DieHard, the Software

Roland Piquepaille writes "No, it's not another movie sequel. DieHard is a piece of software which helps programs to run correctly and protects them from a range of security vulnerabilities. It has been developed by computer scientists from the University of Massachusetts Amherst — and Microsoft. DieHard prevents crashes and hacker attacks by focusing on memory. Our computers have thousands times more memory than 20 years ago. Still, programmers are privileging speed and efficiency over security, which leads to the famous "buffer overflows" which are exploited by hackers."

Vista already doing some of this

[PurifyYourMind]

Along the same lines anyway... a new feature in Vista: Address space layout randomization (ASLR) is a computer security technique which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space. http://en.wikipedia.org/wiki/Address_space_layout_ randomization

Re:Vista already doing some of this

This came out in OpenBSD 3.3 over three years ago. Nice to see Microsoft keeping up with the times.

Re:Vista already doing some of this

[PurifyYourMind]

Doh! I should have known. :-)

Re:Vista already doing some of this

[Salvance]

Sure, but wouldn't it be better if everything ran in it's own virtual session (or within a virtual secure space)? This was Microsoft's original plan with it's Palladium component of Longhorn, but my understanding is that this was almost entirely scrapped to get Vista out the door.

Part of the other problem is that most home users expect secure data, but they aren't willing to do anything about it (e.g. set up non-admin users, install virus checkers/firewalls/etc).

Re:Vista already doing some of this

[Alien54]

So of course, the two systems will conflict with each other, and lock up the system tighter than the improper use of superglue in NSFW situations

or randomly locate virtual memory around the HD without regard to pre-existing magnetic conditions.

;-)

Re:Vista already doing some of this

[Jeremi]

This came out in OpenBSD 3.3 over three years ago. Nice to see Microsoft keeping up with the times.

Is this feature standard in Linux yet? I'd hate to see us OSS guys get shown up by Bill... ;^)

Re:Vista already doing some of this

[Ristretto]

Hi Slashdot readers,

DieHard's randomization is very different from what OpenBSD does, not to mention Vista's address-space randomization. I've added a note to the FAQs that explains the difference in some detail, and answers several other questions, but in short: "address-space randomization" randomizes the base address of the heap and also mmapped-chunks of memory, leaving the relative position of objects intact. By contrast, DieHard randomizes the location of every single object across the entire heap. It also goes further in that it prevents a wide range of memory errors automatically, like double frees and illegal frees, and effectively eliminates heap corruption.

-- Emery Berger

Re:Vista already doing some of this

[jnf]

Yea and was in PaX about 6 years ago, so much for being proactively secure.

Re:Vista already doing some of this

[truth_revealed]

Die Hard uses the Flux Capacitor technology.

Man, that's lame even by my standards.

Re:Vista already doing some of this

[strider44]

You could have just looked it up and seen that it's been in Linux for a similar length of time (in 2.6.x). I just googled for "linux address randomization" and clicked the top link.

Re:Vista already doing some of this

Yeah, so lets bash MS for doing a good thing

Re:Vista already doing some of this

[nacturation]

Seems like OpenBSD's implementation does what DieHard claims, or at least some of it. See this interview from August 2005 for information:

http://kerneltrap.org/node/5584

Any thoughts?

Re:Vista already doing some of this

[Tim+C]

Vista has been in development for around 5 years; unless you were expecting this to be released as a service pack for XP or Server 2003, what's your point? It's in MS's latest release, what more do you want? (Yeah, a shorter release cycle would be nice - except that then people would bitch about the upgrade treadmill...)

Re:Vista already doing some of this

Im not sure if your the main developer there. But checking what you do, I'd say you did a direct translation of what OpenBSD does over to Vista.

Even though no source code has been transfered, I'd say this is pretty much a translation of what OpenBSD did.

Please point to the source code you used for your flux version.

Re:Vista already doing some of this

[iamacat]

No, it won't. Programs need to interoperate - you might want to explicitly upload a photo to shutterfly using your web browser, but you don't want a rogue website to just siphon off all your private photos by exploiting a memory bug in one of the endless plugins.

The real solution is programming in a language with secure memory management, such as .Net, Java or even LISP. I suspect that overhead is far smaller than running 3 copies of the program at once like DieHard does.

Re:Vista already doing some of this

[Alioth]

OpenBSD prevents double frees and illegal frees and heap corruption too, and has been doing so for at least a couple of years. The code is BSD licensed too, so you can use it in closed source products like Windows. OpenBSD also has had something called W^X (Write XOR execute) for several years now, even for CPU architectures that don't support making executable pages read-only.

Re:Vista already doing some of this

By contrast, DieHard randomizes the location of every single object across the entire heap. It also goes further in that it prevents a wide range of memory errors automatically, like double frees and illegal frees, and effectively eliminates heap corruption

Yep, just like OpenBSD's malloc does. Not much contrast there, fanboi.

Re:Vista already doing some of this

[Ristretto]

Hi,

Here's a more detailed answer -- I'll add it to the FAQ.

OpenBSD (a variant of PHKmalloc) does some of what DieHard's allocator does, but DieHard does much more. On the security side, DieHard adds much more "entropy"; on the reliability side, it mathematically reduces the risk that a programmer bug will have any impact on program execution.

OpenBSD randomly locates pages of memory and allocates small objects from these pages. It improves security by avoiding the effect of certain errors. Like DieHard, it is resilient to double and invalid frees. It places guard pages around large chunks and frees such large chunks back to the OS (causing later references through dangling pointers to fail unless the chunk is reused). It attempts to block some buffer overflows by using page protection. Finally, it shuffles some allocated objects around on a page, randomizing their location within a page.

DieHard goes much further. First, it completely segregates heap metadata from the heap, making heap corruption (and hijack attacks) nearly impossible. On OpenBSD, a large-enough underflow on OpenBSD can overwrite the page directory or local page info struct (at the beginning of each page), hijacking the allocator. This presentation describes several ways OpenBSD's allocator can be attacked. By contrast, none of DieHard's metadata is located in the allocated object space.

Second, DieHard randomizes the placement of objects across the entire heap. This has numerous advantages. On the security side, it makes brute-force attempts to locate adjacent objects nearly impossible -- in OpenBSD, knowing the allocation sequence determines which pages objects will land on (see the presentation pointed to above).

DieHard's complete randomization is key to provably avoiding a range of errors with high probability. It reduces the worst-case odds that a buffer overflow has any impact to 50%. The actual likelihood is even lower when the heap is not full. DieHard also avoids dangling pointer errors with very high probability (e.g., 99.999%), making it nearly impervious to such mistakes. You can read our PLDI paper for more details and formulae.

-- Emery Berger

Re:Vista already doing some of this

[DrSkwid]

Virtualisation adds another attack vector, suddenly ALL of your programs could be vulnerable.

If your OS can only be trusted in a virtual environment, what's the point of using an OS at all?

Re:Vista already doing some of this

[pcmanjon]

Is this feature standard in Linux yet? I'd hate to see us OSS guys get shown up by Bill... ;^)
You do know *BSD is open source software these days, right?

Re:Vista already doing some of this

[Thalagyrt]

Gotta love the AC that calls the developer of the application the article's talking about a fanboi.

Re:Vista already doing some of this

[cloudmaster]

What? OpenBSD is Open Source Software? How are common people supposed to know that?

Re:Vista already doing some of this

[DeadboltX]

Windows XP is over 4 years old and this is their first new release since then.
One could argue that Microsoft could have put this in SP1 or even SP2 but I am no expert and have no idea if implementing it in Windows XP would even be plausible or if it would mess up too much stuff or cause old programs to stop working.
Since Vista is the first new release of Windows since XP a bit over 4 years ago it seems a bit harsh to call Microsoft out about being behind the times.

Re:Vista already doing some of this

in it's own
with it's Palladium

"its".

Different program?

I thought DieHard was a random number generator test suite. It is annoying when people dont even look around for other programs with the same name and do similar things.

Re:Different program?

[j00r0m4nc3r]

Yeah, he should have named his project Die Harder

Re:Different program?

[baldass_newbie]

Or DieHardWithAVengeance...

Re:Different program?

[RAMMS+EIN]

``I thought DieHard was a random number generator test suite.''

So it is. Speaking of which, does anyone here know how to interpret the numbers it generates? I ran it on the deadbeef random number generator a while ago (test results linked from that page), and my interpretation is that deadbeef_rand does well on some tests and very poorly on others. Am I right? Can one distill from DieHard's output what the weaknesses of the PRNG are?

Re:Different program?

[Werkhaus]

I thought the random number generator was DieBold?

Re:Different program?

[Joebert]

No, you're thinking of the random Vote generator.

Re:Different program?

Or follow Wil Wheaton's example and call it CleverProjectName.

Re:Different program?

Yes, and I hope George Marsaglia sues them for trademark infringement.

Re:Different program?

[gbobeck]

Or DieHardWithAVengeance...

That is so 1995. Update to 2007 and call it "Live Free or DieHard"

Re:Different program?

[pacinpm]

Problem is it is not so random.

Re:Different program?

[the_doctor_23]

Then it is not very good.

Re:Different program?

[wolverine1999]

You are right, it is. This is something else with the same name....

Correction

[realmolo]

"Still, programmers are privileging speed and efficiency over security..."

Speed and efficiency of *development*, maybe.

Which is the problem. Modern software is so dependent on toolkits and compiler optimizations and various other "pre-made" pieces, that any program of even moderate complexity is doing things that the programmer isn't really aware of.

Re:Correction

[MBCook]

This is one of the arguments for a language running on a VM like Java, C#, or Python. They can do runtime checking of array bounds and such and throw an exception or crash instead of silently overwriting some other variable that only may or may not cause a crash or some other noticeable side effect later.

Re:Correction

[AKAImBatman]

"Still, programmers are privileging speed and efficiency over security..."

Speed and efficiency of *development*, maybe.

No, it was right the first time. Java is several orders of magnitude more secure by default than any random C or C++ program. Yet mention Java on a forum like, say, Slashdot, and you'll hear no end to how much Java sucks because "it's slow". (Usually ignoring the massive speedups that have happened since they last tried it 1996.) It doesn't matter that the tradeoff for that speed is flexibility, security, and portability. They want things to be fast for some undefined quantity of fast.

In fact, I predict that someone will be along to argue just how slow Java is in 3... 2... 1...

Re:Correction

Java is so slow that I had to hook up a calendar for my profiler! *rimshot*

Re:Correction

[Bill+Dog]

They want things to be fast for some undefined quantity of fast.

No, we want things to be as fast as they can be.

From TFA:

These problems wouldn't arise if programmers were a little less focused on speed and efficiency, which is rarely a problem these days, and more attentive to security issues, says Berger.

He must be criticizing open source programmers only. Because in business, programmers aren't focussed on speed and efficiency, they're focussed on what their bosses are breathing down their necks about: getting it out the door. Berger sounds like a VM-language bigot (or paid ($30K from MS) .Net Runtime shill) who doesn't understand how most software is really made, and prefers to believe in caricatures of programmers.

Re:Correction

[TopSpin]

Speed and efficiency of *development*, maybe. Which is the problem. Modern software is so dependent on toolkits and compiler optimizations and...

I wondered where all those vulnerabilities were coming from. It's not humans misusing memory references and overrunning ad hoc fixed length buffers, etc. It's the toolkits, libraries and compilers! Glad we got that figured out.

From the post:

Our computers have thousands times more memory than 20 years ago. Still, programmers are privileging speed and efficiency over security...

This implies is that because memory is larger less attention can be paid to efficiency, but the hapless programmers don't know better. I used to use quicksort when I had 640 KiB of RAM, but now that I have 8 GiB, I'll just use bubble sort. Brilliant.

Re:Correction

No, we want things to be as fast as they can be.

Maybe, but most programs are not written in a way which will achieve this goal.

Programmer time is a limited resource. This is true even on a hobby project with no deadlines and everybody working for free; you want to ship sometime. Making programs run fast takes a lot of programmer time, even when you use a language which is supposedly fast by default such as C or C++.

C and C++ make you spend a lot of time working around weaknesses in the language and fixing bugs that other languages can never have. A great deal of programmer time is put into developing the broken and slow implementation of half of Common Lisp that every sufficiently complex program must contain.

All of this time spent is time that does not go into making the program fast.

By using a language that makes programmers more productive, you get a lot more time to make the program fast. You can do this by optimizing in the "slow" language you started with, by rewriting inner loops in C, by changing the whole algorithm to run on the GPU, etc.

The 90/10 rule says that your program spends 90% of its time in only 10% of its code, and that optimizing the other 90% of the code is basically a waste. And yet people who want their programs to "go fast" are writing that 90% in a low-level language, effectively wasting a large amount of effort.

You may also end up getting your program working, realize that it actually is fast enough despite being written in a really slow interpreted language, and spend the time you saved making more cool software. Or you can go back and make the original product fast. It's up to you.

There are many good reasons to use C, and many good reasons to write entire programs in C, but "it's fast" is not a particularly good reason. An app written in pure C is probably not as fast as it can be unless its scope is very limited.

Re:Correction

[Jeremi]

He must be criticizing open source programmers only. Because in business, programmers aren't focussed on speed and efficiency

Business software isn't the problem. The software that is the problem is the software that runs on every naive home user's PC ... Windows, Outlook, IE, Mozilla, AIM, etc etc. This is the software whose security problems allow spam, credit card fraud, virus outbreaks, etc. And last time I checked, all of that stuff is still written in C or C++, not in any VM.

Berger sounds like a VM-language bigot (or paid ($30K from MS) .Net Runtime shill)
who doesn't understand how most software is really made, and prefers to believe in caricatures of programmers.

Great, you've called the guy a bigot, a shill, and an idiot, without even having understood what he was talking about.

Re:Correction

[dodobh]

As a user, my concern isn't about development time at all. It's about how the application consumes my resources. Java is great on the server side (one app, long run times, lots of memory). On the desktop side? Not yet (less memory, lots of concurrent apps, short run times for most apps).

Re:Correction

[evilviper]

It doesn't matter that the tradeoff for that speed is flexibility, security, and portability. They want things to be fast for some undefined quantity of fast.

I've got to call you on the "portability" crap.

Java is about as portable as Flash... Sure, the major platforms are supported, but that's it. 3rd parties spent a lot of time trying to impliment java, but never did get everything 100%. Licensing issues, above all else, made it a real hassle to get Java on platforms like FreeBSD.

Meanwhile, C and C++ compiler are installed in the base system by default.

The only "portability" advantage Java has is perhaps in GUI apps, and that's at the expense of a program that doesn't look or work remotely similar to any other app on the system...

There are a great many reasons people don't use java. Performance is only a minor one.

Re:Correction

"Java is slow" is the stated reason. As you noted, it is not the actual reason. To tell the actual reason is difficult, but in short Java reminds us too much of what it should have been.

The basic complaints I have heard are these:

Complaint 1: Java is slow.
  As you stated, this is not a meaningful complaint.

Complaint 2: Garbage Collection stinks
  GC is an obvious requirement of a "safe" language. As implemented in Java, it is downright stupid. When doing something CPU intensive, the GC never runs, leading to gobbling up memory until there is no more and thrashing to death. I'm sure that somebody is going to dig up that paging-free GC paper, but pay attention: that is a kernel-level GC.

Complaint 3: Swing is ugly/leaks memory
  The first is a matter of opinion. The second is well-known. Swing keeps references to long-dead components hidden in internal collections leading to massive memory leaks. These memory leaks can be propagated to the parent application if it is also written in Java.

Complaint 4: Bad build system
  Java cannot do incremental builds if class files have circular references. In a small project of about ten classes I was working on, the only way to build it was "rm *.class ; javac *.java"

Complaint 5: Tied class hierarchy to filesystem hierarchy
  This was just stupid and interacts badly with Windows (and anything else with a case insensitive filesystem). It is even worse for someone who is first learning the language. It also makes renaming classes have a very bad effect on source control.

Complaint 6: Lack of C++ templates
  C++ has some of its own faults. Fortunately its template system can be leveraged to fix quite a few of them. Java's generics have insufficient power to do the same thing.

Complaint 7: Lack of unsigned integer
  These are oh-so-necessary when doing all kinds of things with binary formats. Too bad Java and all its descendents don't have them.

Complaint 8: Verbosity without a point
  It has gotten so bad in places that I am strongly tempted to pass Java through the C preprocessor first, but I can't do that very well because of 4.

Re:Correction

by rewriting inner loops in C

Been there, done that, with a twist. The original loop was a nice find/replace loop in Word automation. Knowing for certain this was a bottleneck and also knowing the code would be ugly no matter what language it was in,
I didn't bother rewriting in .NET first but went straight to C. Having pointer arithmetic actually made the problem easier despite finding several pointer-related bugs, so big win there.

Re:Correction

[M.+Baranczak]

Licensing issues, above all else, made it a real hassle to get Java on platforms like FreeBSD. Sun just formally announced that they'll release Java under the GPL.

Re:Correction

Complaint 8: Verbosity without a point

This was bad in C++ (I blame iostreams for leading down that path) and got a million times worse in java. Seriously, something like 'parse this coma delimited string and pull out the numbers as hex digits, then pack the result into an array" should be 10 lines of code *max* including robust error checking - java turns this simple example into a giant silly game that is verbose for ZERO gain. Long type and functions names, multiple type swaps, and pulling in an extra library or two. The C++ situation is no better.

Sometimes the "do what I say, exactly that, and nothing more" approach of C is the right approach.

Re:Correction

[tulrich]

Java is several orders of magnitude more secure by default than any random C or C++ program.

Do you know what "several orders of magnitude" means? For variety, next time you should write "... exponentially more secure ..." or "... takes security to the next level!"

BTW, it's funny you should mention Java performance in this thread -- one of the DieHard authors published this fascinating paper on Java GC performance: http://citeseer.ist.psu.edu/hertz05quantifying.htm l -- executive summary: GC can theoretically be as fast as explicit malloc/free, if you're willing to spend 5x memory size overhead (gulp).

Re:Correction

[chromatic]

When they finish the process, the Java portability problem will start to go away.

Re:Correction

[owlstead]

It does not have to be *as* fast as malloc/free. It needs to be sufficiently fast to run applications with. Explicit malloc/free's are very problematic, you need to keep score of each object, and that is not always easy to do. At least it is already much faster (the default GC of Java) than smart pointers (reference counting), which is the direct opponent against the GC I suppose.

And I agree, speaking on "several orders of magnitude" is taking it a bit far. It's much more secure, but since security is *very* hard to quantisize, talking of things like magnitude is stretching it. The idea still seems correct though, buffer overruns are virtually non-existent in Java. And applications generally don't crash with "this program referenced memory on 00000000h" or cryptic messages like that.

Which is also the problem with this approach, you still will be able to perform a buffer overrun, only the application will crash, enabling a denial of service attack. With cryptic error messages etc.

Re:Correction

[tulrich]

Which is also the problem with this approach, you still will be able to perform a buffer overrun, only the application will crash, enabling a denial of service attack. With cryptic error messages etc.

A crash is the best thing for this situation. Much better than undefined (possibly exploitable) behavior. The log should not be cryptic; it should contain a backtrace showing you where your code was when it died. Not very different than a Java exception log.

Re:Correction

[WNight]

Ruby:
"12,2a,3f".split(',').collect {|num| num.to_i 16 }
=> [18, 42, 63]

And I got to write/test it interactively... I do agree about needless verbosity. Most programs would be better finished than optimized, code them in Ruby or Python and optimize any speed critical areas with C or anything else. C *is* premature optimization.

Re:Correction

[Lisandro]

C and C++ make you spend a lot of time working around weaknesses in the language and fixing bugs that other languages can never have. A great deal of programmer time is put into developing the broken and slow implementation of half of Common Lisp that every sufficiently complex program must contain.

One mans' weakness is another mans' strength. If you have to spend a lot of time to implement functionality missing from a language, perhaps you chose the wrong tool for the work. This is one of my peeves with the endless Java-vs-C arguments: ok, you think language "x" is better... to do what, exactly? I wouldn't write a device driver with Java just as i wouldn't write web applets in C.

Don't get me wrong, i wouldn't write much in Java anyway, as i hate the language with a passion (i think there're much better choices for interpreted/bytecoded languages), but discussing weaknesses must be done within a frame of reference.

Re:Correction

[smallfries]

This implies is that because memory is larger less attention can be paid to efficiency, but the hapless programmers don't know better. I used to use quicksort when I had 640 KiB of RAM, but now that I have 8 GiB, I'll just use bubble sort. Brilliant. You are really misrepresenting his point here. We both know that bubble sort would run much slower on a 8Gb dataset than quicksort. The real comparison is "should we some really tricky and nasty code for this particular function or should it be a giant lookup table?" When memory is (relatively) cheaper than processor time, the set of tradeoffs changes. Some of these tradeoffs then mean than code can be written more correctly (securely) at the expense of higher memory usage. These tradeoffs are intuitively bad to someone who cut their teeth on a 16bit processor with hardly any memory, but as I'm sitting writing this there is only 130Mb out of 1Gb in use (not counting the cache) - who is to say that doubling memory usage is bad if it removes a whole class of bugs and holes?

Re:Correction

[hal9000(jr)]

Ok, I wil bite. I am not a programmer, but a user and yes, Java apps are slow and tend to consume lots of memory and not let it go. I don't know if that is due to the language or the developers use of the language, but I do know that whatever the cause, the net effect is slow apps.

Other issues, let's see, for some reason, firefox hangs when more than one java app is run in the browser. I see alot of Java apps where dialogs are non-modal (you can access/view one window at a time). Java apps aften *require* a specific version of the JVM and why for the of all that is holy can't a computer have multiple versions of the JVM and let the damn app choose the right interpreter? An example, Concur expense reporting application requires JRE 1.4.[something]. Nearly everything else that I use requires at least JRE 1.5. So I maintain a VMWare image just to interact with Concur. Now that makes sense. so there is also backward compatabilty. Java, write once, run everywhere. What a pipe dream.

Re:Correction

[DrSkwid]

Java sucks because it's Java

Re:Correction

[DrSkwid]

and I thought Perl was the king of write only code

Re:Correction

[ufoot]

And last time I checked, all of that stuff is still written in C or C++, not in any VM.

Not totally true. It's true that most of the *core* of these software is written in C/C++, but most of the time they end up using scripts. Take Mozilla for instance, you might think it's C/C++, but in fact running Mozilla you're very often running JavaScript code over XUL interfaces. So the design for these is rather logical: build up a core in the "as fast as possible language" (that is, C), then run scripts on top of it, in a very VM-like fashion. Of course you could build the core engine over Java, but then you would "sandbox" stuff twice. Once running a Java VM, then on top of it an XPFE (XUL+JavaScript and the rest) engine, then your application scripts, that is, Mozilla itself, which in turns interprets a third-party code (the HTML+JavaScript you actually want to read). That's a lot of software layers...

Same thing for Apache, on any server I've seen in production, most of the CPU time is eaten in mod_php or mod_perl, that is, executing scripts.

I don't think it's such a necessary move to use Java, as long as your program is complex enough to justify the creation of your own virtual & scriptable environnement. Java is of course an option, but using Python/Perl/Lua/Lisp/Ruby/... bindings is equally efficient.

Re:Correction

Complaint 7: Lack of unsigned integer
    These are oh-so-necessary when doing all kinds of things with binary formats. Too bad Java and all its descendents don't have them.

So the actual problem is you need to handle binary formats and twiddle individual bits. In which case, just use a bitsream library, as I do.

Re:Correction

[WNight]

If you could possibly post easier to understand code stand does the same, in any language including English, I would be interested in seeing it. Try not to use any obfuscated function names like split or collect though, they're so hard to read.

id10t

Re:Correction

[arkanes]

The equivalent Python: for num in "12,2a,3f".split(","): print int(num, 16) The least obvious bit is the need to tell int() (or to_i) to use base 16. A more exact Python version would be a list comprehension: [int(num, 16) for num in "12,2a,3f".split(",")] Which is slightly less readable to someone who doesn't know Python. I have only a very passing knowledge of Ruby but figured out what the snipped did without trouble.

Re:Correction

[sgtrock]

Complaint 4: Bad build system
    Java cannot do incremental builds if class files have circular references. In a small project of about ten classes I was working on, the only way to build it was "rm *.class ; javac *.java"

emphasis added

I'm very surprised that no one else jumped on this one. I've never seen a well designed app that had circular references of any sort. I'll stipulate that such probably do exist, as there seems to be a case for doing things that would otherwise be dumb for just about any 'exception to the rule' that you could name. However, if you're designing your app correctly, shouldn't you be working hard to isolate your code enough that circular references aren't necessary?

Re:Correction

[Lord+of+Hyphens]

Meanwhile, C and C++ compiler are installed in the base system by default.

The major assumption that you've appeared to make is that people will compile from source (and so therefore portable C/C++ code is preferable to Java). Java's portability stems from its binary-compatibility, which is the desirable setup for light applications.

Of course, Java's portability comes at the cost of looking completely like it's in its own little world most of the time (GUI) and some performance hits (which usually can be ignored unless you must have heavy time-critical computations running). Both of which you mentioned in your post.

That all being said, I avoid Java whenever I can, because I have an irrational dislike of the language. :)

Re:Correction

[RAMMS+EIN]

In support of your point, I want to share the followind PDF: Lisp as an Alternative to Java. The study compares programs written in Java, C/C++ (they lump these togeter), and Common Lisp / Scheme (again, lumped together). The findings are basically:

1. The fastest programs are written in C/C++
2. On average, Lisp/Scheme programs are fasted, followed by C/C++ programs, and Java programs are way behind.
3. Development time is shortest for Lisp/Scheme, with Java and C++ being more or less equal.
4. C/C++ programs used the least memory, with Lisp/Scheme and Java being about equal.
5. There was very little variation in the run time and development time of Lisp/Scheme programs, and a lot of variation everywhere else.

The PDF contains some nice graphs illustrating all this.

Re:Correction

[typicallyterrific]

Well, that's why you make it impossible for buffer overruns to occur in the first place.

In any sufficiently important program, crashing and then throwing up in your lap (assuming the version crashing even was compiled with debugging info) is or should be completely unacceptable. Much better if the program can realize what's going wrong and work around it - whether that means re-asking the user for that input again, retrying reading the IO buffers or emailing a developer.

The beauty about exceptions and error codes is that when they occur, you know something is wrong and can do something about it while the program is still running. Thats what they are for. No more of this silent, absurdly hard to find corruption of memory going on. If I don't have to manipulate memory directly, there is just should be no reason for me to have to worry about whether malloc is returning null or to have arrays allow me to access memory past their bounds anymore -- goddamnit, the compiler/interpreter can do that just fine, thank you.

I haven't been programming for very long, but I can't think of too many situations where you absolutely *NEED* to be able to perform pointer arithmetic. And in those situations you probably can't or shouldn't use an interpreted, object oriented language to begin with.

All of this is much, much better than spending time reinventing garbage collection with fewer features.

Re:Correction

[julesh]

GC is an obvious requirement of a "safe" language.

No, it isn't. Memory safety can be achieved without the use of garbage collection, by avoid reallocation of freed memory to a differently-typed object. Access to freed pointers can be caught by page table manipulation. Sure, there's an overhead to these techniques, but then there's a non-trivial overhead to GC as well.

I'm sure that somebody is going to dig up that paging-free GC paper, but pay attention: that is a kernel-level GC.

Which just indicates that there's been a lack of forethought in OS design resulting in the impossibility of implementing this at user level. I'm not sure, but pretty confident it could be done in user mode in a well-designed microkernel (e.g. L4). Not sure how relevant this is at this point, though. We've gone too far down the current line of OS development to just drop everything in favour of a new design just to be able to do a couple of neat tricks like this.

Complaint 3: Swing is ugly/leaks memory
    The first is a matter of opinion.

Yes, but it's a very popular opinion. Swing (and JDK) is also exceptionally slow. Most people don't realise it, but almost all of the slowness traditionally associated with Java can be attributed to those toolkits. Don't believe me? Try writing a program with another toolkit. I haven't tried it myself, but you could give wxjava a go.


Complaint 4: Bad build system
    Java cannot do incremental builds if class files have circular references. In a small project of about ten classes I was working on, the only way to build it was "rm *.class ; javac *.java"

Have you tried jikes? It has a superior incemental build system to sun's compiler. Not sure it'll fix your issue, but anything's possible.

Re:Correction

[Lumpish+Scholar]

... in business, programmers aren't focussed on speed and efficiency, they're focussed on what their bosses are breathing down their necks about: getting it out the door.

Which means even less emphasis on security.

Berger sounds like a VM-language bigot (or paid ($30K from MS) .Net Runtime shill) who doesn't understand how most software is really made ...

Seems to me he's a researcher who's noticed that "most software is really made" by C and C++ programmers in a hurry. He's addressing the needs of developers (and users!) of such software.

Re:Correction

[durdur]

> Sure, the major platforms are supported, but that's it

What platforms do you want? Java is on 32- and 64-bit Windows, 32- and 64-bit Linux, Solaris (SPARC + Intel), AIX, HP-UX, OS X (Intel + PPC), IBM z/OS and iSeries, AND FreeBSD (http://www.freebsd.org/java/) among other platforms. FreeBSD guys negotiated a license (but with Java GPL now they won't need to in future).

I would also disagree about portability of code. J2SE apps are very portable. Usually with zero platform specific code changes. J2EE is another story.

Re:Correction

[Pastis]

So you're showing a survey made in 2000, ranking small developments (all under 100 hours) programmed by 14 volonteers. What does it prove ?

First in the enterprise world, choise of technology is almost never dictated by pure engineering recommendations.
Second in the same world, nobody is going to look at this survey to decide what language to use in their next project. Nobody.

And I would suggest that hard code lisp developers are probably better developers on average than randomly selected java developers.

Re:Correction

[Abcd1234]

How is that write-only? I've never used Ruby, and I know exactly what that means. Anyone with even a little background in Smalltalk, Python, or Lisp should be able to figure that out.

Perhaps you just need to further educate yourself?

Re:Correction

[drinkypoo]

Complaint 1: Java is slow. As you stated, this is not a meaningful complaint. Complaint 2: Garbage Collection stinks GC is an obvious requirement of a "safe" language. As implemented in Java, it is downright stupid. When doing something CPU intensive, the GC never runs, leading to gobbling up memory until there is no more and thrashing to death. I'm sure that somebody is going to dig up that paging-free GC paper, but pay attention: that is a kernel-level GC.

Complaint 2 leads to complaint 1 being correct. So it's not slow all the time - it's only slow when you need it most! Great. What a fucking feature.

Re:Correction

[drinkypoo]

We've gone too far down the current line of OS development to just drop everything in favour of a new design just to be able to do a couple of neat tricks like this.

It's never a bad time to do things correctly. Marketing it is another issue. But I hope that the next open source phenomenon OS is something modern, not a rehashing of things ancient - no matter how much I love Linux, and I do.

Re:Correction

[RAMMS+EIN]

``So you're showing a survey made in 2000, ranking small developments (all under 100 hours) programmed by 14 volonteers. What does it prove ?''

Nothing, besides the performance of said programmers on one task. Which I thought was interesting enough to share.

``And I would suggest that hard code lisp developers are probably better developers on average than randomly selected java developers.''

That's probably true, but that's not what the study is about. IIRC, the average Lisp experience of the Lisp coders in the study was less than the average Java experience of the Java coders. Still, you're right in that bias from programmer skill cannot be ruled out.

Re:Correction

Well, coming from someone used to Perl it's quite understandable, it just looks strange to me to call a member function (?) of a string literal. That is, assuming I'm right about what it is, and not just about what it does.

Honestly, the data mixed in there threw me for more of a loop at first than the actual code.

Re:Correction

[Abcd1234]

Well, considering you can do that exact sort of thing in Java, Python, Perl 6, and probably most other conventional 'pure' object-oriented languages (Java isn't 'pure', in the strict sense, but it tries), I repeat, educate yourself! :) Experimenting with other languages and programming paradigms can really open your eyes to new development methods and techniques. It also gives you a larger number of tools, which means you'll do a better job picking the right one for a given task.

Re:Correction

[julesh]

As a spare-time kernel writer, I couldn't agree more. The problem is that a few small improvements like this won't make a new kernel viable. It needs to be a radical improvement over existing systems. Witness Plan9.

Re:Correction

[Bill+Dog]

Which means even less emphasis on security.

Too true.

Seems to me he's a researcher who's noticed that "most software is really made" by C and C++ programmers in a hurry.

That may be so. But that's not what he said. He makes no mention of thinking that programmers are too much in a hurry. He only talks about how he thinks they're all so busy agonizing over speed and efficiency. They aren't. By a long shot. Thus, he's a kook with an axe to grind, either genuinely held, or feigned (towards making his funders feel good about the grant money they've given him). That said, his project looks very worthwhile.

Re:Correction

[cyber-vandal]

I looked at that with disbelief as well. Which programmers are privileging speed and efficiency of code? I've not seen that in any of the big software packages I use (including the OSS ones I might add). I'd also dispute the speed and efficiency of development too. For all the extra shit available to supposedly speed up development and/or make software more reliable it still takes too long to come up with something that still doesn't work properly. RAD tools only allow some programmers to make a turd more quickly but it's still a turd.

Re:Correction

I've never seen a well designed app that had circular references of any sort.

public class MyObject
{
  private MyListener listener;
 
  public void addListener(MyListener listener)
  {
    this.listener = listener;
  }
 
  public void fireEvent()
  {
    listener.doListeningThing(this);
  }
}
 
public class MyListener
{
  public void doListeningThing(MyObject object)
  {
//Manipulate MyObject
  }
}

Pretty much anytime you have two-way communication between two classes, you have a circular reference. Granted, most of these references are hidden behind decoupling interfaces, but sometimes that's just too much of an overkill for a one-off communications link. :)

Re:Correction

[tulrich]

In any sufficiently important program, crashing and then throwing up in your lap (assuming the version crashing even was compiled with debugging info) is or should be completely unacceptable. Much better if the program can realize what's going wrong and work around it - whether that means re-asking the user for that input again, retrying reading the IO buffers or emailing a developer.

In any sufficiently important program, if you're catching array bounds exceptions and continuing, you need to fix the underlying bug, or you may be exploited. Exception catching is one mechanism for dealing with such errors, but not one that I consider good practice.

The beauty about exceptions and error codes is that when they occur, you know something is wrong and can do something about it while the program is still running.

If you don't know specifically what is wrong in your exception handler, and you try to keep going, then you are in undefined territory, and you're open to dangerous exploits. Granted, crashing is a kind of exploit (DoS), but a more visible and less dangerous kind than undefined behavior.

No more of this silent, absurdly hard to find corruption of memory going on.

A crash with backtrace should make memory corruption EASY to find, that's the whole point.

Re:Correction

[Rich0]

In Ruby - EVERYTHING is an object.

Note - I am not a Ruby expert, but 5+3 == 5.+(3) == 4.next+2.next - literals are objects and have member functions (which they inherit from some underlying class). Operators are just shortcuts for calling functions (5+3 == 8 is the same as 5.+(3).==(8) ).

Anybody with more knowledge of Ruby feel free to chime in - I'm just starting to learn Rails in my spare time.

Re:Correction

[Rich0]

Until recently most large java apps would not run on 64-bit linux, because of the buggy VM implementations. Sure, anything small worked fine, but try Freenet or Eclipse or anything like that and you were up the creek. And many apps would work with Sun's JRE and not with Blackdown, and vice-versa. It got to the point where I just built everything without java support.

Now things seem to have improved quite a bit, and I expect that the GPL will help them quite a bit. However, I can feel the original poster's pain.

What a load of shit.

[QuantumG]

1. Roland Piquepaille
2. It's just heap randomization, again.

Nothing to see here.

Re:What a load of shit.

While heap randomization is not new I don't know of another project that uses comparison of replicas to identify inconsistancies. From the abstract of thier paper: "By initializing each replica with a different random seed and requiring agreement on output, the replicated version of Die-Hard increases the likelihood of correct execution because errors are unlikely to have the same effect across all replicas.". Can you provide a cite for your "nothing to see here comment" or is that just your knee jerk reaction? Personally I think the utility of DieHard from a security standpoint might be limited, but it has the potential to be freakin useful for tracking down complex pointer problems.

Re:What a load of shit.

> is there a middle way between Intelligent Design and Neo-Darwinism?

is there a middle way betwen geocentrism and heliocentrism?

Re:What a load of shit.

[QuantumG]

wow, someone who gets my commentary on british politicals, brilliant.

Re:What a load of shit.

I did a quick read of the whitepaper and sort of see it as heap randomization+. I have very little faith in the claims of low overhead. But leaving that aside, there are 2 major problems here:

1) If there is a program crash, it may be possible to reproduce the bug on the same computer, but probably not on 2 different ones, such as the user's and the developer's.

2) It discourages programmers from good design and thorough testing by leading them to believe that bugs won't occur.

The claim for DieHard (from the whitepaper) is that it "tolerates memory errors and provides probabilistic memory safety". But bugs will still happen! I once added about 10 lines of code to log a bug our team was having a hard time tracking down. It turned out to have its own bug that would be hit if:

- Two threads were accessing the same buffer
AND
- One of them was swapped out during the execution of 3 machine instructions (out of about a million)

It took my moderately sized customer base 2 weeks to hit it. The only way to avoid memory errors is to make the code bulletproof, which means fixing it when bugs are reported.

Re:What a load of shit.

[jnf]

At a 50-75% memory usage increase no less.

Re:What a load of shit.

Yes... If the planet has a mass close to the mass of the star.

Re:What a load of shit.

[ebichete]

Not sure what the typical mass of a star is meant to be...

However, using Sol (and our solar system) as an example,
anything within an order of magnitude will no longer be a planet.

I think you need at least two orders of magnitude difference
for a "well defined" orbit.

(end of pointless information, now returning to your regular Slasdot)

Cue Diehard quotes in...

[Mogster]

5...4...3..

Yippee-ki-yay

Um, no.

[Duncan3]

No, putting arrays on the stack causes buffer overflows. Which is trivial to not do, and trivial to check for.

The fact that Microsoft doesn't HAVE a security model, IE/Outlook are jokes, and users run as admin has a bit more to do with it.

Re:Um, no.

[codegen]

Buffer overflows can also happen in the data segment (both global variables and heap).
And it is almost as easy to exploit. Intead of overflowing to the return address, you overflow
to the nearest vptr (if C++ is being used), to the nearest function pointer or to the nearest green bit.

Re:Um, no.

[jorghis]

There are pointers to the code segment in every section of memory. (heap, stack, you name it) Do you honestly think that the only time a pointer to code gets followed is when you are bouncing around in between stack frames?

I am amazed that you would so arrogantly declare that simply doing a bit of static analysis would be sufficient to fix all (or even most) buffer overflows in complex programs with hundreds of thousands or even millions of lines of code. It sounds like you just looked at one tutorial of the 'classic' buffer overflow with overrunning in a stack frame causing arbitrary code execution and decided that was the only case programmers had to worry about. It seems like its always people who have a small amount of knowledge about computers (but really not all that much) who are the most eager to rip on MS.

Re:Um, no.

What is a "green bit"? Thanks!

Re:Um, no.

[codegen]

Sorry for not responding sooner. Green bits are the extra house keeping values
that are stored to manage the memory. The actual layout and use of the green bits
differs depending on the management library. But in general, when a block is
allocated by new or malloc, there is slightly more allocated and some values
are stored at the beginning of the block. The value returned by the allocator
is the location just after the green bits. When the block is freed, some libraries
add the free list pointer values in the first part of the block as well.

Let's solve voting security.

[Wilson_6500]

If you were somehow to install DieHard software on a DieBold machine, does the universe collapse in on itself? This is one of those pasta plus antipasto situations, I think.

Re:Let's solve voting security.

[j00r0m4nc3r]

Quiet, you! The last thing we need is an El Queso terrorist strolling into a crowded airport with a voting machine strapped to his chest...

Movie sequel no. 3

[Bob54321]

Offtopic but does anyone know what happened to Die Hard 4 (probably with a name like Die Hardest???). I read they were making it with Britney Spears as John McLean's daughter. Would of probably put me off one of my favorite movie series with her bad acting. I guess that was the answer to my own question!

Re:Movie sequel no. 3

[nwbvt]

Yeah, its coming out soon, its going to be called "Live Free or Die Hard". I saw a trailer for it before "The Good Shepherd", though all I can tell you from that is that there will be a lot of big explosions and car chases.

Re:Movie sequel no. 3

[dbIII]

Die Hard 4 (probably with a name like Die Hardest???) ... with Britney Spears

Die Hard 4 - going commando.

Re:Movie sequel no. 3

[Coucho]

Die Hard 5 - Hardly Dying

Re:Movie sequel no. 3

[Bob54321]

From the link i see my original post was very on topic (ish...). It seems the movie is about internet terrorists shutting down the USA. Obviously because we a insecure coders! (And yes, you get none of that from the trailer.)

wtf?

Today's computers have more than 2,000 times as much memory as the machines of yesteryear, yet programmers are still writing code as if memory is in short supply.

I stopped reading after that first line.

Programming is not a matter of simply writing until things get full.

Re:wtf?

[julesh]

        Today's computers have more than 2,000 times as much memory as the machines of yesteryear, yet programmers are still writing code as if memory is in short supply.

I stopped reading after that first line.

Yeah, it was pretty dumb. I mean, we've been building digital computers for over 50 years now. You'd have thought by now that we'd have written all the software we'd ever want, right?

No. We keep writing new software because we're doing new things that older computers couldn't do. That means that all that memory is necessary, because otherwise the application we're working on would have been written 20 years ago.

So...

Microsoft helped develop a program to uninstall Windows?

Algorithms demand perfection

[Progman3K]

You should never program thinking about security issues.
Write the algorithms correctly and there won't BE any buffer-overflows.

What's so hard about this?

Re:Algorithms demand perfection

[wallet55]

so much to do, so little time. So much easier to dash off some code, patch the bugs, jury rig the gaps, and append new features.... then clean up the more screamingly ridiculous messes in service pack x+1

Re:Algorithms demand perfection

Well, one possible reply is

"lol, fire lusers who write buggy code that overflows!1!! i bet m$ dont do this, lusers, i write secure code because i use TEH LUNIX lolz!"

The less slashdotty but more sensible response is that even the best programmers make mistakes. Show me a program you've written that doesn't have bugs in it, and I'll show you a liar. Some of the worst security holes are written by a genius that made one slip up. Which is why having automated tools to prevent these kinds of mistakes helps. This can include anything from DieHard-like tools, to virtual machines with enforced safety, to the C++ STL (down with char* !).

Re:Algorithms demand perfection

[Jeremi]

Write the algorithms correctly and there won't BE any buffer-overflows.

What's so hard about this?

The "write the algorithms correctly" part. The demand for programs is much larger than the supply of sufficiently trained/disciplined/talented programmers. Therefore, we need a solution that gives acceptable results even when the programmer isn't a guru (and preferably when the programmer is a trained monkey, because he often will be)

Re:Algorithms demand perfection

[sqlrob]

The STL is not a panacea. You still need to interact with the OS for any non-trivial program, which is going to take/return raw chunks of memory.

Re:Algorithms demand perfection

[drinkypoo]

Not only that but I think we should be reaching towards a time when everyone can be a "programmer". Oh, maybe most people will never learn to write all that useful code, but if they can plug a bunch of tinkertoys together and produce a program that works for them and achieves their goals then we're one step closer to being free of the tyranny of commercial software.

Sears Diehard Movie Software???

[davidwr]

If you watch Diehard, the movie, in your car DVD player running off a Sears Diehard battery while running DieHard on your laptop, does that mean you died hard 3 times over?

Our computers have thousands times more memory...

[Stormx2]

Well thank god we have Vista to fill up that uptapped goldmine!

Wouldn't a language do the same job?

[rolfwind]

Wouldn't using languages like Lisp do basically the same job? I mention lisp, besides it being a favorite language of mine, because I know the end product can be coded/compiled fast and efficiently while maintaining security in many cases. Other more popular languages like Python, while getting more lispish, seem to have a inherent speed penalty that cannot be reduced as easily come compile time though I am not sure, saying this as more of a spectator to that language.

Note: I'm sure other functional languages can do the job of memory management and protect from buffer overflows as well as Lisp, I'm just no expert on them so I can't speak for them.

It's just that over the years, I have seen products come out for C family of languages that protect the programmers from the trickiers parts of C..... which seem to come up again and again even for expert programmers and where there is no bulletproof solution. I'd want to know if another language wouldn't do the job in 90% of the cases.

Re:Wouldn't a language do the same job?

[russellh]

Wouldn't using languages like Lisp do basically the same job?

Yes.

But it's not a practical solution for about 185 different reasons starting with the fact that very few commercial apps are written in any kind of dynamic language, let alone LISP, and they're not likely to be rewritten anytime soon for such an intangible reason as security. rpg was right that worse is better, and the last language will be C. he wrote that before java, ruby, etc., but I think it's still right. Like it or hate it.

Re:Wouldn't a language do the same job?

[QuoteMstr]

Lisp is all that safe a language, and can be somewhat strange: I'm a little confused by the specification's discussion of safe versus unsafe operations, but as I recall, you can specifically instruct the Lisp compiler to ignore array bounds checking at the expense of speed. You'd have to be insane to do this, however, but it is possible. Consider this function:

(defun bar (array i x)
  "Set the Ith element of array ARRAY to X"

  (declare (type fixnum i)
           (type (simple-array fixnum) array)
           (optimize (speed 3)
                     (safety 0)))

  (setf (aref array i) x))

Now, let's test it:

(let ((x (coerce '(0 1 2 3)
                 '(array fixnum 1))))
  (bar x -4 31)
  x)

That does indeed cause various memory errors under SBCL.

OTOH, if we were to specify safety 3 and speed 0 in that function, an error would be signaled and all would be well.

Lisp is a great language, but the Scheme is too simple and lacks a real packaging system, and Common Lisp suffers from C++-style overcomplexity. (Take the mess that is the intersection of the vector, simple-vector, array and simple-array types for example.)

CL's macro system allows these flaws to be overcome, but it's still an overcomplex PITA sometimes.

Re:Wouldn't a language do the same job?

[chromatic]

... very few commercial apps are written in any kind of dynamic language...

Commercial in what sense? Shrink-wrapped software, perhaps, but I've written a fair few commercial applications (licensed or sold or for clients) in dynamic languages.

Re:Wouldn't a language do the same job?

[krischik]

Yes, I never had a buffer overrun when using Ada - unless I used one of the following:

with Interfaces.C:
pragma Import (Convention => C, ...

got the drift? One problem is that the OSs itself are written in C.

Martin

Pastamancer?

This is one of those pasta plus antipasto situations, I think. Sounds like you might be a Pastamancer.

Re:Pastamancer?

[Wilson_6500]

God, no! Disco Bandit for life. I called myself a "Senator" and gave all my pets names that started with Intern. I miss that game sometimes.

Not quite

[gr8_phk]

There is nothing wrong with putting an array on the stack. I once had the need to copy a function into a local int[50] and run it from there - no issues (embedded system, the function needed to run from RAM). The problem is when people write code that can blow right past the end of an array. They don't stop to think that the functions they call to dump data in there don't know where the end of the available space is. Oh right, the data told me how much space to allocate and I just allocated that much and read until EOF. ;-) ok, that's a heap (not stack) buffer overrun. Anyway arrays on the stack are not inherently bad.

Re:Not quite

[Teresita]

The problem is when people write code that can blow right past the end of an array.

Why not? This is the era of kerjillion dollar lawsuits that blow right past the GDP of the host country.

Re:Not quite

[TapeCutter]

"Anyway arrays on the stack are not inherently bad."

Maybe not "inherently bad", but certainly inefficient as regards speed and space since the entire array must be copied to the stack rather than just an array pointer.

Re:Not quite

[jorghis]

I dont see why you necessarily have to copy an entire array.

void foo(){
int arr1[52]; /* a bunch of code that stores values into arr1 and then manipulates them and reads them back*/
}

The only overhead that had to be done here was moving the stack pointer down an extra 52*4 bytes, which is no more work than what it was doing already. Assuming you are in a language that doesnt initialize every element of an array when you declare it. Arrays on the stack are not inherintly inefficient although they certainly can be if you dont use them right.

Re:Not quite

[TapeCutter]

Ah, my bad, I thought you meant something like...

foo(char str[BIG_NUMBER])
{

Re:Not quite

[Chrax]

Are there any languages that copy the whole array when you do this?

The array notation is equivalent to pointer, as far as the program is concerned. Its only use is in telling the programmer to expect an array, and not a pointer to a single value. I think every other language I know passes every variable by reference or does a copy-on-write (and I'm not sure any of them do that).

Re:Not quite

[TapeCutter]

I belive in vanilla C that specifying of the size of the array in a formal parameter changes things slightly (for a start, you must pass an array of that particular size), but as you say it is probably optimised away.

Irony

Funny how Mozilla crashed continually after enabling this software. I'm glad I don't go to UMass...

Re:Irony

good point - thanks for validating the point of the software! are you sure you read the article?

jeers for your stupid comment about umass though. They do pretty neat research there.

Re:Irony

[TrumpetX]

Mozilla crashed for me as well... then I uninstalled it.

Re:Irony

I thought I had read the article... I'm pretty sure it mentioned something about the program ensuring that programs "run correctly". So yes, by definition of "correctly", the program failed at its purpose.

And I was being sarcastic about UMass. You need to get a sense of humor.

Way more memory

FTA:
""Today we have way more memory and more computer power than we need," he says. "We want to use that to make systems more reliable and safer, without compromising speed.""

I guess he hasn't tried Vista yet. Already out day; such is the industry.

Buggy

[The+MAZZTer]

Firefox 2 crashed for the first time ever (I've used it since beta 1 came out) for me today... suspiciously, less than five minutes after I turned DieHard on. Hrm.

Re:Buggy

[jomama717]

I used to write code for a company that made a runtime-replaceable (no re-compile) garbage collecting allocator for C/C++ apps and in the process came across numerous cases of our allocator causing crashes by fixing memory errors in the app. E.g. Netscape on Solaris would crash on our buffer-overrun detection flag because the app was depending on the word after the end of a buffer to be all zeros. When it hit our flag it puked (Maybe you are seeing the same bug!!).

It only takes a couple of cases like this to make you believe that these products are just too intrusive to be practical for day to day use. I would bet that ~15-30% of all commercial software will react poorly with DieHard.

Sounds like systrace

[methodic]

Am I wrong in thinking this is just another implementation of systrace?

http://www.citi.umich.edu/u/provos/systrace/

Re:Sounds like systrace

[napir]

Yes. What does this have in common? Other than it's software and it has something do do with security or reliability or something?

Don't need it...already have it....

[AetherBurner]

It is called WindowsXP. When I kill it on a regular, daily basis, its Dies Hard.

Anyone who professes to be involved

with the computer software industry and still confuses the word "hacker" with someone engaged in bad behavior has to be considered clueless.

Re:Anyone who professes to be involved

[westlake]

with [in] computer software industry [who] still confuses the word "hacker" with someone engaged in bad behavior has to be considered clueless.

clueless is thinking you can reclaim the meaning of a word once a new definition becomes common usage in a larger world

You must remember...

[jd]

...the number of programmers like ourselves who learned how to code correctly is vanishingly small in comparison to the number of coders who assume that if it doesn't crash, it's good enough. Whether you validate the inputs against the constraints, engineer the program such that constraints must always be met, or force a module to crash when something is invalid so that you can trap and handle it by controlled means - the method is irrelevant. What matters is less that you're using a method than you remember to use a method.

Even assuming nobody wants to go to all that trouble, there are solutions. ElectricFence and dmalloc are hardly new and far from obscure. If a developer can't be bothered to link against a debugging malloc before testing then you can't expect their software to be immune to such absurd defects. A few runs whilst using memprof isn't a bad idea, either.

This assumes you're using a language like C, which is not a trivial language to write correct software in. For many programs, you are better off with a language like Occam (provided for Unix/Linux/Windows via KROC) where the combination of language and compiler heavily limits the errors you can introduce. Yes, languages this strict are a pain to write in, but the increase in the initial pain is vastly outweighed by the incredible reduction in agony when debugging - if there's any debugging at all.

I do not expect anyone to re-write glibc in Occam or any other nearly bug-proof language. It would be helpful, but it's not going to happen.

Re:You must remember...

[jorghis]

Thats quite bold of you to claim that you are in an elite group that can churn out large programs in C with zero bugs.

Your claim that smart programmers using dmalloc, electric fence, or some other bounds checker will find all buffer overflows seems misguided to me. Those tools are great for catching buffer overflows that are actually being caused by your test suite. But arent most buffer overflow security holes caused by weird corner cases noone though of? I mean in the real world its never caused by something as simple as "=" versus "".

Re:You must remember...

[gillbates]

I would go farther than that and say that writing a correct program in any language is not trivial. While it is true that certain languages (like Java) limit the kinds of errors a programmer can make, they do nothing to limit the number of errors a programmer can make.

While I understand there are some languages more appropriate for solving certain types of problems, making a language programmer-proof is never a worthy goal. Usually, the attempt to make a "better COBOL" ends up evolving like this:

1. Researcher notices that programmers have difficulty understanding concept X (i.e. pairing free() and malloc). Researcher notices that many programmers create bugs because of their misunderstanding.
2. Naively, researcher thinks of better way(TM) to solve same problem (i.e. Garbage Collection). Researcher creates a new (language | library | program) which solves said problem. True, the solution encompasses only a subset of the original functionality, but the researcher feels the trade-off is worth the reduced functionality because it solves a very common set of bugs.
3. New programmers learn to use researcher's solution. Instead of learning what is really going on under the scenes, they learn the new API/paradigm.
4. Now, the new generation of programmers are one step farther removed from understanding how computers work. Due to lack of understanding, they create new kinds of problems (i.e. - creating an object/class instance for everything, even when unnecessary).
5. Researcher notices that programmers have difficulty understanding concept Y (i.e. Garbage Collection). Researcher notices that many programmers create bugs because of their misunderstanding....
6. Repeat ad infinitum. Oh - and don't forget to have the researcher collect his paycheck for delaying the real solution to the problem.

There's no silver bullet to solve stupidity, or lack of rigor, or any of the several management "problems" which lead to bad code. It seems that whenever a different paradigm is introduced with the explicit purpose of reducing programming mistakes, it always backfires. Witness COBOL, for example. Instead of making things easier for programmers, it created a mess of unmaintainable spaghetti code - as it was marketted not to the experienced, knowledgeable programmer - but rather, to businesses with the implicit assumption that secretaries would be writing code.

I think the problem is that some in the research community believe have a holier than thou complex when it comes to writing code. They assume programming errors can be eliminated by proper choice of language. In reality, the language used is the least relevant. My experience has led me to believe these are the top sources of program errors:

1. Unrealistic schedules. Programmers are trained to do fast, now, and do it right, later. Problem is, later never comes. The poor programmer finds himself writing lousy code first as a matter of choice - to meet deadlines - and later as a matter of habit, having forgotten the importance of doing things right.
2. Unrealistic designs - for example, requirements which go beyond what the language/programming environment is actually capable of doing.
3. Inadequate/faulty design - designs that are incomplete, contradictory, or just plain wrong. Said designs force the programmer to make decisions beyond their level of understanding, with the attendant errors.
4. Unrealistic management - i.e., outsourcing critical business programming overseas to programmers with no knowledge of the business or the implicit requirements of the project.

Programming is a skill, not a commodity. It requires knowledge, rigor, and discipline. We'll all be better off when business wakes up and recognizes this.

Re:You must remember...

[jd]

Heh! No, it's not brave of me at all. It's just called Formal Methods and it's only an "elite" group because people prefer to have crappy results now over superior results later. (Actually, it's not that "elite". I'd say that virtually all European universities teach Formal Methods.)

The point of Formal Methods is that there is no such thing as a case you haven't thought of. Formal Methods define the complete set of valid cases and (by definition) also the complete set of invalid cases. You explicitly define every boundary and can therefore test every boundary condition, but if you have followed the methodology correctly, there should be nothing much to test for.

First, you draw up a specification. You define the preconditions of each and every function - those things that absolutely MUST be true on entry to that function. You define the postconditions of each and every function - those things that absolutely MUST be true when you apply the intended operations to the preconditions. You define the invariants which MUST hold true after external functions have been called or data has been loaded. You do not care at this point how the program is implemented, you are only concerned with what must hold true at any time that there is the potential for such a requirement to be invalid.

Specifications should always be derived from the top down and should NEVER be skimped on. If the spec calls for a string of six characters and a null terminator to be placed in a dynamic buffer of seven bytes, you make damn sure that ONLY six characters are added AND that there is a null at the end AND that the malloc() function records that the structure is exactly seven bytes long.

Second, and this has become fashionable with "Extreme Programming", you develop a test harness for each function, starting from the bottom and working up. Test harnesses should attempt to violate each of the conditions given, as well as test for every boundary condition identified and some valid cases.

Third, you program to the combination of specification and test harness, again from the bottom up. It is a good idea to use assert() statements to ensure that the specification is totally adhered to. If a module meets all the specification requirements AND passes all the defined tests, then it is essentially free of defects for valid inputs.

You build up a trust hierarchy which matches the program hierarchy. If X is called by Y and X is OK if passed valid data and Y will always generate valid data, then there is no circumstance in which X can ever be invalid, even if theoretical defects exists. You don't have to prove the non-existence of defects that cannot be exposed, although the above mechanism will have eliminated most such issues. You don't have to test every permutation of conditions - once X is verified as correct, you only have to prove Y is valid. You do not need to prove the pair of Y and X, other than to ensure invariants are adhered to on return from X. This means that the test requirements are superlinear, not exponential. Exponential complexities are not good. Superlinear isn't great, but it is well within the limits of what can be achieved.

Once you have reached the point of showing that each module in the hierarchy is valid if the one(s) above are correct, up to the main program entry point, then provided you validate the parameters on startup, the program is as close to free of defects as has any meaning.

None of this requires arcane wizardry (Ai! Ai! Cthulhu!). It only requires that you know what you are doing before you try to do anything, and to understand what the implications are.

Re:You must remember...

[jd]

I completely agree with what you say, with one caveat. There are some excellent special-purpose languages that are not "programmer-proof" in the least within that special-purpose but which should never be used outside of the field for which they are intended. Because they are not general-purpose languages, they can trap conditions that are just plain stupid for that purpose, preferably by crashing rather than to out-program the programmer. "Smart" languages generally aren't.

(LOGO is great for controlling plotters or other simple X/Y-based robots - but I wouldn't write a wordprocessor in it.)

Re:You must remember...

[jorghis]

That may work great at the high level, but it doesnt gaurantee you made no mistakes in the implementation. It is inevitable that some functions are going to be very tricky. Add in enough functions and sooner or later someone is going to make a mistake that isnt caught in unit testing.

As an example, I remember seeing code that looked like the following once:

lock semaphore
do 50 things safely
unlock semaphore
do one more thing that we should have done before unlocking

Thats the sort of absent minded mistake that will never be caught by a test suite and will very rarely manifest itself. And of course the high level idea of what its doing will still be correct. I realize this is a simple example, but there are more complicated ones that crop up too.

Testing boundary conditions and so forth may sound all wonderful in the world of academia, but in the real world it wont catch all bugs. And frankly, I cant remember the last time I saw a simple boundary condition error in the real world. Just putting in the "obvious" test cases usually doesnt do much in my experience.

You are implying that unit testing every function is somehow equivalent to mathematically proving nothing can go wrong and that simply isnt true. I'll give you that it does improve quality to a degree, but bugs will still be there. Even if it were perfect, conforming to DO-178B, EAL or whichever standard is you favorite is cost prohibitive and not really practical for most software development.

Re:You must remember...

[jd]

I favour ISO/IEC 13568:2002, although that would come as a shock to my former lecturers. :)

You made one major error in your interpretation of what I outlined, in assuming it was unit testing. It is integrated testing that uses some unit testing methodology. In order to test correctly, you must test EVERYTHING below the point in the code structure you are interested in. The structure is a fundamental part of the code and must be tested in conjunction with that code. No exceptions and no shortcuts. And, yes, it would have caught that error you outlined. Let me illustrate how:

You have the function itself, which would be roughly drawn up as:

• Function preconditions, including that semaphore is unlocked
• Lock semaphore
• Lock semaphore postcondition (ie: semaphore is locked)
• Do a task
• Check semaphore is still locked (that is the invariant in this code block)
• Unlock semaphore
• Unlock semaphore postcondition (ie: semaphore is unlocked)
• Buggy call goes here
• If our formal spec requires the buggy call finish with the semaphore still locked, this gets tested here
• Postconditions for the function, including that the semaphore is unlocked

Now, remember that each call still validates its pre- and post-conditions in the methodology I described, along with all invariants. You don't exhaustively exercise them, but the checks are still there. Now, let's get into the buggy function call...

• Buggy call's preconditions (which, if a lock is called for, damn well should include checking the lock - NO skipping steps and NO shortcuts are acceptable when doing rigorous testing)
• Buggy call's code
• Buggy call's postcondition (which, since the semaphore is left locked, MUST include the fact that the lock is there)

Ok. We run the code. It gets to the buggy function call and hits the precondition. It fails and barfs on the lock test. We comment out the call to the function but leave the invariant check in place. (Since the function call shouldn't alter anything that's invariant - duh! - then the check must be valid whether the call is made or not.) The check fails, because the lock component of the invariant isn't true.

The invariant is incorrect, so that rules out the call itself being incorrect (which would make the precondition fail but the invariant succeed). However, it does say that the function call is being run under the wrong conditions. We therefore establish the nature of the bug and the scope of the bug. From there, you can inspect the postconditions at the end of each scoping block to see where the conditions no longer satisfy the invariant. Ah! When we perform the unlock, we violate the conditions! Ergo, the call must be moved to before this point.

You move that section of code back, the invariant is satisfied. Good. You uncomment the call. The precondition and postcondition are now also satisfied. Our code block structure is now correct.

Some Software Engineers and Computer Scientists take shortcuts - testing individual procedures in complete isolation. This is invalid. I don't care if you use Jackson Structured Diagrams, Abstract State Machines, Z Formal Notation, Backus-Normal Form, or the back of an envelope. If you don't include the structure, the whole structure, and nothing but the structure, then all you have is meaningless scribble. Syntax alone says nothing without the semantics. Testing one and not the other is an exercise in futility.

going by the movies

[game+kid]

It would probably mean that you died hard with a vengeance.

nothing to do with VMs - just exception handling

Ada's been doing that kind of runtime checking and throwing exceptions for 20 years now without needing a VM to enable exception handling.

Ren and Stimpy said it best

[Dachannien]

"Don't whiz on the Electric Fence!"

Speed being privileged? In these times?

Still, programmers are privileging speed and efficiency over security, which leads to the famous "buffer overflows" which are exploited by hackers.

...Riiiight. Programmers are certainly privileging speed over security. That students are being taught nowadays that speed is the last thing you should care about, and that the inexplicable popularity of managed languages and so forth exists is completely irrelevant. And the combined losses in efficiency from many programs running at once causing things to run far slower than they have any good reason too...

I'm sure that the buffer overflows certainly aren't caused by programmers just not realising that they're there. There's no way programmers are that absent-minded.

Lots of memory available?

[NorbrookC]

In reading this article, I started to wonder a lot about this. writing to conserve memory is a bad thing? I will say that I haven't noticed that in most software, regardless of whether it's OSS or closed-source. If anything, there seems to be a variation of Parkinson's Law in effect. Yes, computers these days have a lot more memory available, however, the number of applications and the size demands of each application has grown almost in lock-step with that. 15 or so years ago, yes, you had one OS and one application running - maybe, if you were lucky or were running TSR apps, two or three. These days, the OS takes up a hefty chunk, and it's not uncommon to see 8 or 9 (if not more) applications running at once. What they all seem to have in common is that they assume they have access to all the RAM, or as much of it as they can grab.

I have to wonder if he's actually looked at things these days. I don't see where programming (properly done) to conserve memory is a bad thing. If anything, it seems that few are actually doing it.

Re:Lots of memory available?

[Jeremi]

What they all seem to have in common is that they assume they have
access to all the RAM, or as much of it as they can grab.

They don't assume "access to as much RAM as they can grab", they assume "access to as much RAM as they need". Given the presence of gigabyte RAM modules, virtual memory, and near-terabyte hard drives, this is usually a reasonable assumption.

I have to wonder if he's actually looked at things these days. I don't see where programming (properly done) to conserve memory is a bad thing. If anything, it
seems that few are actually doing it

Certainly one shouldn't gratuitously waste memory, but it's possible to go to far the other way too... you can become so wrapped up in reducing memory usage that the other aspects of your program (e.g. runtime performance, code simplicity, code correctness, or maintainability) suffer. I'd much rather have a program use a lot of memory and work well, than one that uses a teensy amount of memory but crashes, or doesn't get the job done. Memory is dirt-cheap these days, and if you've got it you might as well put it to use.

Re:Lots of memory available?

[laffer1]

As an open source developer and college student, I can clarify the problem. We are taught that memory is cheap and there will always be enough. Of course that is stupid. Anyone who uses Firefox, Gnome, KDE or Vista can tell you that modern software is using way too much RAM. Granted three of those products are trying to work on the problem a bit. In the case of Microsoft, it helps them sell new PCs which then ship with new versions of their software.

If you want to solve this problem, professors need to teach that there is a tradeoff between performance and security. There are not unlimited resources to work with and yet we must try to maintain a reasonable level of security. Then again the age of the professor is important. Some like C++ or Java while others only live by .NET. A few I've had love linux or BSD. Their tastes seem to control what's taught in class.

Re:Lots of memory available?

[NorbrookC]

Memory is dirt-cheap these days, and if you've got it you might as well put it to use.

You have an interesting definition of "dirt cheap". Doing a quick check, 1GB RAM is running around $175-$200. Admittedly, that's a lot cheaper than 12 to 15 years ago, when it was averaging $25 a MB, but I don't consider that "dirt cheap." The problem, as you pointed out, is that they grab as "much as they need", or more correctly, as the developer(s) think it needs. That's fine in an isolated system, where it's the only application running, and usually developer's computers have more power than most people's computers, so it works there. It is not true in real life. I get a little fed up every time I get told to throw hardware at a problem. I'm running a computer that's more than an order more powerful than the one I had a few years ago, and I'm still running out of RAM.

Re:Lots of memory available?

[ip_fired]

Don't know where you buy memory, but it looks like it's $100 for a GB of RAM (at newegg.com)

Look, if you want to run RAM hungry apps, you need to either purchase more memory, or open fewer apps at once. Or, I guess you could go back to using the apps that you were using a few years ago. I'm sure they'll run with the same, small memory footprint that you want them to.

Re:Lots of memory available?

[Jekler]

I think you're rightfully fed up with throwing hardware at a problem. Hardware isn't as cheap and easy to come by as some developers believe. Waste can be seen if you look at things like the ATI Catalyst Control Center (CCC). It occupies 60mb-70mb of memory persistently. Am I to believe that the CCC is several times more complex and contains several times more data than the entirety of the Windows 3.1 operating system? (obvious cracks about Windows aside)

Re:Lots of memory available?

I don't really care how cheap memory is, the amount of memory that can go in a single machine is a limiting factor as well. $100-$200 for another gig of memory isn't the end of the story. If it requires a second machine, it can easily involve: retooling procedures for a second machine or replacement, OS upgrades and subsequent regression testing, rack buildout, power supply buildout, switching buildout, failover and backup changes, etc, etc, etc.

So the actual memory may be cheap, but throwing memory at a problem may involve a *lot* more than just buying a stick of memory and installing it in a machine.

Re:Lots of memory available?

[unicode]

There is an interesting piece of software called FirstClass. It has advantages and disadvantages, as does any system. However, one of the biggest problems I see with this software is that under OSX it hogs %100 of the CPU, even when not doing anything.

The developers need to sort this out. This is an example of people thinking that their software package is the most important package which will be running and therefore should have full access to resources.

***** PLEASE IF YOU WORK AT OPENTEXT RESOLVE THIS ISSUE *****

Re:Lots of memory available?

[Rich0]

If an app wastes RAM then it WILL slow down the system, even if it happens to use CPU cycles slightly more efficiently.

RAM that is unused gets used by the OS for buffering and caching. So, even if the system has 50GB of RAM free, it will run faster if your application uses only 3GB rather than 4GB.

And $100/GB isn't cheap - not when CPUs sell for $200-300 for a pretty nice model. In most systems RAM tends to remain rate-limiting, and so it needs to be treated as a valuable resource and not wasted.

Re:Lots of memory available?

[ip_fired]

Oh, I agree that applications need to be more frugal when it comes to using memory. I'm just tired of people who complain about how a certain apps use more memory in new versions, when the programmer intentionally did that in order to improve performance or add some feature to the application.

Swapping to disk is very slow compared to caching something in memory. In older programs, it was often necessary to only have in memory what you were working on at that very moment in time.

There is a trade-off between performance and memory usage.

And $100/GB *is* cheap. I had to pay $300 for 8MB back in the day. To get a GB of ram at those prices would have cost me $38,400 (I'm sure glad I don't have to use my Pentium-60Mhz anymore..heh).

Re:Lots of memory available?

[Rich0]

I'm just tired of people who complain about how a certain apps use more memory in new versions, when the programmer intentionally did that in order to improve performance or add some feature to the application.

Swapping to disk is very slow compared to caching something in memory. In older programs, it was often necessary to only have in memory what you were working on at that very moment in time.

Actually, I tend to get the best performance by keeping -Os in my CFLAGS - smaller code means more cache hits and less swapping.

Some memory/speed tradeoffs are probably worth it. However, with modern VMs this isn't always the case. If you're going to dump stuff to disk you might as well do it and read it back when needed - or MMAP the file - the OS will swap in and out for you. If you need to hold a buffer temporarily you're best off just keeping it in RAM - let the OS decide when to swap it out (you might never dump it to disk that way).

Basically, you need to keep in mind that sometimes the OS can do a better job managing memory than you can, and sometimes the reverse is true. If you put a lot of thought into your algorithm and it is tailored to what it needs to do, then it will probably beat the OS. If you just tossed something together the OS might do a better job. And of course if you use a popular library you're probably going to make good use of RAM.

What is portable?

[tepples]

It doesn't matter that the tradeoff for that speed is flexibility, security, and portability.

"Portable" can mean that it runs on more than one PC-type platform, or that it can also run on handheld platforms with small CPU, RAM, and battery. True, there's J2ME, but it's hard for an individual in North America to buy a device to run midlets that isn't locked down in some way by the operator of a mobile telephone network. There's a reason that GBA games are written in C and that Nintendo DS games are written in C++ and not Java.

Mod parent up!

This was one of the smartest jokes I've read here in ages. If I'd only have some mod points...

Old News

Methodologies for writing secure code have been known for decades. A far more interesting article would be one that attempts to discover or explain why certain engineers and organizations refuse to use them, or, for that matter, why they refuse to learn them in the first place.

Note: there are new breeds of software developers who do NOT buy into the old-school lines of bullshit that have brought us where we are. Hopefully, these smarter heads will prevail as we move forward.

Re:Old News

[Alioth]

Some of it can come down to the lack of teaching things like assembly language in programming courses. Everyone says 'why bother' about asm. However, you only have to do some elementary asm programming in even just a simple 8 bit architecture to know at a visceral level WHY buffer overflows are bad things - because then you get to see your unchecked buffer write all over the call return address in the debugger. You realise how things tend to get arranged in memory, and why these things happen.

People who haven't done asm generally have heard the term 'buffer overflow' but don't really understand why it's so dangerous because they've never watched the return address of their function call get replaced by something else. It's likely that they don't even understand that function call return addresses are not something that's held in a special internal CPU memory [0], and is just in normal RAM along with all their code and data. If they don't understand this it's unlikely they will have a gut understanding of what happens when their stack gets smashed.

[0] well, unless it's a PIC microcontroller with a separate stack memory.

Re:Old News

[NormalVisual]

A far more interesting article would be one that attempts to discover or explain why certain engineers and organizations refuse to use them, or, for that matter, why they refuse to learn them in the first place.

In my experience, the article you suggest could be summed up in just one sentence:

"Our quarterly numbers are dependent on getting code out the door, and it's far more important to management to hit those quarterly numbers than to guarantee quality."

Re:Old News

[NormalVisual]

Not just PICs, but in general chips with a Harvard architecture don't run into these kinds of issues very often.

Re:Old News

[julesh]

[0] well, unless it's a PIC microcontroller with a separate stack memory.

I understand that a number of more recent CPU architectures have taken the step of putting the return address into a register, rather than on the stack. Itanium is an example.

Re:Old News

[julesh]

Harvard architecture chips would still be susceptible to "return-to-libc" style exploit code: overwrite the return address with the address of code already on the system that you want to execute, and follow it with the parameters you want to execute it with.

Re:Old News

[Alioth]

That's all very well, but it severely limits the depth of the nesting of your calls and limits the flexibility of the CPU (pretty much rules out recursion, and puts an arbitrary limit on the complexity of your programs unless you use special programming techniques to avoid the use of function calls from other function calls).

Addendum

[The+MAZZTer]

I should probably clarify that I can't be 100% sure DieHard was the problem, but I still think it's possible. Sadly I can't reproduce the error (not surprisingly, given DieHard's random nature). Although given the sheer volume of drivers and apps interacting on this comp, which still manages to stay stable normally, it's surprising DieHard didn't bring my whole house of cards down instantly. :)

Randomness. Nooooo!

[istartedi]

The worst bugs are the ones that are hard to reproduce. In fact, when faced with a bug that's difficult to reproduce, I've been known to quip "yet another unintentional random number generator". The suggestion that they're going to apply a pseudo-fix that involves random allocations raises all kinds of red flags. I'd much rather have fine-grained control over which sections of code are allowed to access which sections of memory, and be able to track which sections of code are accessing a chunk of memory. I'd much rather have strict enforcement of a non-execute bit on memory that's only supposed to contain data (there is some support for this already). Introducing randomness into memory allocation? Worst. Idea. Ever. It's like throwing in the towel, and if they put that in at low levels in system libs and things like that, we're screwed in terms of every being able to *really* fix the problem. If their compiler is going to link against an allocator that has this capability, I hope they provide the ability to disable it.

has been done before

[oohshiny]

These techniques are old hats: several malloc implementations offer randomization, and ElectricFence finds pointer errors by spreading out and aligning allocations across virtual memory.

In practice, however, a decent set of test cases together with valgrind will make any of those runtime gymnastics unnecessary.

Re:has been done before

[napir]

No other (known) malloc implementation randomizes *every* allocation. ElectricFence requires a page (usually 4K) per object. A decent set of test cases is always nice, but many software packages don't have enough. In practice, Valgrind will find errors which manifest themselves every time, but not every time, as the most heinous-to-debug errors tend to do. It looks like DieHard (at least in non-replicated mode) mitigates all of the above problems.

Re:has been done before

[oohshiny]

It looks like DieHard (at least in non-replicated mode) mitigates all of the above problems.

First of all, none of what you say invalidates what I was saying: the underlying techniques are well-known, so DieHard is at most an engineering effort.

Is it better than those other systems? I don't think so; DieHard just makes a different set of tradeoffs than other systems. In fact, DieHard can't even find all the problems that Valgrind finds.

Overall, I think retroactive attempts to fix C/C++'s memory management and runtime safety problems by fiddling with the memory allocator are pointless: there just is no good solution that works well for everything. C/C++ with any such hack is still going to be worse than if you just port everything to Java or C#.

(And are you sure you know what "mitigate" means?)

Corrections

[SuperKendall]

Basically almost every point you raised can be addressed simply by saying "get your head out of five years in the past". Moderm GC can take little overhead, and will run when needed even with the CPU being consumed.

Swing does not really have the problems you speak of any longer, if you are using it right... heck, it didn't really have those problem to any great degree about seven years ago when I was building a large custom client app all in swing for only desktop deployment.

Complaining about the build system is like saying GCC has a bad build system - really it has no build system, and you should use something made for building Java. That is why we have Ant and the like...

Of the remainder, I really only think #7 has much in the way of merit. Have you looked into the java.nio package? This makes working with binary data much simpler...

Re:Correction -expansion

[Umuri]

"programmers are privileging speed and efficiency over security..."

This comment, at least the way I read it, is actually rather language independent. It has to do with programmers writing bad code in the first place. It has to do with them using variables that are too small to hold what they need to hold. Other bad practices is allowing users to define what goes into a variable, but then not validating the user input to make sure it is a valid and nonerroneous input. Most programmers nowadays are just being taught to just write an error handler for the basic stupid shit that may happen, instead of just writing a handler to prevent stupid stuff from ever causing an error in the program in the first place, which brings why the parent post mentioned java, as it has better erroneous variable control then it's predecessors.

However i again mention that it is language independent, and it's more bad programming practice then anything.

metaphors

[Joseph_Daniel_Zukige]

metaphors, you have to understand them.

Re:metaphors

[julesh]

metaphors, you have to understand them.

Judging by that article, I think a more appropriate response would be to wipe them off the face of the Earth.

Code Optimisation - A lost Art

Back in the days when Memory was indeed in short supply, a decent programmer would use all sorts of tricks to reduce the overall memory footprint of the code.
It would often have the side effect of speeding up the code as well...
However, in these days of C#, Java etc, code optimisation seems to be a dying if not lost art.
IMHO, CS graduates these days do not understand the implications of the code they are writing. For example...
I did a code review a few months ago where in one place that was inside a FOR Loop, there was a lot of statements that always returned the same values and never used any of the values that changed between iterations of the loop.
I asked the dev why this 'redundant' code was there.
His reply was that he had coded it as a single pass module and then later added the FOR loop controls. He had never been taught the costs in terms of CPU cycles the repeated recalculation of these unchanging values would have.
He said that they always left it to the compiler or runtime environment to sort out and anyway all Computers these days come with lots of RAM so who cares
Whereupon I proceeded to bang my head against a brick wall.
I 'optimised' the code for him. Then we compared the compiled code size (using the JAVA compiler) and mine was almost half the size of his.
so, we ended up with a module that was
1) Smaller (less memory used)
2) Faster (less CPU cycles used)
And probably most important, given the end customer of this code
3) More Maintainable (Easier for a human to read and understand)

Re:Code Optimisation - A lost Art

[julesh]

IMHO, CS graduates these days do not understand the implications of the code they are writing.

IMHO, lots of programmers today don't understand the power of the tools they use.

For example...
I did a code review a few months ago where in one place that was inside a FOR Loop, there was a lot of statements that always returned the same values and never used any of the values that changed between iterations of the loop.

Did you try compiling it and looking at the resulting code? Most modern compilers automatically perform an optimization called loop-invariant code motion, which takes that stuff that does the same calculation on each iteration and only runs it once at the start.

Virus signature?

[krishn_bhakt]

http://www.avira.com/ is picking SPR/Hook.MadTool.B signature in C:\WINDOWS\system32\madCHook.dll file.

Do NOT INSTALL THIS

[cowholio4]

BTW Do not install this crap... I do software development and this program has made it impossible to compile/run my programs (even after I uninstalled it) and also while it was running it would not allow Eclipse to run. So basically this program screwed me over big time. I am writing a database that is is to be deployed tomorrow morning. **&**&**&*&* ..... Note to self: Do this crap in a virtual machine and not while developing a program.

Re:Do NOT INSTALL THIS

[cowholio4]

yeah im not a troll. It really messed things up for me. I ended up pulling an allnighter, I'm still not done with the DB I was working on but I did uninstall and fix all the errors caused by DieHard.

It's the programmers fault?

[X-Phile]

I don't think it's typically the programmers fault that there are security issues with the software. If the programmer was taught how to do things properly, then they would do things properly. Also, if they weren't so rushed to get a product out the door, they would be able to do a proper review and test of the code and find a majority of the bugs before the product hits the streets (or the server room in the case of custom software)

Typically, a programmer is doing their job. The programmers manager is doing their job, by squeezing the work and deadlines of the programmers.

My $0.02 CDN

Re:It's the programmers fault?

[DrSkwid]

> If the programmer was taught how to do things properly, then they would do things properly.

It is a programmer's responsibilty to find out what properly is.

Speed - buffer overflow?

[BagOCrap]

Still, programmers are privileging speed and efficiency over security, which leads to the famous "buffer overflows"... Am I the only one who finds the above sentence just strange? In my books and experience, speed optimisations most certainly don't result in buffer overflows. Recklessness does, however.

Re:Speed - buffer overflow?

[Lxy]

He's talking about what aspects the programmer is focusing on. If you're concentrating on makign a program fast and efficient, you may not be looking at writing it securely. Speed doesn't create buffer overflows, but lack of attention on the programmer's part certainly does.

Re:Speed - buffer overflow?

[TropicalCoder]

programmers are privileging speed and efficiency over security, which leads to the famous "buffer overflows"...

See my post a few comments above - a "my worst bug" story about a buffer overflow.

"It turned out that I had made a bad assumption about the data that would enter that buffer - assuming (for good reasons) that it would always be some multiple of 8 bytes. I was doing some assembler language processing of that data in this module that realized a significant optimization based on this assumption."

That was exactly my error - "privileging speed and efficiency over security, which leads to the famous 'buffer overflows'"

are you sure it's not the sequel?

[way2trivial]

the film "live free or die hard" is on it's way. The synopsis alone makes me wanna gag..

http://www.imdb.com/title/tt0337978/
When a criminal plot is in place to take down the entire computer and technological structure that supports the economy of the United States (and the world), it's up to a decidedly "old school" hero, police detective John McClane (Willis), to take down the conspiracy, aided by a young hacker (Long).

Double Jeopardy!

[ptelligence]

"DieHard is a piece of software which helps programs to run correctly and protects them from a range of security vulnerabilities." Isn't that what the operating system is for? Why is there such a huge market for third-party products that compensate for the shortcomings of unstable and insecure software. If you paid once for the OS and the software, why should you have to pay again for third-party applications to secure them? Doesn't make sense to me.

Re:Double Jeopardy!

[able1234au]

Malware writers will target any holes in an OS. A more secure OS means less holes but malware writers will always find a way in. Many viruses will still work on a secure OS by tricking the user into running a program they shouldnt. So if we ever see a 100% secure OS there will still be viruses, spyware etc. Vista will not solve this problem (and Vista will not, and is not, 100% secure) As long as there are bad guys there will be the need for security products. Of coures, the OS providers could also provide the security products, and Microsoft is trying to do this. But there is a cost to write security products and so they will have to pass that cost along. Just because they might be good at writing Operating Systems doesnt mean they might be good at writing security products. Different skill set completely. In fact, the skills in being responsive and making tradeoffs to deliver security quickly is completely different to the skills required in writing Operating Systems so you could argue that it would make them BAD at writing security products.

Why the restriction to "non-commercial" use?

[grandpa-geek]

Why not just license under the GPL, LGPL or some other open source license? This business of being "free for non-commercial use" restricts users who use open source software for commercial purposes. This software is really "non-free" according to any definition of the FSF or Open Source Initiative, which explicitly forbid discrimination against fields of endeavor. Perhaps you should say "non-free, but gratis for non-commercial use."

Re:Randomness. Nooooo!

[DrSkwid]

A rare voice of sanity, thank you.

from the plan 9 fortune file :

Almost all good computer programs contain at least one random-number generator.

And this is more efficient than a memory manager?

I haven't seen problems that would be solved by this application in years--I've been using Java.

The only reason left to choose C++ over Java seems to be some perception that it is significantly faster. Now you have a system that is tracking every allocation and deallocation you do. Heck, with Java's memory management there is absolutely no code run for 99% of the deallocations, so it's possible that Java-style memory management is actually quicker than a version of C++ that is almost as safe.

I'm not saying Java is the only answer, but for OO programming, Garbage Collected memory management is absolutely the only way to go.

Another Movie Sequel?

[MidVicious]

"DieHard is a piece of software which helps programs to run correctly and protects them from a range of security vulnerabilities. " So it's basically a Tron program?

Die Hard has Split Personality

On one hand you say that Die Hard is resiliant to random crashing due to double frees, etc. On the other hand, "It places guard pages around large chunks and frees such large chunks back to the OS (causing later references through dangling pointers to fail unless the chunk is reused)" - which encourages crashing. So, which is it? A bad-program crasher or a crash preventer?

Re:Die Hard has Split Personality

[Ristretto]

No, that's what OpenBSD does. Sorry for any ambiguity -- that whole paragraph was about OpenBSD.

-- Emery Berger

Thanks but NO

[ericartman]

Installed it, Firefox became unusable due to freezing up continually, removed it. Thanks anyway.

Re:Thanks but NO

[Ristretto]

If you encounter a problem using DieHard, I'd appreciate hearing some details (send me mail). Obviously, the system works fine for me and others. I'm using it now, and have been doing so for months without incident.

Thanks,
-- Emery Berger

Re:Thanks but NO

[ericartman]

Done and done the night I tried die hard. Sent email to the first person on the first web page at your site. Will now try your address.

Patented?

[mkcmkc]

The big question is: Will the author or his institution attempt to patent this?

If so, it's essentially irrelevant for my purposes...

This is almost certainly not a troll.

[drinkypoo]

If you look back up through the stories you can see that others have reported problems. Programs which have workarounds for memory problems rather than actually fixing them (read: Mozilla and descendants) may be likely to fail when running in this environment. Whoever marked this guy as a troll is a) an idiot and b) should have their moderation powers taken away permanently for not familiarizing themselves with the material before moderating.

waitaminute...

[Medievalist]

OK, I don't use Java, but still:

Swing does not really have the problems you speak of any longer, if you are using it right...

I don't know of any case where a memory leak can be considered user error so saying "you have to use it right" sounds pretty fishy to me.

We solved this in the 1970s

[Medievalist]

The 90/10 rule says that your program spends 90% of its time in only 10% of its code, and that optimizing the other 90% of the code is basically a waste. And yet people who want their programs to "go fast" are writing that 90% in a low-level language, effectively wasting a large amount of effort.

Um, I recommend to you reusable code modules. In any language.

At least 90% of that 90% should be implemented as library routines.

Back in the day we talked about OTL and RTL, before the black ships came and we lost the secret of hose gartering that never ravels, er, but I digress...

I guess I forgot something

[DrSkwid]

% sarcasm = `{hget 'http://slashdot.org/comments.pl?sid=214522&cid=17 431396' | grep comment_body_17431396 | sed -E 's/<[^>]+>//g'}
% cat /env/sarcasm
        and I thought Perl was the king of write only code
%

Developer

[SuperKendall]

Users do not "use" swing directly, they use application written using the Swing API. So by saying "you have to use it right" means you have to be careful to use the API correctly, or at least you used to. The swing app we wrote did not have memory leaks, it was meant for standalone desktop situations to be running at long stretches. We used a number of profilers extensively (including HAT) to figure out where memory leaks were coming from, and shut them down. Most people who think Swing leaks memory are probably not realizing some memory leaks are their own fault. People too often think that just because you have a GC, you need not be concerned about memory but it's just not the case.

Java 1.5 features like weak references helped provide support for mechanisms to address a number of common programming patterns that lead to memory leaks, this is why I noted that the complaint was probably not against any modern version of Swing.

Re:Randomness. Nooooo!

[TropicalCoder]

I fully agree with you to the extent that it would be a grave error to attach the Diehard or simlilar thing to software under development. We would never know where we are.

A few weeks ago I had one of the worst bugs I had ever encountered in a decade of C/C++ programming. Something was overwriting the end of a buffer in a multithreaded program where each thread used the same algorithm, processing different data. Thankfully, the bug was reproducible under a complex setup of inputs, but for a long time I could not be certain which element in the series of test data was causing the problem, or why it caused it, or even in which thread it happened. In the end, it took quite some time to solve the problem. Rather than being in the new code, it was in a module that I suspected the least since it had been running in the field for over a year with no problems. It turned out that I had made a bad assumption about the data that would enter that buffer - assuming (for good reasons) that it would always be some multiple of 8 bytes. I was doing some assembler language processing of that data in this module that realized a significant optimization based on this assumption. The thing was, it turns out in the end that there are some potential generators of that data that just don't behave the way I expected. Fortunately they had never been encountered yet in the field. By luck rather than design, my test setup included such a generator.

This leads me to my conclusion: We must always follow best practices and do proper testing. Then, when all is properly done and ready ship, I don't think it would hurt at all to recompile with the Diehard system or something similar, as an insurance policy against unforeseen circumstances.

Oxymoron???

[Puppet+Master]

... -- and Microsoft. DieHard prevents crashes and hacker attacks by focusing on memory.

Shouldn't Microsoft use this software on their own products to fix these types of problems?

Completely avoid buffer overflows: code in Pascal!

[macraig]

Perhaps the reason we endure so many buffer-overflow exploits and need stopgaps like DieHard is because too many mediocre programmers were playing with "dangerous" languages like C(++)? No rules and no boundaries leads to bad behavior... every parent knows this. Too bad IT project managers never figured that out....

as far as i remember

DieHard was a virus bad in the 386 days. Funny how virus names become security names suddenly

... less focused on speed and efficiency ...

[krischik]

These problems wouldn't arise if programmers were a little less focused on speed and efficiency, which is rarely a problem these days, and more attentive to security Indeed. And one could start of by using using a programming language which is "attentive to security" [1].

I did and I never looked back. It is a damm lot easier then trying to fix the deficiencies of a speed, speed and only speed focused language (C/C++) by the means of tool.

I tried [2] - and it did not work well. A add-on tool just can not beat build in buffer overrun protection by no means.

In the case of Splint static analysis is just not enough, you need runtime checks as well.

And in the case of Die-Hard all the protection bolted on later at runtime. And that will relay be great for performance.

Only ... the JPEG-Virus was based not on a buffer overrun, it used an integer range overrun. Ada has build in protection for integer range overruns. Haven't read anything about Die-Hard protecting anything but memory.

$360,000 wasted because the majority of programmers are to lazy to learn a new programming language (those present are of course not meant).

Or there bosses rather buy a tool then a course for them.

Martin

PS: If you like to try Ada you get the free and open source version here [3].

[1] http://en.wikipedia.org/wiki/Ada_(programming_lang uage)
[2] http://en.wikipedia.org/wiki/Splint_(programming_t ool)
[3] https://libre2.adacore.com/

Memory protection is an architectural issue,

[TheLoneGundam]

The System 360/370 series, and their successors, solved the "memory overflow" problem decades ago by a combination of hardware and OS architecture. Each page of real storage in hardware has a "storage bump" containing, along with the recently-used bit that enables paging, a storage key. Programs do not allocate memory - instead they make OS calls and the OS allocates memory. It allocates this memory in the key of the program being executed, usually. OS and system-level programs execute in keys 0-7, and non-OS programs execute in key 8. Things like communication buffers and the like are allocated by system functions, not by your application program; and if your key 8 program tries to store into a key 0-7 area without calling some authorized system function to do so, your program is terminated. This mechanism prevents a lot of malicious stuff from happening because you cannot generally store into any OS-related areas. You can, of course, modify your own program via array overflows or whatever, but depending upon various ways you bound / linkedited your program that also could get it killed. I doubt that the current set of applications in Windows world will allow migration to the above kind of architecture on Intel hardware - but the example is there for any who want to follow it.

Indeed: choose another language

[krischik]

Sad that our posts are at the bottom so almost no one will see them. I posted almost the same before I saw your post. Only I suggested Pascals more powerful sister [1].

But anyway: they will just continue to produce new tools to fix the deficiency if C/C++ so programmers won't need to learn new languages, or because hirering will be easier.

I have not much hope for the software developing industry.

Martin

[1] http://en.wikipedia.org/wiki/Ada_(programming_lang uage)

Re:Indeed: choose another language

[macraig]

Yeah, Ada also makes the point and is a more functional strongly typed language, but I mentioned Pascal because it had wider familiarity and was used as a teaching language. Perhaps the trouble started when Pascal was replaced by C in classrooms?

Re:Indeed: choose another language

[krischik]

Perhaps the trouble started when Pascal was replaced by C in classrooms?

Yes, that could well be. The teachers/schools thought the students have to learn a language which is also used in the industry.

And that is of course wrong. They should teach programming and software engineering.

But I don't blame them, the pressure came and still comes from managers and personal officers. They think that learning a programming language is difficult - which is wrong - learning programming is difficult.

Martin

Re:Indeed: choose another language

[macraig]

Absolutely! The specific language itself and its syntax is immaterial; if students are taught proper techniques and principles - in effect taught how to solve problems logically and programmatically - then good coding form naturally follows. Unfortunately... it requires people of strong character who can resist temptation! It's certainly possible to forcibly code the functional equivalent of strong typing etc. in C(++), essentially SELF-IMPOSING rules and limits rather than the language imposing them, but that requires self-discipline and self-control that too many programmers just don't have: they'll stoop to pretty much ANY silly and risky coding stunt that the particular language syntax allows. Pascal (and Ada and others) produce more stable code merely because they impose "ten commandments" in stone rather than relying on an "honor system" like C(++) and others.

Yep, too bad it's only two pair of eyes seeing this thread now! 8-/

Mark

Strike the Balance

[krischik]

No conserving memory or CPU cycles is not bad - but you have to strike a balance between that and safety, security, reliability. And C and it's successor C++ have got that wrong - especially now where almost every computer is wired to the internet.

If you look at the great language shootout [1] then you will see that i.E. Ada [2] uses only marginally more memory or CPU cycles but it offers a lot more on the safety, security, reliability part.

As for Die-Hard: From what I read it is going to be a lot more wastefull on memory or CPU without delivering what Ada can do.

Martin

[1] http://shootout.alioth.debian.org/
[2] http://en.wikipedia.org/wiki/Ada_(programming_lang uage)

Yes and No

[krischik]

I am possible one of the programmers who know C++ really in deeps. And yet there was allays room for surprise as the Ruby community would call it. Up to the point that I decided that C/C++ are not the right tools and I switched to Ada [1].

C and C++ are so focused on speed - speed of execution and speed of code hacking:

If:

signed x;
unsigned y;

why must

x = y;

be allowed? I mean you will need:

x = (signed)y;

but do you really need that quick hacking shortcut which is difficult to maintain and may hide a book.

And here comes the "NO" part: Most programmers are not allowed to choose there programming language.

Martin

[1] http://en.wikipedia.org/wiki/Ada_(programming_lang uage)

PS: Yes I am a bloody Ada advocate who plasters this discussion with damm Ada links :-).

Re:Correction -expansion

then it's predecessors

"than its".

MOD PARENT UP!!!!

+1 Insightful
+1 Informative
-1 Obvious
---
+1 Total