
Branchless Doom - strangecasts
https://github.com/xoreaxeaxeax/movfuscator/tree/master/validation/doom
======
peatmoss
Thank heavens for this advancement! I imagine those using Doom to manage
system processes
([https://www.cs.unm.edu/~dlchao/flake/doom/chi/chi.html](https://www.cs.unm.edu/~dlchao/flake/doom/chi/chi.html)),
will appreciate the security measures implemented in this version. I can only
hope these two projects can find common purpose.

~~~
jghn
Several years back I convinced a coworker to try and install that. He had a
mac and I was running FreeBSD or something and couldn't run it. He'd been
running some sort of simulation for several days on that machine.

So we fired it up and within about 2-3 minutes he managed to shoot PID 1 or
something like that as the machine rebooted. Boss was _not_ happy.

~~~
int0x80
mm usually PID 1 is unkillable even by root AFAIK.

~~~
jghn
Actually you're right. He killed the simulation process now that I'm wracking
my brain to remember how that actually worked. That then led to us joking
about what it'd be like to force-reboot via the killing.

The key detail I'll never forget is his "Oh fuck!" face when it happened.

~~~
abofh
[https://www.freedesktop.org/software/systemd/man/systemd.htm...](https://www.freedesktop.org/software/systemd/man/systemd.html)

Not all signals are blocked by init, if init wants to be signaled :)

------
51Cards
"The mov-only DOOM renders approximately one frame every 7 hours, so playing
this version requires somewhat increased patience."

Favourite line.

~~~
FLUX-YOU
You could play Doom over email with that kind of time

~~~
Yhippa
Did a back-of-the-envelope calculation. Assuming you responded promptly it
would take around 504 years to finish the game.

------
Legion
I look forward to this being a benchmark for testing CPU advancement in the
years to come.

"It gets 2 frames per hour in Branchless DOOM!"

------
pkilgore
Compiler FAQ, in it's entirety, says it all:

>Q: Why did you make this? A: I thought it would be funny.

~~~
romwell
To the author's credit, it really is. I'm still giggling.

------
iokevins
"This is thought to be entirely secure against the Meltdown and Spectre CPU
vulnerabilities, which require speculative execution on branch instructions."

~~~
tgb
I must not be understanding Meltdown correctly and I know this is a joke, but
I thought it was the _malicious_ code that used speculative execution to
(indirectly) read unauthorized memory. So in what sense is Branchless Doom
secure _against_ Meltdown?

~~~
trentnelson
You don't store your plaintext passwords in a modded version of Doom with a
kernel scheduler hack to ensure it mostly gets dispatched on the HyperThread
core neighboring the one your browser is getting dispatched onto?

Amateur.

------
banachtarski
My understanding of how some of this works is that to handle jmps, the program
uses nojmp to become its own signal handler and inserts a faulty mov to raise
a SIGSEGV, mov addresses around, and continue as though it was a successful
jmp.

And it looks like float and int math is handled with lookup tables. yikes! but
impressive!

~~~
monocasa
It's cooler than that, IMO. It uses the SIGSEGV to jump back to the start,
once per global iteration. Bit most of the normal 'jumps' are encoded by doing
both sides of the work, but using a scratch base address for the storage of
the 'not taken' side that ends up not contributing to the actual result.

~~~
euyyn
So it prevents speculative execution of branches, by speculatively executing
them itself? lol

~~~
dfox
Structuring code like this actually has it's purpose. Instruction stream
executed by massively parallel SIMD systems (prototypically for 80's
supercomputers like Connection Machine, but also for GPUs few generations
back) actually works in exactly same way.

------
pslam
I know it's a joke, but this still branches, via an obscure mechanism of
faulting, and mov instructions past the faulting instruction will
speculatively execute.

~~~
describrion
That's not quite true... the code (essentially) loops over itself infinitely;
the only branch is a loop back to the beginning of the program. Since this
branch has only one target, it can be a direct jump (as opposed to an indirect
one), meaning it would not use the branch trace buffer, and would not cause
speculative execution. The author used faulting for branches only to write the
program in all mov instructions; if the last 'mov' is replaced with a direct
jmp (which, it looks like, can be done with the --no-mov-loop flag to the
compiler), no more speculative execution.

~~~
Liquid_Fire
> direct jump

Another important thing here is that it's an unconditional direct jump. A
conditional direct jump can still cause speculative execution (e.g. could be
vulnerable to Spectre variant 1).

------
shakna
Uses movfuscator, one of the most painful tools when you're faced with reverse
engineering. Also one of the most fun, from the other side of the aisle.

~~~
elago
Hopefully this isn't too off topic, but could you explain how to even start
approaching this from a RE/malware analysis perspective? I'm guessing there's
no drag-and-drop de-obfuscate tool like there is for some of the common .NET
obfuscators. Do you just rely on behavioral/dynamic methods?

~~~
problems
For even the nastiest of obfuscators there are often attempts at
deobfuscators...

[https://github.com/kirschju/demovfuscator](https://github.com/kirschju/demovfuscator)

------
wasx
Finally I can play my favourite game without worrying about how Intel has
fucked me!

~~~
craftyguy
You could run it on a mid-90's CPU without speculative branching and very
likely see better performance.

~~~
NinjaKitten
486 or Pentium 90, what this game was made for.

~~~
craftyguy
Yea, either one of those would run the game better than this
project/slideshow.

------
Endy
This is a more interesting idea than I would have thought at first. I wonder
if it could be used to discover whether any frame-perfect exploits still
remain unfound in Doom. I know that there are people who have played the game
frame-by-frame in order to identify possible advantages, this is an
interesting take on the idea. The one concern I have is this: does it change
the enemy logic significantly? Will the enemies still react in roughly the
same way?

I also wonder if it would be at all possible to eventually speed it up (maybe
not to actual play speed, but faster) while remaining branchless and free of
speculation. It might be interesting to see if research in Doom could provide
faster and more secure solutions in the real world.

------
js2
HN discussion of movfuscator:
[https://news.ycombinator.com/item?id=9751312](https://news.ycombinator.com/item?id=9751312)

HN discussion of trapcc:
[https://news.ycombinator.com/item?id=5261598](https://news.ycombinator.com/item?id=5261598)

------
phillco
I was disappointed to find out the screenshot is not a GIF.

~~~
Gigablah
You may have to wait 7 hours to confirm that.

~~~
Endy
Or right-click and "save image as..." That works too.

------
ninju
The mov-only DOOM renders approximately one frame every 7 hours, so playing
this version requires somewhat increased patience.

hehe

------
IncRnd
Well, the compiler works!

------
darawk
This is excellent work.

------
tzahola
“The mov-only DOOM renders approximately one frame every 7 hours, so playing
this version requires somewhat increased patience.”

lol

~~~
dawnerd
Would be interesting to make this a sort of twitch plays. 7 hour voting
windows.

~~~
catmanjan
I think it only registers input every 5 or so frames anyway :O

