they acquired Angelfire (another of the top three free web page hosts). Angelfire at the time was run by a tiny number of people (possibly 2? possibly more, but <10), and Lycos handed off all operation to us at Tripod.
FCGI is in the standard library for Go and I have used it with openbsd and httpd on my in development side project https://sftpplease.io/. It works pretty well, but for my file sharing server it’s performance was too bad (5x slower downloads than just via the Go server) and I haven’t had time to investigate yet.
I also think there was a bug in either httpd or go causing connections to time out after 1 minute no matter what I set the client timeout to in httpd.conf.
I like it. There are clearly performance downsides to CGI (and does httpd support concurrent requests to a single FastCGI backend?), but I could see myself using this for a lot of real-world projects where those downsides don’t matter.
I think the key takeaway from this project is that while C-based CGI web applications have traditionally been a security minefield, there are now fewer mines in that field thanks to usable sandboxing mechanisms like OpenBSD’s pledge(2) and wrappers like kcgi. Developers still need to worry about vulnerabilities that could leak or change internal application state, but the application itself can be fairly well contained without dealing with containers/jails.
As far as I can tell from browsing the source code to httpd it does not support concurrent (fastcgi multiplex) requests to a single fastcgi backend. I don’t think nginx supports this either though. For higher performance you might just need to use proxy_pass in nginx which does support concurrent requests.
My favourite part about BCHS is watching folks come out of the woodwork to argue about C.
Fully hipster compliant if you ask me :D
C’s a little too mainstream.
So I’m porting my code to this obscure assembler. You’ve probably never heard of it.
Were you doing a Leon3 port, too?
http://soc.microsemi.com/products/ip/search/detail.aspx?id=635
All these heavy-weight, closed, possibly-backdoored CPU’s people are using these days for BCHS stacks. I’d rather just macro-assembler it on a GPL’d CPU I can customize and understand. Open cores also let you do other neat things to improve security later on.
https://people.csail.mit.edu/nickolai/papers/zeldovich-loki.pdf
Previous discussion.
My biggest concern is not actually how vulnerable does it leave my system, but how open to attack am I left from other vectors, traditional to web application security stuff. Did my carelessness in dealing with memory leave me open to an open redirect, and thereby phishing? Did I do the right thing to prevent session fixation when dealing with cookies? Did I stop CSRF properly? Did I leave myself open to a hard to spot SQL injection? Did I properly quote output to avoid XSS attacks?
These are the more scary things, as most attackers will start here, assuming the application is written in a safer language, and thereby harder to get an RCE. You obviously still need privsep, chroot isolation and things like that, but they’re secondary, in a lot of ways, to a hardened web application in the current climate.
I’m all for “hipster free” development. But writing webapps in C is (putting potential security issues aside) just not as productive as using a higher level language like Python/Ruby/Golang/etc. .
Although, I like the motivation behind this website. The web development community really tends to hipsterize development when things could be simpler.
I’m not quite sure if this is meant as a joke or not.
On the one hand, I totally see a resurgence of “let’s just use 4 basic operating system functionalities and not invent every part of it” (which, by the way, I fully subscribe to, most web pages don’t need technical innovation and could live with a lot less moving parts).
On the other hand, there’s stuff like this:
and the example feels a bit… well… overly simple. :D
http://www.learnbchs.org/easy.html
(I mean, in which sense is just writing raw HTTP to the output stream less magical then using a specific library for it?)
As linked: tutorial 1, tutorial 2. Especially see the latter.
Hi Kristaps! Good stuff.
Just a heads-up, https://kristaps.bsd.lv/ksql/ksql.3.html links to other ksql man pages on man.openbsd.org which don’t exist there.
If you are still looking sqlite wrapper API ideas, SVN has an internal sqlite wrapper that I found fairly easy to get used to: https://svn.apache.org/viewvc/subversion/trunk/subversion/include/private/svn_sqlite.h (Though it may not be as minimalist as you would like :)
(I’ll fix the manpage links—thanks!) I’d seen the SVN version. Any way you can break that out as a separate library (may I suggest “stspsql”?) so other folks can use it? Missed you all at bsdcan!
Way back when, I worked for a company during the dot-com boom, and that company (Company 1) acquired another company (Company A).
Company A was a free web page hosting service. A coworker of mine was assigned the task of taking over their technology stack (apparently it was written by a founder, who no longer wanted any part of it). The whole thing was written in C.
Not only was it all in C (we were a Perl shop at the time, with a little bit of Java creeping in around the edges), but the entire site (signup, login, html editor, file upload, admin screens, etc) was all a single binary.
A single binary named “a.out”.
Which, we were told, stood for “Company A”.out.
My poor coworker wrestled with this code for the rest of his time at this job. He is scarred to this day.
This is why I’m predisposed against C as a web implementation language, even though rationally I know it was an extreme case, two decades ago.
Are there any details that could be shared regarding this?
Not sure what details would be pertinent, aside from the company names. I doubt I’m under any enforceable NDA at this point, so I’ll go ahead and give those. I worked for Tripod (one of the top three free web page hosts), which was owned by Lycos (a portal company which was relevant at the time, but not so much any more), and they acquired Angelfire (another of the top three free web page hosts). Angelfire at the time was run by a tiny number of people (possibly 2? possibly more, but <10), and Lycos handed off all operation to us at Tripod.
[Comment removed by author]
Well why not just use relayd and the HTTP libraries then? No reason to bother with the CGI aspect.
cgi makes web serving more orthogonal imo. however hard it is to do in go, idk
FCGI is in the standard library for Go and I have used it with openbsd and httpd on my in development side project https://sftpplease.io/. It works pretty well, but for my file sharing server it’s performance was too bad (5x slower downloads than just via the Go server) and I haven’t had time to investigate yet.
I also think there was a bug in either httpd or go causing connections to time out after 1 minute no matter what I set the client timeout to in httpd.conf.
IIRC a pure-go fileserver will use sendfile under the hood, whereas the FCGI fileserver would have to copy it.
Thank makes sense, thanks for the info.
Let me try one for embedded web:
JAWS - JX OS architecture + Ada Web Services
https://en.m.wikipedia.org/wiki/JX_(operating_system)
I like it. There are clearly performance downsides to CGI (and does httpd support concurrent requests to a single FastCGI backend?), but I could see myself using this for a lot of real-world projects where those downsides don’t matter.
I think the key takeaway from this project is that while C-based CGI web applications have traditionally been a security minefield, there are now fewer mines in that field thanks to usable sandboxing mechanisms like OpenBSD’s pledge(2) and wrappers like kcgi. Developers still need to worry about vulnerabilities that could leak or change internal application state, but the application itself can be fairly well contained without dealing with containers/jails.
As far as I can tell from browsing the source code to httpd it does not support concurrent (fastcgi multiplex) requests to a single fastcgi backend. I don’t think nginx supports this either though. For higher performance you might just need to use proxy_pass in nginx which does support concurrent requests.
IIUC, FastCGI has no notion of flow control when multiplexing connections, which seems a little scary if you have high load.
I am very curious what people mean by “hipster-free” development. It always seems like elitism to me.
https://en.wikipedia.org/wiki/Poe%27s_law ;)
I’ve tried this kind of thing a few times and it’s never been as much fun as just using a framework. Not worth it.
kwebapp