Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
tptacek 5 days ago

There's lots of clientside Go, too!

comex 5 days ago | parent [-]

Where? Within, as I said, “the type of consumer OS or client-side application that typically gets attacked”. It has to be a component of either a big application or a big OS, or something with comparable scope. Otherwise it would not likely be targeted by real-world memory corruption attacks (that we hear about) no matter the language. At least that’s my impression.

tptacek 5 days ago | parent [-]

I'm sure I could come up with a bunch of examples but the first thing that jumps into my head is the Docker ecosystem.

comex 4 days ago | parent | next [-]

Yeah, that’s not nearly the level of big I was thinking of. It’s not a browser or WhatsApp or Word.

Admittedly, Go is popular among developers. And there are some public examples of client-side attacks targeting developers and security researchers specifically. Such attacks could hypothetically go after something like Docker. But, searching now, every single example I can find seems to either exploit a non-developer-specific target (browser, iMessage, Acrobat), or else not exploit anything and just rely on convincing people to execute a Trojan (often by sending a codebase that executes the Trojan when you build it).

That bifurcation actually surprises me and I’m not sure what to conclude from it, other than “build systems are insecure by design”. But at any rate, the lack of Go exploits doesn’t say much if we don’t see exploits of developer tools written in C either.

tptacek 4 days ago | parent [-]

We routinely do see those exploits!

comex 3 days ago | parent [-]

Are you talking about private examples or do you have one to share?

tptacek 3 days ago | parent [-]

Sure, I mean, take for example git.

More broadly: a lot of people mouthing off about how thread safety issues make Go unsafe, but you're one of a small minority of commenters here who could just find something and POC it. How hard do you think that would be? I'd absolutely accept a controlled-environment serverside RCE.

ameliaquining 5 days ago | parent | prev [-]

I would say that Go is common in command-line developer tooling, which is sort of client-side albeit a noncentral example of same (since it includes tools for running servers and suchlike), and rare in all other client-side domains that I can think of.