Very impressive. Maybe most impressive is that you got your 12 year old daughter to play this!

When can I expect the CHERI version? :-D

> When can I expect the CHERI version? :-D

"CHERI has three central design goals aimed at dramatically improving the security of contemporary C-language TCBs, through processor support for fine-grained memory protection and scalable software compartmentalization, whose (at times) conflicting requirements have required careful negotiation in our design."

:) I don't think so

Pretty sure that's the joke.

The game is just a lot more difficult, you have to exploit everything as a UAF

CHERI can provide heap temporal safety to protect against use-after-free (really, use-after-reallocation; use-after-free is harmless until the point at which the memory is being used for something else, and deferring lets you batch revocation sweeps), it's just not on by default yet as it's a bit too experimental, but we're working to stabilise it more for our next CheriBSD release.

If I understand CHERI correctly it would be UAF + only intended pointer operations on pointers.

Yeah, you get in-bounds access to the allocation so sub-allocation attacks/cross field is in the play. It's kinda a pain in the ass to turn that into a useful exploit primitive though, and anyways UAF is much easier because (at least with classic allocators) you can corrupt any allocation type. Hardened allocators make exploitable overlaps much harder though and so in practice CHERI's spatial safety might be enough to kill tons of bugs.

Yeah, I were programming 6502 assembly at 12. Not that easy to do for a 12 year old now with today's computers

It's not too hard on a Raspberry Pi or Microbit

There are seveal books on assembly language programming for various Raspberry Pi systems, such as:

https://blog.adafruit.com/2021/09/21/an-interview-with-steph...

If you restrict it to similar capabilities, for example target a contemporary computer with freedos, it's not that much different.

They can in the browser like skildrick but turning it into a game is a great motivator.

A typical age to get into computers back in the 8-bit days.

From time to time I watch Jim Butterfield's Commodore 64 tape: https://www.youtube.com/watch?v=J9WnHuGjZ38 and I think just things were much easier

computers now are more like magic, nobody knows where your files are, or which programs you own or where they are even running.

Dylan Cuthbert once argued that machine code is easier for younger minds because each instruction is less abstract.

https://www.gamesindustry.biz/machine-code-is-for-kids-artic...

I agree, though I don't think that core x86 (especially in real mode) is as bad as he seems to think - it started out as a 16-bit extension to the 8080 after all, and can be used that way.

Low-level computing is even more amazing when you learn how to decode and execute simple instructions with a few logic gates.

Beyond that is in many ways a matter of interfacing and scale (at which point abstraction layers can be very useful.)

It's not an unusual age to get into computers now. It's an unusual subject though! Back in the 8 bit days you didn't have the option of writing 3D games and websites and apps and so on.

We had very crude 3D, Elite and Starglider style, and BBS instead.

Core War is a game played in a memory arena of a virtual machine supporting a simple simulated assembly language. I first saw it described in a 1984 issue of Scientific American[1]. I had already been programming for 15 years by then and recognized Core War as being inspired by Darwin, an even earlier game developed at Bell Labs.

Darwin was created in 1961 and ran on an IBM 7090. In Darwin, programs competed for resources and the winner was the program that reproduced and took over all of the allocated space. It didn't last long because an unbeatable program was developed by Robert Morris Sr. See [2].

Software Practice and Experience was one of my favorite CS journals in the mid-70s and it had a frequent column call Computer Recreations written under the pseudonym Aleph-Null. I enjoyed implementing a number of the games described in that column while in grad school. Unfortunately, Software Practice and Experience is an expensive journal, but university students can likely find it like I did in the university libraries. The issues in the 1970s were easy to read and fun, having articles on subjects like pascal compilers, Algol 68, and concurrent programming. That is where I learned about Module[3,4] and later Oberon[5] in articles by N. Wirth.

[1] https://en.wikipedia.org/wiki/Core_War

[2] https://en.wikipedia.org/wiki/Darwin_(programming_game)

[3] https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.43800701...

[4] https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.43800701...

[5] https://onlinelibrary.wiley.com/doi/abs/10.1002/spe.43801909...

I had a friend who loved games but claimed he didn't have the mind for coding and yet he was tricked into doing it via the game Human Resource Machine and some of his solutions were better than my own with years of experience!

Sometimes having a new and fresh perspective helps a lot more than you think.

My 12 year old hates math, but he's surprisingly good at Human Resource Machine and SpaceChem. It makes me wonder whether high school maths is fundamentally different from programming maths.

Very interesting.

I have always felt that short mnemonics are a poor engineering choice for today's computer memory sizes.

Like, the first thing you have to do here is to learn and recall what the instructions do. If you replace the names with more spelled out versions, it makes it much easier to pick them up and then remember them and read code.

The fact that people often don't do that makes me suspicious.

I also think that the fact that these types of exploits are possible points to overall system design failures.

I'm not saying that it's not a fun game or a good way to learn. But I feel that there is too much general acceptance of structural problems in engineering. To the degree that most people don't even see those structural flaws.

> The fact that people often don't do that makes me suspicious.

I thought of doing that, even the first versions of the game had much more readable pseudoassembly, but in the end I wanted my daughter to comfortably read the output of objdump and I dont think its a big deal to learn few mnemonics. I also think kids respond really well when they are not patronized (at least mine does).

> To the degree that most people don't even see those structural flaws.

Do you think people dont consider arbitrary ready and write as a structural flaw?

There are thousands of people working on it, and making good progress, but in the same time, I still think its fun to peek and poke.

I think I agree with your reasons for doing it that and I wasn't really trying to criticize your game in particular.

I was trying to make a more general statement about the types of problems that we seem to find ourselves solving over and over again and the fact that that occurs as such a typical case rather than replacing those structures.

I don't know how to make solving structural problems into a game.

I guess I did want to be a little critical though just to insert the comment that it's also important to make sure we teach kids that representation matters and that system design structure should not be taken for granted.

Dude, this is awesome! I want to play it at work

This looks like a lot of fun. What ages do you think it's appropriate for?

I think the easy win condition (which is just to break out of the main loop by doing a quick buffer overflow in bug()) is doable for 10-15 years old

My daughter is 12 and we have fun playing it, the hard win condition (which is forcing your opponent to jump to the game_over() function) I think is harder, but I guess within 5-6 months we can get there.

For adults, I am not sure, some people are super scared of assembly like its made by the devil himself, so might be harder to get them to play than kids.

What I find interesting is how we tend to view the world as a mirror of ourselves.

If I'm interested in buffer overflows and programming than my daughter must be highly interested in it too! How likely is that?

First she's a kid, second she's a girl. The odds are stacked but I see a good number of dads charge forward anyway.

To the Dads out there... when you did a project like this was at least some part of you aware that it was more of a vanity project?

Anyway. I'm interested in this stuff so I'm happy you released it.

What I find interesting is the size of the assumptions people are capable of casually making in order to make a point of theirs sound legitimate.

You are implying that the creator of the project is pushing this onto their daughter merely for his own vanity - where do you get that from? I browsed a few pages on the site, and couldn't see anything at all that would suggest that. Quite the opposite in fact, there were several gentle suggestions of the daughter having a lovely time and being very interested.

How do you know that the daughter hasn't instigated the whole thing in the first place, by repeatedly showing curiosity as to what her Dad is doing on his computer? That it started off small, and built up from there, a two-way development of someone sharing their interests with a younger co-explorer?

I don't know what the case actually is, of course; but I'd imagine you don't either.

As someone who's been involved with education for a good few years now, my experience is that kids are much more capable learners than seems to be generally believed.

One reason for this seems to me to be how schools are structured, but maybe the fundamental thing at the heart of it is the limiting beliefs of people throwing around opinions like yours. I say hats off to this father for attempting to share his interests and his passions, with his daughter and the world.

> If I'm interested in buffer overflows and programming than my daughter must be highly interested in it too! How likely is that?

As a father, I am just trying to teach her everything I can, sometimes its programming, sometimes its fighting, sometimes its meditating.

Some of it will be of value, some of it wont.

> The odds are stacked but I see a good number of dads charge forward anyway.

The odds are always stacked. Such is life.

Not all paths have the odds stacked against you. Put yourself in her shoes. What does she like? What are her interests? What is she good at? Don't be so blinded by love that you lose all rationality.

Fighting physically is not what women excel at I wouldn't teach her that. A women's power comes in the form of social control and groups. If a man hits a woman he is engaging in a fight with all the men that protect her. That is a woman's power. A large portion of this power comes from how beautiful she is too. Most women figure out how to wield this power automatically depending on how they look. They grow up to be more fearful than men in general and will automatically learn behaviors needed to stay safe. Fighting is largely useless as any man easily overpowers the majority of women regardless of fighting skills. You'll have to train her in weapons that kill if you want her to have a chance at winning.

Anyway... from your reply I can sort of see that it looks like I'm generally right, despite how much the other replier doesn't want to believe it.

> looks like I'm generally right

nop

Really? I have no allegiance to being right. If I am please elaborate, is your daughter very interested?

> is your daughter very interested

Yes, why would I teach her something she is not interested in?

>why would I teach her something she is not interested in?

The answer to this question is startlingly obvious yet for some strange reason in this specific situation you can't see it. Why?

The majority of kids aren't interested in anything that schools have teach them. To them it is a chore to appease parents and to avoid consequence. If interest develops at all it usually comes much later.

But you see you should already know what I'm saying. Like I said it's quite obvious. The anomaly here is why your child is at all interested in buffer overflows. I would be interested in more elaboration on why your daughter is different from the norm.

Once a 64bits risc-v code path is stable, does a good enough job, is rid of its "buffer overflows"... how they are going to do planned obsolesence without C/c++ always changing syntaxes?? Poor souls...

Wait a second. .. .. A table top board game... which involves assembly coding?

Why I never think about this before? :D

PL/I did some things right: string/array bounds checking, stack that grows up rather than down.

https://www.acsac.org/2002/papers/classic-multics.pdf

Well I am going to introduce this at my work.

I'm surprised no one has mentioned that this is very similar to Core War.[0]

[0] https://en.wikipedia.org/wiki/Core_War

Because 90% of HN wasn't born until 16 years after the first release?

Core War got boring because there were known good bots that always won.

And, well, Iiiii'm surprised no one mentioned RobotWar which predated Core War, but wasn't as complex.

https://en.wikipedia.org/wiki/RobotWar

;-)

Reminds me of Tierra[1], the "virtual life" simulator.

Haven't read the history of Tierra but wouldn't surprise me if he was inspired by Core War when creating it.

[1]: https://tomray.me/pubs/doc/index.html

CoreWar is definitely one of ideal programming games (since I like assembly coding). Not many games like it these days, unfortunately, perhaps the closest one is Zachtronics' TIS-100.

Good game by the way!

CoreWar is a great game!

But I am not sure its very similar, I got a lot of inspiration from the WarGames (1983) movie https://www.imdb.com/title/tt0086567/

The whole project started as an attempt just to teach assembler, and the game was actually zero choice game like Snakes And Ladders, you have 5 instructions per turn, but on certain places you have to roll a dice and follow the branch: https://punkx.org/overflow/build/snakes-and-ladders.pdf

But then after watching WarGames I thought I can make something where you can just write on top of your opponent's memory.

CoreWar has very different dynamics and I think anyone who has not tried it is missing out.

At some point I thought to actually make the game real-time, as in you can move as your opponent moves, (SMP instead of time sharing like it is now, where you get context switched out in 10 moves), but it was too chaotic. Maybe with the esp32 helper it can be done and be fun.

What part of WarGames inspired you? The hacking basically involved war dialing and password research, no stack overflows! :)

... wait a second are you really punkx?

> What part of WarGames inspired you

The part where they made it play tictactoe :)

> wait a second are you really punkx

Not sure what you mean, its just a name I picked to mean 'punk for X' where X is whatever you want.

Not more rules than a typical german table game of the year has

My favorite HN comment of all time was by cperciva 16 years ago:

    cperciva on July 18, 2007
    
    "Did you win the Putnam?"
    Yes, I did.

But my new favorite announcement is this post:

    I made this game to teach
    my daughter how buffer
    overflows work.

It just doesn’t get more HN than that. Mad props!

Very curious about the context of that first comment, do you have a link?

"how we look when we play the game"

Are you the pupper or is your daughter the pupper?