• Checking the Roslyn Source Code

      PVS-Studio vs Roslyn

      Once in a while we go back to the projects that we have previously checked using PVS-Studio, which results in their descriptions in various articles. Two reasons make these comebacks exciting for us. Firstly, the opportunity to assess the progress of our analyzer. Secondly, monitoring the feedback of the project's authors to our article and the report of errors, which we usually provide them with. Of course, errors can be corrected without our participation. However, it is always nice when our efforts help to make a project better. Roslyn was no exception. The previous article about this project check dates back to December 23, 2015. It's quite a long time, in the view of the progress that our analyzer has made since that time. Since the C# core of the PVS-Studio analyzer is based on Roslyn, it gives us additional interest in this project. As a result, we're as keen as mustard about the code quality of this project. Now let's test it once again and find out some new and interesting issues (but let's hope that nothing significant) that PVS-Studio will be able to find.
      Read more →
    • Web application firewalls

      Web application firewall


      Web application firewalls (WAFs) are a type of intrusion detection and prevention system and might be either a hardware or software solution. It is specifically designed to inspect HTTP(s) and analyse the GET and POST requests using the appalling detection logic explained below. Web application firewall software is generally available as a web server plugin.

      WAF has become extremely popular and various companies offer a variety of solutions in different price categories, from small businesses to large corporations. Modern WAF is popular because it has a wide range of covered tasks, so web application developers can rely on it for various security issues, but with the assumption that this solution cannot guarantee absolute protection. A basic WAF workflow is shown below.



      Its main function is the detection and blocking of queries in which, according to WAF analysis, there are some anomalies, or an attacking vector is traced. Such an analysis should not make it difficult for legitimate users to interact with a web application, but, at the same time, it must accurately and timely detect any attempted attack. In order to implement this functionality, WAF developers usually use regular expressions, tokens, behavioural analysis, reputation analysis and machine learning, and, often, all these technologies are used together.



      In addition, WAF can also provide other functionality: protection from DDoS, blocking of IP-addresses of attackers, tracking of suspicious IP-addresses, adding an HTTP-only flag to the cookie, or adding the functionality of CSRF-tokens. Each WAF is individual and has a unique internal arrangement, but there are some typical methods used for analysis.
      Read more →
    • Disposable pattern (Disposable Design Principle) pt.2


        SafeHandle / CriticalHandle / SafeBuffer / derived types


        I feel I’m going to open the Pandora’s box for you. Let’s talk about special types: SafeHandle, CriticalHandle and their derived types.


        This is the last thing about the pattern of a type that gives access to an unmanaged resource. But first, let’s list everything we usually get from unmanaged world:


        The first and obvious thing is handles. This may be an meaningless word for a .NET developer, but it is a very important component of the operating system world. A handle is a 32- or 64-bit number by nature. It designates an opened session of interaction with an operating system. For example, when you open a file you get a handle from the WinApi function. Then you can work with it and do Seek, Read or Write operations. Or, you may open a socket for network access. Again an operating system will pass you a handle. In .NET handles are stored as IntPtr type;


        This chapter was translated from Russian jointly by author and by professional translators. You can help us with translation from Russian or English into any other language, primarily into Chinese or German.

        Also, if you want thank us, the best way you can do that is to give us a star on github or to fork repository github/sidristij/dotnetbook.
        Read more →
      • Memoization Forget-Me-Bomb


          Have you heard about memoization? It's a super simple thing, by the way,– just memoize which result you have got from a first function call, and use it instead of calling it the second time - don't call real stuff without reason, don't waste your time.


          Skipping some intensive operations is a very common optimization technique. Every time you might not do something — don’t do it. Try to use cache — memcache, file cache, local cache — any cache! A must-have for backend systems and a crucial part of any backend system of past and present.

          Got the idea? Forget it!
        • How to write the home address right?

            How Tax Service, OpenStreetMap, and InterSystems IRIS
            could help developers get clean addresses


            image
            Pieter Brueghel the Younger, Paying the Tax (The Tax Collector), 1640

            In my previous article, we just skimmed the surface of objects. Let's continue our reconnaissance. Today's topic is a tough one. It's not quite BIG DATA, but it's still the data not easy to work with: we're talking about fairly large amounts of data. It won't all fit into RAM at once, and some of it won't even fit on the drive (not due to lack of space, but because there's a lot of junk). The name of our subject is FIAS DB: the Federal Information Address System database — the databases of addresses in Russia. The archive is 5.5 GB. And it's a compressed XML file. After extraction, it will be a full 53 GB (set aside 110 GB for extraction). And when you start to parse and convert it, that 110 GB won't be enough. There won't be enough RAM either.
            Read more →
          • Physical unclonable functions: protection for electronics against illegal copying

            • Translation

            Source: The online counterfeit economy: consumer electronics, a report made by CSC in 2017

            Over the past 10 years, the number of fake goods in the world has doubled. This data has been published in the latest Year-End Intellectual Property Rights Review by the US Department of Homeland Security in 2016 (the most current year tracked). A lot of the counterfeiting comes from China (56%), Hong Kong (36%) and Singapore (2%). The manufacturers of original goods suffer serious losses, some of which occur on the electronics market.

            Many modern products contain electronic components: clothes, shoes, watches, jewellery, cars.
            Last year, direct losses from the illegal copying of consumer electronics and electronic components in the composition of other goods were about $0.5 trillion.

            How to solve this problem?
            Read more →
          • External Interrupts in the x86 system. Part 1. Interrupt controller evolution

            • Tutorial
            This article is about the interrupt delivery process from external devices in the x86 system. It tries to answer questions such as:

            • What is PIC and what is it for?
            • What is APIC and what is it for? What is the purpose of LAPIC and I/O APIC?
            • What are the differences between APIC, xAPIC, and x2APIC?
            • What is MSI? What are the differences between MSI and MSI-X?
            • What is the role of the $PIR, MPtable, and ACPI tables?

            If you want to know the answer for one of these questions, or if you simply want to know about interrupt controller evolution, please, welcome.
            Read more →
          • Exploiting signed bootloaders to circumvent UEFI Secure Boot

              Русская версия этой статьи.
              Modern PC motherboards' firmware follow UEFI specification since 2010. In 2013, a new technology called Secure Boot appeared, intended to prevent bootkits from being installed and run. Secure Boot prevents the execution of unsigned or untrusted program code (.efi programs and operating system boot loaders, additional hardware firmware like video card and network adapter OPROMs).
              Secure Boot can be disabled on any retail motherboard, but a mandatory requirement for changing its state is physical presence of the user at the computer. It is necessary to enter UEFI settings when the computer boots, and only then it's possible to change Secure Boot settings.

              Most motherboards include only Microsoft keys as trusted, which forces bootable software vendors to ask Microsoft to sign their bootloaders. This process include code audit procedure and justification for the need to sign their file with globally trusted key if they want the disk or USB flash to work in Secure Boot mode without adding their key on each computer manually.
              Linux distributions, hypervisors, antivirus boot disks, computer recovery software authors all have to sign their bootloaders in Microsoft.

              I wanted to make a bootable USB flash drive with various computer recovery software that would boot without disabling Secure Boot. Let's see how this can be achieved.
              Read more →
            • New feature in Git 3: closures

              • Translation

              Git is a popular version control system. In Git, an atomic change of one or several files is called a commit, and several consecutive commits are combined into a branch. Branches are used to implement new ideas (features).



              It happens that the idea is a dead end and the developer has turned the wrong way, so he needs to roll back to the original version. He should forget about the new branch, switch to the main dev or master branch and continue working. In this case, the "scion" will hang forever, as well as the desire to remove it. But how to remove the part of the history? This branch shows the efforts of the hard-working programmer, even if in vain. So it will be easier to report to the boss, because an unsuccessful result is also a result!


              I hasten to rejoice that Git developers are going to introduce a new command to close such "homeless" branches in the third version. The current version is 2.21.0.


              How to use this command, what benefits does it give and what do IT companies think? The article answers these and other questions.

              Read more →
            • Dependency Injection in Flutter

              • Tutorial

              We’re currently experimenting with Flutter while developing our side project for step challenges with colleagues. This side project should also be considered as a playground, where we can check if we can use Flutter in more serious projects. That’s why we want to use some approaches there that can look like an over-engineering for such a small project.


              So one of the first questions was what can we use for dependency injection. A quick search in the internet revealed 2 libraries with positive reviews: get_it and kiwi. As get_it turned out to be a Service Locator (and I’m not a fan of this pattern), I was going to play with kiwi, which looked more promising, but then I’ve found another one library: inject.dart. It is heavily inspired by Dagger library, and as we use the latest one in our other Android projects, I’ve decided to dig into it.

              Read more →
            • How to quickly prepare for a job interview with questions on algorithms and technologies

                Greetings to all readers of Habr! My name is Yuriy, I have been teaching high technologies, Oracle, Microsoft and others for more than 20 years, as well as creating, developing and supporting loaded information systems for various business customers. Today I would like to tell you about the current direction: interviews on data processing technologies. The Russian variant of this post you can find here.

                It doesn't really make sense for an employer to ask the applicant about traditional programming technologies. That is why I'm going to tell you how to prepare for an interview in only one narrow area related to information processing languages, namely, the processing of long integers(long arithmetic) and the identification of information properties of real world objects, which are described in long integers.
                Read more →
              • Windows Virtual Desktop now in public preview on Azure

                  We recently shared the public preview of the Windows Virtual Desktop service on Azure. Now customers can access the only service that delivers simplified management, multi-session Windows 10, optimizations for Office 365 ProPlus, and support for Windows Server Remote Desktop Services (RDS) desktops and apps. With Windows Virtual Desktop, you can deploy and scale your Windows desktops and apps on Azure in minutes, while enjoying built-in security and compliance.


                  Image of women on her desktop in the workplace

                  Read more →
                • PVS-Studio for Java hits the road. Next stop is Elasticsearch

                    Picture 1

                    The PVS-Studio team has been keeping the blog about the checks of open-source projects by the same-name static code analyzer for many years. To date, more than 300 projects have been checked, the base of errors contains more than 12000 cases. Initially the analyzer was implemented for checking C and C++ code, support of C# was added later. Therefore, from all checked projects the majority (> 80%) accounts for C and C++. Quite recently Java was added to the list of supported languages, which means that there is now a whole new open world for PVS-Studio, so it's time to complement the base with errors from Java projects.

                    The Java world is vast and varied, so one doesn't even know where to look first when choosing a project to test the new analyzer. Ultimately, the choice fell on the full-text search and analytical engine Elasticsearch. It is quite a successful project, and it's even especially pleasant to find errors in significant projects. So, what defects did PVS-Studio for Java manage to detect? Further talk will be right about the results of the check.
                    Read more →
                  • How the CSS markup fragment broke the C++ compiler

                      Picture 1

                      Static analysis methodology involves various technologies. One of them is preprocessing files right before analyzing them. Preprocessed files are created by the compiler that runs in a special working mode. Unfortunately, our long-standing experience of developing a static analyzer shows that this mode is not great for testing. In this note, I'll give the example of a fresh bug in the C++ compiler from Microsoft.
                      Read more →
                    • 6 Essential Python Libraries for Python Programming

                      • Tutorial
                      Python is a high-level, general-purpose programming language that has become one of the leading names in the programming community. It ranges in the ability from developing simplistic applications to carrying out complex, mathematical calculations with an equal level of ease.

                      Being one of the leading programming languages means that there is no scarcity of great frameworks and libraries available to toy with. A programming language library is simply a set of modules and functions that eases some specific operations using the programming language.

                      So, here are 6 essential Python libraries for Python programming that every Python developer or aspirant must know about:
                      Read more →