21 comments

[ 2.8 ms ] story [ 47.3 ms ] thread
WebAssembly has the power to level the playing field for games distribution. Why do we need Steam, which opposes a 30% tax to developers and only works on PC, whereas the browser is open and platform-agnostic?

This is truly the future of gaming.

Interesting, I am curious how were you able to achieve this, Baldurs Gate 2 is a closed source game, I guess its possible to have written a lifter for LLVM WASM?

But that seems to be an insane effort.

This is using GemRB, which itself is a reimplementation of Bioware's Infinity Engine. GemRB is ported to WASM, and it loads the game demo data in the filesystem. Pure magic, if you ask me :)
so cool! Way more newsworthy than some of the other stuff that gets airtime.
Very Cool! so much more newsworthy than most of the stuff that gets airtime.
Doesn't appear to work using Chrome on Android...
Or Firefox Desktop, they don't pass the required headers to enable Firefox's Spectre mitigations in order to use SharedArrayBuffer. I can't tell if Chrome will require it too, because they already do iframes in separate processes.

https://itch.io/t/1028526/cross-origin-policies-for-webassem... itch.io enabled them globally in the past, but it broke some things.

I believe the general plan is to require the headers in all browsers, for SharedArrayBuffer, including Chrome. (But currently, they work regardless there.)
Flash: well.. I could have done this too if you didn't ghost me
But this way we have it without Flash's much larger security flaws.
I stand corrected.

I thought the whole point of WASM was that it was sandboxed by the browser. Is that not the case, or is it just poorly done?

That is not the case although Web Assembly advocates sell it otherwise, thankfully security researchers are now finally caring to have a deeper look into their claims.

Sandboxing is only part of the solution, it doesn't protect all possible attack vectors.

For example, bounds checking is only enforced on the boundaries of the linear memory segment, not inside it.

So if you have a Web Assembly module, originally written in C, where all memory allocations get mapped into a single linear memory segment, there is no protection against possible corruption of neighbouring data structures.

With this in mind you can indirectly attack a module by providing data to the public APIs that would eventually change the expected results, for example returning an admin token for a security module, instead of a regular one that the API was expected to return for then given user id.