Posts by fg_swe

Regulated Industries, Cyber Threats

It must be noted that there are industries and application fields which operate under somewhat stricter regulations. A serous bug in an ABS brake system software will kill someone sooner or later. Same for bugs in railway, aerospace and medical systems. These industries use extensive documentation and testing to weed out these bugs. Standardized in DO178, ISO26262, and other norms.

An emerging thing is cybernetic threats, which can have very severe consequences (losing a war, for example) for the nation, bank, company or person who uses a certain system. These users will in some cases have a very dim view of commercial software such as Windows or Linux.

But I agree that every developer is at some point under commercial pressure to deliver "something working". If the compiler can help the developer to find as many bugs as possible(mostly due to the type system), this will be a powerful aid.

Re: The percentages could be a bit misleading...

Why should these numbers multiply ?

Assume a C program has a user space runtime of 5000ms, and an system call runtime of 1000ms. The equivalent system based on Sappeur would have 20% overhead: 6000ms in user space and 1200ms in the kernel.

That is a total runtime of 6000ms vs 7200ms. A total overhead of 20%.

Re: Thrashing about wildly looking for straws to clutch...

We always assume competent Java and competent Rust developers. Identical algorithms. Using standard libraries of each environment. Then the Java mark+sweep GC does generate a 2x RAM overhead, for very systematic reasons.

I have done this myself for an application that processes CSV files.

The RAM overhead could be pushed down by aggressive GC settings, but that meant Java runtime would no longer be competitive with Sappeur.

Re: Alright, so the way to save power in datacenters....

The energy consumption differential is very real. If you were an engineer, it would be of interest to you.

Intel never cared about energy consumption, so they missed out the mobile market. Mobile devices are very much constrained by battery.

So in fact it is an engineering-economic thing. Very much like cyber security, which is also a very real problem.

Re: Thrashing about wildly looking for straws to clutch...

Imagine all Java developers switching to Rust. We can assume memory consumption would go down by 50%, based on experimental results so far.

That would definitely be a reduction in energy consumed for manufacturing RAM and for operating RAM.

Re: Experience

I completely agree. I found lots of bugs in my own code, but no bug in the compiler. And of course, good things of a non trivial nature require learning.

A Pity

We have so many interesting projects in Europe, but American standards (almost) always win.

To name a few:

Pascal

Modula 2

Oberon

Transputer

Occam

Eiffel

The success of C shows this is not for the better. Rather, it is a breeding ground for criminals and warmongering.

Re: The percentages could be a bit misleading...

All the application-level performance data we have so far suggests kernels and database servers could be written in a memory safe language with only moderate runtime penalties(in the order of 20% or less).

Even before Unix became popular, there were successful lines of Algol mainframes, which used at least partial memory safety inside the kernel (ICL, Unisys, Moscow). According to Sir Tony Hoare, this worked rather efficiently.

In the world of high security computing (government+mil) they already use memory safe languages.

Did it ever occur to you that the rules and structure of a language limits its runtime efficiency ?

For example, Java needs 2x the RAM of an equivalent Sappeur program. No compiler can change that fact, because this follows from the mark+sweep GC approach.

Compilers are not the same as unicorn horses.

Barking Up Wrong Tree

Even expert software engineers will create severe bugs then and now. The evidence in the CVE database is very clear. The cost and security threats from these bugs can no longer be ignored. Memory Safe languages are a very important safety/security approach along with firewalls, MMUs, sandboxing, strict input parsers and so on.

The latest novel C exploit reports are about medical devices running VxWorks. They had an exploitable bug in the TCP stack, which means the device could be commandeered by simply sending "bad" IP packets to the device.

Re: Job creation scheme...

I can assure you that when it matters, much more efficient approaches are used. For example, one major stock exchange uses C++ for the trading system. They employ expert developers and even Linux kernel experts.

No

Non-trivial multi-threaded C or C++ programs need plenty of Mutexes to protect shared memory. If you share a variable by accident without mutex protection, chances are you get heap cancer. Best of luck finding the root cause of this cancer.

The Rust and Sappeur compilers will force you to have proper Mutex protection.

Re: Very confused researchers

For systemic reasons, Java cannot use memory as efficient as C++, Rust or Sappeur. For example, you cannot allocate programmer-defined objects on the stack. Stack allocation is the most efficient allocation approach you can think of, because it is essentially just incrementing the stack pointer and calling the constructor. The memory most likely is already in the cache, which is also critical.

Your idea of "allocating once and forever in Java" can be done for hard-realtime systems (I guess it was done for the Barracuda drone), but it totally defeats the idea of using the Java Standard Library and many popular programming patterns.

Re: Thrashing about wildly looking for straws to clutch...

There are many use cases where energy consumption matters. Think of aerospace applications that have a tight space and cooling budget. Think of mini satellites with small solar panels. IoT sensors. In memory databases.

Just because energy is still cheap and your accounting code can be done in Python means little.

C and the Cyber War Domain

If we use your terms for one second, the engineers building the Linux, Windows and HPUX kernels were "f-wits".

In the next second we should realize that humans are not robots and we DO make mistakes then and now. Small mistakes should not mean an attacker can take over the process or the entire system(kernel exploit).

See this http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

Re: "Apparently Telcos don't care about power consumption"

Well, it could very well be that the age of insane energy consumption comes to an end. Apparently there are fuel shortages here and there, plus exploding cost for methane. Methane is what drives the electricity grid on cloudy days with little wind.

As soon as energy is not longer near-free, economics might force us to use more efficient approaches.

Cynical View

Could you be a little less cynical ?

Even though these benchmark games have their flaws, the general observations are correct:

1.) Compiled Languages are more energy-efficient

2.) mark+sweep GC creates at least 2x more RAM demand than refcounted objects. (it is actually easy to understand why - you cannot run GC all the time, so you must accumulate garbage)

3.) C and C++ are indeed highly efficient in runtime and RAM consumption

4.) Rust and similar languages such as Sappeur aim to provide similar time+space efficiencies as C and C++. They come close.

5.) Strong typing means efficiency. Dynamic typing comes at very serious cost.

(I do think the TypeScript benchmark is somehow using an inefficient algorithm)

Experience

I have used the Rust compiler for small projects and never found a bug. The error messages and terms are a steep learning curve, though.

The C and the C++ folks have tried to graft static checkers onto C and C++ programs in order to achieve the same goals as the Rust and Sapper type systems.

Wrong

Rust and Sappeur do provide wholly new capabilities to safely execute multithreaded code without risking nasty memory bugs. C, C++ and most other languages were never designed to robustly handle multithreaded heap access.

Sappeur uses a simple approach, details of which fit a page

http://sappeur.ddnss.de/manual.pdf

(Section 9.2)

Cyber Security & Memory Safety

AppArmor can only help you defend other sections of you system, but not the exploited process itself. For example, imagine a multi threaded web server written in C. An attacker will use a memory access bug to inject his malware. Then the attacker has access to all user sessions processed via this Linux process. He might even gain access to cryptographic keys, if you do not use an HSM.

See this presentation for details: http://sappeur.ddnss.de/Sappeur_Cyber_Security.pdf

Much Easier: Sappeur

If you know Java, C or C++, you might have a look at Sappeur. It reuses as many C++ concepts and terms as possible and generally adheres to the KISS principle.

http://sappeur.ddnss.de/

And yes, consumes only 50% RAM of an equivalent Java program. Starts in milliseconds.

Re: New fresh security holes

xxxx

Re: Rust Alternatives and Roots

1.) Indeed Sappeur is similar to TypeScript. But with enough effort, you could create a compiler that directly compiles Sappeur source into assembly code. For many reasons (both economic and engineering), this would not be wise at this point. For example, I could not create code for the Russian Elbrus CPU, as MCST keeps the instruction set secret (because Elbrus CPUs are part of sensitive government/military systems).

1.2) Some Eiffel compilers compile into C. That also works nicely.

1.3) Sappeur is definitely a language of its own. In grammar, syntax and semantics. It is *related* to C++, though.

1.4) ANY environment can be targeted from the Sappeur 3.4 compiler. From Atmel 16 bit Micrcontroller to 64 bit Mainframe processors. All you need is a halfway decent C++ compiler/code generator.

2.) The Sappeur 3.4 compiler is indeed closed source and requires a paid license of 300 Euro/developer for commercial use. It is free for non commercial use or evaluation.

2.2) SUN gave away Java for free, the entire world's corporations use it. They also gave away other great software such as StarOffice. Now they are bankrupt. Free by itself is not sustainable, check Mr Torvalds (see my other posts here) for details.

Re: Rust Alternatives and Roots

"and when things went wrong you got nice stack trace"

That is exactly what I mean when I say "memory safety". Java, Swift, Rust and Sappeur have much more robust and deterministic failure-detection mechanisms than C and C++.

Re: Moderation is an important (and thankless) job

Now, why does Linus Torvalds not need a formal moderator ?

What was the benefit of "moderating" Mr Galileo ?

Most people will be shamed into "normality" if they say truly horrible things.

CoCs definitely smack of censorship. Powerful actors want to control speech and thoughts, as they did then. We should submit ?

Re: Ten Tribes

"Mr Galileo was not adhering to our Code of Conduct. We had to remove him from our team."

Re: Rust Alternatives and Roots

Sappeur programs can be almost as tiny as efficient C programs are. They can also start in a few milliseconds, do their work and be done in another few milliseconds. Like the C based Unix userland tools. Unlike most Java VMs.

That is because a Sappeur program is in fact a C++ program with little overhead for refcounting, stack overflow and array index checks. Multithreaded programs have some Mutex checking effort. All the system libraries are thin wrappers around the POSIX or Windows APIs.

The resulting memory safe C++ code is compiled using g++ or any other moderately modern C++ compiler such as xlCr (or whatever the name is on AIX), SUN CC, VC++, Elbrus tcc,... All tested with success, not just theory.

Follow Money etc

https://en.wikipedia.org/wiki/Linux_Foundation#Corporate_members

Linus earns about 700k/year from these corporations, which is O.K. with me. He is a businessman-engineer who operates in a kind of cooperative setup. Like the Raiffeisen-thing in Germany or coop banks in other countries.

Just don't assume he has no overlords. Linus is an employee of all those megacorps who have pooled their efforts in the OS sector.

http://techrights.org/2020/08/16/the-linux-racket/

Re: Rust language community

Harsh words, why ?

Re: Rust Alternatives and Roots

Java is memory safe, even (kind-of) with multithreading. C++ is not.

C++ is very efficient and semi-realtime capable even with using heap memory.

Java is not semi-realtime-capable if you allocate dynamic memory during usual processing steps.

C++ has RAII, Java has not. RAII is the most efficient way of acquiring and releasing expensive resources such as database connections, sockets and file handles.

C++ has synchronous destructors, Java has not.

Sappeur aims to merge the good things of both.

Sappeur is arguably superior to Java in ensuring multithreading synchronization of shared data access.

Java is superior in its ability to collect cycles of garbage objects, over (traditional) C++ and Sappeur. The latter two can only reclaim memory if cycles are broken by explicit code.

Torvalds Checks+Balances

Mr Torvalds certainly must answer to the corporations (such as Google, HP, IBM, Amazon) who are heavily invested in Linux.

These corporations would probably fork Linux in a whim, if they had unfixable trouble with him.

Also, FreeBSD, OpenBSD and quite a few more wait in the wings.

Commentards on ElReg.

We know about the problems of dictators with unlimited power, so there should be some amount of checks and balances. Mr Torvalds always seems to apologize for occasional aggressive speech, which means there is a balance of some sorts.

Maybe Rust needs a king controlled by some kind of parliament ?

Or maybe public naming&shaming would be enough to control the Rusty King ?

Re: If the Child/Beast is Just Teething is there Any Need to Be Griping?

Well Mars, maybe it is a matter of simply questioning some parts of the ruling ideology ? What might follow is to get rid of the unnecessary politics they have attached to themselves.

Re: Garbage Collection

"How do you reference-count an integer numeric constant? Please explain."

Of course the interesting thing is to share an object with an integer variable inside.

Example for a Sappeur class to collect the sum of all ages of a population from a set of population files.

Objective is to determine average age. All threads reading the population files will update an object of the following type:

<pre>

class AgeSum multithreaded

{

longlong ageSum;

longlong numberHeads;

methods:

void addHead(int age);

int averageAge();

};

void AgeSum::addHead(int age)

{

ageSum = ageSum + age;

numberHeads++;

}

int ageSum::averageAge()

{

return cast(int,ageSum/numberHeads);

}

</pre>

Objects of this class will have both a reference counter and the methods of the generated C++ code will be protected by pthread_mutexes. Both listed methods can be called from any number of threads at the same time safely.

As a final note, this is certainly not the most efficient way of doing this calculation (as it requires a lock/unlock pair for each head processed), but for educational purposes it is good enough.

Re: "Reference Counted"

You are right, gethostbyname() was "just" an exploit in glibc. Bad enough, because it enables process takeover and it is used in many exposed places such as web browsers, MTAs and many more types of programs. Attackers could place a virus inside a HTTP URL, for example. One click and browser is pwned.

Here is a list of Linux kernel bugs; see yourself how many could have been avoided by a memory safe programming language: https://www.cvedetails.com/vulnerability-list.php?vendor_id=33&product_id=47&version_id=0&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=7&cvssscoremax=7.99&year=0&cweid=0&order=1&trc=729&sha=27cc1be095dd1cc4189b3d337cc787289500c13e

Re: Orbital stuff at different speeds?

An elliptic orbit will even have position-/time-dependent velocity in the same object. You can have any number of different elliptic orbits, any number of circular orbits in different heights and any number of inclinations relative to the equator. And combinations of those. All of those usually have differing speed at the same time.

Re: Thuggism

Back in the world of grown-ups, we should better freeze both Ukraine and Taiwan into place.

Instead of all the childish talk and childish action, which could result in very nasty consequences.

They also have long-range, nuclear armed cruise missiles, which are nigh on impossible to intercept.

First ASAT Kill: USAF

https://theaviationgeekclub.com/f-15-satellite-killer-asm-135a-asat-missile/ height 555km.

So in other words, tears of crocodile.