I have a kind of off-topic NASM story. I think I was using it circa 2004 for a class, and was taking another class that required us to find 10 exploitable security holes in existing software. (This was DJB's "Unix Security Holes" class. Best class I ever took.) NASM was the first place I looked (my thought process was, it takes untrusted input and it's written in C), and indeed I found one: https://lists.debian.org/debian-security-announce/2005/msg00...
Incidentally, the other holes I found for that class were various XSS vulnerabilities in our course registration software. The administration was furious with me (I didn't exploit them, only proved that they existed), and banned me from using any computers at the University. DJB stuck up for me, though, and the vendor sent me a new iPod as a thank you. It was pretty stressful for a first-year student in 2004 though.
My parents really didn't want me being involved in any security-related fields, so I ended up not really touching it again. My take these days is that security is a subset of correctness; design for security, and make sure you implement it correctly, just like you do for any other feature. I also write a LOT of fuzz tests ;) But yeah, NASM was the beginning and end of my software security career, which I still find kind of amusing.
> just how thankless vulnerability research and computer security in general is
Thankless? Which world are you living in? Do you have any idea how much money skilled, even junior, security researches are able to earn from consulting? If you have skills, you can print money, and often while working from anywhere in the world.
Nice to see NASM is still going strong. I used this for a class I taught back in the 90's. The class supported both Windows and Linux (but most students used Windows) and NASM supported both and was free.
I ended up creating my own free online textbook for the course. It's sorta out of date now since it was for 32-bit processors.
Why would anybody use this over the assembler shipped with their compiler?
This might make sense if your project is written entirely in assembly, but does anybody even do that nowadays? For projects that are mostly in C/C++ with bits of assembly here and there, it's yet one more dependency your users have to install.
NASM has a logical and sane syntax that is both readable and maps directly to the generated instructions, in other words it is designed to be written by hand, not as an convenient intermediate format for the compiler to generate.
Contrast that to typical AT&T-syntax x86 assembly with bunch of meaningless punctuation and complex addressing modes represented by bunch of comma separated numbers. And with MASM that needs bunch of boilerplate and noise words, because the syntax is motivated by what was required to produce real-mode 16b object files.
If you write cross platform software, you might want MSVC on Windows and gcc on linux and their assemblers masm and gas have very different syntax. nasm outputs object files for both directly. Also the syntax in the context of especially macros is often a little better.
Trust me, at least on Intel, you do not want to write assembly inside your C/C++ code, unless it's just a couple of lines. The usual AT&T syntax will drive you nuts, and the additional syntax for embedding assembly only adds to the misery.
For any reasonable amounts (say, you want a function or several) of assembly, you want Intel syntax and standalone assembly files.
NASM is a great tool, although YASM should also be mentioned: https://yasm.tortall.net — YASM is what I used when I optimized an H.264 decoder for Intel-compatible CPUs way back in 2005 or so.
> The usual AT&T syntax will drive you nuts, and the additional syntax for embedding assembly only adds to the misery.
It's trivial to enable Intel syntax in inline assembly even under GCC. And if you're using Rust instead of C or C++ then the inline assembly syntax is actually really great and very pleasant to use.
And while that in itself is maybe not particularly exciting, I think the underlying point is more that assemblers like nasm allow for the implementation of toolchains like this, where you have some assembly with some C code. While not common, I'm sure cases like this are also not exceedingly rare.
nasm has better goto labels you can use sublabels within a block that don't need to be globally unique.
The data generation stuff is better aswell.
This was a while ago, and I could have missed these features else where, but that's why I ended up at nasm.
Yes, if youre just doing a bit of assembly, use whatever, but if you're doing a bigger project in assembly, nasm is optimised for that, rather than dealing with the output of a compiler.
We were taught NASM as part of a course and I'm so much accustomed to it's beautiful syntax.
Is it less capable than MASM? Don't have a reason to believe so because there's one to one correspondence between what you write and what's gets executed.
As Borland fanboy, TASM was already quite cool, the only thing I missed was MASM being more high level with its macro capabilities, but by time I got to play with MASM, I was already into Windows 3.x world.
Readit News
Incidentally, the other holes I found for that class were various XSS vulnerabilities in our course registration software. The administration was furious with me (I didn't exploit them, only proved that they existed), and banned me from using any computers at the University. DJB stuck up for me, though, and the vendor sent me a new iPod as a thank you. It was pretty stressful for a first-year student in 2004 though.
My parents really didn't want me being involved in any security-related fields, so I ended up not really touching it again. My take these days is that security is a subset of correctness; design for security, and make sure you implement it correctly, just like you do for any other feature. I also write a LOT of fuzz tests ;) But yeah, NASM was the beginning and end of my software security career, which I still find kind of amusing.
Thankless? Which world are you living in? Do you have any idea how much money skilled, even junior, security researches are able to earn from consulting? If you have skills, you can print money, and often while working from anywhere in the world.
I ended up creating my own free online textbook for the course. It's sorta out of date now since it was for 32-bit processors.
https://github.com/tianocore/tianocore.github.io/wiki/Gettin...
I have tested it locally with wrk and blew my mind!
This might make sense if your project is written entirely in assembly, but does anybody even do that nowadays? For projects that are mostly in C/C++ with bits of assembly here and there, it's yet one more dependency your users have to install.
Contrast that to typical AT&T-syntax x86 assembly with bunch of meaningless punctuation and complex addressing modes represented by bunch of comma separated numbers. And with MASM that needs bunch of boilerplate and noise words, because the syntax is motivated by what was required to produce real-mode 16b object files.
For any reasonable amounts (say, you want a function or several) of assembly, you want Intel syntax and standalone assembly files.
NASM is a great tool, although YASM should also be mentioned: https://yasm.tortall.net — YASM is what I used when I optimized an H.264 decoder for Intel-compatible CPUs way back in 2005 or so.
It's trivial to enable Intel syntax in inline assembly even under GCC. And if you're using Rust instead of C or C++ then the inline assembly syntax is actually really great and very pleasant to use.
And while that in itself is maybe not particularly exciting, I think the underlying point is more that assemblers like nasm allow for the implementation of toolchains like this, where you have some assembly with some C code. While not common, I'm sure cases like this are also not exceedingly rare.
The data generation stuff is better aswell.
This was a while ago, and I could have missed these features else where, but that's why I ended up at nasm.
Yes, if youre just doing a bit of assembly, use whatever, but if you're doing a bigger project in assembly, nasm is optimised for that, rather than dealing with the output of a compiler.
Is it less capable than MASM? Don't have a reason to believe so because there's one to one correspondence between what you write and what's gets executed.
NASM supporting bin, ith, srec, obj (OMF), win32, win64, coff, macho32, macho64, elf32, elf64, elfx32, a.out, aoutb, as86 and dbg.
With minimal changes MASM code can be converted to NASM.