Domain: pearsoncmg.com
Stories and comments across the archive that link to pearsoncmg.com.
Stories · 4
-
Book Review: Digital Archaeology: the Art and Science of Digital Forensics
benrothke writes "The book Digital Archaeology: The Art and Science of Digital Forensics starts as yet another text on the topic of digital forensics. But by the time you get to chapter 3, you can truly appreciate how much knowledge author Michael Graves imparts. Archaeology is defined as the study of human activity in the past, primarily through the recovery and analysis of the material culture and environmental data that they have left behind, which includes artifacts, architecture, biofacts and cultural landscapes. The author uses archeology and its associated metaphors as a pervasive theme throughout the book. While most archeology projects require shovels and pickaxes; digital archeology requires an entirely different set of tools and technologies. The materials are not in the ground, rather on hard drives, SD cards, smartphones and other types of digital media." Keep reading for the rest of Ben's review. Digital Archaeology: The Art and Science of Digital Forensics author Michael Graves pages 600 publisher Addison-Wesley Professional rating 9/10 reviewer Ben Rothke ISBN 978-0321803900 summary Excellent introductory text to digital forensics In the preface, Graves writes that in performing an investigation that explores the use of computers or digital data, the investigator is embarking on an archaeological expedition. In order to extract useful artifacts, information when dealing with our topic at hand; the investigator must be exceedingly careful in how he approaches the site. The similarities between a digital investigation and an archaeological excavation are much closer than you might imagine. Data, like physical artifacts, gets dropped into the oddest places. The effects of time and environment are just as damaging, if not more so, to digital artifacts as they are physical mementos.
The book shows you precisely how to extract those artifacts effectively. And in a little over 500 pages, the books 21 chapters, provides a comprehensive overview of every area relevant to digital forensics. The author brings his experience to every page and rather than being a dry reference, Graves writes an interesting reference guide for the reader who is serious about becoming proficient in the topic.
Rather than provide dry overview of the topics and associated hardware and software tools. The books take a real-world approach and provides a detailed narrative of real-world scenarios.
An important point Graves makes is that a digital investigator who does not understand the basic technology behind the systems they are investigating is going to be at a distinct disadvantage. Understanding the technology assists in the investigative process and ensures that the evidence can be held up in court.
The need to a proficiency in digital forensics is manifest in the recent attack against Target stores. After an aggressive attack, the store called in external digital forensics consultants to help them make sense of what happened.
The book starts with an anatomy of a digital investigation, including the basic model an investigator should use to ensure an effective investigation. While the author is not a lawyer; the book details all of the laws, standards, constitutional issues and regulations that an investigator needs to be cognizant of.
The author notes that Warren Kruse and Jay Heiser wrote in Computer Forensics: Incident Response Essentials that the basic computer investigation model was a four-part model with the following steps: assess, acquire, analyze and report. Graves breaks those into more detailed and granular level levels that represent processes that occur within each step. These steps are: identification and assessment, collection and acquisition, preservation, examination, analysis and reporting.
Chapter 2 has a section on the constitutional implications of forensic investigation, of which is the topic is also pervasive throughout the book.
As noted, a significant portion of the book is dedicated to the legal aspects around digital investigations. Graves spends a lot of time on these needed issues such as search warrants and subpoenas, basic elements of obtaining a warrant, the plain view doctrine, admissibility of evidence, keeping evidence authentic, defining the scope of the search, and when the Constitution doesn't apply.
The only chapter that was deficient was chapter 13 – Excavating a Cloud. Graves writes that the rapid emergence of cloud computing has added a number of new challenges for the digital investigator. The chapter does a good job of detailing the basic implications of cloud forensics. But it unfortunately does not dig any deeper, and does not provide the same amount of extensive tool listings as do other chapters.
Each chapter closes with a review of the topic and various exercises. Those wanting to see a sample chapter can do so here.
For those looking for an introductory text on the topics of digital forensics, Digital Archaeology: The Art and Science of Digital Forensics is an excellent read. Its comprehensive overview of the entire topic combined with the authors excellent writing skills and experience, make the book a worthwhile reference.
Reviewed by Ben Rothke.
You can purchase Digital Archaeology: The Art and Science of Digital Forensics from amazon.com. Slashdot welcomes readers' book reviews (sci-fi included) -- to see your own review here, read the book review guidelines, then visit the submission page. -
Book Review: The Logic of Chance
eldavojohn writes "The Logic of Chance: The Nature and Origin of Biological Evolution is a comprehensive snapshot of the latest research of biological evolution. The text is written by Eugene V. Koonin, an editor for a journal and researcher at NCBI. The book, although lacking in foundational knowledge and often foregoing explanation of research, presents a comprehensive and well-referenced view of modern evolutionary research. It is heavily laden with acronyms and jargon specific to biology and evolution. As a result, reading it requires either prior knowledge or a high tolerance for looking up these advanced topics with the reward of it being an extremely eye opening and enjoyable read worthy of your time." Keep reading for the rest of eldavojohn's review. The Logic of Chance: The Nature and Origin of Biological Evolution author Eugene V. Koonin pages 516 publisher FT Press Science rating 7/10 reviewer eldavojohn ISBN 978-0132542494 summary An outline of a fundamentally new evolutionary synthesis reflecting key advances in genomics, systems biology and biological physics. First off, my background is primarily in computer science although I took courses in bioinformatics in my undergrad and have maintained an interest in evolution since evolutionary and genetic algorithms were supposed to revolutionize computer science when I was in school. Unfortunately, my lack of biology caused the text to be extremely tedious (so much googling) for some chapters while my strong statistical background made other chapters very much enjoyable. For most readers this presents a large barrier of entry. When the author discusses neural networks being used to categorize prokaryotic genes, it may be insufficient to the reader to understand what that means. As a result, this book's audience is a relatively small set of people: 1) biology graduates with strong statistical knowledge or 2) someone willing to work very hard to understand advanced terms and concepts in both fields. Please proceed knowing that a biologist's review of this same book could very well sound entirely different from mine. Also, Koonin wastes very few words in this book, the text is dense and if you are unable to complete reading this review due to jargon there is a low chance you'll be able to tolerate it in the book. To sample some of this book, there is a short PDF containing chapter one or Google Books offering the first 147 pages at the time of this writing — you will see that this review barely scratches the surface of what is covered in this information-dense book.
Secondly, I will preface my review of the technical aspects of this book with my reason for giving it a score of 7 out of 10. The introduction to this book sets very lofty goals. One of them being the hope that this book does for evolution what A Brief History of Time did for physics. That is a seriously tall order and gave me correspondingly high hopes for this book. Koonin, unfortunately, is a very gifted writer and is unafraid of using exceedingly complex sentences such as this gem from page 117 (deliberately taken out of context):
"It has been known for years that a widespread form of global regulation in bacteria is mediated by cAMP, with the participation of diverse adenylate cyclases (a striking case of NOGD); numerous proteins containing cAMP sensors, such as the GAF domain; and the CRP, FNR, and other transcription regulators, also containing cAMP-binding domains."
That sentence is typical of Koonin's writing — lengthy and intricately peppered with many acronyms (only one of which had been described well enough for me earlier in the text). Of course, that paragraph comes with a reference to a paper (like almost all of the paragraphs in this book) from 2010 by Seshasayee so the reader is free to seek external resources if these sentences are daunting.
Considering all of this, I read A Brief History of Time in high school and, despite not having had a physics course yet, learned a lot from it. I attribute that, mostly, to the fact that the sentences are simple and straightforward. Not only that but A Brief History of Time did a great job of building upward from the foundational mechanics of physics while somehow remaining refreshingly brief. This is not the case in The Logic of Chance but I will rush to the book's defense somewhat on that charge. Prior to having read this book, I would have stated my desire that the text start from the basics and work its way up. After reading this book and understanding this field better than I ever have, I now agree that the subject matter of evolution would demand quite the epic tome to accomplish such a feat. I do hope to see future versions of this book with more concise and clear sentences as well as more fundamental concepts explained. If I could have begged Koonin to add one thing to this book, it would be a glossary in the back spanning many hundreds of pages for ignorant readers like myself. Right now this book is for graduate students and academia whereas A Brief History of Time could almost be consumed by anyone who made it through the public school system.
I also sympathize with Koonin's herculean task because modern evolutionary studies seem relatively young compared to other fields like particle physics. As a result, Koonin must (and does) concede in some sections that there still exists largely debated theories. These debates often concern things about which we may never know the absolute truth like the branching factor of a tree of evolution on Earth some indeterminable time ago. As more and more prokaryotes and eukaryotes are added to their statistical algorithms, this may become clearer and yield revelations like the genetic makeup of the last eukaryotic common ancestor (LECA) and free this text of many pages devoted to questions surrounding such origins of life. But for now Koonin must tediously cover all his bases to introduce such things to the reader.
The book starts off by establishing the fundamentals of evolution up until the consolidation of Modern Synthesis. This includes purifying selection, drift, draft, fitness landscapes, etc until Darwinian Evolution was combined with genetics. At this point, the substrate of evolution (the genome) lead to evolutionary genomics. In particular Koonin concentrates on the statistics applied at the molecular level including distance methods, maximum parsimony, maximum likelihood, Bayesian inference and a similar analysis of phylogenetic methods. Koonin establishes early on that evolutionary research can no longer rely merely on phenotypic effects but rather there is a vast array of concrete changes happening at a molecular level.
The book moves on into comparative genomics and discusses extensively the intricate differences between the genomes of viruses, bacteria, archaea and eukaryota. Koonin exhaustively compares these groups through statistics and lays a brief foundation of relationships between genes. From this point on the book is heavily infested with the terminology of homologous, orthologous and paralogous genes. In addition to those the author discusses In-/Out-paralogous, co-orthologous and groups of orthologous (COG) genes. For people unfamiliar with this world, bookmarking and referring to Box 3-1 on page 56 is strongly advised. For the layperson, I believe an expansion of such a graphic would be a great addition to this book. Inside this part, the book also covers a simple but often misunderstood core piece of evolution and that is that evolution has the basic elementary events at the level of gene and genome evolution: substitution, deletion/loss, insertion, recombination/HGT and duplication. Over and over on Slashdot, I see comments that indicate a confusion or perception of evolution being one big monolithic thing. Koonin obviously reads or even studies a lot of other academic fields and tries to explain "the gene universe" as a space-time where there are a few dense clusters of core genes represented in most genomes but most of that space-time is occupied by a huge number of increasingly sparse "nebulae" consisting of rare genes. The author says of this universe: "This organization of the gene universe is distinctly fractal--that is, it appears at all scales of evolutionary distances."
As if that wasn't enough to prove that a definitive phenome narrative (what I alluded to earlier as desired) would be a bad idea, the next section moves on to systems biology and a heavier statistical look at genomics. Beyond the gene status (present or not present) exist two classes of variables: intensive evolutionary variables and extensive phenomic variables. At this point, we're not even talking about tangible things like eye or hair color but rather the underlying mechanisms to those sorts of things like proteins and how they are folded. Everywhere Koonin uses italics, the reader should pay special attention as I found these to be the most interesting key points (example: "Highly expressed genes evolve slowly"). In defining the nature of the evolutionary process, the author covers important concepts like fitness graphs that contain multiple local maxima to demonstrate how non-optimal progressions can occur. Furthermore this section makes it clear that adaptation is not the be-all end-all of evolution. The extensive discussion of the quantifiable properties of genome architecture, functioning and evolution are defined more so by non-adaptive, stochastic processes. Here (and in many later sections) Koonin attempts to use metaphors like Jacob's tinkering and ratchets to help the reader understand these complex concepts but I felt that these metaphors were still so far abstracted that the text could use anything linking these processes to tangible observations in organisms. Again I cannot hold this as a flaw for, after reading the book, it's clear that such a request would be viewed as sophomoric and evidence that I am unable to progress past The Origin of the Species (this book's key objective).
Koonin then moves on to the prokaryotic world and examines their genes and operons while paying special attention to an odd case: cyanobacteria. Most importantly in the prokaryotic domain, extensive comparative genomics has revealed a concept called horizontal gene transfer (HGT). I was personally hoping that Koonin would seize upon this novel concept and its importance in bacterial antibiotic resistance and how bacteria can evolve to dissolve novel compounds. For better or for worse, Koonin sticks to the pure purpose of this book and extensively covers important HGT discoveries like the convergence of protein sequences in similar groups of bacteria and archaea. Some selfish genes rely so heavily on horizontal mobility that they are dubbed "mobilomes" and Koonin discusses their aspects extensively. Darwin's Tree of Life concept was a very small eukaryotic part of the big picture that Koonin tries to re-invent as the "Forest of Life" or "Web of Life" (considering HGT). A whole chapter is devoted to discussing its properties and graphically visualizing its structure based on extensive surveys and what we know today.
From there the author discusses the origins of eukaryotes, Last Eukaryotic Common Ancestor (LECA), the branching factor of its evolution, its relative distance to the point of symbiogenesis in proposed evolutionary trees and the many competing theories about that tree. This section of the book spends considerable time examining the inferred origins of basic eukaryotic cell functioning and also discusses at length the archaeal roots of elaborate systems with the exception of the mitochondrion. This chapter also looks at the perplexing features of introns in eukaryotic genes. Koonin then tackles the misconceptions and abuses of the word complexity in all aspects of evolution. He applies information theory to the genetic code and notes that "information (entropy) tells us very little about the meaningful information content or complexity of a genomic sequence." It is then suggested that a new way to compute entropy and complexity is to examine the alignment of orthologous sequences instead of single sequences. For people interested in information theory, chapter eight is the most fruitful where Koonin proposes a computable formula for biological (evolutionary) information density. Like Claude Shannon's ability to infer many important aspects of communication, Koonin's modifications allow us to calculate that perceptually complex organisms possess more "entropic" genomes while perceptually less complex organisms like bacteria have the tightly packed and information dense "informational" genomes. After establishing these studies in information theory, Koonin is able to argue that neutrality of mutations that are fixed during evolution is the null hypothesis for all molecular evolutionary theories. All of this aids the author in discussing why evolution progressed passed single celled organisms that already had 1,000 to 1,500 genes to larger sets of genes in multicelled organisms.
Chapter nine tackles the modalities of Darwinian, Larmarckian and Wrightean evolutionary theories. This chapter improves upon the simplistic triad of heredity-variance-selection that defines Modern Synthesis by showing that the relationship between population size and environmental stress determines which of the three modalities is expressed the most in evolution while at the same time observing the importance of entropy (noise) at all levels of transmission. Koonin shows that by combining very well known molecular mechanisms we can achieve a complex scenario like Jean-Bapteste Lamarck's proposed modality of evolution. The text gives viruses the same treatment which, despite my assumption that they would be easier to analyze, appear to have many of the same complexities that prokaryotes and eukaryotes have. Possibly even more so given the effects of the Red Queen Hypothesis and all of the counterdefense genomes in some viruses. Furthermore the cellular empire and virus empires have two-way exchanges of genes. The truth is we know very little about the virus world — considering its size and history — and the author postulates that viromes in unknown and unstudied viruses consist largely of uncharacterized "dark matter" (again, borrowing terms from cosmologists).
Koonin then approaches the next logical step backwards: the last universal common ancestor (LUCA). He starts by listing the arguments that cellular life indeed had a common ancestor and looks at competing theories (for example cell organization complexity versus genetic complexity leading to different models of varying degrees of cellularity). In chapter twelve, Koonin covers the topic that is often the hardest to imagine — the origin of life. This is interesting and particularly difficult because the translation system itself at some point evolved. Interestingly enough, these 60 protein-coding genes and ~40 structural RNA genes are the only complex ensemble of genes that are conserved across all extant cellular life forms. So, of course, the point in the evolutionary tree where this had developed is discussed as well as the Darwin-Eigen cycle. The latter requiring a system of a far greater complexity in order to be started. So the author begins examining the proposition that over time and due to their catalytic properties ribozymes lead to processive synthesis of peptides (long enough to be the first proteins). After discussing the eleven stages this would have to encompass, the author discusses the existing skepticism of models that try to explain how replication and transcription came about. This chapter also tackles geochemical and chemical propositions on the origin of life — something that has been discussed on Slashdot before. This research centers on networks of inorganic compartments consisting of catalytic surfaces with gradients of heat and acidity that could have supported primordial organic chemistry.
The book ends with a chapter devoted to reiterating topics as well as asking important questions like whether or not another biological evolution model is necessary/feasible as well as caution against logic like the progress fallacy or criticizing a concept like "the selfish gene" because it sounds "undignified." Though these are tempting arguments because of their simplicity, they have proven fruitless. A diagram on page 412 reminds us just how complex the flow of genetic material is between the virus empire and the cellular empire.
There are two appendices to this book and, perhaps because they use a softer language, they were much more accessible to me yet posed more questions than answers. Appendix A concentrates on the philosophy of postmodernism, the infeasibility of synthesis and the distrust of metanarratives. The author argues that any paradigm presented must include oversimplification and that we merely replace them with better metanarratives. It is also important to ask these questions about the current paradigms for without them we would never have come up with drift, draft and various neutral ratchets to improve old models. Koonin references Hawking and Mlodinow with the concept of model-dependent realism which stresses that scientists merely construct models that are in turn swapped out for better models given how well they explain data and predict the outcomes of experiments. Lastly Koonin refers to Popper's famous falsification paradigm and his subsequent position on how invaluable evolution is purely on the grounds that it arms us to model and understand specific experiments. The second appendix deals with roughly estimating the probability of life arising given inflationary cosmology. I know this back of the envelope math has become popular given recent discoveries of exoplanets in the news but I felt the few references to the "many worlds in one" model deserved to be placed in a separate book. Nevertheless, Koonin covers both the strong and weak forms of the anthropic principle and looks at the connotations they hold for evolution.
The references at the end of this book are extensive — 38 pages of two line references. It should probably be mentioned that Koonin's references to his own work consist of two of these pages although at no point did it sound like he was unfairly proffering his theories over others. At certain points I had to wonder whether or not I was reading a lightly adjusted abstract from a peer reviewed paper or a book. This is most evident in one of the figures of an appendix on page 437 that reads "This is a formulation of the 'weak' anthropic principle adopted for the context of this paper." Since it is a graphic and in the appendix, it's forgivable but caused me to wonder if the rest of the book couldn't be more seamlessly tied together with transitionary language for novices like myself. Amazingly, I found maybe one grammatical error and no typos in this book which was a refreshing experience for a first edition. Also, this is one of the best bound books I've had the pleasure of reading, its spine has held up to hours of laying it flat open while I googled for a better understanding. While $50 is pricey, the book is built to last and this $10 premium over the kindle edition is worth it if you must hold a physical copy of a book. It saddened me to be reminded that some states struggle with including the core concepts of Darwinian evolution anywhere in their K-12 curriculum. And should those students desire to break new ground in this modern field, texts like The Logic of Chance are that much further away from them.
You can purchase The Logic of Chance: The Nature and Origin of Biological Evolution from amazon.com. Slashdot welcomes readers' book reviews — to see your own review here, read the book review guidelines, then visit the submission page -
Book Review: The CERT Oracle Secure Coding Standard For Java
brothke writes "It has been a decade since Oracle started their unbreakable campaign touting the security robustness of their products. Aside from the fact that unbreakable only refers to the enterprise kernel; Oracle still can have significant security flaws. Even though Java supports very strong security controls including JAAS (Java Authentication and Authorization Services), it still requires a significant effort to code Java securely. With that The CERT Oracle Secure Coding Standard for Javais an invaluable guide that provides the reader with the strong coding guidelines and practices in order to reduce coding vulnerabilities that can lead to Java and Oracle exploits." Read on for the rest of Ben's review. The CERT Oracle Secure Coding Standard for Java author Fred Long, Dhruv Mohindra, Robert Seacord, Dean Sutherland, David Svoboda pages 744 publisher Addison-Wesley Professional rating 10/10 reviewer Ben Rothke ISBN 0321803957 summary Definitive guide on the topic The book is from CERT, and like other CERT books, provides both the depth and breadth necessary to gain mastery on the topic.
The first 100 pages of the book are available here. After reading it, you will be likely to want to see the next 650 pages.
This book provides a set of guidelines for secure programming in Java SE 6 and 7 environments. It is primarily targeted at software developers and computer security practitioners. While Java is inherently designed to be relatively secure as compared with other languages, it requires the developer to understand the security controls and language features thoroughly before he can implement them correctly. The book illustrates insecure coding practices and suggests corresponding safe alternatives to enable a developer to have an optimal blueprint.
Software developers are constantly under pressure to accommodate feature requests and have to strike a fine balance between enhancing delivery excellence and releasing a software product in consonance with deadlines. At the same time they routinely tackle technical challenges and often document their experience for the benefit of others. This book is one such effort, in that, several programmers and reviewers have contributed the contents. It encourages a developer to think beyond programming logic and enables him to produce clear, concise, maintainable and secure code – a mandatory requirement for today's dynamic software industry which is plagued by a spectrum of security threats and attrition's.
This book isn't for a Java beginner. The introductory chapter expects an intermediate or seasoned Java professional to identify the gamut of security vulnerabilities that frequently manifest in code and design. The chapter briefly explains injections attacks, unintended information disclosure, denial of service and issues involving concurrency and class loaders. Summary tables have been provided to assist the reader to easily locate representative secure coding rules for each category.
The examples presented primarily encompass the lang and util libraries of Java SE and also cover collections, concurrency, logging, management, reflection, regex, zip, I/O, JMX, JNI, math, serialization and JAXP libraries. No particular Java platform or technology has been favored; the set of rules is generic and independent of whether a mobile, enterprise, desktop or web application is being developed.
Notably, the layout enables the practitioner to pick up any chapter or rule at random without requiring him to read the preceding pages. Each rule has a short description of a unique problem and one or more non-compliant and compliant code examples. Risk assessment and references to other coding standards along with bibliography are also provided.
Unfortunately, the suggested tips for automatic detection of described problems aren't very practical because no automated bug detection tools have been vetted. Some rules also have a related vulnerabilities section that preys on weaknesses in commonplace software in context of the described problem.
Chapter 2 focuses on input validation and data sanitization. It highlights attacks such as SQL, XML, and OS injection and XML External Entity (XXE) and suggests corresponding mitigation techniques. It mentions but doesn't elaborate on web-based attacks such as cross-site scripting and CSRF, to avoid being too domain specific. The chapter advises developers to normalize strings, canonicalize and validate path names, refrain from logging unsanitized input, use appropriate internationalization and globalization APIs, avoid string encoding misgivings and other issues.
Chapters 3, 4 and 5 deal with declarations and class initialization, expressions, and numeric operations respectively. Dangers of auto-boxing, side-effects in assertions, integer overflow, and vagaries of floating point arithmetic are discussed at length.
The examples are short, to the point and intellectually challenging for the advanced reader. For example, one rule – don't use denormalized numbers dissects a vulnerability in Java 1.6 and earlier that allows an attacker to perform a denial of service attack by sending a crafted input to the JVM.
The book devotes a chapter to object-oriented programming and stresses on limiting extensibility of classes, encapsulating data, ensuring that code refactoring doesn't result in broken class hierarchies, using generics for fun and profit and so on.
Another chapter discusses Java methods, for example, one rule suggests that subclasses mustn't increase the accessibility of an overridden method. There is some useful information about using methods of Object class properly. This information is standard advice that can also be found in other books. This book offers all that and more. For example, one rule documents a convincing and exhaustive list of reasons why you shouldn't use finalizers.
The book also highlights misconstrued exception handling practices through examples akin to the shortcuts programmers invent, to save themselves from the trouble of having to handle exceptions. It explains why doing that can be insidious. Information disclosure arising from ill-conceived exception handling strategies is also discussed. Some may disagree with the advice on the pretext that exception handling when done the right way leads to unreadable code, however, the features presented from Java 7 convincingly offer a middle path. Further, when compliance with a certain rule is believed to be challenging and costly, the standard allows documented deviations and even lists valid exceptions for each rule.
Chapters 9, 10, 11, 12 and 13 are reserved for concurrency related issues. There are more than 30 rules in these chapters; the set could qualify as a handbook of concurrency issues and solutions. At a high level, the chapters cover visibility and atomicity, locking, thread class APIs, thread pools and thread safety in multi-threaded Java programs. The chapters don't assume that the reader has any familiarity with multi-threaded programming.
The next few chapters highlight input-output (I/O) risks such as working with shared directories, using files securely, closing resource handles properly, serialization and more. The book doesn't assume that the reader has a sophisticated background in serialization and builds from the basics. It cites examples of vulnerabilities that necessitate understanding the role of serialization.
A chapter on platform security follows, and is meant for advanced Java users. This chapter leads to another on runtime environment that cautions against signing code, granting permissions frivolously and permitting insecure deployment configurations. The final chapter captures miscellaneous rules that forbid hardcoding sensitive information, leaking memory, generating weak random numbers and writing insecure singletons among other topics.
Many other leading security standards delineate high-level measures that must be taken to ensure compliance but most fall short of prescribing the exact recipe to get there. This book fills that gap by approaching security from the ground-zero level upwards. However, it doesn't clearly specify to what extent the rules will help organizations meet the compliance goals proposed by other security standards. All the same, the eighteen crisp chapters of this book undeniably have the potential to help the software developer win the battle against software insecurity on his own terms.
For those using Java on Oracle and hoping to build secure applications, The CERT Oracle Secure Coding Standard for Javais a very useful resource that no programmer should be without.
Ben Rothkeis the author of Computer Security: 20 Things Every Employee Should Know.
You can purchase The CERT Oracle Secure Coding Standard for Java from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Linux Kernel Development 3rd Ed
eldavojohn writes "Linux Kernel Development Third Edition by Robert Love is the perfect book for the beginning or intermediate Linux kernel hacker. It provided me an excellent bridge between the high level introduction I had in college (from Operating Systems Concepts) and the actual kernel code. The best part about this book is that the chapters are — like the kernel — modular, and allow the reader to dig down in a particular part if they have a specific interest. This, in conjunction with Love's indications of which files and code snippets contain the logic, gave me confidence to clone the kernel, make tiny adjustments, compile and run. At four hundred pages, the book is a long read, but for kernel newbies like me it's a better alternative to jumping into the millions of lines of code. While you might find this information in pieces floating around online, this book balances clarity with brevity in an exceptional manner. It should also be noted that this book defaults to the x86 architecture when explaining architecture-sensitive parts of the kernel (with 64-bit differences occasionally outlined)." Keep reading for the rest of eldavojohn's review. Linux Kernel Development Third Edition author Robert Love pages 480 publisher Addison-Wesley Professional rating 10 reviewer eldavojohn ISBN 978-0-672-32946-3 summary A thorough guide to the design and implementation of the 2.6 Linux kernel tailored for developers. If you're unfamiliar with Robert Love, let's just say he's been active in contributing to the Linux kernel for fifteen years and he's currently at Google and was part of the Android team. This is his third edition of Linux Kernel Development, and it's tailored to the 2.6 kernel. The first chapter of this book gives you a very brief history of Linux along with an explanation that a major upgrade has been postponed and 2.6 is a very stable and capable version to use. I'd imagine many companies today (like my own) live and die by the capabilities of 2.6 hosting a variety of services. The second chapter sets you up with git to clone the code and deploy it locally without hosing your kernel. If you'd like to sample Love's writing style, these two chapters are available for preview online (PDF).
From there on out, Love divides the kernel up and proceeds to ease the reader into each realm that he covers. You won't get full coverage of the kernel but he delivers the most important chunks that he can in 400 pages and makes good on keeping the material in focus. Every chapter seems to follow a pattern of a few pages of generic remedial kernel design talk then a few pages of Linux specific historical approaches to said design followed by the meat and potatoes in 10 to 40 pages depending on how much code is cited. A short paragraph or two tidies up each chapter to segue into the next one. I failed to find any weaknesses in Love's writing. While he struggles to keep the reader engaged and entertained at times, there's simply too much explaining to be done for him to waste pages on wit and banter. If any of that is to be found, it's sprinkled around the intros and outros surrounding some genuinely solid technical writing. To keep this review relatively concise, I'll only fully cover the content in the first half of the book.
Chapters three and four focus on processes and how the kernel manages them. Love glosses over some basic concepts (i.e. the state transition diagram of a process) about process creation but also includes small code snippets ranging from function signatures to iterative algorithms that do the heavy lifting when initializing and maintaining processes and their hierarchical structures. If you've ever wondered exactly what happens during a fork or how zombie processes are managed, it's all answered here in English. The book moves on to Linux's relatively new completely fair scheduler (CFS) and also describes how to switch out schedulers (the older schedulers appear to remain unused in the code if you want to swap them back in). Love concentrates on kernel/sched.c and kernel/sched_fair.c as he explains the code and flags that control waking, sleeping, preemption and context switching. For me this was one of the most interesting parts of the book where the reader gets to see timeslice and 'nice' factors at work in the actual code. The runnable processes are managed in a red-black tree and Love takes care to show how these are cached and used in the code. As I read these chapters, I couldn't help but wonder how companies like Google tailor the Linux kernel to their needs inside their massive server farms — the care to 'waste not' is already so evident in Love's explanations that tweaking through settings and flags or even rewriting seems like a hard route to save cycles.
Chapter five is a brief how-to about system calls in Linux. This chapter details how to create a system call and how to register it, but also gives background on how the kernel handles system calls and explains concisely how Linux handles system calls in regards to security and stability. Most importantly this chapter explains why you should rarely — if ever — resort to system calls (if it's not accepted as part of the kernel, you face future conflicts with the syscall number).
Chapter six was a bit of a surprise to me but outlines in depth four data structures (linked lists, queues, maps and red black trees). If you code only for Linux and you are rolling your own of any of these data structures then this chapter is for you. It's a bit of a flashback for me but important to note so that one does not duplicate these efforts inside the already expansive code in the kernel. Indeed, this topic is an addition to the book that was not present in the second edition.
Chapter seven is a good illustration of Love's ability to ease the reader into the kernel. He starts off giving a high level introduction to hardware interrupts and their superiority to hardware polling. Form there he explains interrupt handlers and finally the top half (handler) versus the bottom half (deferred workload). This four page intro to the chapter helps beginners like myself prepare for the coming sections on writing a hardware interrupt handler, registering it, unregistering it, disabling all or some handlers, explaining /proc/interrupts and checking contexts. This chapter lays the foundation for following chapters and shows the basics of interrupt handlers. Chapter eight, of course, covers exactly what was left unexplained in the prior chapter — the bottom half. And again the chapter eases into it with an explanation detailing bottom halves. Love gives just the right amount of background (a few paragraphs) to help the reader understand why we are about to discuss softirqs (statically defined bottom halves), tasklets (dynamically defined bottom halves built on top of softirqs) and work queues at great length.
Chapters nine and ten begin with topics the reader might already have some familiarity with: race conditions. Nine begins with the standard topic of the kinds of problems race conditions pose and how one can handle them. The reason for this is the advent of symmetrical multiprocessing (SMP) support that has faced increasing demand in modern operating systems. Love covers what questions the reader should be asking themselves when writing code that may be adversely affected by more than one processor. Love warns the reader that this is not something that can be tacked on at the tail end of development; it must be in the developer's mind from the start. This leads nicely into chapter ten which recalls these problems and explains the many different ways they can be addressed inside the Linux kernel. For each of these approaches, Love outlines the C functions that are available with a brief description. Love lists them in increasing complexity and decreasing frequency: atomic operations, spin locks, semaphores, mutex, completion variables, sequential locks and the Big Kernel Lock (BKL). For each of these, Love provides bullets of guidelines on when to use them versus the others. The most useful of the tables int his chapter are those that contain requirement/recommended tables that help prescribe the reader a solution. But Love advises that the simplest mechanism should be employed unless more complexity is demanded. He also advises the reader to try out several options before settling on the best way to enforce synchronization and handle concurrency. Aside from the specific technical details, this chapter was full of useful rules and guidelines to keep in mind.
The rest of the book covers — in equally excellent detail — the topics of: timers and their management, memory management, VFS, address space, I/O, page caching, debugging and portability. Love also gives some short pointers on code style, creating patches and how to join the community in the final chapter. Skimming the ToC from the second edition (also on 2.6) reveals no major changes to topics aside from some reordering and updating of sample code (like the completely fair scheduler). It's clear that Love has set out to provide a comprehensive guide to the Linux kernel and if you are looking to work intimately with the kernel for fun or for profit then this is the definitive book for delving below the surface of Linux.
You can purchase Linux Kernel Development Third Edition from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.