Schneier on Security

Nick P • December 20, 2015 5:30 PM

@ fr0sty

Coincidentally, I burned the new TAILS, Ubuntu, and Mint a few hours ago. System needed a cleanse anyway. On Mint now. Briefly had Haiku on it but couldn’t figure out how to turn on wireless in the 10-15 min allotted. Getting my apps and data back on now. Will play with Haiku and A2 Oberon some more when Virtualbox is reinstalled. Darn, should’ve tried GenodeOS between installs now that I think about it. (shrugs)

Nick P • December 21, 2015 3:21 PM

@ Grauhut

Might try it. Meanwhile, Virtualbox dependencies are corrupted because of Linux’s take on dependency hell. I clicked install on the wrong icon and the problems apparently remain after I uninstalled it with gibberish error messages. Whatever. Miss how Windows apps uninstall then reinstall almost always worked.

I think I have KVM and now have a front-end for it. Might try to work with that instead. Once I figure out where the front-end went. Always this shit on Linux’s lol…

@ Dirk

re Haiku

Haiku is nice because it tries to preserve the superior [for desktops] BeOS architecture. Described nicely here. That’s how it did awesome stuff on old, Win98-era hardware like this. Skip to 4:45 to see how responsive it is with multitasking overload around 17:14 or so. I was envious when I watched that long ago.

Now, Haiku itself isn’t quite delivering yet as a knockoff by a small team. However, it and MorphOS are keeping alive the tradition of easy-to-use, lightweight, consistent, highly-responsive desktops. Good parallel tradition and knowledge base to have going on for diversity. Plus, when more robust, might make a good OS for cheap, air-gapped systems leveraging whatever security tech they can. Would be much easier with a small, consistent OS vs a UNIX. So, I’m just interested in it for architecture and long-term potential rather than day-to-day.

re Linux

I got Ubuntu to use for hardware support especially when fixing machines or getting files off them. It usually runs on about anything with little work. Mint is my day-to-day desktop because it’s pretty reliable, super-easy, and less scheming than Ubuntu far as I can tell. I plan to try Fedora, SUSE, and the BSD’s again in near future but had to reinstall immediately to deal with cruft (or spyware) that was bogging my system down. Moving FAST now. 🙂

@ Thoth, Dirk

I wanted to try GenodeOS just to see where they’re at. I agree on pushing it as a framework to build on and turn into something useful. Especially purpose-built systems or appliances. I’ve been promoting that for a while.

@ Clive

Um, are those spoilers or unrelated to actual content of the movie? I haven’t seen it yet. So, if spoilers, I’ll read them later.

Nick P • December 21, 2015 8:52 PM

@ Thoth, Wael

He likely both hacked their network with an undersized, smartphone keyboard then installed a chatterbot representing to respond if he wasn’t awake. His main AI is trained using a huge knowledge base, integration with Watson, and samples of his posts fed to a GPU-accelerated deep learning machine. Noticed how the chatterbot merely used a pile of comedy links rather than a long, detailed post. That’s a cheat to seem realistic. I bet soon… maybe within hours to a day… we’ll see the real capabilities of his Watson and DNN hybrid.

Nick P • December 22, 2015 11:16 AM

@ Clive Robinson

re links

Those were pretty funny. Putin link being my favorite. Even Vader wasn’t that villainous: he waited two movies. 🙂 I believe they threw in a Citizen Kane reference on the last one.

re hospital

” Thus I also got to know what was going on during the op. ”

Ahh that makes sense. Are you saying you were actually awake during the operation? I hear this happens but haven’t known anyone personally. What was that like?

“They were worried about me not using painkillers but I’ve had the first peacefull nights sleep for several weeks, so “no worries” there. ”

That’s how I do it. They always scoff at me avoiding painkillers when I’m sick or few times I had surgery. Took a tiny hit of them once after appendix being removed because the pain was unbearable. Plus, how else am I going to sleep in an American hospital with interruptions every 5-10 min? (Still didn’t: not enough morphine…) Regardless, I usually avoid them so I can mentally track my progress in healing & to be used to that sort of thing. One day I might not have medical backup…

On other end was a friend of mine. We’ll call him Jake. He’s normally a tough redneck but terribly afraid of needles. Wanted a tattoo done by my brother, an experienced artist. They got him set up, reassured him, put the tattoo gun on him once… mofo’ screamed and passed out instantly. Had to check his pulse and shit lol. “Still alive? Aight, let’s finish the tattoo.” He woke up later to find he got what he paid for even if he didn’t remember the specifics. Hope he didn’t have that experience in anything else he might have paid for. 😉

” “will I be able to play the piano”[1]…”

I could imagine him grinning with a bit of drool coming down his mouth with that line coming out as his head slowly fell back. Then the doctors smirk at each other quipping, “The stoners always say the damned things…”

@ BoppingAround

I was. My main haunt these days is Hacker News as the better technical discussions happen there most often. Quite a few of the old guard there, too, like John Nagle and people that worked LISP machines. Anyway, you’ll see my comments here. Also done things like slamming them on not leveraging prior work in safe programming and small, safe/secure runtimes for unikernels. However, the essay I put most time and thought into on where we need to go for robust, secure, day-to-day programming was this one. It focuses on imperative languages because I assume no major shift to functional programming. I commented more on how to build it and other tools with low-subversion in this thread.

@ Markus Ottela

You don’t have to grow up with it: here’s a great article on the various services that existed before the Web and their contributions. Written much more interesting & with more context than various timelines. Hopefully, you’ll get to share a similar one with your great-grandkids talking about how we used to use controllers to play game consoles on non-optical computers instead of the stuff they snort now days.

Nick P • December 22, 2015 11:07 PM

@ Gerard

“and that also won’t happen. C is here and here to stay.”

Hence all the work on improving C codebases, compilers, etc. You’re probably using C code to type your posts. It’s not going away and it’s too critical. So, gotta do something.

Nick P • December 22, 2015 11:42 PM

@ Gerard

Just got some good news. Well, I’ll just paste the comment:

“For anyone interested in Modula-2 as a potential replacement for C as a systems language, there is a small but hopefully growing revival of the language occurring on the Gnu Modula-2 mailing list and (especially) on comp.lang.modula2 . Right now there is a call on the newsgroup for testers of the Modula-2 to C (M2C) compiler. This is part of a larger effort for the Modula-2 Revision 2010 (M2 R10) language definition and implementation by Benjamin Kowarsch and Rick Sutcliffe.”

I still have the old Modula2-to-C compiler and Lilith report just in case. Might get some new tools. Hell, I might even do some alpha tests on that for them. A form of Modula-2 is one of the few alternatives to C that could get traction if benefits were explained. Anything C people can do, Modula-2 can do as well. You know, outside supported backends or popular libraries. A revival of that brings us a step closer to Modula-3: the best for industrial use. Need to ditch uppercase requirement and add macros for zero-overhead abstractions, though.

Anyway, just posting it in case you wanted to get on the mailing list or comp.lang.modula2 to get in on the revival or test out their tools.

Nick P • December 23, 2015 12:41 PM

@ Grauhut

Appreciate the tips! 🙂 CentOS also has the advantage of strong, SELinux support IIRC. There’s guides out there on using that with KVM, etc.

@ All

Great paper on usable, PKI implementation

Paper here. Even I was shocked that getting on secure wireless network and cert setup was a twenty-something step process even Ph.D.’s couldn’t understand. They narrowed it down to a few, intuitive steps with rest automated. Excellent example of improving security in a way people can use. More thinking like this needs to be applied to each product category and the apps that manage them.

Nick P • December 23, 2015 4:30 PM

@ Clive, Wael, Thoth, Grauhut

My position on knocking C out in favor of a safer, system language was it had to be simple and efficient. My favorite contender I’ve been pushing was a Modula-2 revamp or (ideally) Modula-3 as we can subset it. Modula-2 was nice because it was simple (65p specification), readable, safe in all kinds of ways, easy to compile, efficient in production, maps easily to stack architectures, and has no GC. A lot of nice traits. I wanted to drag it toward Ada some more in safety features albeit not complexity.

Anyway, there’s a Modula-2 revival going on with a revision and a new Modula-2-to-C compiler. Main site is here. However, you might want to start with the FAQ. It is a series of very, rational statements that I can’t argue against outside maybe uppercasing. Rare when I see promotional material for a programming language. 😉 Might be worth testing out and contributing to.

Plus, remember I’m thinking of it in terms of my overall vision for imperative language overhaul. And next step after that, once I got functional down, is automated conversion of best FP language I can find to the safe 3GL to leverage its compiler. If necessary or beneficial. I do know the LISP’s and ML’s are easier to verify plus there’s refinement strategies into stateful, imperative code.

Nick P • December 24, 2015 11:22 AM

@ Thoth

re PKI deployment

The troubles you describe plus what was in paper seem to suggest this market is ripe for Silicon Valley-style “disruption.” An easy-to-deploy, trustworthy solution might sell like hotcakes. Would be a high, initial investment getting it going, though. Lots of lawsuits to follow. So, probably best to operate that one in stealth mode as long as possible to get lawyer money together. And invest in sales over engineering as we both know. 🙂

re languages

Ada has always been its own language with direct to assembler. The main compiler uses GCC intermediate as Anura said. There’s commercial compilers that don’t. There’s everything from zero to minimal to significant runtime depending on what safety/features you want. Vendors of microkernel RTOS’s often have Ada runtimes that sit right on microkernel. So, it’s about as independent as a system language can get. Integrates with C well out of necessity.

Haskell, while even safer in theory, is a whole different situation. It uses a large, less-portable runtime that’s written in C I believe. The compiler itself is quite complex to the point that certified compiler work focuses on ML. I’ve seen one port of a Haskell backend to Forth to run on Forth chips. So, it’s conceivable. Plus, there’s my de facto solution of using subset Ada or SPARK to do the runtime of a similarly-safe language plus any native code or libraries. Mix and match. It would be a lot of work, though, that needed experts in compilers & runtimes for functional languages.

Back to shit I can comprehend… 😉

@ Wael

Your categories miss the popular option of creating a new language that solves the problems. It’s not a new paradigm or just a mod to an existing language. Not usually. It’s close to Horizon 2 but benefits from ability to ditch fundamental problems in existing languages. Design problems rather than just syntax or whatever.

Modula-2R10 falls somewhere in that category or Horizon 2 in your classification: original was an alternative language for new projects while this revises it to aim for same goal. Fits partly into Horizon 1 of legacy code if we’re talking about porting. There’s a significant mismatch between C and Modula-2 that means you want someone who understands the codebase doing the porting. It won’t be automatic. However, they’re pretty close to each other in what they can do if you think of expressions, control flow, structuring, and so on. Going from C to Modula-2 is a gap rather than the gulf that going to Java or C# would be. That’s where I see adoption potential.

” I would recommend you list out a more granular set of requirements that achieve the “efficiency” and “simplicity” you noted. These two requirements, in your view, indirectly lead to a more robust language. For each requirement you list, you’ll need to state it’s direct influence on security as well as its relation, conflicts, and tradeoffs with other requirements.”

That’s a lot of work and we discussed it. I could simplify here a bit to show the extremes along with how to get the middle ground. The left side has highest efficiency outside ASM. That would be SSA form for its portability and optimization potential. The drawback to SSA is that it’s hard to read for sizeable programs and it’s not safe at all. The right-hand side is max safety in an imperative language. That would be Ada for readability (to pro’s) and safety features for all the common errors. The drawbacks to Ada center on compexity: hard to learn, parse, and generate efficient code for.

So, this leads to some guiding principles:

1. Needs to be more readable than SSA or C.
2. Needs to have safety and “programming in the large” features of Ada where possible.
3. Needs to avoid Ada’s compilation difficulties, esp parsing. Side-effect of boosted productivity & QA time if compile-test cycles are fast.
4. Needs to aim for efficiency of SSA or C.

5. Should be easy to learn to get many eyes in FOSS and cheaper QA in proprietary. What? The latter is realistic requirement haha.

Modula-2 meets 1, 3, 4, and 5 without any further modification. The original language had some safety features of Ada with some more easy to add without trouble. Design-by-contract or SPARK proving would be difficult but is conceivable due to No 3 solved to extreme. So, there’s much more in direction of No 2 than asm, SSA, or C. So, by criteria 1-5, Modula-2 is already stronger than C for robust, productive, and efficient system programming. An update can make it more so.

“The arguments are mostly rational, but also superficial.”

What did you find superficial outside the capitalization given 1-5 above? The safety features they mentioned eliminated problems in practice. The OOP subset let people do that if they want while eliminating complexity found in C++ compilers. Just two examples I recall that weren’t superficial.

@ Anura
(@ Wael)

Good points on some safety kicking in without loss of performance. The general rule is there’s going to be a performance hit. The high end, shown in C safety, is around 40-70%. That high end probably has more to do with C’s design than safe programming in general. Plus, many programs are I/O bound where some CPU overhead is invisible in overall scheme of things if language is otherwise efficient. Last thing to remember for languages like Modula-2 is that Unsafe modules can be used for critical path functions if the safety makes performance unacceptable. I could see it happening in video decoding or a JIT.

Far as the balance, Go is probably our best evidence here as people keep migrating to it from Python and Java for speed boosts with success. I’ve seen huge speed boosts. Nobody in application space is complaining about the performance of a GC’d, Wirth-style language. Modula-2R10 should be faster outside compiler optimizations because it’s the simpler, non-GC style of Wirth language. Semantics-aware analysis to eliminate checks would be the next step as they do in Ada and the Midori research I’ve been reading. The former demonstrated acceptable tradeoffs in practice but the latter is showing it can be pushed further.

Note: This doesn’t even count the potential of using static analysis tools a la Astree or SPARK to justify eliminating checks in modules by showing the error can’t occur.

@ Gerard

“The only question is whether they can position the language in an area that is occupied with C and C++. That question depends on advertising and eco system (libraries, tools, documentation), and they may find a fierce competition with Rust which has lots of “modern” (think complex) features.”

Good point. Momentum killed everything else off so far with Go and Rust being few exceptions gaining ground due to momentum of who backs them. So, outside of education or niche that favors quality, it might be an uphill battle. That Astrobe is still selling Oberon for embedded use and Blackbox doing Component Pascal (really Oberonish) in Russia give a glimmer of hope.

Nick P • December 25, 2015 2:30 PM

@ Wael

“The OO support is minimal and not complete.”

That assumes OOP is the right way to do things. Lots of good software is written without it and easier to understand. Likewise, there’s all kinds of good software written with OOP that they claim is easier to understand. I’d love to see some science decide the issue one way or another but meanwhile there’s at least two styles to cater too.

An alternative with OOP style plus safety/performance is the Eiffel method and language. They popularized Design-by-Contract & safe concurrency (i.e. SCOOP model). Modula-3 & other Wirth languages show Modula-2 could be extended for OOP but generics are more popular among target group.

“What I find superficial is the idea of designing yet another general purpose programming language that will eventually suffer from the same “weaknesses” C/C++ have… They still have pointers”

In Modula languages, the things you do are robust and safe by default with acceptable performance. You have to go out of your way to do unsafe stuff, even explicitly marking it as Unsafe. Anyone doing Modula idiomatically will have many, fewer problems and faster, development pace than idiomatic C or C++. Plus it’s easier for compiler writers to extend or handle due to simplicity.

Only worry I have is the standard library. Approaches to concurrency, string handling, etc need to be decided well ahead of time with safe, effective defaults. Those problems of C/C++, where everyone reinvents it poorly, might kick in if one is not careful. A new language lets one get a good start, though, whereas older ones must keep baggage.

“Don’t you thing there should be a close relationship between a programming language and the operating system it sits on? What good is to use Modula-2 when the OS is written in “C”? ”

Ever seen Perlix? It’s a basic, UNIX user-land with shell and utilities written in Perl. They work better, are a bit more robust (individually haha), easier to modify, and so on. That’s because the language is better suited to those things than C. The FFI let’s it interoperate with C libraries or OS where necessary. Same with Modula-2 languages where the OS might be C but apps can benefit from safety. There is residual risk in the interface: even Ada had a vulnerability that came from abstraction gap at FFI level. So we have to watch out for that but it’s still interesting to note it’s always C dragging down safety of what’s calling it rather than vice versa. A good enough reason for me to ditch it.

“I’m not sure how much success or popularity they’ll achieve. ”

Probably minimal. It would still be worthwhile if enough community got together to maintain/optimize the compiler, IDE’s, key libraries, and so on. Safe-FFI techniques, ZeroMQ-style component models, or semi-automatic translation from C to Modula-2 can do the rest. Truth be told, we should’ve matured that kind of stuff by now anyway as we keep needing it every time a language gets popular.

You could say I hope it becomes another Ada, Eiffel, Common LISP, Ocaml, or Haskell. It’s there for those wise enough to use it for its advantages while the rest of the market ignores it & suffers greatly for that choice. Another secret weapon for elite shops differentiating on pace, quality or security. 🙂

Nick P • December 25, 2015 8:38 PM

@ Clive Robinson

“I don’t know what your learning style is, but few can go from quite esoteric theory to well found code.”

“As for lambda calculus it’s one of several ways you can get functional programing to work. ”

I learn the piece-by-piece, useful-stuff-first method like in the examples you linked. My goal isn’t to learn anything directly from theory. As I said, the books with theory are used as a reference to support advanced work of making the compiler.

Far as lambda calculus, major ones derive from different versions of it with sophisticated, type-systems. Of strongly typed, the type systems and many compiler techniques are ground in theory and need it to work. The imperative stuff I can just throw tactics at, often learned in isolation w/ little to no theory. Not so much for the functional languages as they’re highly mathematical in nature. Anyone that doubts that can try to explain monads, their sound implementation, and correctness-preserving transformations to amateur, functional programmers without confusing them. I already know that’s not going to work out from reading so many comments (by FPer’s) on FP sites. That’s just one sub-topic among many that might crop up.

So, the point of referencing landmark works in the field is only as references to support the work. I’d recommend each topic start as tutorials and more English stuff that gradually builds on thing on or alongside another. Paying attention to foundations as you stated. It’s just that you’ll need plenty of theory and complex techniques for FP compiler if you want it to work correctly and fast. Hence any supporting works. How much I’m still not sure of and all of it is currently out of scope for me past skimming and collecting until I can at least use a functional language as simple as ML. 😉

Note: Things like GHC are also said to be poorly documented with lots of magic in them to outsiders. So, there’s a documentation benefit to tricks it used ending up in books.

“Another issue is that even functionaly correct and verified code is of little use against “bubbling up attacks” from compromised hardware”

True, true. There’s lots of ways to handle that, mostly in logic that corrects itself + Correct-by-Construction HW methods. They’re already most of the way there in EDA tooling and methodology given the complexity of HW vs number of errata found. The main failure I see is, outside elite shops on cutting edge nodes, the HW vendors often don’t handle local failure post-manufacturing as well as they should. I’m sure there’s tricks yet to be discovered here but our old trick of voters works best even if inefficient. Recent learnings taught me voter logic itself can be implemented in self-correcting logic gates rather than triplicated. Research into decentralized voting hardware is still worth pursuing.

“It’s why I keep talking about “mitigation” not “verification” as the solution to “bubbling up attacks”.”

Best to do both in parallel. That’s what NASA always did and Galois is doing with Copilot DSL for embedded. They assume the failures will happen somehow. They come up with how they want to react ahead of time. They then use a combo of robust implementation plus monitors and recovery techniques. Do it on every component. Works wonders.

So, I say we keep doing both. Let’s not forget recovery-oriented architectures where they just keep testing for or assuming failures with availability-preserving restarts. Lots of restart and reset-based approaches that catch lots of things. Might be worthwhile to do, similar to your Prison or Tilera’s TILE chips, a grid-like approach that’s somewhat self-organizating (leader/master-election) that can work around bad nodes on boot. Then, part or whole ASIC can be reset to activate that process when problems are bubbling up or even before to detect them.

Nick P • December 26, 2015 9:41 AM

@ Wael

“How else would one maintain code composed of several millions lines of code? ”

The way people maintained hundreds of thousands of lines of code before OOP became a big thing: information hiding with modules, procedures/functions, interfaces, and complex data types. Layered, esp hierarchical design and decomposition help too.

“Seems you agree with “Horizon-3″.”

That’s what we said about OOP in the 90’s. Now it’s technically Horizon 1 although its users still all disagree about how to use it to achieve stated benefits. The only things they agree on, abstract concepts like information hiding or reuse, already existed in prior paradigms. So, I still consider the full promise of OOP to be Horizon-3.

“Parallel is likely, and so is heterogeneous with the use of specialized CPUs such as DSP and GPU. ”

For parallel, we’re seeing a lot of uptake in functional programming again. Actually, it seems to be better at that and OOP’s goals than imperative. Back to imperative, there’s been many attempts at parallel languages. I think ParaSail might be most worthy of copying.

re OOP approach

Turns out, my poor memory did me in again. A guy name Mayson showed up in another discussion on Oberon and Modula-2R10. Told me how he had to rescue a distributed OS in last 6 months of a 5-6 year plan that had basically no working code. Got it done with Modula-2 using a compiler from Logitech, who turns out to have been cranking out good dev tools back then. Paper is on the backlog: keeping it for historical reasons.

Anyway, he pointed out that the best one was Blackbox’s Component Pascal. That was an industrialized, improved version of Oberon-2. It had the readability, safety, compilation speed, and efficiency of the Modula/Oberon lines. It also had OOP, automated GUI’s, and a component architecture for plug-and-play style development. Developed a reputation for “if it compiles, it probably will work.” Great presentation in slide form on it here. So, there’s the start if one wanted an OOP, GUI answer to Modula style.

Note: It wasn’t a huge commercial success. So, they open-sourced it. However, it attracts a certain zeal in comments on forums that I rarely see. Nothing but praise from its users. Had significant uptake in Russia, too, on clean-slate projects. So, adopted by C crowd or not, it’s probably worth looking into, playing with, improving. To me, it’s like an industrial Pascal meets Visual Basic.

@ Wael, Clive

re Humor

Discussion about writing compilers popped up on Hacker News. One person asked how they’d do a Visual Basic for Applications compiler. A response said something like “I can’t wait to see what comments this gets.” I was happy to oblige but had to avoid tripping over moderation. Result was better than I expected. Here was the exchange:

Nick: “You have to start with the top-tier talent that delivers enterprise apps in Visual Basic 6. They need to know VBA language inside and out. They should implement templates for what every primitive does in terms of stacks, registers, and/or control flow (esp jumps). This includes common representations, type system rules, binary interfaces… you name it. Everything one needs to know to parse and implement VBA files along with reference implementations in VBA.

Then, you pay a LISP consultancy to implement that as a DSL in Racket or Common LISP that runs during development and outputs portable C for production w/ frameworks like WxWidgets and/or NPRS runtime. They should be able to throw the whole thing together in under a year. :)”

Critic: “I am not quite sure what you are making a parody of?”

Nick: “Domain experts, executable spec both parties understand, source-to-source compiler using DSL’s, and targeting C to reuse backends? Is that a parody or a recipe for VBA compiler small team can handle?”

Neutral: “It’s Poe’s law for software.”

(I DuckDuckGo Poe’s Law.)

Nick: “Lmao. That’s perfect.”

(Silence from critics.)

Nick P • December 26, 2015 11:44 AM

@ Clive

Another Jungian synchronicity at work it seems. As we’re discussing gradual works like your link vs compendiums like Simon Peyton Jones’, someone posts a gradual, FP compilation, text with evolving source code examples by… Simon Peyton Jones. Book here. Probably a nice start on way to other one. 🙂

Note: On mobile, so havent read it yet. Hence, the word probably.

Nick P • December 27, 2015 11:36 AM

@ Clive Robinson

The other thing it does is maintain, on many threads, the high quality of discussion and diverse array of commenters we saw here years ago. Hence, me spending more time there than other places.