
Movfuscator – Single instruction C compiler - acheron
https://github.com/xoreaxeaxeax/movfuscator
======
stcredzero
Of course, no post like this is complete without OISC:

[https://en.wikipedia.org/wiki/One_instruction_set_computer](https://en.wikipedia.org/wiki/One_instruction_set_computer)

(Then, there's my contribution: NISC -- the Null Instruction Set Computer!
It's a revolutionary architecture, in that die sizes and TDP can be scaled
down, seemingly arbitrarily, with no loss in functionality. In fact, NISC can
transcend the solid state entirely, and be implemented directly on the quantum
foam of the vacuum!

Another benefit: NISC machines are entirely immune to all buffer overflow and
use after free exploits! In fact, they are free of all exploits, whatsoever!)

~~~
Terr_
Nope, it's trivial to DoS them. Attackers don't even have to do anything.

~~~
tiuPapa
If the attackers can't do anything how will they DoS them? Wait I think I
understand now how it can be implemented on the directly on the quantum foam
of the vacuum.

~~~
naniwaduni
It doesn't matter that they can't do anything if they don't need to do
anything. Things attackers can't do only matter if they'd need to do them.

~~~
stcredzero
Newsflash: NISC system weathers huge DDOS attack, _with no discernible
effects!_

 _> Things attackers can't do only matter if they'd need to do them._

BUT, by the same token, things attackers _can_ do don't matter either! NISC
computers: So advanced, they make all attackers _meaningless!_

------
readingnews
Best part of the project is at the bottom, in the FAQ:

> Q: Why did you make this? A: I thought it would be funny.

~~~
gnulinux
This is real hacker news.

------
stephencanon
Without taking anything away from the author, calling MOV a "single
instruction" stretches things quite a bit. It's more of a big family of
instructions that happen to share an assembly mnemonic.

~~~
stcredzero
_MOV a "single instruction" stretches things quite a bit. It's more of a big
family of instructions that happen to share an assembly mnemonic._

But if you look at the serious attempts to implement OISC, you'll find that
the "single instruction" has so many parameters, some might think it might as
well be a big family of instructions.

~~~
bepvte
new OISC instruction: RUN <x86 instruction you want to run> <parameters>

~~~
stcredzero
That was like one of my professor's version of Object Oriented programming. He
would simply message pass to his undergrad assistant, Mark. "Mark, code up an
X."

------
ianbicking
I'd recommend the video presentation linked off the page, where he walks
through how he actually turned mov into a machine. It's very weird and
interesting!

[https://www.youtube.com/watch?v=R7EEoWg6Ekk](https://www.youtube.com/watch?v=R7EEoWg6Ekk)

~~~
Legogris
I love how he nonchalantly throws in a 0-day x86 PoC in the end.

------
benj111
So as there's no branch prediction, this is good defense against spectre type
attacks?

~~~
3JPLW
For a certain value of "good", yes.

> This is thought to be entirely secure against the Meltdown and Spectre CPU
> vulnerabilities, which require speculative execution on branch instructions.

> The mov-only DOOM renders approximately one frame every 7 hours, so playing
> this version requires somewhat increased patience.

[https://github.com/xoreaxeaxeax/movfuscator/tree/master/vali...](https://github.com/xoreaxeaxeax/movfuscator/tree/master/validation/doom)

~~~
ClassyJacket
Should be good enough for console players.

------
dx87
in a similar vein, here is an exmple program that runs using only x86 CPU
faults.

[https://github.com/jbangert/trapcc](https://github.com/jbangert/trapcc)

------
saurik
[https://hn.algolia.com/?query=movfuscator&sort=byPopularity](https://hn.algolia.com/?query=movfuscator&sort=byPopularity)

------
yellowapple
Who would win: the world's most popular CISC architecture or one MOVey boi?

------
jchw
This is awesome and it gets posted periodically. Previous discussion:

[https://news.ycombinator.com/item?id=12372242](https://news.ycombinator.com/item?id=12372242)

------
ChrisSD
On a slight tangent, I remember minimal lambda languages like Iota, Jot and
Zot that I think were derived from Unlambda.

------
odorousrex
Ha! This is actually pretty darn clever!

I wonder what the final binary sizes are in comparison to normal GCC
compilation, as well as execution speed.

I can't believe you made a floating point emulator just for this as well!
Quite impressed.

~~~
Legogris
Considering that the floating point library is big enough to be disabled by
default tells me you might run out of disk space compiling a single
application.

That being said, if this can increase difficulty of sidechannel attacks and
branch prediction, maybe it'd actually make sense for very isolated parts of
some services.

~~~
odorousrex
>That being said, if this can increase difficulty of sidechannel attacks and
branch prediction, maybe it'd actually make sense for very isolated parts of
some services.

I agree, I can see how it certain special circumstances/services this could be
very useful.

However, I still expect someone to compile Quake with it by the end of the
year.

~~~
simcop2387
They've apparently done DOOM already, and it's hours per frame. I don't want
to think what Quake would be like.

------
na85
Why haven't Single Instruction-Set architectures taken off?

If mov is Turing Complete it seems like there'd be a big win here... You could
parallelize this massively.

Edit: can someone explain why this is being down voted please, because this is
a legit question

~~~
saagarjha
They’re impractical and massively inefficient?

~~~
na85
Okay?

I'm asking because I don't know; can you elaborate on why that is?

Aren't most modern GPUs similar in that they're designed to just shit out
triangles as fast as possible, massively parallel?

~~~
uasm
> "can you elaborate on why that is?"

Might as-well suggest we use a single letter, instead of 26.

~~~
Sohcahtoa82
.... --- .-- .- -... --- ..- - - .-- ---?

~~~
munk-a
............... .............. .....

............. ......... ....... ........ ....................

....................... ............... ................. ...........

------
garganzol
At first look, the code produced by Movfuscator is mind boggling. But despite
its perceived entanglement there exist some deobfuscators that bring the code
back to Harvard (e.g. human readable) model.

TL/DR obfuscation by translating a program to "mov" instructions is
susceptible to static analysis and thus fully reversible.

~~~
TimTheTinker
> there exist some deobfuscators that bring the code back

Care to elaborate? The author of Movfuscator is very experienced and capable
at reverse engineering. In one of his video talks he hits some Movfuscated
code with some tools and says he doesn't know of anything that can deobfuscate
it. That may have changed since then -- I'd be curious to know.

~~~
andreareina
There's the demovfuscator:
[https://kirschju.re/demov](https://kirschju.re/demov)

~~~
TimTheTinker
Thanks! That’s really cool.

