Slashdot Mirror


User: Crispin+Cowan

Crispin+Cowan's activity in the archive.

Stories: 0
Comments: 223

Comments · 223

  1. Re:"Bollocks" ? on Emergence of SMT · Score: 1
    It's not true that doubling L1$ and adding a selection bit costs you nothing. In fact, the size of L1$ is rather limited, and cutting size in half substantially increases the miss rate. It is also fairly expensive to add selection bits.

    SMT also doesn't save you from cache miss latency. Out-of-order instruction issue saves you from that.

    The main advantage of SMT is that it gives computer architecture scholars something interesting to study :-)

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Security-hardened Linux

  2. Bollocks on Emergence of SMT · Score: 1
    IMHO, SMT is a load. Modern microprocessors are mostly cache-starved. SMT puts two processors on the wrong side of the L1$, aggravating the cache bandwidth problem. Worse, the two processors in SMT degrade referential locality, further degrading the performance of the cache.

    I'm much more interested in enhanced cache ideas like IRAM that seek to enhance performance by putting a very large L2$ on chip by combining the discrete logic circuits of the CPU and static L1$ with the capacitor cell circuits of DRAM.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Security Hardened Linux Distribution

  3. Re:SlashPatents on Author of Archie Challenges Alta Vista Patents · Score: 2
    Patents appear rather quickly for that. Patent #6,000,000 was granted December 7, 1999, and #6,100,000 was granted August 8, 2000. That makes 406 patents per day. Small wonder that the prior art search is lame.

    Crispin
    ----
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Hardened Linux Distribution

  4. Immunix 7 & FormatGuard Resist Ramen on Cracking All The Live Long Day & RH6/7 Worms · Score: 1
    Upon reviewing the excellent technical summary over at Securityfocus, we found that Immunix's FormatGuard stops all three of the exploits that Ramen uses:

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution

  5. Re:Infosplit web site on Yahoo Geographically Targeting Users · Score: 1
    I e-mailed them to bitch about the blank web page, and they said they had problems this morning, but you can now get non-flash pure HTML here http://www.infosplit.com/no_flash.htm

    Crispin
    ---
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution

  6. Re:Infosplit web site on Yahoo Geographically Targeting Users · Score: 1
    It's not just you; I also get a blank page. I even enabled Javascript, and still got a blank page.

    Presumably, they have a Flash home page (I don't have a Flash plug-in, and don't want one). I don't object to web developers using Flash, but I do object to Flash being critical to content & navigation.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution

  7. The Corruption Games on IOC To Olympic Athletes: Online Diaries Verboten · Score: 1
    The Olympics need to change their name to the Corruption Games. Don't watch them.

    Crispin
    ----
    Crispin Cowan, Ph.D.
    Chief Research Scientist, WireX http://wirex.com
    Free Hardened Linux Distribution: http://immunix.org

  8. Annals of the History of Computing on Computer Historian? · Score: 1
    A great place to start your investigation might be the IEEE Annals of the History of Computing.

    Crispin
    ----
    Immunix: Free, Hardened Linux Distribution
    Chief Scientist, WireX

  9. Dissecting the Buffer Overflow Problem on Are Buffer Overflow Sploits Intel's Fault? · Score: 3
    For a great deal of technical data on how buffer overflows work, and how to stop them, read this paper. While I appreciate the plug that Bruce gave me for StackGuard, it does seem that he has not researched this topic very well:
    • Make the stack non-executable: Yes, this works, and security-conscious people will use Solar Designer's Kernel Patch to do that. It works great.
    • Make the data segment non-executable: This works a whole lot less well. Too many UNIX programs depend on being able to execute code in the data segment. This is UNIX's fault, not Intel's fault.
    • Use the MMU For Enforcement: Ancient Burroughs mainframes (the 6500 IIRC) actually stored each array in a separate segment. They also ran like a dog compared to modern RISC(y) architectures. We tried the MMU approach for StackGuard in 1997, and it imposed an 8000% overhead to do it that way. Read about it in this paper.

    Crispin
    -----
    Immunix: Free Hardened Linux
    Chief Scientist, WireX
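
The comment above recommends a non-executable stack as the first line of defence against stack smashing. On Linux, whether a given binary opts into that protection is recorded in its PT_GNU_STACK program header, a toolchain mechanism that postdates this comment. The script below is an added example, not code from the comment, from Immunix or from Solar Designer's patch: it parses the ELF file and program headers and reports whether the stack would be executable, and it builds a constructed minimal ELF64 image (headers only, not runnable) to exercise the check. Treating a missing PT_GNU_STACK header as "executable" mirrors the loader's legacy default and is stated here as an assumption.

```python
import struct

# ELF constants from the System V ABI and the Linux ELF headers
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551   # program header whose p_flags describe the stack
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def stack_is_executable(elf: bytes) -> bool:
    """Return True if this ELF image would be loaded with an executable stack.

    Assumption: a binary with no PT_GNU_STACK header is reported as
    executable, which is the loader's legacy default for old toolchains.
    """
    if elf[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = elf[4], elf[5]
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        (phoff,) = struct.unpack_from(endian + "Q", elf, 32)       # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", elf, 54)
        phdr_fmt = endian + "IIQQQQQQ"   # p_type, p_flags, p_offset, ...
        flags_index = 1
    elif ei_class == ELFCLASS32:
        (phoff,) = struct.unpack_from(endian + "I", elf, 28)       # e_phoff
        phentsize, phnum = struct.unpack_from(endian + "HH", elf, 42)
        phdr_fmt = endian + "IIIIIIII"   # p_type, p_offset, ..., p_flags, p_align
        flags_index = 6
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        phdr = struct.unpack_from(phdr_fmt, elf, phoff + i * phentsize)
        if phdr[0] == PT_GNU_STACK:
            return bool(phdr[flags_index] & PF_X)
    return True


def check_file(path: str) -> bool:
    """Convenience wrapper for a binary on disk."""
    with open(path, "rb") as f:
        return stack_is_executable(f.read())


def build_sample_elf64(gnu_stack_flags=None) -> bytes:
    """Constructed little-endian x86-64 ELF image used only to exercise the
    check: one PT_LOAD header plus, if gnu_stack_flags is given, a
    PT_GNU_STACK header carrying those flags. It contains no code."""
    phdrs = [(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ehsize, phentsize = 64, 56
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident,
                       2,          # e_type: ET_EXEC
                       0x3E,       # e_machine: EM_X86_64
                       1,          # e_version
                       0x400000,   # e_entry
                       ehsize,     # e_phoff: program headers follow the ELF header
                       0, 0,       # e_shoff, e_flags
                       ehsize, phentsize, len(phdrs),
                       64, 0, 0)   # e_shentsize, e_shnum, e_shstrndx
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        print(path, "executable stack" if check_file(path) else "non-executable stack")
    print("sample RW stack:", stack_is_executable(build_sample_elf64(PF_R | PF_W)))
    print("sample RWX stack:", stack_is_executable(build_sample_elf64(PF_R | PF_W | PF_X)))
```

Run it with one or more binaries as arguments to audit a system; a binary built from assembly without a `.note.GNU-stack` section is the usual way a modern program ends up with no PT_GNU_STACK header and therefore an executable stack, which is exactly the case the last `return True` is there to flag.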

  10. Adventure Shell on Natural Language CLIs? · Score: 1
    Once again, Microsoft seems to have invented 20-year-old technology. The "type in-line" interface sounds exactly like the ancient "adventure shell".

    Cliff is right: it is not better to type "move all files beginning with the letter a to the directory called 'foo'" than to type "mv a* foo". I predict this one will be as much of a hit as Microsoft's Bob.

    Crispin Cowan
    -----
    Immunix: Free Hardened Linux
    Chief Scientist, WireX

  11. Re:You are in a fashion industry on What About Functional Languages? · Score: 1
    I totally agree with this comment. We even have empirical evidence to support it: Java.

    Java is (IMHO) the coolest popular language around, and the most popular cool language around. Before jumping on me with your favorite language, let me explain these terms:

    • coolest: supporting the most wizzy features, e.g. type safety, distributed computing. Thus the list of "cool" languages is very, very large, and would include the likes of Java, Eiffel, Haskell, Scheme, ML, Hermes (my personal favorite) and the hundreds of others that the PL community has produced.
    • popular: used by so many people that you can reasonably post a job ad seeking programmers with experience in that language and expect to get responses. Thus the list of "popular" languages is relatively short. This list is nearly inclusive (I may have left out a few):
      • C/C++
      • Pascal
      • Java
      • VB (very popular, not so cool :-)
      • PERL (very popular, coolness hotly disputed)
      • Python ("popularity" getting marginal here)
    So now do the intersection of the two, and just about the only languages that are both "cool" and "popular" are Java, and maybe Python (depending on whether you believe that Python is either "cool" or "popular").

    Now, how did Java get to be so popular? I argue that it has nothing to do with how "cool" Java is. Java could be every bit as sucky as VB, and still be nearly where it is today. Java became popular through the networking effect of being first to enable animated web pages. Yep, that's right: dancing pigs.

    If Java had come out three months after animated GIFs instead of three months before, then no one ever would have heard of it.

    Topical flamebait: Yes, functional programming languages are obscure and impractical. They may be "cool", but because they are hard to understand without a degree in mathematics, they have zero chance of ever becoming "popular". You will continuously see FP showing up in niche markets where correctness matters, no matter what the cost (e.g. verifying CPUs such as the AMD/ACL2 case mentioned elsewhere, or the Hawk project being used to verify Intel processors), but you won't see FP enter the mass programming market.

    Crispin Cowan
    -----
    CTO, WireX Communications, Inc.
    Immunix: Free, Hardened Linux Distribution

  12. It's To Protect the Merchant on A Matter Of Trust? · Score: 1
    The vast majority of Internet e-commerce fraud is people buying stuff with stolen credit card numbers. When a merchant ships goods to someone and the number turns out to be bad, the merchant gets to eat the loss. This action looks like a merchant that has been burned once too often trying to protect themselves.

    Crispin
    --------
    Crispin Cowan, CTO, WireX Communications, Inc.
    Free Hardened Linux Distribution

  13. Libsafe and StackGuard on Libsafe: Protecting Critical Elements of Stacks · Score: 4
    Perry Wagle (principal StackGuard developer) has done some analysis comparing libsafe to stackguard. Here's the short version:

    • Use StackGuard when you can, because it's safer:
      • Libsafe only protects selected library string functions, while StackGuard protects all potential sources of stack overflow.
      • Libsafe depends on the existence of the frame pointer in the stack frame to parse/detect the stack frame. Unfortunately, the frame pointer may not be there, either because of a compile option to remove it, or because the optimizer took it out.
    • Use libsafe where you cannot use StackGuard. It's better than nothing, and it can protect closed-source apps where StackGuard cannot.
    The long version of the analysis is here.

    My further comment on libsafe: the paper that the authors will be presenting at USENIX in June presents two forms of defense ("library intercept" and binary-rewrite (BRW)) and only the library intercept appears to be embodied in the publicly available libsafe, which is why libsafe only protects against overflows that use particular string library functions.

    The BRW method is a pseudo-compiler that can transform binaries into "safe" programs by transforming the binary. It copies the program onto the heap, inserting checks as it goes. The copy-to-the-heap is to make space for the additional checks. I really like the BRW method, and hope it becomes available.

    If my understanding is mistaken, and BRW is actually in the distributed libsafe, please correct me.

    Crispin
    -------
    CTO, WireX Communications, Inc.
    Immunix: Free Hardened Linux

  14. The Actual Story Link on Wyse Ditches Linux For WinCE · Score: 2
    Since the main body of the Slashdot article pointed to cnet's home page instead of the actual story, I thought I'd provide the link.

    Crispin
    --------
    CTO, WireX
    Immunix: Free Security Hardened Linux OS

  15. Security Auditing for Linux on Auditing for Linux? · Score: 5
    There are two projects you may be interested in. The first is the Linux BSM project at U.C. Davis (home of an excellent security research lab by the way). The project's goal is to provide TCSEC-compliant auditing for Linux. They appear to have made reasonable progress. The last update to the web page was Feb. 15.

    The second project you may want to consider is that SGI is building an "orange book" Linux, with a goal of C2 by October, and B1 by next spring.

    Note that this question was posted to Slashdot last year so you probably want to go check out the responses there.

    Finally, while I'm here, I'll plug my own security-hardened Linux distro: Immunix. Immunix is not TCSEC compliant or anything like that. Rather, it is designed to be extremely difficult to break into, while preserving a high degree of Linux compatibility. Currently, it is just Red Hat hardened with StackGuard, but we will be releasing additional security technologies shortly.

    Crispin
    -------
    CTO, WireX Communications, Inc.
    Immunix: Free hardened Linux

  16. Where Linux Employers Post on Finding a Linux Job · Score: 4
    Since I am an employer seeking Linux staff, I thought I'd provide my input. I agree with much of the advice in the article.

    However, at the end they recommend four job portals: Linux.com, Linux Today, User Friendly's GeekFinder and Linux.org.au. I agree with the first two, and (since I'm in North America) have no valid opinion on Linux.org.au.

    The problem with Geek Finder is that it is really just a front for Dice.com. Unlike all the other resources mentioned, dice.com charges employers for listings, instead of being community-based and advertiser-supported.

    Instead, I would recommend the following additional job portals, where I have actually posted jobs:

    • Superexpert.com: not great, but it does host linux jobs.
    • JustLinux: a smaller Linux portal, with a nice jobs page.
    • Free Software Jobs Page: This is the GNU jobs page. It is strictly for free software jobs, so only hard-core open source jobs get posted there.
    Finally, WireX's research jobs are here and our production jobs are here.

    Crispin
    -----
    Crispin Cowan, CTO, WireX Communications, Inc.
    Immunix: Free Hardened Linux Distribution
    Jobs!

  17. Re:Mobile Code: Threat or Menace? on CERT Advisory On Malicious HTML Tags · Score: 1
    I think it does have to do with active content. The active content threat is that servers that allow anonymous users to post HTML code (such as this here Slashdot thingie :-) also enable attackers to post HTML that contains tags that point to malicious scripts.

    Thus a nefarious AC could post a slashdot comment that contains malicious tags, and just by surfing through here, your browser gets sacked.

    Now, Slashdot is not actually vulnerable to this threat, because slashdot has a short list of permitted tags, and all others are stripped. But a site that takes any kind of HTML input can become an attack script re-broadcaster for anyone silly enough to surf with Javascript enabled.

  18. Mobile Code: Threat or Menace? on CERT Advisory On Malicious HTML Tags · Score: 3
    I blame mobile code for this fiasco. My precise definition of "mobile code" is "code that crosses a trust barrier". Thus examples of things that are mobile code include:

    • Java and Javascript applets
    • Macros attached to MS Office documents
    • ActiveX "controls"
    • "Foreign" active network applets running on "my" routers
    • E-mail attached .exe files
    Examples of things that are not mobile code include:

    • computational functions migrating around a distributed cluster
    • agents migrating around a LAN or a distributed virtual LAN
    • vendor-supplied upgrades to a system
    • duly authorized installation of new software
    • Java applications that were explicitly installed to add functionality
    By these definitions, I argue that mobile code presents far more threat than benefit. The "weak benefit" argument is that most of the benefit provided by mobile code comes in the form of dynamically interactive applets. The applets provide finer-grained interactivity with the user. This is strictly an ease-of-use issue, as the server must check everything that the applet produces. The only applications where this actually matters is games, and people who give up security for gaming get what they deserve :-) Less flippantly, game applets are easy to effectively sandbox by giving them absolutely zero access to the client workstation.

    The "major hazard" part comes from the difficulty of effectively confining an untrusted applet such that it gets controlled access to the client host workstation. The more complex the semantics of interpreting downloaded information, the more difficult it is to establish whether it is safe (cf recent discussion on firewall-wizards about whether CheckPoint FW1 is effectively stripping dangerous tags from HTML content). The more powerful the semantics of the downloaded information, the more able the adversary is to build attacks that escape static analysis by computing the actual attack code on the fly.

    I think that powerful tools are required to enable administrators to enforce a ban on active content. These tools might include:

    • a filter that can strip macros from MS Office documents
    • firewalls and browsers that detect active content (Java, Javascript, ActiveX, MS Office macros, etc.) and send back an e-mail to postmaster@originating.site explaining that their active content has been stripped, and they had best prepare documents and web pages that work without the active content.
    That last tool is an especially powerful thing that the open source community can do to try to smarten up giddy web developers who think that every new feature to come along is just so cool that it must be used. To make the web safe to surf, we need to push back against the goobers who are re-defining HTML to require scripting to make a site usable.

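
Comments 17 and 18 above describe the defence that keeps a site from becoming an "attack script re-broadcaster": a short list of permitted tags, with everything else stripped before the post is served to other readers. The following is an added example of that allowlist approach in Python; it is not Slashdot's code (which is not on this page) and the tag list, attribute rules, URL scheme check and sample post are all my own constructed assumptions. It goes slightly beyond the comments by also dropping event-handler attributes and `javascript:` links on otherwise permitted tags, since a permitted `<a>` tag can carry script just as an unpermitted one can.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed allowlist: tag -> attributes permitted on it. Anything not listed
# is dropped; Slashdot's real list is not given in the comments above.
ALLOWED = {
    "b": set(), "i": set(), "p": set(), "br": set(), "blockquote": set(),
    "a": {"href"},
}
VOID = {"br"}                       # tags that never get a closing tag
DROP_CONTENT = {"script", "style"}  # drop the tag *and* everything inside it
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" covers relative links


class AllowlistFilter(HTMLParser):
    """Rebuilds an HTML fragment keeping only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # output pieces
        self.open = []   # allowlisted tags currently open, for balancing
        self.skip = 0    # >0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED:
            return  # unknown tag dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue  # e.g. onclick=, onerror=, style=
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_SCHEMES:
                continue  # e.g. javascript: or data: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if self.skip or tag not in self.open:
            return
        while self.open:            # close anything left open inside it
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

    def close(self):
        super().close()
        while self.open:            # balance tags the author never closed
            self.out.append(f"</{self.open.pop()}>")


def sanitize(fragment: str) -> str:
    """Return the fragment with only allowlisted markup, text re-escaped."""
    p = AllowlistFilter()
    p.feed(fragment)
    p.close()
    return "".join(p.out)


# Constructed sample post: allowed markup mixed with things a filter must drop.
SAMPLE = ('<p>Hi <b>there</b><script>alert(1)</script> '
          '<a href="javascript:alert(1)" onclick="x()">link</a> '
          '<img src=x onerror=y> 1 &lt; 2</p>')

if __name__ == "__main__":
    print(sanitize(SAMPLE))
```

Because the output is rebuilt from the parsed tree rather than patched with regular expressions, text content is always re-escaped and the result is balanced even when the poster left tags open, which is what stops a stray `<b>` or `<a>` in one comment from swallowing the rest of the page.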
  19. Whining on FreeBSD at COMDEX · Score: 2
    I agree with many of the other posters; most of Bret's frustrations appear to be self-authored. Approach a hardware vendor with an in-your-face attitude, refer to products as "lobotomodems", and you should EXPECT to get the brush-off. There are advanced techniques like "tact" and "diplomacy" that need to be employed to successfully convince a vendor to invest effort (i.e. money) in supporting alternative systems.

    Furthermore, the whining about the isolation of the Linux Business Expo is also invalid. We were there selling our Linux-based product and promoting our free security portal and it was our choice to place our booth in the Linux Business Expo. Anyone who wanted to be in mainland could have chosen to do so.

    Crispin

  20. wither comp.risks? on The Coming Cyberclysm - Part One · Score: 1
    How can anyone write such an article without citing news:comp.risks? Peter Neumann's comp.risks mailing list/news group/news letter/column has been studying this problem for TWENTY YEARS. It is the premier source of news and information about the risks involved in computer usage. All of the other sources quoted in Katz's article are newbie amateurs by comparison.

  21. TPM: A New Form of Independent Film on Sellout: George Lucas in HypeSpace · Score: 4
    On the contrary, Mr. Katz. I'd like to offer the view that "The Phantom Menace" is nothing other than the biggest independent film ever made. Note that Lucas personally put up the $115 million to make the film: no studio money. This gave Lucas complete artistic freedom to do whatever he wanted. This is normally the realm of art/independent film makers, people too independent to toe the studio line. Lucas is so wealthy from his success that he can afford to blow off the studios, and make exactly what he wants.

    Look at this as a brave new experiment in film: the very first time that 9 digits of money was spent on a film totally under the control of an imaginative film maker, instead of a gang of bankers and focus groups.

    Crispin
    -----
    Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
    http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    Support Justice: Boycott Windows 98

  22. Old and New on CNN on Microsoft and Linux · Score: 1
    This is an old story from LinuxWorld. What is news is that CNN is now picking up stories from IDG/LinuxWorld.

    Crispin

  23. OMU, way cool on Friday Quickies · Score: 1
    OMU sounds a lot like OS/9. Back in the mid-80's, the cool & low-cost way to get a UNIX-like platform was to put OS/9 on your 6809-based Radio Shack Color Computer.
    • 6809 processor
    • 64 KB of RAM
    • Real multi-tasking and real multi-user
    • If you didn't like the chicklet keyboard, you could hook a terminal to the serial port and get a login prompt.
    It wasn't free, but it was very cheap.

    Crispin