Category: Development

Posted on

RAII, or why C++ doesn’t have a finally clause

One of the most common idioms I see in a delphi program looks like the following:

foo := TObject.Create;
try
    // Do something with foo
finally
    FreeAndNil(foo);
end;

It’s primarily because you always create objects on the heap, and everything involving an object, essentially, is a pointer. This makes for a little bit of a memory management issue. You have to remember to destroy objects after you’ve created them, and because if something goes wrong, that destruction needs to take place in a finally block. Having it take place in a finally block keeps you safe from exceptions. If an exception is triggered it always passes through the finally block on it’s way back up the stack. This gives you the ability to cleanup temporary objects as needed

C++ uses the RAII idiom, which means that objects that are defined at a certain scope are always going to be destroyed once that scope is exited. What this means is that if you define an object X in a function Y, once Y is returned from then X will be destructed/destroyed. As an example:

std::stringstream streamer;
// do something with streamer

There’s no awkward streamer.create call, and once you return from the function streamer is appropriately tidied up

But wait, you say, they are not the same, what you are doing in Delphi is creating an object on the heap, while in C++ you are creating it on the stack, so of course during the process of unwinding said stack, you will destroy the object. The more equivalent code in C++ would have been:

std::stringstream *streamer = new std::stringstream();
// Do something with streamer
delete streamer;

Hah you say, no try finally means that if an exception is triggered in the ‘do something’ piece of code, you leak a streamer object on the heap.

To which I respond, silly rabbit, that’s why you didn’t create a pointer in the first place with the first piece of code. If you want to perform something like this, then you should use a smart pointer, which takes care of the destruction of the object once the smart pointer exits scope, like so:

std::unique_ptr<std::stringstream> streamer(new std::stringstream);
// Do something with streamer

But really, if you were just going to create an entity for the duration of a function, it’s far easier to just create it in-place without such complications

This leads to a little gotcha that regulary catches non C++ programmers when they are creating methods. As they typically come from a pointer-based economy (e.g. Delphi, Java), when they create a method:

function doSomething(object : TObject) : integer

What they’re doing is actually passing in a reference to TObject (as it’s just a pointer), and because it’s pass-by-value in this case, what they’re really just passing in is the value of the pointer. In C++ it’s a little bit different. When you pass in an object using the form:

int do_something(std::stringstream streamer)

What actually happens is a copy is made of the item being passed, and it’s that which ends up in the function; not the actual object that you’re passing in. If you want to pass in a reference to the object, then you need to use the reference passing semantic:

int do_something(std::stringstream &streamer)

You can use the const modifier if the method you’re invoking is not going to modify the passed in reference, which allows you to restrict the things you can do with the reference. In this form you don’t need to perform any indirection on the object (e.g. getting a pointer to it) in order to pass it in. This makes for slightly tidier code, which isn’t strewn with &’s on the way in, and var->’s in the method itself.

And for those Delphi haters out there; the reason I picked Delphi rather than Java is because Delphi is, unless you’re using the .NET variant, a non garbage collected language, and as such requires the free, otherwise you get memory leaks.

Objective C is another kettle of fish. Between the original model of retain/release, the GC model that was available on OS X from 10.5, and now the totally shiny ARC mechanism, it makes some people cry.

Posted on

Gotcha!

So I found this little security clanger in the manual page for dlopen on Mac OS X, where it states:

When path does not contain a slash character (i.e. it is just a leaf name), dlopen() searches the following until it finds a compatible Mach-O file: $LD_LIBRARY_PATH, $DYLD_LIBRARY_PATH, current working directory, $DYLD_FALLBACK_LIBRARY_PATH.

Yes, current working directory, one of the classic vulnerability injection mechanisms. This is as epically bad a security clanger as Microsoft Windows’s LoadLibrary call but, apparently, nobody cares! Linux, and Solaris have a far more sensible mechanism, where it actually enumerates the places that it looks for the library, but unless you really, horrendously eff it up, it won’t look in the current working directory.

I nearly did a spit-take when I saw this explicitly called out. In this day and age, it’s an embarassment.

Posted on

Are you really trying to increase market share?

Microsoft have three different kinds of mobile phone operating system.

  • The 6.x series, which is really only usable with a stylus, and is old, out of date, and generally a pain to use.
  • The 7.x series, which is, fundamentally a step above the 6.x series, with a more modern UI. It is slick and elegant, but it is based on the kernel from the 6.x series, and as such is a little bit on the old side.
  • Now there is the 8.x series, which runs the proper windows kernel under the hood, but just with a mobile phone UI on top. It looks very similar to the 7.x series, but the hardware is significantly different; so much so that there is no way to upgrade a phone from the 7.x series to the 8.x series — you will have to buy a new phone to get the features of the new OS.

This new series of phones (the 7/8 series) is a huge step forward for Microsoft. There is a consistent UI, there is a defined design language. You have an App Store for buying all those must have applications; all in all everything you need for a modern phone.

Then there’s the desktop software. For 7, you have the Zune software. This is needed if you want to copy music or movies from your computer to your phone, or transfer photos back from the phone to your desktop.
I have no experience with the windows phone app for an 8 phone, as I haven’t had the opportunity to buy one of these new phones yet. I’m sure it’s an elegant piece of software that interacts well with the phone, allowing you to transfer media to and from. The device; after all, that’s what it’s supposed to do.
The problem is that this is the only way to interact with these phones and your desktop. There is no way to get anything from the phone by a direct connection without installing the software. Microsoft have gone directly to the same model as Apple with regards to device management, except less so — the Apple solution allows you to synchronise your email settings and contact information explicitly, while the Microsoft solution does not. Don’t get me wrong, a little management is a good thing when it comes to these devices which are significantly more complicated than older devices, but sometimes you just want to pull a picture from the phone and it just doesn’t happen.

If you plug an android phone into a computer up pops a hard drive icon that you can use to copy files from the device, or copy files to the device. It may be as raw as you get, but at least you can drag your music to the device and it just works. There are several third party programs that will allow you to manage the content on the device, so if you don’t like it then you can use one of the DoubleTwists, etc.

Transferring pictures from the phone provides a wide variety of social services, but gone is the simple ‘send via Bluetooth’ (again with the media management thing). Have you ever tried to print a picture from a photo kiosk on a Windows phone? It’s as difficult as with an iPhone — you just don’t bother. Lots of lovely images on the web, and not an actual photo to be seen 🙁

Posted on

Simple bash script for getting password-style user input

Here’s a little script for reading a ‘password’ field using dots for the typed characters.

#!/bin/bash -p

old_settings=$(stty -g)
trap 'stty $old_settings' EXIT HUP

echo -n "Enter Password: "
stty raw -echo
ichr=.
value=
oifs="$IFS"
IFS=
while [[ $ichr != "" ]]; do
    read -n1 ichr
    [[ -n $ichr ]] && echo -n '.'
    value="$value$ichr"
done
IFS="$oifs"
stty -raw echo
echo
echo "Value: '$value'"
Posted on

Knee jerk reactions to closed source software being purchased

Most of my work is closed source – it’s been done within/for companies that have no real interest in releasing the software to the wide community.

There is one primary reason for this – a lot of the power in the software is directly tied into the software itself – things are done that are difficult or tricky. The trick is in the doing, and it gives us a competitive advantage when selling, and gives our customers an advantage against their competitors that use the oppositions’ solution.

I love open source software – it means that I’ve got a huge amount of software that I can draw on to get things accomplished that I don’t have to pay a metric ass-ton of money for so I can get my work done. If open source software did not exist, I would be missing tools like flex, bison, perl, python, ruby and bash all of which get my job done.

But I still use closed source software – java (from snoracle), but there is a huge layer of open source software that we’re using to get the language itself to do the things we need it to do.

So, I read an article that mentions ‘Sparrow’s acquisition highlights the dangers of closed source’ which highlights that there were some bad reactions to the software being purchased.

To those people, I will have to say tough shit. I’ve been shafted year on year by proprietary software companies for the last 30 years. You have no entitlement to updates, you have no entitlement to new major versions. If I bought a car and the newer one came out the next year, would I expect to get the newer one automatically? No, I would not. Yet, for some reason, people expect the newest, shiniest version of the software they bought 5+ years ago. If you want the free upgrade train then hook yourself up with Debian, who have a very strong opinion on proprietary/closed source software, otherwise understand that you only paid for a pass for the train system now, not the jetpack and hovertrain system that will exist in the future.

I use open source software when I can. The reasons are simple. It’s pretty well documented if you can understand nerd, and it generally does what I want it to do without any complaints; and if it doesn’t then I have the facility to mess with it in whatever way I want to get the results I want without issue. All the changes I have made to open source software are available openly. As required by some of the licenses, but I make them available for all pieces of software I modify because #1, I’m not a prick (#2 is because it complies with most of the licenses).

I’d love it if all software was open source – it would make my life easier as I’d be able to use solutions to problems that I need whenever I wanted, using the best solution available. I work on such exciting projects as ‘PAM authentication for TACACS+ users’ that I’m sure there’s a huge, burgeoning community of like minded individuals that need this problem solved. Like f**k there is – I work on topics where there is probably 2 people (external to work) who actually care about the changes I make.

The perils of closed source software are simple – no real user actually cares if it’s open source or closed source. If it’s broken, then they bitch. They have no interest in how it’s broken or why; they just want it to work.

 

Posted on

Is that a password in your pocket…

I’ve seen it again and again… a developer wants to access some restricted data over the internet in a client application, but is unwilling to use a per-user login to access the data. As a result, they embed  a password into the application. Then they discover that the password is readable via some mechanism once the application is on the client. Developer scratches their head and tries to figure out how to secure the password. Developer gets frustrated as people say ‘that doesn’t work’.

Fundamentally, you are trying to hide a secret in a client application. There is a long history of trying to do this in applications. It forms the basis for pretty much all forms of application protection – and it is fundamentally impossible. If there is everything you need to run an application on a system, it just requires a certain amount of effort to determine the secret. The amount of effort varies, but in general it is a continual fight between the developer and the person trying to determine the secret.

Mechanisms have been developed to try and make the secret ‘something you have’. One of the earlier disk-based methods was to have ‘malformed’ sectors on a floppy drive that needed to be read. These sectors were only ‘malformed’ in that they were laid on the disk in a method that made them difficult to read normally. The sectors that were read became part of the code that was used to execute the application.

The fix to this form of protection was to read the protected content from an original and then putting this data into a new copy of the program, replacing the invalid content with this good data, and then skip/remove the code that performed the read of the drive data into that location.

An extension to this protection was to actually encrypt the code that is loaded from disk, and then decrypting it at execution time – the encryption varied from simple byte-level xor-based to more fancy xor with rotate. Typically this decryption code butted up to the decrypted code (sometimes even overlaying it), preventing you from setting a breakpoint at the first instruction following the decryption code). Solving this problem involved manually decrypting a few bytes (which at the time was a pen-and-paper operation), and then starting the decryption from the subsequent instructions. Sometimes easy, sometimes more difficult. This would typically be used in conjunction with the ‘special’ media to give a dual layer of protection.

Another mechanism was the hardware dongle. An oft-loved feature of expensive software, it typically embedded some data on the dongle that was necessary for the use of the application. Without the dongle, the application was useless. Some even went so far as to corrupt the data created from the application if the dongle was not present – e.g. straight lines would no longer be quite straight following a save-load cycle, making the files deteriorate following the transition (I think Autocad used this method).

The issue with hardware-based mechanisms is that they have a high cost associated with them on a per-unit basis. A quick search revealed a per-unit cost of €25 for low order quantities, which would need to be added into the cost of the application. In other words, this can quite often not be an appropriate for software which has a low price goal.

For any of these mechanisms, if someone obtained only one part of the solution (application without special disk/dongle) then a well written protection would mean that the application was unusable without the second part. Poorly written protections would use perform a simple test against the special item, and not actually make use of any of the underlying data from it. In general, once you have all the items that are needed for the running of the application all that mattered after that was skill and time.

Special media, encryption, dongles, packers, obfuscation, anti-debugging tricks are many of the tools that have been used to secure applications.

What has this got to do with the opening paragraph? Well quite a bit, actually. The developer needs to store some kind of secret in the application. This secret can be anything, but in general it is some form of key to gain access to some form of resource. Nowadays, the application is not going to be shipped with any physical media – after all, this is the 21st century, and the use of physical media is archaic. This tends to rule out special media and dongles from the mix.

This leaves encryption, packers, obfuscation and other anti-debugging tricks. There are some very good solutions out there for the packer/encryption/anti-debugging. A quick Google for ‘executable packer anti-debugging’ yielded some interesting results. It’s a fun and interesting area, where the developer is trying to outwit the villainous cracker. Some of the solutions are commercial – adding to the cost of application development, and reducing the ability to debug the application when deployed in the field. These generally are decisions that need to be made by the developer when deciding how to proceed to protect their application.

You have to do the math on it. If the cost of developing and implementing the protection exceeds the overall value that you have placed on the application then you simply cannot afford to spend time, effort and money on a solution that will cost you more than you will ever make.

The big take from this is that if you have a secret that you want to keep safe, don’t put it in the application – all that will accomplish is to keep it temporarily out of view. The truly wily hacker will be able to get it; and if the secret is a password to one of your important on-line accounts; then you should think of some other way to mediate access to the resource.