Matasano Chargen - Latest Comments in Applicable Lessons from the Embedded World (aka Forth rules)

Re: Applicable Lessons from the Embedded World (aka Forth rules)

AventIsis — Sun, 24 May 2009 07:17:58 -0000

Great read, I have enjoyed reading it.

Rina

Re: Applicable Lessons from the Embedded World (aka Forth rules)

gwen hastings — Tue, 17 Mar 2009 12:31:14 -0000

Hi Jim
long time no see no hear
ah yes , forth, fig forth etc ad nauseam is ported to more platforms on the planet than just about anything else.
Also highly useful in writing portable worms/viruses/malware

gwen hastings

Re: Applicable Lessons from the Embedded World (aka Forth rules)

wbrown — Wed, 14 Jan 2009 19:36:38 -0000

Keep in mind that much of the 64K budget went to a full out cryptography implementation, with primitives for ciphers and random numbers. Some of that also went to network I/O and the like. If we measured the actual VM implementation itself, it would be pretty close to 20K. I believe we ended up at 32K.

Re: Applicable Lessons from the Embedded World (aka Forth rules)

newsham — Wed, 14 Jan 2009 19:13:36 -0000

"However, the virtual machine was 64K in size, which was sufficient for a second stage payload, but not for first stage shellcode." Just wanted to add a datapoint from an interview this week with an adware author: http://philosecurity.org/2009/01/12/interview-w... : <quote>I said, “Let’s install a Turing-complete language,” and for that I used tinyScheme, which is a BSD licensed, very small, very fast implementation of Scheme that can be compiled down into about a 20K executable if you know what you’re doing.</quote>.

Re: Applicable Lessons from the Embedded World (aka Forth rules)

davegmtso — Tue, 13 Jan 2009 17:37:09 -0000

In my hometown, we had a saying about FORTH:

eww.

:)

Re: Applicable Lessons from the Embedded World (aka Forth rules)

Jim Burnes — Sat, 10 Jan 2009 22:25:19 -0000

A Taste of FORTH

Wes brings up a good point. Properly engineered, a minimal FORTH would be very useful for penetration and embedded hacking. Before discussing FORTH in the abstract, we should take a look at some basic FORTH. In the example FORTH session below:

1. The colon character begins a word definition and the semicolon character ends the definition.
2. To execute a word all you need to do is type in the word and press ENTER.
3. Pressing ENTER doesn't automatically echo CR
4. Any numbers entered are pushed onto the stack.
5. Most words pull their arguments from the stack.
6. I'll put comments in parentheses, which are also FORTH's words for starting/ending comments

Example Session

( this is a comment. comment text follows an open paren and space -- a comment word )

( echo an asterisk to the terminal )

42 EMIT <enter> * OK

( define a word )

: STAR 42 EMIT ; <enter> OK

STAR <enter> * OK

: STARS 0 DO STAR LOOP ; <enter> OK

CR <enter>
OK

CR 20 STARS <enter>
******************** OK

This is the most powerful programming syntax in the world. It is also a knife with which you can cut yourself endlessly. It requires you to define an application-specific vocabulary with which to describe a solution to your programming problem. Your vocabulary will naturally pull its arguments off the stack and each word modifies the state of the program in sequence.

But you have total control of the interpreter/compiler. If you wish, your new word can read the next word out of the input stream at compile or interpret time which allows you to define your own syntax and programming model. You can even detect whether your word is being run during compile or interpret time and alter it's behavior.

This is a fantastically powerful and immediate extensible language. You could directly write a simple LISP or C interpreter in FORTH by simply defining a compiler vocabulary.

Notes:

While writing this small introduction I noticed that the two best books on FORTH programming and philosophy are now free on the web. They're written by Leo Brodie. Here they are:

Starting FORTH: http://home.iae.nl/users/mhx/sf.html
Thinking FORTH: http://thinking-forth.sourceforge.net/

(I'm a senior software engineer and I believe these books to be some of the most significant works on programming. I'd rank them up there with Knuth's 'Art of Computer Programming', the Dragon compiler book, Wirth's 'Algorithms + Data Structures = Programs' and the Gamma et al "Design Patterns" book.)

Even if your interest in FORTH is only fleeting, you should really study both of these books. Most programmer's don't get to use their favorite language on a daily basis, but like Tai Chi FORTH may not become your primary tool, but it could become your primary discipline as it focuses your mind and makes you a better practitioner in whichever language you use.

Good luck

Jim Burnes

Re: Applicable Lessons from the Embedded World (aka Forth rules)

wbrown — Fri, 09 Jan 2009 23:09:37 -0000

Ooops -- answer below.

Re: Applicable Lessons from the Embedded World (aka Forth rules)

wbrown — Fri, 09 Jan 2009 23:08:34 -0000

Good question, and that's actually kind of hard to answer. All the Forths out there are pretty small already. The answer to the question depends in part on what you're asking. Full featured Forths? Machine Forth for the ARM is 1478 cells of 32 bits. Jone's Forth, when you compile it and strip of symbols, is 8K including ELF headers. I've seen reference to 4K Forth systems. A gentleman said that he implemented Charlie Moore's Machine Forth in 5.5K, and that enough Forth to implement and build itself in.

So, this is kind of a trick question, as you can probably see. We can get away with implementing our Forth on a host machine, and compiling down a very small Forth with just the words that we need for the purpose.

Re: Applicable Lessons from the Embedded World (aka Forth rules)

Pete Markowsky — Fri, 09 Jan 2009 21:06:30 -0000

Interesting project. Sounds very similar to the metepreter with a bent towards making the payload smaller once you've injected your interpreter. Also I'm surprised you didn't mention forth's role in open firmware as I think that's probably the most common place it's seen. That certainly was the first place I saw it. :-)

Just out of curiosity any idea what the size in bytes is of the smallest forth implementation for the x86 family of processors?