Developer builds static HTTP web server entirely in aarch64 assembly for macOS
Written completely in assembly language, the tool demonstrates the mechanics of low-level systems programming while prioritising educational value over production readiness.
A developer has released ymawky, a minimal static HTTP web server written entirely in aarch64 assembly language for macOS. The project utilises raw Darwin syscalls without any libc wrappers to serve static files and support various HTTP methods including GET, HEAD, PUT, OPTIONS, and DELETE. By removing standard libraries, the implementation forces manual management of CPU registers, memory offsets, and error flags that are typically abstracted away in high-level languages.
The codebase manually handles string parsing, memory management, and security features such as path traversal prevention, symlink blocking, and denial-of-service mitigation via custom timeout logic. The server operates on a fork-on-request model, where each inbound connection triggers a new process. This approach requires the developer to write custom logic for parsing HTTP headers byte-by-byte, validating carriage return and line feed sequences, and managing file descriptors without the aid of existing frameworks.
Security considerations are handled through manual sanitisation of filenames for HTML and URL contexts to prevent cross-site scripting attacks. The implementation uses the O_NOFOLLOW_ANY flag to block symlink traversal, ensuring that requests cannot escape the designated document root. However, the author notes that the project is not impervious to denial-of-service attacks, though it aims to limit resource tying through specific timeout mechanisms.
To mitigate slowloris attacks, the server calculates a dynamic timeout based on content length and a minimum bytes-per-second transfer speed. A custom sa_tramp handler bypasses standard sigreturn mechanisms to send a 408 Request Timeout response before exiting the child process. Specific constraints include a 1GB default maximum body size for PUT requests and a 4096 byte buffer for filenames to prevent memory overflows.
The author explicitly states that the implementation is an educational experiment rather than a production-grade replacement for existing servers like nginx. The project relies on a little-documented Darwin syscall, proc_info, for counting active child processes, which introduces potential fragility if Apple changes the syscall interface. Despite these limitations, the tool serves as a demonstration of the challenges involved in writing web servers from the ground up.
The release highlights the stark difference between writing software in assembly compared to languages like Python or C. Every step of the CPU process is visible and under control, yet the lack of warnings or automatic cleanup makes simple tasks appear complicated. The project aims to explore low-level systems programming challenges, offering a glimpse into the difficulties of parsing requests and managing file descriptors without modern conveniences.
