l4v VS BrowserBoxPro

> C/C++ can be made memory safe

.. but it's much harder to prove your work is memory safe. sel4 is memory safe C, for example. The safety is achieved by a large external theorem prover and a synced copy written in Haskell. https://github.com/seL4/l4v

Typechecks are form of proof. It's easier to write provably safe Rust than provably safe C because the proofs and checker are integrated.

You can't really retrofit safety to C. The best that can be achieved is sel4, which while it is written in C has a separate proof of its correctness: https://github.com/seL4/l4v

The proof is much, much more work than the microkernel itself. A proof for something as large as webP might take decades.

When something like the seL4 microkernel is formally verified, the remaining bugs should only be bugs in the specification, not the implementation.

seL4 specifications and proofs are not a programming language.

Yes, especially 'logically impossible' when you dig into the details. From the blogpost:

> and the kernel modifications to seL4 that can reclaim the memory used by the rootserver.

MMMMMMMMMMMkkkkkk. So you then have to ask: were these changes also formally verified? There's a metric ton of kernel changes here: https://github.com/AmbiML/sparrow-kernel/commits/sparrow but I don't see a fork of https://github.com/seL4/l4v anywhere inside AmbiML.

I mean, it does also claim to be "almost entirely written in Rust", which is true if you ignore almost the entire OS part of the OS (the kernel and the minimal seL4 runtime).

Probably the only way to prevent this type of issue in an automated fashion is to change your perspective from proving that a bug exists, to proving that it doesn't exist. That is, you define some properties that your program must satisfy to be considered correct. Then, when you make optimizations such as bulk receiver fast-path, you must prove (to the static analysis tool) that your optimizations to not break any of the required properties. You also need to properly specify the required properties in a way that they are actually useful for what people want the code to do.

All of this is incredibly difficult, and an open area of research. Probably the biggest example of this approach is the Sel4 microkernel. To put the difficulty in perspective, I checkout out some of the sel4 repositories did a quick line count.

The repository for the microkernel itself [0] has 276,541

The testsuite [1] has 26,397

The formal verification repo [2] has 1,583,410, over 5 times as much as the source code.

That is not to say that formal verification takes 5x the work. You also have to write your source-code in such a way that it is ammenable to being formally verified, which makes it more difficult to write, and limits what you can reasonably do.

Having said that, this approach can be done in a less severe way. For instance, type systems are essentially a simple form of formal verification. There are entire classes of bugs that are simply impossible in a properly typed programs; and more advanced type systems can eliminate a larger class of bugs. Although, to get the full benefit, you still need to go out of your way to encode some invariant into the type system. You also find that mainstream languages that try to go in this direction always contain some sort of escape hatch to let the programmer assert a portion of code is correct without needing to convince the verifier.

[0] https://github.com/seL4/seL4

[1] https://github.com/seL4/sel4test

[2] https://github.com/seL4/l4v

I mean, just look at the commits with "fix" in the specs folder: https://github.com/seL4/l4v/commits/master?after=4f0bbd4fcbc...

I'm using this type of simple approach to build a SaaS right now. We need to spin up many VPS and provision them, and the fastest way to do that is with rsync and ssh.

But we didn't stop there: this SaaS for our open source browser product is entirely built like this^0: behind the scenes it's a collection of bash scripts that implement and execute the business operation of the SaaS.

So basically, it's a command-line interface to the SaaS. Think of it this way, say I didn't have a website, with login, and "click a button to open a browser", but instead people would write me letters, send me cheques, or call me on the phone. Then I can serve their requests manually, at the command line.

The reason I made it like this was:

- clear separation between thin web front-end and actual business logic

- nice command-line interface (options, usage, help, clear error messages) to business logic for maintenance and support to jump on and fix things

- inheritance of operating system permissions and user process isolation

- highly testable implementation

Maybe this is dumb, but I really like it. To me it's an architecture and approach that makes sense.

I'm sure this is not new, and I think a lot of good quality operations must be built via this way. I highly align with the author's stance of the composition of a few simple command line tools to get the job done.

Perhaps we can call this "unix driven development", or "unix-philosophy backend engineering"

0: https://github.com/dosyago/BrowserBoxPro (saas coming soonish)

If you're concerned about these kinds of bugs on your local OS platform you may consider "abstracting away" your local connection point via a remote browser. This way, whatever your local machine and OS, you can have a dedicated server that you run your browsing through. Granted it doesn't enclose your entire network connection: only your browsing, but what it does there is change your IP address, mask your location, and add protection from browser 0 days.

We're constantly adding new features add BrowserBox to respect and protect privacy and improve the overall experience. It's open source so you can change it how you want too. If you don't like AGPL-3.0 you can get a commercial license. Come take us for a spin: https://github.com/dosyago/BrowserBoxPro

If you don't want something open source, but prefer the joy of a large company I think Mullvad also has their Mullvad Browser which does something similar!

Agree. This is one of the reasons it's better to go with older and more reliable JPEG for viewport streaming. An exploit chain would need to penetrate screen capture images to pass to the client. Browser zero days do occur and this is why it's important to have protection. For added protection consider browser isolation. Check out open source Zero Trust browser isolation at BrowserBox using JPEG (now WebP) now: https://github.com/dosyago/BrowserBoxPro

Technically, we did try using WebP due to its significant bandwidth gains. However, the compute overhead for encoding versus JPEG introduced unacceptable latency into our streaming pipeline, so for now, we're still against it. Security is an additional mark against the newer standard, as good as it is!

Notes

renice: https://stackdiary.com/linux-docs/renice/

audio server code: https://github.com/dosyago/BrowserBoxPro/blob/boss/src/servi...

audio client code: https://github.com/dosyago/BrowserBoxPro/blob/boss/src/publi...

-------

FAQ

What real time prio did you renice to? We tried a few around -16 but settled on -15.

Did you try WebRTC for the audio? Yes, we tried the channel for streaming chunks, but in this case WS was more reliable and faster (I guess it was because we were producing small chunks at a consistent rate). I'm interested in exploring WebRTC audio channel streaming if anyone knows, come and contribute: https://github.com/dosyago/BrowserBoxPro or get in touch at [email protected]

Why are you using WAV not MP3 for audio? Because we're chunking it. I didn't know how you can slice MP3 into tiny pieces for custom ACK-based streaming like we are doing, and I'm not even sure if it's possible: when I tried the MP3 became corrupted, but WAV worked fine, (I guess because it's linear not a compressed self-referential format like MP3). In tests the reduction in bandwidth due to MP3, was somewhat lost to the increase in latency / compute on the server to encode it. If anyone knows a better way to stream audio (or MP3) in this case come contribute: https://github.com/dosyago/BrowserBoxPro or get in touch at [email protected]

People have requested this for years. I finally got around to it. This is a WIP but tested on MacOS and Linux it worked.

Pull the image and follow the run instructions: https://github.com/dosyago/BrowserBoxPro/pkgs/container/brow...

How to Use GitHub Actions and ngrok to Test a Remote Browser, BrowserBoxPro

It's worth noting the following method will work for any web application, it's just surprising to me that it worked with one which uses WebSockets, WebRTC and has a significant back-end component!

I've recently made an exciting breakthrough with my project, BrowserBox, a remote browser application that supports WebSockets and WebRTC. Amazingly, I was able to run and test it successfully in the context of a GitHub Action, even browsing the web as normal! If you're curious about running your own remote browser for testing purposes, here's how you can do it too:

How can you do this yourself?

1. Fork the repo

https://github.com/dosyago/BrowserBoxPro/fork

2. Add your ngrok auth token to your fork's repository secrets under NGROK_AUTH_TOKEN (you need to sign up for an ngrok free account if you don't have one)

3. Go to your fork's Actions page and run the CI action.

4. Wait a couple minutes for the setup to run and click on the URL produced by the "Print ngrok URL" step.

5. Play around with the remote browser! Just click on the big + to create a new tab and enter a search query or an address in the address bar and you're away!

IMPORTANT! I'm not sure if this violates the GitHub terms doing this (it may do! Any GitHub employees please email me at [email protected] and I will remove this Action if it does!), but it's logical that just using this to browse the web would be wasting resources from the Actions runners intended purpose, so don't overdo it! To try to help with this I've set the Action to only run the browser for 5 minutes.

If anyone wants to port this to GitLab or another CI platform, we would very much welcome your contribution!

Anyway, I was really happy and surprised to discover that we can use the generous free compute from Microsoft and GitHub, and the free tunnel from ngrok, to really do some useful things, and you can check up on those and integration test using ngrok and GitHub Actions!

Many comments on here are about this protecting the ad business model, but I think it's actually about protecting against competitor browsers.

If official Google Chrome is the only browser that passes this attestation proposal, you can effectively own the market and prevent new competitors.^0

I'm sure the technical specifics will be slithered over with enough worm-tongue to make it vague and innocent enough to not trigger anti-competitive lawsuits or whatever, but that might still be an option.

From a legal view, isn't this worse than microsoft force bundling IE into its OS? Taken to its full realization, it seems attestation is Alphabet force bundling Chrome into the whole web (that ubiquitous, "global OS", used my almost everyone). It's not there yet, but is it impossible to go from current zero to very-scary one?

As a maker of a competing browser technology (that uses Chrome under the hood), I'm worried about this, but heartened by the fact that as we are also an open-source product, the solution (that I've talked about elsewhere in this thread), if it's possible, will be distributed and built by people.

It's plain that Alphabet faces a conundrum: how do they prevent their investment in the open-source product being used against them? How do they prevent competitors (like brave, and BrowserBox) benefiting from the code Alphabet pays its employees to write, essentially using Alphabet's money to gradually chip away at (or threaten chipping away at) Alphabet's Chrome market share.

I understand the paradox they face, but I don't think "DRM" level control of a global and ubiquitous "means of access" is the way to solve it. But as owner of an open-source company myself, I don't think the solution is one where Google can't capture any value from what they invest in creating.

In terms of the long term economics, I don't have a solution. But I don't think that matters. I think technically there will be solutions to this, and they'll be built in the open.

DOSYAGO is really not an activist company, nor do we seek to be. But some things are worth standing up for. Future of the web should be one, I think. If you'd like to get involved, come on over to BrowserBox and contribute!

https://github.com/dosyago/BrowserBoxPro

0: With a current "monopoly", these new competitors may seem theoretical, but I think internally their viewed as very real threats over the long term. Brave, etc. And the fact that anyone can use Chromium to build a new browser.