►
From YouTube: "Moddable: Applying SES to Things" by Peter Hoddie
Description
SES is a JavaScript runtime library for running such third-party code safely inside a featherweight compartment. SES stands for Secure ECMAScript, where ECMAScript is the standards name for JavaScript. SES addresses JavaScript’s lack of security. SES supports practicing of the Principle of Least Authority (or POLA) so that the risk from most third-party code can be substantially reduced.
Lightbulb code https://gist.github.com/phoddie/9f87cc8f2efd9056c20a1bf5a445466e
Learn about Moddable: https://www.moddable.com/
Learn about SES: https://github.com/Agoric/SES/
A
Okay,
yes,
no
I
start
with
the
classic,
so
light
bulb.
Jokes
are
easy
targets,
so
just
just
restrain
yourselves
it'll
all
be
fine.
One
of
my
worst
nightmares
is
following
mark
and
talking
about
JavaScript.
So
wish
me
luck.
So
I'm
gonna
talk
as
this
teen
said
something
really
practical
about
not
so
much
theory,
but
really
about
how
we're
using
secure
M
script
in
things
and
I'm
gonna
use
a
light
bulb
as
an
example
for
that
this
is
an
old
quote,
easy
totally
completely
true,
not
controversial
here.
A
This
is
this.
Is
a
twit
tweet
from
yesterday
about
somebody
who
discovered
that
their
flashlight
has
firmware
that
can
be
reprogrammed
a
flashlight
a
flashlight,
so
this
gets
to
why
we
care
about
secure
Ekman
script
and
JavaScript.
So
this
is
my
proposed
law.
If
you
can
put
a
microcontroller
in
something
we
will
all
it
takes,
is
tiny
battery
and
then
there's
the
corollary
from
audible,
which
is
yes
once
you've
got
the
microcontroller.
It's
only
time
until
you
get
to
JavaScript.
So
this
stuff
matters
we're
putting
software
everywhere.
A
When
Mark
did
his
first
presentation
at
TC
53
earlier
this
year,
we
were
talking
about
wearables
and
he
decided
to
scare
us
and
say
it
gets
worse.
It's
implantables
it's
coming,
and
there
really
is
software
and
pacemakers,
and
things
like
that.
So
this
is
not
even
speculative
it's
real.
So
we
need
to
be
able
to
trust
this
stuff.
So
moddable
we
make
the
XS
JavaScript
engine
we
Patrick,
but
we
and
it's
focused
on
small
devices.
So
it's
completely
different
than
every
other
engine
you've
run
into.
A
We
we
obsess
about
how
do
we
fit
into
something
small?
How
small
a
typical
target
for
us?
The
one
we're
using
here
today
has
80
kilobytes
of
RAM.
That's
kilobytes,
not
not
megabytes,
gigabytes,
kilobytes,
a
Meg
of
storage,
that's
for
your
code
and
everything
and
runs
on
an
80,
megahertz
CPU
one
core
one,
one
core,
not
threaded,
not
nothing
and
sells
for
a
dollar
and
has
Wi-Fi
built
in
which
is
awesome.
It
sells
for
a
dollar
so
why
we
put
y'all
the
script
in
things.
A
The
list
here
is
actually
all
things
we
have
put
JavaScript
into
and
when
we
do
this,
we're
not
putting
JavaScript
into
run
some
scripts
on
the
edges,
we're
putting
JavaScript
in
to
run
the
whole
device
like
more
or
less.
Our
strategy
is
boot
to
JavaScript
as
early
as
possible.
We
go
there
and
we
stay
there.
A
The
hardware
is
crazy,
cost
sensitive.
You
know
you
say
to
people,
oh,
it's
only
$1
and
you
get
Wi-Fi
they're
like
yeah.
Maybe
you
know
week
for
40
cents
we
can
get
pretty
close,
and
so
you
know
when
you
say
like.
Why?
Don't
you
just
you
know,
add
you
know
more
and
use
Linux.
They
just
laugh
like
it
doesn't
happen,
so
you
really
have
to
deal
with
the
constraints.
So
I
love
light
bulbs
as
a
testbed.
The
functionality
is
pretty
simple.
Like
on/off
bright,
maybe
color
it's
one
of
the
smallest
IOT
things.
A
A
This
little
chip
in
the
middle
is
the
$1
micro
controller.
The
little
copper
thing
coming
out
is
a
Wi-Fi
antenna
and
then
there's
LEDs
are
on
the
side,
and
you
can
pick
these
up
for,
like
18
bucks
on
Amazon
in
quantities
of
one,
and
you
know,
they'll
get
cheaper,
but
already
that's
pretty
spectacular
for
something
with
all
that
power
why
the
hell
would
I
ever
want
JavaScript
in
a
light
bulb.
You
say
this
is.
This
is
a
fair
question.
This
is
a
fair
question.
Fortunately,
smarter
people
than
I
have
thought
about
this.
A
This
is
literally
a
book
from
the
MIT
press
that
was
published,
I
think
this
year,
maybe
last
year.
The
first
chapter
is
the
meaning
of
light,
and
it's
it's
actually
fascinating,
like
I
was
a
little
skeptical,
but
they
really
talk
about
all
these
ways
that
people
use
light
for
emotional
support
to
signal
things
inside
the
home.
A
To
people
who
are
you
know
a
little
skittish
or
not
like
so
excited
to
always
come
out
of
their
room
to
create
connections
between
people
who
are
in
different
locations,
so
they
can
know
if
somebody
just
came
home,
but
not
like
an
annoying
notification.
Just
oh,
the
light
came
on,
hear
it
I
know
mom's
home,
and
so
it's
really,
but
it
requires
that
we
can
control
the
behavior
of
light
and
do
things
that
the
manufacturer
never
intended.
A
So
some
of
those
are
silly
I
was
hoping.
You
were
meeting
in
the
nightclub
downstairs.
I
was
gonna,
do
some
big
light
things,
but
no,
but
we
need
to
be
able
to
change
the
behavior
of
the
light
and
here's
the
strange
thing
that
I've
found
once
you
can
change
the
software
in
a
device.
You
start
to
have
all
sorts
of
strange
ideas
about
how
you
want
to
change
it
so
really
when
you're
driving
home
or
sittin
on
sittin
in
your
uber
or
whatever.
If
you
start
to
think
I
could
make
the
light
bulb.
A
Do
anything
what
would
I
want.
The
ideas
will
come,
there's
a
detail,
though
it
better
be
safe
and
secure.
This
isn't
just
about
leaking
private
information,
there's
a
whole
host
of
interesting
issues.
So,
let's
dive
into
secure
ACMA
script.
So
what
is
security
on
embedded
devices?
Look
like
these
days.
If
you
were
out
building
a
product
and
buying
a
microcontroller,
every
single
salesperson
would
tell
you
we
have
security
nailed.
We
have
secure
pool
you
can't
like
install
unauthorized
firmware
because
we
do
code
signing
we
obfuscate,
the
ROM.
A
We
accelerate
all
the
crypto,
and
this
is
all
true
and
all
works
and
is
all
great
and
is
all
useful.
It's
all
focused
on
the
same
thing,
which
is
I'm
gonna,
stop
outside
untrusted
code
from
getting
into
my
device.
This
is
good.
Cess
starts
from
this
really
other
point.
It
says
I've,
let
the
untrusted
code
in
the
door.
A
It
has
the
run
of
the
house
now
what
am
I
going
to
do,
and
so
you
know
this
is
what
happens
when
you
know
early
embedded
devices
have
like
you
know,
4k
ROM,
you
could
review
every
line
of
code
and
say
I
trust
it.
This
thing
has
a
megabyte
of
ROM,
that's
getting
hard
to
review
everything,
and
you
know
we're
doing
four
and
sixteen
mega
products
today
so
you're
using
third-party
libraries,
which
you
can
sometimes
trust.
So
we
need
to
be
able
to
bound
that
untrusted
code
and
restrict
what
it
can
do.
A
One
of
the
things
that
it
took
me
a
while
to
get
my
head
around
with
the
correctness
crypt
is
that
there
is,
unlike
every
other
security
solution,
I've
seen
on
the
planet.
There
is
no
security
policy,
there's
no
like
access
control,
language,
there's
no,
like
rings
of
like
authority,
there's
nothing
there's
like
literally
nothing.
You
basically
can
take
everything
away
and
then
build
up
what
you
want
from
there,
and
so
the
cool
thing
is
you
build
the
security
policy
in
JavaScript
and
each
product
gets
its
own
security
policy
based
on
what
it
needs?
A
A
As
I'll
show
you,
we
can
take
the
security
system
and
run
it
in
this
$18
light
bulb
just
to
highlight
something
that
may
not
be
obvious
like
so
much
of
the
web
obviously
runs
on
a
UNIX
computer
or
a
derivative
or,
and
it's
inspired
by
system,
which
has
things
like
separate
address
spaces
and
sandboxing
in
different
processes.
If
you
have
those,
arguably
you
don't
need
security,
no
scrip!
You
could
do
it
another
way.
It
would
be
heavier.
We
don't
have
those
we'd
have
an
MMU
right,
we're
not
protected.
Never
we
get
nothing.
A
So
if
we
don't
do
it
in
the
language,
there's
nothing
in
the
microcontroller
to
help
us,
so
the
language
is
really
important.
Okay,
so
Marc
alluded
to
this
a
little
bit
in
his
talk,
but
I
wanted
to
emphasize
it
because
it's
really
important.
So
this
is
a
typical
embedded
architecture
that
we
use
at
the
bottom.
There's
an
artis.
If
you
don't
know
what
that
is,
it
means
a
real-time
operating
system.
A
So
this
slide
told
you
I
just
said,
so
we
do
everything
in
C
at
the
bottom
of
course,
JavaScript
the
top
and
the
host
is
mostly
JavaScript
with
just
a
little
bit
of
C.
So
when
you
want
to
enforce
security,
you
can
note-
or
in
the
browser
you
do,
that
through
the
operating
system
and
through
the
host
right
and
that's
what
the
browser
has
a
million
things
to
enforce
security
in
our
world.
We
can't
do
that.
The
art
sauce
is
too
primitive.
It
knows
how
to
allocate
memory,
not
protect
it.
A
The
host
is
all
in
JavaScript,
and
so
we
have
to
have
security
mechanisms
in
JavaScript,
where
we
have
no
security
mechanisms
at
all.
There's
nothing
to
fall
back
on.
So
that's
why?
When
Mark
said
that
TC
53,
which
is
embedded
JavaScript
modules,
has
selected
Eknath
Script
secure
Ekman
script
is
our
security
model
it's
out
of
pure
necessity,
there's
not
like
something
lower,
we
can
come
back
to
so
either
we
have
to
invent
something
ourselves
or
adopt
something,
and
incest
is
great.
So
why
not?
A
And
so
the
unit
of
encapsulation
is
called
a
compartment,
it
marks
slides,
they
call
it
in
an
evaluator
and
will
between
us
someday
arm
wrestle
that
to
the
ground.
The
concept
is
exactly
the
same,
which
is
a
compartment,
has
its
own
Global's
and
its
own
module
list,
and
so
you
can
create
those
things
and
so
I'm
gonna
show
you
some
demos
I
always
learned
better
when
I
like
actually
step
through
code,
so
I'm
gonna,
I'm
gonna
do
a
little
bit
of
that.
I.
A
A
The
first
argument
is
the
name
of
the
module
to
load
and
marks.
It
was
the
script
to
parse,
but
here
it's
the
module
to
load.
So
this
is
the
equivalent
of
what
you
would
put
in
the
from
in
an
import
statement,
and
then
this
is
a
global,
so
we're
adding
increment,
which
is
this
function
to
the
global
in
the
compartment.
Alright.
A
Once
then
we
call
the
modules
test
function,
it
traces
again,
so
they're
sharing
this
increment
function
and
consequently
the
global
X
and
there
you
go
so
even
though
the
global,
the
module
doesn't
have
access
directly
to
X,
it
can
call
it
can
get
to
it
through
the
increment
function
right.
So
it's
it's
hidden,
even
though
it's
a
global,
so
there's
two
sets
of
Global's.
So
let's
look
at
a
slightly
different
example.
Oh
wait
wait.
So
there
was
one
of
the
things
do
so
I.
Remember
this
I
put
it
in
my
notes.
A
A
A
I'll
put
a
breakpoint
here,
so
you
can
see
it
because
the
stepping
is
not
going
to
quite
do
what
I
want,
but
when
it
come
back
out
to
the
mod
when
I
come
back
out
to
main
you'll
see,
Global's
does
not
have
pollute,
but
when
I
step
back
into
the
module
and
I'm
here
again,
then
my
Global's
have
pollute
so
you
can
pass
stuff
in
and
the
the
compartment
can
mess
up
whatever
it
wants
to,
but
doesn't
get
back
out
the
other
side.
So
it
really
has
its
own
independent
universe.
A
Okay,
so
this
example
uses
the
module
map,
so
we
look
at
Global's.
This
is
a
module
map
on
the
compartment
constructor.
There
is
a
property
called
map
and
that
returns
a
list
of
all
your
modules,
all
the
modules
that
the
system
has
given
you
access
to
and
what
you
can
see
is
basically
on
the
left.
You
have
the
module,
specifier
and
use
bear
module
specifiers
and
on
the
right
you
have
a
symbol
which
points
to
it.
A
So
you
can't
link
the
path,
and
so
what
we're
gonna
do
is
first
make
a
copy
of
the
module
map
into
a
map
and
then
call
this
mod,
and
so
it
imports
increment
and
then
it
traces
never
because
it
should
have
never
got
here
because
we're
gonna
like
hide
increments.
So
if
I
come
here
and
comment
in
the
delete
map
increment,
what
we're
gonna
do
is
take
man
I
press
that
more
than
once
so
we're
going
to
delete
increment
from
the
map.
So
that
will
be
no
longer
in
here.
A
So
now,
when
we
go
and
run
in
the
compartment,
it
says
module
increment,
not
found,
because
now
we've
removed
that
from
the
list
of
modules
it
has
so
this,
like
the
Global's,
is
a
way
for
us
to
deny
access
to
a
compartment
to
a
particular
piece
of
code.
We're
gonna
use
that
mechanism
on
the
light
bulb
in
a
minute.
So
let
me
switch
again
sorry.
A
So
this
is
the
hardest
one
to
remember:
moddable
examples:
drivers,
oh
wow,
that
actually
kind
of
worked
perfect,
so
we're
gonna,
CD,
blink
and
open
main
all
right.
So
this
is
just
with
one
tiny
change.
This
is
straight
out
of
our
open
source
repository
I.
Have
this
light
bulb?
It
has
some
software
installed
in
it.
If
you're
super
super
sensitive
to
bright
lights
or
blinking
lights,
don't
look,
but
it's
not
too
too
horrible.
So
this
is
running.
A
This
light
bulb
is
running
this
code,
okay,
and
so
all
it
does
is
it
opens
up
an
instance
of
the
driver
and
then
it
sets
a
timer
and
on
each
tick
of
the
timer.
It
changes
from
red,
green,
blue,
warm
cool
and
warm
and
cool.
So
six
states.
After
it
completes
the
cycle,
it
decreases
the
interval
by
a
hundred
and
twenty
five
seconds,
and
so
you
get
this
effect,
which
is
super
annoying,
so
unplug.
A
But
that
that
JavaScript
I
didn't
install
this
here,
but
that
JavaScript
is
really
and
truly
running
on
this
light
bulb
that
I'm
not
going
to
drop
I'm
gonna
take
the
top
off
of
it,
because
we're
gonna
reflash
this
thing,
which
is
totally
bold
and
so
there's
a
few
things
here.
I'm
gonna
come
back
to
my
slides
briefly,
there's
a
few
things
on
the
security
of
a
light
bulb.
We
need
to
talk
talk
about
so
now.
You
kind
of
understand
compartments.
Hopefully,
so
what
do
we
want
to
do?
The
light
bulb?
A
Well,
this
light
bulb
has
warm
cool
red,
green
and
blue
lights,
and
it's
got
this
LED
driver.
There's
three
things.
We
want
to
stop
user
scripts
from
doing
okay,
one
is
we
don't
want
them
to
be
able
to
get
to
any
configuration
method,
so
they
shouldn't
be
able
to
pull
your
Wi-Fi
password
thing
really
has
Wi-Fi
in
it
and
it
shouldn't
be
able
to
do
anything.
You
consider
privileged
like
setting
the
clock,
because
that
could
like
mess
up
your
schedules.
For
example,
some
of
these
products
and
we've
really
worked
on
some
that
are
like
this.
A
If
you
exercise
the
drivers
to
their
full
range
of
possibilities,
you
will
destroy
the
device
and
so
like
if
you
were
to
run
I,
don't
think
this
light
bulb
it's
the
case,
but
imagine
if
you
were
to
run
the
light
bulb
at
full
brightness
for
an
hour
that
would
like
generate
enough
heat,
that
it
would
damage
the
product
and
short
its
life
or
create
a
safety
hazard.
This
is
really
true
in
some
products.
There's
another
problem
which
you
just
saw,
which
is
in
some
environments.
A
You
may
not
want
to
switch
the
lights
color
very
quickly
because
you
will
trigger
seizures
in
some
people
like
really,
and
so
it's
it's
a
health
issue,
and
so
you
may
want
to
control
that
when
you
deploy
it
into
some
environments
and
so
how
do
you
do
that
in
a
way
that
is
convenient
for
the
developer
but
guarantees
that
these
things
aren't
going
to
go
completely
crazy?
So,
let's
take
a
look
at
what
we
did.
I
hope.
Dean
comes
back.
A
Yeah
so
I'm
gonna
open
up,
so
we
have
a
new
main.
So
the
main
here
thanks
I,
can
do
this
for
a
little
bit,
but
but
somebody
shouldn't
go
far,
so
the
main
is
going
to
create
a
compartment
map.
I'm
gonna
create
a
to
start
with
the
compartment
map
and
instead
of
deleting
something
from
it,
we're
gonna
make
we're
gonna
make
a
new
one,
and
so
mark
has
taught
me
very
strongly.
That
blacklisting
is
terrible
and
whitelisting
is
great
because
with
waitlisting
you
know
exactly
what
you're
gonna
get.
A
So
that's
here,
just
because
main
is
what
we
boot
into,
and
so
that's
what
the
host
owns,
but
I'm
saying
map
that
particular
module
to
the
name
main,
because
if
this
module
imports
itself
by
saying
import
main,
it
should
get
back
itself
and
not
like
get
back
your
main
application,
which
is
the
host.
So
that's
one
small
trick:
the
next
one
is
for
the
driver
to
be
able
to
enforce
like
brightness
constraints
and
flashing
constraints.
A
We
need
a
special
attenuated
driver,
so
we
in
the
module
map
we
say,
take
the
specifier
for
the
normal
LED
driver
and
replace
it
with
this
attenuated
one
we'll
come
back
to
that,
and
then
we
also
give
it
access
to
the
timer.
So
it
can
do
some
blinky
things
and
then
all
we
do
is
instantiate.
The
compartment
with
name
yep
I
have
I,
have
a
cast
of
all
stars
from
my
my
Mike
help.
Thank
you.
So
we
we
invoke
the
compartment,
and
so
let's
look
at
the
attenuated
driver
that
which
is
really
the
interesting
part.
A
So
what
the
attenuated
driver
it
does.
Is
it
imports
the
original
driver?
Okay,
it
has
a
maximum
brightness,
which
is
16
instead
of
255
and
has
a
minimum
interval
of
500
milliseconds.
So
that's
the
these
are
the
limits
we
want
to
enforce,
because
excess
is
insane
about
supporting
everything.
In
JavaScript
these
days
we
use
private
variables
and
no
constructor
to
bring
the
driver
into
existence
and
to
remember
the
time,
the
last
right
initialization.
Thank
you
the
and
then
all
the
driver
has
is
a
right
method
after
that,
so
we
overload
the
right
method.
A
It
gets
colors,
it's
like
you,
know,
red,
green,
blue,
cool
or
whatever
as
numbers.
So
we
pull
those
into
an
array.
This
enforces
the
limit
on
being
able
to
blink
once
every
500
milliseconds.
You
must
know
more
than
that,
and
then
this
applies
the
brightness
and
then
passes
it
along
to
the
original
driver.
So
we
attenuate
with
the
brightness
by
whatever
the
maximum
brightness
is
and
I'm
actually
gonna
program.
This
into
the
light
bulb
just
to
show
you
that
it
actually
can
be
done.
A
Yep
sorry,
so
this
is
the
you
remember
when
you
used
to
program
computers
by
like
flipping
switches
and
all
kinds
of
things.
I
literally
have
to
flip
a
switch
on
this
to
put
it
into
programming
mode
and
then
attach
this
funny
little
thing
which
is
easier
than
it
harder
than
it
looks.
Okay,
then
not
drop.
It
then.
Here
we
just
to
MC
config
D,
M,
PSP,
/,
85,
I.
Think
it'll
tell
me
if
I'm
wrong
yep,
so
that's
flashing,
the
light
bulb.
A
A
A
There's
my
attenuator
driver
so
I
step
into
this
and
now
I'm,
not
in
the
regular
driver
but
I'm
in
the
attenuated
driver
right
and
so
now,
I
can
come
in
here.
I
can
see
the
colors
and
everything
is
good
and
so
I'll,
just
let
that
run
and
what
you're
seeing
down
below
is
when
it's
ignoring
the
rights
and
you
can
see
as
it
picks
up
so
more
and
more
of
them
get
ignored.
Is
this
light
speeds
up?
A
So
what
I'm
going
to
do
now
is
plug
this
in
here
it
takes
a
little
longer
to
boot,
because
it's
a
debug
build.
So
it's
looking
for
the
debugger,
but
once
it
does
and
it
will
you'll
see,
the
light
is
dimmer
right
than
it
was
before
and
it
starts
out
the
same
speed
as
before,
but
whereas
before
it
would
get
insanely
fast
now
it
will
never
change
the
color
faster
than
every
500
milliseconds,
so
I've
been
forced.
All
of
that
I
have
not
changed
a
line
of
code
in
the
original
script.
A
Alright,
so
the
application
developer
doesn't
know
about
this
as
best
I
could
do.
They
couldn't
detect
that
they're
running
in
this
host
either
everything
looks
the
same
right,
so
we
can
change
the
rules
on
them
later.
We
could
change
the
rules
based
on
a
digital
signature
or
whatever
we
want,
but
we
get
the
behavior
we
want-
and
we
purely
you
know,
we've
virtualized,
basically
the
host
here
and
we've
done
it
all
in
JavaScript.
A
So
yeah,
so
this
is
I
mean
it's
it's
wild,
but
it's
you
know,
I
mean
it's.
It's
really
fits
in
this
thing
and
so
I'm
just
sort
of
yeah,
oh
you're,
great.
Thank
you
just
to
wrap
up
so
securing
the
script
on
embedded
is
totally
practical
like
this
is.
This
is
really
not
a
fancy.
Processor
and
people
are
actually
designing.
Fancier
things
in
these
days
than
this.
It's
fast,
the
like
creating
the
policies,
as
you
can
see,
is
like
very
straightforward.
Right,
like
I
think
you
could
mostly
follow
the
code
that
I
wrote.
A
This
is
all
here
for
you
to
try
everything
that
I
showed
you,
except
for
my
example,
is
in
our
open
source
repository.
You
can
buy
this
light
bulb.
We
have
instructions
for
soldering
the
header
on
and
you
can
you
can
go
crazy.
This
is
not
completely
done.
The
compartment
interface
is
good.
We're
not
sure
it's
great
there's
some
refinement
to
do
you
know
there
probably
is
some
security
hole
left
somewhere
that
nobody
has
discovered
yet.
A
So
we
would
encourage
you
to
pull
this
code
code
down
and
try
stuff
build
something,
find
a
problem
and
contribute
to
helping
to
make
this
better,
because
we
think
this
could
be
a
huge
deal
for
JavaScript.
As
I
said
it
meeting
and
Brian
Charlson
quickly,
tweeted,
you
all
think
you're
doing
really
well,
because
there's
a
lot
of
phones
and
servers
out
there
try
counting
the
lightbulbs
it's
a
lot
of
places
for
JavaScript
left
to
go.
Thank
you.
A
A
Yep,
so
the
question
is:
if
Kate
wanted
to
replicate
this,
you
just
go
to
the
model
website.
Yeah
everything
is
there
and
there
the
only
thing
you
have
to
do
with
these
light
bulbs.
Is
they
really
weren't
designed
to
be
reprogrammed,
so
you've
got
to
solder
a
header
on
and
we
have
instructions
in
a
blog
post
on
how
to
do
that.
A
A
A
Basically-
and
this
starts
to
look
a
little
bit
like
Linux-
did
in
the
early
days
of
open
source
where
everything
was
open,
except
for
the
drivers
and
I
fear,
we're
gonna
be
in
that
space
for
a
little
while,
but
maybe
not
too
long,
yeah
yeah,
so
yeah
I
mean
we
I
mean
on
some
devices
we
boot
to
metal
like
we,
we
boot
we're
the
first
thing
that
runs.
We
program
some
registers
to
get
the
clocks
like
running
right,
and
then
we
just
go
so
you
can
run
really
bare-bones
with
excess.
If
you
want
to.
A
A
A
Now
the
question
is
why
javascript,
instead
of
C,
so
actually
I,
wouldn't
say
it's
quite
that
we
we
use.
A
lot
of
C
like
like
the
driver
for
to
talk
to
the
LEDs
is
actually
in
C,
because
it's
incredibly
timing,
sensitive,
and
so
we
have
some
advantage
in
the
embedded
world
that
we
can
put
some
C
in
there
because
we're
rebuilding
the
whole
firmware,
whereas
you're
not
rebuilding
the
whole
browser
for
your
webpage
right.
So
we
try
to
do
as
much
as
we
possibly
can
in
JavaScript.
A
But
you
know
the
graphics
engine
should
be
in
C,
and
so
there's
there's
a
line
there
and
we're
constantly
kind
of
exploring
the
limits
of
it.
But
why
JavaScript
is
actually
the
more
interesting
question
like
C
is
awesome,
but
when
you
try
to
build,
I
worked
in
it
for
far
too
long,
but
once
you
try
to
build
like
complicated
systems,
it's
a
disaster
like
it
doesn't
have
the
structures
that
doesn't
have
an
object
system.
A
You
can
make
one,
but
yeah
and
JavaScript
is
fantastic
for
this
stuff
and
like
really
well
thought
out-
and
so
you
know,
our
approach
has
been
use.
C,
where
you
need
it
to
talk
to
native
resources,
to
be
blindingly
fast
and
use
JavaScript
for
everything
else,
and
it
turns
out
that
everything
else
turns
to
be
like
90
or
95%
of
the
code
and
like
a
lot
of
products,
and
so
you
just
move
so
much
faster.
You
have
whole
classes
of
bugs
that
go
away.
You
never
read.
A
Uninitialized
memory
right,
I
mean
there's
just
all
these
really
nice
things
you
don't
tend
to
have
memory
leaks,
certainly
not
anywhere
near
as
many
as
you
do,
when
you're
working
and
C,
and
so
our
position
is
not
that
excess
is
the
best
way
to
build
an
embedded
device
using
javascript.
Our
position,
which
the
world
will
one
day
acknowledge,
is
that
actually
javascript
is
the
best
way
to
build
embedded
devices
period,
that
they
will
be
more
secure.
A
Mm-Hmm,
so
you
won't
be
surprised,
we
did
a
light
switch.
The
question
is
what,
besides
the
light
bulbs,
have
we
done?
You
won't
be
surprised
to
know
we
did
a
light
switch
and
we
actually
it
really
plugs
into
our
wall.
If
you
come
by
the
office
and
has
a
touchscreen,
so
it's
super
pretty
that
when
we
haven't
quite
published
yet,
but
it's
great,
you
should
I
mean
come
by
and
see
it.
A
One
of
our
guys
published
a
whole
project
on
a
digital
alarm
clock
that
uses
like
neopixels
and
it's
like
completely
ridiculously
awesome.
Like
every
feature
you
ever
wanted
in
a
digital
alarm,
clock
and
more
and
we're
working
I
mean
more
seriously
with
commercial
vendors
on
putting
this
into
products
through
TC
53
I
can
say
that
one
of
the
through
their
work
in
TC,
53
I,
can
say
one
of
those
is
whirlpool
who
are
working
with
on
a
suite
of
white
good
products.
Those
aren't
quite
in
the
market,
yet
so
I
can't
get
into
the
details.
A
Is
it
so?
The
question
is:
javascript
is
not
really
considered
great
for
real-time
work
in
particular,
the
garbage
collector
can
give
you
unpleasant
surprises.
So
there's
there's
a
few
things
when
I
mentioned
on
the
LED
controller.
In
fact,
I
tried
writing
it
in
JavaScript
the
LED
driver
and
failed
because
the
timing
wasn't
precise
enough.
So
we
just
don't
always
get
there.
That's
one,
but
the
garbage
collector
turns
out
not
to
be
a
big
issue,
and
the
reason
is
that
on
these
things,
we're
running
with
such
a
tiny
heap
like
on
this
light
bulb.
A
The
JavaScript
heap
is
like
20
K,
16
K
and
even
at
80
megahertz.
You
can
like
garbage
collect
that
heap
like
100
times
a
second
and
you'll
be
fine.
You
will
never
notice
like
a
hiccup
from
it,
because
there's
just
no
work
to
do,
and
so
that's
part
of
the
other
thing
we
do
when
we
build
our
software,
we're
really
sensitive
to
this.
A
So
we
try
to
write
our
software,
so
it
doesn't
create
new
objects
except
when
changing
states
right
and
so
then
you
don't
tend
to
be
throwing
off
a
lot
of
garbage
collections
in
the
normal
operation,
just
when
you're
moving
to
a
new
state
and
in
our
debugger.
If
you
saw
on
the
left
side,
there's
an
instrumentation
panel
and
it
actually
shows
you
all
the
garbage
collections
and
on
a
timeline
graph,
and
so
you
can
see
as
you're
running.
A
Oh,
my
god,
this
operation
is,
like
you
know,
doing
100
garbage
collections
a
second
and
this
other
one
is
doing
0
and
then
you
can
go
and
it's
you
know,
pit
piece
not
apart
so
embedded
development
requires
some
discipline
on
things
like
that.
But
it's
incredibly
rare
that
we
have
the
garbage
collector,
be
an
issue
once
we
sort
of
learned
learn
what
its
characteristics
weren't,
how
to
work
with
it.
A
So
yeah,
so
the
question
is
about
debugging
environment.
So
right
now
we
just
have
our
own
debugger
called
excess
bug
and
it
runs
on
Mac,
Windows
and
Linux,
so
you're
generally
set
and
of
course
excess
bug
is
written
in
excess.
So
it's
a
completely
JavaScript
powered
JavaScript
debugger
the
protocols
open
and
we
actually
have
had
an
open
source
developer.
Who
did
a
version
of
it
that
runs
in
a
web
browser
which
is
pretty
wild
over
the
network?
A
Quite
got
that
all
sorted
out,
but
it
really
does
work
and
people
have
in
the
past
done
a
visual
visual
coded
version
of
it.
But
it's
not
something
we're
actively
supporting
yeah
the
v8
debugging
protocol
is
really
complicated,
I
mean
it's
awesome,
No
no
offense.
If
you're
in
the
audience-
and
you
wrote
it
like
it's
awesome
but
to
be
able
to
support
a
debugger
on
an
embedded
device.
We
need
something
really
different,
and
so
we
have
an
incredibly
simple
debugging
protocol
that
gets
the
job
done.
A
Clearly
so
I
mean
that's
it's
a
place
where,
if
the
open-source
community
somebody
wants
to
do
that,
we'd
love
to
support
it,
but
it's
not
something
that
we've
would
chosen
to
invest
in
so
I
I'm
gonna
stop
I,
always
a
little
cautious
about
bringing
JavaScript
to
bring
you
our
work
to
a
javascript
audience,
because
it's
always
so
web-centric.
So
I
really
appreciate
the
fact
you
guys
are
so
attentive
and
interested
in
asking
great
questions.
So
thank
you.