12.7: summary:
. this explores types of pointers
needed for adda's space-efficient style of oop,
and support of safe pointers .
Showing posts with label safe pointers. Show all posts
Showing posts with label safe pointers. Show all posts
2013-03-31
combined hardware-virtual isolation
addm/security/combined hardware-virtual isolation:
2.9: 3.31: intro:
. certain attributes of data are essential to security;
eg, by retagging arbitrary data so that it is
usable as a pointer to code,
we can treat malware data as instructions to follow .
. generally all data can be tagged
just as it is done by xml .
. there are 2 possible ways to enforce
process isolation and ROM attributes:
# HW (hardware) mem'mgt,
# VM (virtual machine) mem'mgt .
. hardware mem'mgt can enforce VM mem'mgt:
the VM's run-time exec never needs to change;
so, HW mem'mgt can see that code as const;
also, any file that the VM is trying to interpret
can be treated by the HW mem'mgt as
something that only the VM process can modify .
. finally, the VM has its own process space
and this should keep other processes
from corrupting its work space .
2.9: 3.31: intro:
. certain attributes of data are essential to security;
eg, by retagging arbitrary data so that it is
usable as a pointer to code,
we can treat malware data as instructions to follow .
. generally all data can be tagged
just as it is done by xml .
. there are 2 possible ways to enforce
process isolation and ROM attributes:
# HW (hardware) mem'mgt,
# VM (virtual machine) mem'mgt .
. hardware mem'mgt can enforce VM mem'mgt:
the VM's run-time exec never needs to change;
so, HW mem'mgt can see that code as const;
also, any file that the VM is trying to interpret
can be treated by the HW mem'mgt as
something that only the VM process can modify .
. finally, the VM has its own process space
and this should keep other processes
from corrupting its work space .
2013-03-09
managing self-modifying code
1.31: adda/managing self-modifying code:
(inspired by python unpickle vulnerability)
. the safe pickle is built by the system .
. it can be compared to the decompile,
how is it extensible? that is to ask
how are objects built in the first place?
(inspired by python unpickle vulnerability)
. the safe pickle is built by the system .
. it can be compared to the decompile,
how is it extensible? that is to ask
how are objects built in the first place?
2013-01-31
virtual C
1.11: adda/dstr/safe pointers/virtual C:
. adda's pointers can feature arithmetic exactly like c;
yet it can still remain safe because
the addresses are not absolute;
the pointers are actually actually just offsets .
. adda's pointers can feature arithmetic exactly like c;
yet it can still remain safe because
the addresses are not absolute;
the pointers are actually actually just offsets .
2012-10-06
safe pointer details consider concurrency
8.4: adda/dstr/safe pointers/
space-efficiently pointing to both static type info and obj:
. we need to point at the symbol table index
not the obj itself, because,
only the symbol table index has the type tag
in the case when the type is static .
. as for space-efficiently doing this
at first I was worried about the
huge length of full paths
(process#, act'rec#, symbol table index);
but, [8.3:
just like urls have versions,
{fullpath(absolute), filename(relative addressing)},
pointers too should be available as
both long and short versions:
the full path is
(process#, act'rec#, symbol table index)
but if you are in the same act'rec,
you'd use a shorter version of the pointer:]
. if you are in the same activation record,
then the pointer is a mere 16bits:
(we assume here that a pointer needs a 3bit type tag,
and that the max# of symbols is 2^13 .
[8.21: 3bits?
. locally we need no tag at all,
because we just assume everthing is local;
otherwise, if it's a general pointer,
it will have the general type.tag arrangement
which usually means a static supertype,
and a dynamic on-board subtype,
which in the case of pointer needs 2 bits
for these 4 cases:
( internet address,
, local to system
, local to process
, local to act'rec ) .]
8.26: processID irrelevant:
. do we need to track the processID?
. any obj' we'd want to point at
is located within some act'rec;
so, isn't the act'recID enough?
8.28: 8.26:
. the act'rec obj' could have a subtype.tag
so that the same act'rec supertype
could represent all sorts of objects
like subprograms, coprograms, type mgt obj's, etc .
10.6:
. the main place to for finding out
how the current act'rec is related to a process
is by asking the task mgt who is
using this act'rec ID as a node index
into a tree of processes and their act'recs .
8.28: processID irrelevant despite pointers:
. when using pointers, the process ID matters;
because, we can give a pointer for assignments?
but that's not the problem of our pointer:
it has only to locate a target,
and it's up to exec to do the right thing .
. any time an assignment takes place
the target must be either a global obj,
(these are essentially act'recs because
they're made thread-safe by msg-taking functions)
or the owner had to have ordered the assignment
(that means either the owner is suspended for a subroutine
or the target is locked for a promised assign by an async).
8.26: processID fundamental?:
. we'd like to keep pointer sizes small,
so if we could know that an act'rec would
stay local to a particular process,
then we could possibly divide the number of act'recs
by the number of processes .
. we could say that each process has its own heap;
and, just as each act'rec has few symbol nodes,
a process has few act'recs,
so this is another form of subheap
the process subheap vs an actrec subheap .
8.28:
. unfortunately, given the use of recursion,
the number of act'recs per process can still be
arbitrarily large, so this would do nothing for
the size of an act'rec ID .
. the situation where process is fundamental
would be in systems with unprotected vars;
because, then process is a unit of thread safety:
anything can access any var within the process,
and then the process has only one thread .
. what we could have instead,
is a system where encapsulation and locks
are the basis of thread-safe computing:
. anything accessing a var must instead
ask that var's type mgt to do the accessing,
and then the type mgt has only one thread .
. a var lock gives sole ownership of a var
to another thread .
. in that sort of system,
a process is nothing more than an act'rec
that is run concurrently vs sequentially .
space-efficiently pointing to both static type info and obj:
. we need to point at the symbol table index
not the obj itself, because,
only the symbol table index has the type tag
in the case when the type is static .
. as for space-efficiently doing this
at first I was worried about the
huge length of full paths
(process#, act'rec#, symbol table index);
but, [8.3:
just like urls have versions,
{fullpath(absolute), filename(relative addressing)},
pointers too should be available as
both long and short versions:
the full path is
(process#, act'rec#, symbol table index)
but if you are in the same act'rec,
you'd use a shorter version of the pointer:]
. if you are in the same activation record,
then the pointer is a mere 16bits:
(we assume here that a pointer needs a 3bit type tag,
and that the max# of symbols is 2^13 .
[8.21: 3bits?
. locally we need no tag at all,
because we just assume everthing is local;
otherwise, if it's a general pointer,
it will have the general type.tag arrangement
which usually means a static supertype,
and a dynamic on-board subtype,
which in the case of pointer needs 2 bits
for these 4 cases:
( internet address,
, local to system
, local to process
, local to act'rec ) .]
8.26: processID irrelevant:
. do we need to track the processID?
. any obj' we'd want to point at
is located within some act'rec;
so, isn't the act'recID enough?
8.28: 8.26:
. the act'rec obj' could have a subtype.tag
so that the same act'rec supertype
could represent all sorts of objects
like subprograms, coprograms, type mgt obj's, etc .
10.6:
. the main place to for finding out
how the current act'rec is related to a process
is by asking the task mgt who is
using this act'rec ID as a node index
into a tree of processes and their act'recs .
8.28: processID irrelevant despite pointers:
. when using pointers, the process ID matters;
because, we can give a pointer for assignments?
but that's not the problem of our pointer:
it has only to locate a target,
and it's up to exec to do the right thing .
. any time an assignment takes place
the target must be either a global obj,
(these are essentially act'recs because
they're made thread-safe by msg-taking functions)
or the owner had to have ordered the assignment
(that means either the owner is suspended for a subroutine
or the target is locked for a promised assign by an async).
8.26: processID fundamental?:
. we'd like to keep pointer sizes small,
so if we could know that an act'rec would
stay local to a particular process,
then we could possibly divide the number of act'recs
by the number of processes .
. we could say that each process has its own heap;
and, just as each act'rec has few symbol nodes,
a process has few act'recs,
so this is another form of subheap
the process subheap vs an actrec subheap .
8.28:
. unfortunately, given the use of recursion,
the number of act'recs per process can still be
arbitrarily large, so this would do nothing for
the size of an act'rec ID .
. the situation where process is fundamental
would be in systems with unprotected vars;
because, then process is a unit of thread safety:
anything can access any var within the process,
and then the process has only one thread .
. what we could have instead,
is a system where encapsulation and locks
are the basis of thread-safe computing:
. anything accessing a var must instead
ask that var's type mgt to do the accessing,
and then the type mgt has only one thread .
. a var lock gives sole ownership of a var
to another thread .
. in that sort of system,
a process is nothing more than an act'rec
that is run concurrently vs sequentially .
2012-08-31
parasail is big win for reliable concurrency
12.7.2: news.adda/co/ParaSail
(Parallel Spec and Impl Lang) is by Ada's Tucker Taft:
first siting of parasail:
11/09/11 Language Lessons: Where New
Parallel Developments Fit Into Your Toolkit
(Parallel Spec and Impl Lang) is by Ada's Tucker Taft:
first siting of parasail:
11/09/11 Language Lessons: Where New
Parallel Developments Fit Into Your Toolkit
By John Moore for Intelligence In Software
The rise of multicore processors and programmable GPUs
has sparked a wave of developments in
parallel programming languages.
Developers seeking to exploit multicore and manycore systems
-- potentially thousands of processors --
now have more options at their disposal.
Parallel languages making moves of late
include the SEJITS of University of California, Berkeley;
The Khronos Group’s OpenCL;
the recently open-sourced Cilk Plus;
and the newly created ParaSail language.
Developers may encounter these languages directly,
though the wider community will most likely find them
embedded within higher-level languages.
. ParaSail incorporates formal methods such as
preconditions and post-conditions,
which are enforced by the compiler.
In another nod to secure, safety-critical systems,
2011-04-30
unique pointers
4.21: news.adda/dstr/unique pointer:
. the idea behind the unique pointer
is that they can be safely moved between threads
and they never require locking;
--
[. I first saw this idea in ms`singularity;
the msg's are instantanious because
they involve moving
only a shared heap pointer
rather than a record between process heaps .
problems with maintenance:
. after a move for a unique pointer,
the source has to be set to null?
--
I thought a simpler idea would be
a handle to a record (pointer, owner ID );
and then, in order to use the pointer,
you had to set the owner ID to
the process you were passing it to .
. anyone using it would first have to check for
whether they actually owned it at the moment .
once they were done with it
they would hand it to the system (ID=0)
or they could communicate it to a co.process .]
making concurrent programming safer:
. he proposes to do this by
extending the type system.
. two major challenges in multithreaded programming
are identified as:
Avoiding races -- approachable,
Preventing deadlocks -- pie in the sky.
. his main reference is:
Object Types against Races (pdf):
. Cormac Flanagan and Mart ́ Abadi .
. the idea behind the unique pointer
is that they can be safely moved between threads
and they never require locking;
--
[. I first saw this idea in ms`singularity;
the msg's are instantanious because
they involve moving
only a shared heap pointer
rather than a record between process heaps .
problems with maintenance:
. after a move for a unique pointer,
the source has to be set to null?
--
I thought a simpler idea would be
a handle to a record (pointer, owner ID );
and then, in order to use the pointer,
you had to set the owner ID to
the process you were passing it to .
. anyone using it would first have to check for
whether they actually owned it at the moment .
once they were done with it
they would hand it to the system (ID=0)
or they could communicate it to a co.process .]
making concurrent programming safer:
. he proposes to do this by
extending the type system.
. two major challenges in multithreaded programming
are identified as:
Avoiding races -- approachable,
Preventing deadlocks -- pie in the sky.
. his main reference is:
Object Types against Races (pdf):
. Cormac Flanagan and Mart ́ Abadi .
This paper investigates an approach for
statically preventing race conditions in an oop language.
The setting of this work is a variant of
Gordon and Hankin’s concurrent object calculus.
We enrich that calculus with a form of
dependent object types
that enables us to verify that threads
invoke and update methods only after
acquiring appropriate locks.
We establish that well-typed programs
do not have race conditions.
2011-03-31
dsm means full code generation
3.7: news.adda/domain-specific modeling and full code generation:
. when you hear about thousand-fold
increases in productivity from applying
industrial-age engineering techniques
it is from the use of domain-specific modeling
being the facilitator of full code generation .
. it's like the idea of a module-connection language
extended to generate code for
not just the connections but the entire app .
. it's like domain-specific support libraries
extended to include control structures
-- and anything else you need in order to
keep your hands out of source code [3.31:
(in contrast to Literate Programming,
which eases the transition between dsm and
the chosen manual code generation) .]
ieeexplore.ieee.org`Computer 2002/(pdf)
Model-integrated computing (MIC):
finding the fundamentals like math does
but in an elegant unified local-friendly language . ]
-- . the article was seen here first: softwaretechnews.thedacs.com,
and authored by metacase.com
todo:
how completely can adda merge with this?
get more .edu data about what this is .
. weed out dsl's:
Domain-Specific Languages: An Annotated Bibliography
. the key to productivity is full code generation;
that leaves you with what the modeling lang' should be;
well, starting from scratch then,
being dom'specific helps;
but you can go quite far with a general-purpose lang'
that offers user-defined control structures .
. when you hear about thousand-fold
increases in productivity from applying
industrial-age engineering techniques
it is from the use of domain-specific modeling
being the facilitator of full code generation .
. it's like the idea of a module-connection language
extended to generate code for
not just the connections but the entire app .
. it's like domain-specific support libraries
extended to include control structures
-- and anything else you need in order to
keep your hands out of source code [3.31:
(in contrast to Literate Programming,
which eases the transition between dsm and
the chosen manual code generation) .]
ieeexplore.ieee.org`Computer 2002/(pdf)
Model-integrated computing (MIC):
--[ . this is a reminder that adda is supposed to be. To be useful, a reusable framework for
creating domain-specific design environments
must have a meta-metamodel lang
ie, generic enough to be applicable to
a wide range of domains.
meta-metamodeling:
as defined by math fundamentals of
logic, set, category, quantification, ...:
containment,module interconnection,
multiaspect modeling, inheritance,
textual-numerical attributes.
Metamodeling:
. eg, the metamodel of a fsa is a subclass of graph:
the edges are state transitions
and nodes are states .
modeling:
the model of a fsa
would then be a particular graph .
The one predefined language in this scheme
— the metamodeling language— expresses metamodels:
domain modeling languages .
. and is itself expressed in by a meta-metamodeling lang;
The MIC framework consistently applies
a meta-level architecture:
a layer is always described in terms of
the next higher layer in the hierarchy.
finding the fundamentals like math does
but in an elegant unified local-friendly language . ]
-- . the article was seen here first: softwaretechnews.thedacs.com,
and authored by metacase.com
todo:
how completely can adda merge with this?
get more .edu data about what this is .
. weed out dsl's:
Domain-Specific Languages: An Annotated Bibliography
. the key to productivity is full code generation;
that leaves you with what the modeling lang' should be;
well, starting from scratch then,
being dom'specific helps;
but you can go quite far with a general-purpose lang'
that offers user-defined control structures .
2011-02-28
menucode
2.4: adda/dstr/menucode:
. menucode is a variation of the index-style pointer
. it's a finite enumeration that is then mapped to
pointers or indexes .
2.14:
. what pointers and indexes have in common is
being addresses of a memory implementation .
. this is in contrast to opcodes and menucodes
which are specifying what you want to address
rather than where its address is .
. menucode is a variation of the index-style pointer
. it's a finite enumeration that is then mapped to
pointers or indexes .
2.14:
. what pointers and indexes have in common is
being addresses of a memory implementation .
. this is in contrast to opcodes and menucodes
which are specifying what you want to address
rather than where its address is .
2010-03-31
mem'mgt's array range checking
3.26: adda/mem'mgt/array range checking:
one reason you would set limits on
for-loop var manipulation
is so you could check the array access just once
during the first entry instead of every re-loop ?
. I was worried about how to
efficiently do range checking
but my segmented memory idea is not efficient anyway!
. it's an array of 256 ptrs to
data arrays of some small size like 4k,
the bits are divided so that the high 8bits
will address the ptr,
then the lower bits will address into the data array .
. perhaps this is a bit too low level to commit to;
instead,
you program to a higher interface,
and then let a mem module of the translator
try out various strategies for mixing ideas about
segmented mem with other ideas like
copy to allow array growth .
. either way, the lang' I'm mapping to is c,
and that requires me to explain
just how I avoid alloc'block bounds errors .
. modular arithmetic does seem the way to go;
eg, if the platform allows
unsigned rollovers of only certain ranges,
then that range is the size my
alloc'd blocks need to be .
023:
. another cool way is to give every process a 16bit range
from which all its blocks come from,
and then that process can
completely scramble its own space
but at least there will be interprocess modularity .
Java requires range checking on. that must be a misunderstanding,
every array access
one reason you would set limits on
for-loop var manipulation
is so you could check the array access just once
during the first entry instead of every re-loop ?
. I was worried about how to
efficiently do range checking
but my segmented memory idea is not efficient anyway!
. it's an array of 256 ptrs to
data arrays of some small size like 4k,
the bits are divided so that the high 8bits
will address the ptr,
then the lower bits will address into the data array .
. perhaps this is a bit too low level to commit to;
instead,
you program to a higher interface,
and then let a mem module of the translator
try out various strategies for mixing ideas about
segmented mem with other ideas like
copy to allow array growth .
. either way, the lang' I'm mapping to is c,
and that requires me to explain
just how I avoid alloc'block bounds errors .
. modular arithmetic does seem the way to go;
eg, if the platform allows
unsigned rollovers of only certain ranges,
then that range is the size my
alloc'd blocks need to be .
023:
. another cool way is to give every process a 16bit range
from which all its blocks come from,
and then that process can
completely scramble its own space
but at least there will be interprocess modularity .
2009-12-16
safe pointers
7.6:
. pointers all include the id of the scope they are part of,
so that when asking a type-mgt to make an assignment to that pointer,
it can tell whether the scopes differ,
-- looking esp'ly for when a local
is being assigned to an external --
and, then things can be arranged to guard against dangling pointers .
. this needs to include the idea of monads
where each external has a local proxy,
and then it's the responsibility of the run-time system
-- not the type-mgt --
to worry about dangling pointers .
8.9: adda/pointer/types of addressing:
. pointers are addresses;
here is a catalog of addressing types or dimensions:
. persistent pointers can target the name, location, or contents:
{ url -- name of path and file
, filename -- any object or location having that name
, file obj -- the particular object regardless of changes in filename or location
}
. non-persistent addresses -- specific to a time or space domain:
( these are pointers that are indexes or offsets of a private [or local] heap,
ie, a heap used only by a particular
process, type, type.class, or object .
)
. pointer ownership:
clients can refer to obj's by pointers
and servers can use private pointers to structure their obj's .
Subscribe to:
Posts (Atom)
