March 2011 Archives

Cloud computing is an evolution not a revolution

bridgwatera | No Comments
| More

OK so the cloud is a revolution right? This is the most revolutionary computing delivery model to ever hit the planet and some of the most recent developments are truly astounding. Rackspace has launched a UK cloud data centre to address European compliance issues, Salesforce.com is leading a successful charge on the market -- and the Amazon Elastic Beanstalk is the most creatively branded piece of technology since the 'Game and Watch' edition of Donkey Kong.

Well, not quite.

Service director at analyst house Quocirca Clive Longbottom points out that cloud computing is not necessarily a "new" technology per se. Essentially it is an evolution of the old application service provider (ASP) model, but this time with standardisation and an improved business model -- and this is what has made it work so well this time.

"Applications towards the end of the 1990s were still pretty proprietary, which had driven the rise of enterprise application integration (EAI), and this made the provision of services from within a hosted environment very much a one-to-one affair - just a hosted application, rather than a hosted service," says Longbottom.

"The applications were also caught in a licensing trap: the majority of applications required the user to own the licence, and so a mismatch was created where the hardware, the operating system and the application server were owned and run by the service provider, whereas the application licenses were owned by the user, but the application was managed by the service provider. The cost model just didn't stack up and over 90% of ASPs went to the wall when the .com and telecoms bubbles burst in early 2000."

So what has changed?

"Open source means that many cloud solutions aren't hobbled by licensing issues, and even commercial vendors are moving towards true service provider licenses, where the service provider owns the licenses and can decide how to charge these on. The majority have moved to either a straightforward subscription model, or plumped for a transaction-based one," added Longbottom.

You can read Clive Longbottom's full piece here entitled, "Cloud - something old, something new, something borrowed, something blue."

Donkey.jpg

How can web developers be "excellent"?

bridgwatera | No Comments
| More

On the one hand, there's that thing where technology vendors break down a subject and detail its component parts in eloquent and modular easy-to-digest fragments. On the other hand, there's what sometimes gets called the OLA: the Obligatory List Article.

The latter is the less creative almost verbatim information "dump", where a company has tried to take a set of PowerPoint bullet points and present it as a Top Ten or such like.

So with those heeding words in mind, software-based application traffic management
Zeus Technology has been plying its wares this month in the shape of advice for web developers who want to be (in their words) "excellent" in their work.

Web traffic.png

"Delivering an excellent online experience to customers and employees is absolutely crucial for today's web developer. But with users demanding more interactive and dynamic web services putting pressure on IT and developers, maintaining an always online and available service can be a challenge," says Zeus.

Among the top ten web development tips from Zeus, CWDN found the following extracted highlights:

One of the major drivers for repeat visitors is the allure of new and engaging content. Social networking sites, for example, are so popular because of regular content updates.

Tip: Ensure that automation and web traffic management solutions are in sync so that when content is updated, the website can cope with high levels of visitors responding to it.

A report from IMRG estimated that up to 18% of online purchases last Christmas were made from a mobile device. The introduction of tablets also means analysts are predicting a sharp increasing in online browsing and purchasing from mobile devices.

Tip: Developers need to look carefully at how they can adapt their sites to automatically identify, which devices customers are using to deliver optimised content appropriately. Mobile traffic should be treated in the same way as web traffic, with visitors managed and prioritised appropriately.

Security is a top concern for Internet shoppers. Ensuring online availability and fast speeds is critical but not exposing your site to misuse by criminals or denial of service attacks, and ensuring customers feel confident making payments, is just as important.

Tip: Web traffic management solutions not only maintain performance levels when a business experiences peaks in customer visits online. They also stop bots that slow usual web performance by disguising themselves as multiple visitors to a website.

Memory leaks, system tweaks & C++ operator heaps

bridgwatera | No Comments
| More

This is a guest post by Alex Guryeva, a test consultant with SQS Software Quality Systems.

 

Imagine that you are a company director and you're a bit of an entrepreneur. One week you get the call you've been waiting for and you receive the venture capital funding that you need to get your business moving. Unfortunately though, after the specified period of time, you are unable to return the money to the bank for one reason or another. In this case, we can define our 'leak' as the loss, experienced by the bank, of the resources that were allocated (i.e. the money).

 

In computing terms, a memory leak occurs when a computer program consumes memory resources but is unable to release that memory back to the operating system.

 

Memory leak bugs usually kill your system slowly and painfully. After a fresh boot, which is a part of the development or testing process, everything looks ok and the system appears to work fine -- and because of this it's hard to notice memory leaks during unit-tests or lab tests.  

 

Depending on the total amount of RAM and the extent of the memory leak, the system will continue to run and perform well for a certain amount of time (hours, days or even weeks) and during this time, the amount of free memory is steadily decreasing.

 

A memory leak is a common error when using languages that have no built-in automatic garbage collection such as C and C++ (you can think of garbage collection as kind of automated debt recovery system). To prevent memory leaks you need to be conscientious with your use of the "new" and "delete" C++ operators. The C++ operator "new" allocates heap memory. The "delete" operator frees heap memory. For every "new," you should use a "delete" so that you free the same memory that you allocated.

 

Example A: Delete it before reallocating

 

char *string;

string = new char[20]; // first allocation

string = new char[30]; // second allocation

delete [] string;

 

In this example we should have a delete [] statement right after the first allocation and then try to reallocate using a different size parameter. If we don't, the second allocation will assign a new address to the string pointer while the previous one will be lost. This makes it impossible to free the memory allocated for the first dynamic variable further on in the code, resulting in a memory leak.

 

Example B: Watch the pointer assignments

 

char* str1 = new char [30];

char* str2 = new char [40];


strcpy(str1, "Memory leak");


str2 = str1;     // Now the 40 bytes are impossible to free


delete [] str2; // This deletes the 30 bytes


delete [] str1; // Possible access violation

 

Every dynamic variable (allocated memory on the heap) needs to be associated with a pointer. When a dynamic variable becomes disassociated from its pointer(s), it becomes impossible to erase and this results in a memory leak.

 

Also, memory may leak despite the presence of a garbage collector. Garbage collection in the Java programming language simplifies memory management and eliminates most common memory problems. However, contrary to popular belief, garbage collection cannot take care of all memory problems. Difficult to detect Java memory leaks include leaks that result from design and implementation errors (for example, a reference to an object kept beyond its useful life). This kind of leak is also described as a logical memory leak.

 

Tips & Warnings:

 

     Make sure all memory allocations are coupled with memory free

     Cover all "if-else", "switch-case" and other conditional flows, including erroneous flows, to make sure that the coupling still remains

     Make sure that a pointer that holds an address to dynamically allocated memory is not erased or overrun by another value. If this happens, you will not be able to free the resource

     Consider using debugging tools for C/C++ to detect unreachable memory, for example IBM Rational Purify, BoundsChecker, Valgrind, Insure++

     Consider using memory-profiling tools such as OptimizeIt, JProbe, or JInsight

 

It's BlackBerry developer season, get ready to make crumble

bridgwatera | No Comments
| More

The BlackBerry Messenger (BBM) instant messaging app is something of an understated success story if you believe RIM's figures. The company claims to have an active user base of over 35 million and also states that over 1.5 million new users join the BBM community each month.

So what is RIM doing to foster further growth and engage with developers in this space?

bbm_logo.jpg

In an effort to ignite programmer interest and activity, the company recently opened up availability of the APIs to the BlackBerry Messenger (BBM) platform -- the concept being that applications such as social gaming, collaboration tools and 'networks within networks' can now have BBM functionality built into them. This means that the developer "could" benefit from exactly the same kind of viral growth as BBM itself has.

In practice, this proposition means that developers can use a variety of APIs to give their apps read access to BBM contact lists, user profiles and groups. It also means that while users are playing with their apps to chat, they can also share files such as pictures, voice notes, videos and music.

If I have a criticism to make here, it is that the BlackBerry developer zone is so user-focused that RIM hammers home the user messages before it gets on to the technology.

But once they get stuck into what developers can actually accomplish, there are a variety of functions to cover including the options to:


  • create custom areas within the user's profile for promoting recent application activity or storing trophies and achievements;

  • initiate application-to-application background communication through BBM for sending and receiving application instructions, such as moves in a game or any other application state changes;

  • initiate file transfers;

  • the ability to share applications virally with friends in a contact list.

According to the company's website, "While this current beta is for Java developers only, BlackBerry WebWorks developers will soon be able to get in on the action as well. In the next beta drop - slated for April 2011 - the BBM Social Platform is intended to include full support for the BlackBerry WebWorks platform, ensuring that BlackBerry WebWorks apps have access to all the same APIs and features that Java developers do."

Rise of the robots, AVG fights Android malware on tablets

bridgwatera | No Comments
| More

Having just installed Ubuntu on my netbook machine I have been impressed with some of the auto-security controls that I am finding in place inside this open source operating system.

Looking at open source as a whole, we're not really being hit with the mountain of anti-virus news that we find related to Windows devices are we? But today, as we know, Android is the fastest growing operating system in the world. So logically it is only to be expected that we'll start to hear about anti virus products being produced for this market.

Android tablet.jpg

AVG's ANTIVIRUSFree for Android is said to scan apps, settings, data and media files in real time for viruses and other malware. If the tablet gets lost or stolen, it can be remotely traced and wiped to protect privacy. The backup feature also protects contacts, call logs, bookmarks, messages and installed applications to an SD card. The 'app locker' can password protect any app on a tablet to prevent children using certain applications or data.

"A mobile device is more personal than your computer at home, as it goes next to your wallet and your house keys and contains relevant data, your contacts, your family photos and memories," said Omri Sigelman, VP marketing and products, AVG mobile solutions. "AVG Mobilation for Android tablet protects you from the threats that target precious data in mobile devices. It can even help you to locate your device on Google Maps and remotely wipe it if it should get stolen lost or stolen."

Does Windows Azure cloud have a chicken-and-egg problem?

bridgwatera | No Comments
| More

Adopting a somewhat negative approach to PR and media communications this week are comments from JNBridge CTO Wayne Citrin who has commented on the challenge of taking software products to the cloud.

Not central software services such as core apps, Platform-as-a-Service fundamentals, or even infrastructural cloud elements such as storage, database functions and networking connectors. Those we've all discussed to the nth degree right?

But what about components in the cloud - can we augment the cloud with components as a service?

cloud.jpg

Citrin lays out his argument thus, "If you ask most people how software vendors can move into the cloud, they will say that the vendor should take their traditional products, put them in the cloud and offer them as services. But what about other software vendors who create components that other developers incorporate in their own programs? In most cases, offering the component as a service doesn't make sense."

"The main challenge to running components in cloud-based programs has to do with essential issues like licensing and billing. Windows Azure has absolutely no provision for third-party licensing and billing. It's a chicken-and-egg problem. If Microsoft is serious about its software partners producing for Azure (and not just end-user customers creating custom applications), Microsoft will have to jump-start the market by offering its own billing mechanism," he added.

Citrin's argument rests on the suggestion that one would think that barriers to cloud entry wouldn't be there and cloud providers would do all they could to encourage software vendors to help settle this new frontier. JNBridge says that without a robust partner community for both Azure and Amazon Web Services, cloud adoption will be that much slower for everyone.

No surprise then that the company's vision for cloud interoperability is any object, on any platform, in any language anywhere, and at any time should be able to be accessed through the cloud.

Is the software supply chain just ALM by another name?

bridgwatera | No Comments
| More

Following on from my blog yesterday which described the many layers of the software application development ecosphere as a patchwork quilt of sorts - I'd like to clarify the theory with regard to a couple of issues.

If this many layered argument for software holds true - and the mixture of embedded, hosted, third party, outsourced and other software all make up a huge complex interwoven network... then how should refer to the process of gathering all this software if it comes in at different times from different sources?

It's called the Software Supply Chain, of course!

But hang on; managing and integrating a mixture of software sources across the length and breadth of a product cycle is just called Application Lifecycle Management isn't it?

Lifecycle.png

For a clarification, Computer Weekly Developer Network spoke to David Hurwitz, SVP of worldwide marketing at Serena Software.

"Software supply is different from ALM, because ALM should cover the business demand for software alongside how it is created," said Hurwitz. "Whereas software supply can cover internal or external development work that is then used to meet a need, ALM covers the initial business request for functionality, manages how the software to meet that need is developed, and then how this product is pushed out to the wider organisation. This is a much more orchestrated approach than the supply chain side."

.. and you know what? I think that's pretty accurate.

Knitting patterns for the software patchwork quilt

bridgwatera | No Comments
| More

I was speaking with software integrity specialist Coverity this week. So what is software integrity you ask? Well it's pretty much what it sounds like i.e. the process of examining the software stack from the top to the core to ensure that code, components & plug-ins are sitting as they should be - in the shape, form and function that they should be.

Top to bottom you say - how do you mean?

BOTTOM: Well I mean to describe the 'bottom' as the core kernel-level code that governs the infrastructural framework of the application stack and overall solution.

TOP: Pass through middleware and GUI layers and you're somewhere around the top of the application stack and you might just find web services bouncing around here too.

The problem is that all of these code blocks form a sort of patchwork quilt -- there is embedded software, there's hosted third party software, there's Agile development blocks for front end services, there's more slowly developed iterative blocks and there are additional elements to weave in between the patches (literally) at every layer.

Logically then, this is the picture that a software integrity company wants to paint to justify the existence of its product and insist that every patch must be the right size and shape.

patch.jpg

Coverity chief scientist and co-founder says that as we now move to a more mobile world, that strength of the materials and plans that we use build our patchwork quilts will be of the upmost importance.

"As with the Windows operating system before it, mobile OSs like Android and IOS are only as good as their underlying code." Chou notes that shared and reused code is a common source of security vulnerabilities - and most mobile devices are running oodles of it.

So don't build a software system without a plan, don't built a software system without some thought to integrity as a determining factor - and don't stitch a patchwork quilt without some high quality needle and thread.

Not unless you want to lie awake sleepless at night that is.

IBM Software portal goes "all social media and that"

bridgwatera | No Comments
| More

IBM has refreshed its software portal with a significant shake up in an attempt to rid itself of its image for being an old-style traditional IT company. Bringing in direct links to a blog, a community website, a Twitter feed, a LinkedIn networking group and the YouTube IBM Software channel -- the company's web designers have clearly been busy.

Not too busy though, as of this morning March 15 2011 the site is still advertising the Pulse 2011 "premier service management event", with the tantalising headline:
"Optimising the world's infrastructure. Join us in Las Vegas. February 27 - March 2."

Pulse.png

Still, it's not a bad effort. Companies such as Microsoft, Oracle and IBM have such vast swathes of information on their sites that it does become a struggle sometimes when you set off looking for something in particular.

A new direct "Software Product Finder" must be good news. The number of websites I review on a daily basis looking for product info or hidden "About Us" tabs is a rant you don't want me to set off on I promise.

There are also direct links to IBM developerWorks and pages for ISVs, so-called "software early" programs as well as software subscription and support and IBM systems software pages. All of which appear to somewhat apologetically list the tab (US) to denote their over-the-pond status.

There's also embedded video and a more dynamic feel throughout. Whatever next? Will IBM finally convince us that Notes is easy to use? Nah - don't push it right?

Adobe's incubation station for "adventurous" developers

bridgwatera | No Comments
| More

Love its products, or detest its very being for its pricing strategy and product version release strategy, Adobe is good at talking about its experimental edge. Perhaps most closely rivaled by IBM's alphaWorks, Adobe's Labs division has a good supporting website and the company ends its annual MAX developer conference with session called "sneak peeks" featuring some of this work.

Inside Labs right now you can find the Adobe AIR and Adobe Flash Player Incubator section. This is essentially an area where Adobe will preview emerging technologies within the Flash platform to what it calls "adventurous developers willing to experiment" with features that are in early development stages.

Flasgplayer.png

As well as a download option for the incubator (and its library of builds) itself, there is a bug and issue management section here -- and a chat/discussion forum too.

Adobe's caveat for all this interesting but potentially unstable technology is as follows, "The AIR and Flash Player Incubator builds are for developers that are interested in testing and providing early feedback on features that are under development or experimental. Incubator builds are early builds of Flash Player or AIR and may not be as stable as a final release."

It continues, "However, the current released features should still work as expected. AIR applications should be for developer testing only and Flash Player builds are not recommended for use in your default, daily-use browser. Features and functionalities in Incubator builds may or may not be supported in a future release of the runtimes."

Molehill 3D APIs and Cubic Bezier Curves will be the first two new features available in the first Incubator builds. Molehill 3D APIs for Flash Player and AIR is a new set of low-level, GPU-accelerated 3D APIs designed to enable advanced 3D experience -- and Cubic Bezier Curves is a drawing API for developers to create cubic Beziers without requiring custom ActionScript code.

Bezier curve.png

Google's Developer Competition For I/O Tickets

bridgwatera | No Comments
| More

The Google I/O developer conference appears to be one of the most popular and over-subscribed events on the software industry calendar. The suggestion has been made that this year's event sold out in less than an hour.

For those disheartened software application developers who just can't live without a trip to San Francisco this May to scrum down with the search Giant, there is still hope.

Google is running the 'Last Call for Google I/O' competition is a series of 10 developer challenges that will provide tickets to 100 winners.

Coders have just 20 hours to complete each challenge and coding will centre on Android, Chrome, App Engine, YouTube APIs, Google Maps, Developer Tools and Google Apps

GoogleIO.png

Google's vice-president of engineering Vic Gundotra has said, "Here's how it works. We will announce a new challenge on the contest site on select dates at either 9am or 4pm PDT, that will last for 24 hours each. There will be 10 days of challenges with 10 winners on each day."

The challenge spans the following developer products:

• March 16 - Android, 9:00 am
• March 17 - Chrome, 9:00 am
• March 18 - App Engine, 9:00 am
• March 21 - YouTube APIs, 9:00 am
• March 22 - Game Developers, 9:00 am
• March 23 - Google Maps / Geo, 4:00 pm
• March 24 - Commerce, 9:00 am
• March 25 - Developer Tools / GWT, 9:00 am
• March 28 - Accessibility, 4:00 pm
• March 29 - Google Apps / Enterprise, 4:00 pm

Android Apps get health check assessment

bridgwatera | No Comments
| More

Gosh hasn't Android been taking a bit of a bashing recently? Flaws in the kernel, unsubstantiated code usage, application defects and imperfections -- you name it, it's been somebody's beef recently.

But this should not be a surprise surely? With popularity comes exposure and with exposure comes public scrutiny -- and Android has been nothing but popular of late has it?

Would vendors take this reality and jump on the opportunity to provide a mobile application assessment program? Software analysis company Cast has used the AnDevCon developers' conference being held this week in San Francisco to announce plans for a mobile application assessment program that uses Cloud technology to validate a developer's ability to create structurally sound application software for mobile devices.

The first rollout of the program, due out in Q2 of this year, is expected to begin with developers of applications for the Android line of devices.

red cross.png

"From issues with Android OSs to third-party mobile applications, we've seen it all too frequently in practice - poorly constructed business and consumer applications wind up leading to significant issues with mobile devices and the business networks to which they're connected," said Lev Lesokhin, Cast vice president of worldwide marketing.

"Because so much of business today is conducted on mobile devices that access enterprise networks, an independent third-party assessment program is needed to ensure that applications being accessed via mobile are safe, structurally sound and efficient. The same holds true for consumer apps, such as games and ads."

The company says it plans to offer the program as a portal through which software developers will be able examine thousands of lines of code at a time within seconds without having to upload source code to the cloud. The portal will automatically analyse and measure the code and provide feedback on software size and health, based on industry norms, standards and best practices.

Adobe's Wallaby skips Flash onto iPad & iPhone

bridgwatera | No Comments
| More

Adobe's Labs department appears to have been truly 'experimental' recently. The division is going public this week with Wallaby, a prototype Flash-to-HTML5 conversion tool.

Adobe describes Wallaby as an AIR application built for both designers and developers who are focused on the need to convert Adobe Flash Professional (FLA) files into HTML5. Using a drag and drop process (i.e. no doubt aligned for the designer's need rather than the developer), the company wants to be able to expand the distribution of creative content across platforms, including iOS devices like the iPad and iPhone.

labs.png

According to the Adobe Labs website, Wallaby will convert the artwork and animation contained in Adobe Flash Professional files into HTML. "This allows you to reuse and extend the reach of your content to devices that do not support the Flash runtimes," it says.

Adobe first demoed Wallaby at its MAX developer and user event last October. The company is inviting developers to download the tool, try out the code it generates and provide feedback on how they are using it. Residing on its Labs area as it does, the technology will no doubt experience further refinements before it its wider release.

"With more than 3 million Flash developers in the creative community, Adobe continues to look for new ways to help them build on their existing skills and to make their content available to the widest possible audiences. User response to the Wallaby technology preview will enable Adobe to better understand what types of innovations are needed in our long-term investments in both Flash and HTML5 technology," says the company.

wallaby.jpg

Technology webinar best practice - discuss

bridgwatera | No Comments
| More

I'd just like to check on something - we've all logged in to a webinar before now right? WebEx is a clever piece of software and it does a great job (IMHO) of segmenting participants, hosts and moderators so that we can all speak, watch the inevitable PowerPoint deck and use in the in-webinar chat function.

So earlier this month I got to sit on the other side of the fence and play host in a live webinar meeting for the first time. The subject was software integrity and the presence and analysis of defects inside the Android kernel. I'll mention the company I did this with at the end of this blog to avoid a direct plug.

WebEx.png

Webinar revelation number #1 - people are shy
It's quite interesting to notice that even highly technical developers with knowledge that far outstrips my meager technical prowess don't like to speak up and ask questions. They typically do this because a) English is not their first language and they would prefer their question to be read out (and interpreted slightly if needed), b) they are shy, or c) the host has offered to read questions out if people don't want to speak up.

Webinar revelation number #2 - there's always more questions than time
Technology evangelists, COOs, co-founders and marketing men all like to speak about their products, it's what they do best after all. I would not necessarily advocate cutting a PowerPoint deck short if it is in full flow and is going to run over by five minutes -- just make sure you have booked additional time on your conference call in case you need it, plus people are always late dialing in.

Webinar revelation number #3 - Multi-media, multi-lingual, multi-skilled
In this multi-media world, it's all to easy to forget that we are living in a multi-lingual world with individuals who will be multi-skilled but at many different levels. So speak steadily (rather than slowly), speak clearly and speak succinctly without rambling.

The webinar I was involved with was related to Coverity, a company that describes itself as a specialist in static source code analysis using software quality products to find critical software defects in system architecture & source code. You can read more about the company on its website or here at this Computer Weekly story link.

Sybase 2011 enterprise mobility guide gets on the road

bridgwatera | No Comments
| More

With Sybase's TechWave user conference and exhibition now fully back on the cards, you can look forward to flying into Las Vegas on September the 11th this year if you're planning to attend. So if you have been following the company in recent years you'll know that it has aligned itself to the mobile industry in every which way but loose.

Attempting to provide some kind of 'compendium' of resources for IT professionals in the data mobility field, the company's new Enterprise Mobility Guide 2011 is a 130-page book featuring strategic advice, actionable tips and background on mobile device management and app development.

Sybase Guide.png

The guide covers platforms including as iOS, RIM and Android as well as technologies relating to increasingly popular mobile devices like smartphones and tablets.

Content contributors to the guide include Accenture, Google, Motorola, Orange, RIM, Samsung, Verizon, Yankee Group, Enterprise Mobility Forum, as well as Sybase and SAP.

The guide also includes more than 30 market surveys and forecasts from Gartner, Forrester Research, Yankee, Evans Data, Frost & Sullivan, CIO Strategy Forum, Computerworld and Kelton Research.

"With the groundswell of smartphone and tablet penetration crossing into the enterprise, consumer demand is driving IT to quickly implement mobility solutions across the entire enterprise," said Dr. Raj Nathan, executive vice president and chief marketing officer, Sybase. "Sybase is a longstanding player and pioneer in the enterprise mobility space with deep expertise and best practices developed alongside a strong partner and customer ecosystem. We recognise that this 'how-to' education from industry leaders is an important first step in helping customers meet market demand, serving as the impetus for creating the Enterprise Mobility Guide."

Stack overflow and the bursting holiday suitcase

bridgwatera | No Comments
| More

The following content is a provided by guest blogger to Computer Weekly Alex Guryeva, independent provider of software testing and quality management services at SQS (Software Quality Systems).

Imagine, returning from a long holiday with a suitcase overflowing with clothes, souvenirs and other essentials. Sometimes, there simply isn't enough room in your suitcase for everything! In programming, like your suitcase, the call stack contains a limited amount of memory (volume of the suitcase), which is determined at the start of program. In essence, before starting on a journey, you select a suitcase that you expect will comfortably hold all your belongings, even after some shopping.

When a program attempts to use more space than is available on the call stack, the stack is said to overflow, typically resulting in a program crash. Stack overflow is like a suitcase bursting open.

The most common causes of stack overflows are infinite recursion and very large stack variables. The examples below illustrate how the overflows are linked to the concept of the stack memory region.

Example A:
Encountering StackOverflowException in C# programming language and .NET Framework

The program text below defines a method that causes an infinite recursion at runtime.

The recursive method calls itself at the end of each invocation. Although an optimising compiler could turn this method into a tail recursive call, the current program does not achieve this. Therefore, each method call frame (activation record) is kept on the stack memory.

After nearly 80,000 invocations, the stack memory space is exhausted and the program terminates. Usually, the StackOverflowExeception is caused by an infinite or uncontrolled recursion.

((( Program that generates StackOverflowException (C#) )))

using System;

class Program
{
     static void Recursive(int value)
     {
          // Write call number and call this method again.
          // ... The stack will overflow eventually.
          Console.WriteLine(value);
          Recursive(++value);    

     }

     static void Main()
     {
          // Begin the infinite recursion.
          Recursive(0);
      }
}

((( Output - final numbers )))
...
79845
79846
79847
79848
79849
79850
79851

Process is terminated due to StackOverflowException.

The message "Process is terminated" is displayed at this point and no recovery is possible.

Example B:

Stack overflows are the most common form of buffer overflows. For example, stack overflows occur when variable size data is copied into fixed length buffers located on the program stack without any bounds checking. In other words, a stack overflow condition is a buffer overflow condition, where the buffer being overwritten is allocated on the stack (a local variable or, rarely, a parameter to a function could be used as a buffer).

When reviewing code for stack overflows, it is advisable to search for calls to insecure library functions like gets(), strcpy(), strcat() etc. which do not validate the length of source strings and blindly copy data into fixed size buffers.

void log_create(int severity, char *inpt) {

char b[1024];

if (severity == 1)
{
strcat(b,"Error occurred on");
strcat(b,":");
strcat(b,inpt);

FILE *fd = fopen ("logfile.log", "a");
fprintf(fd, "%s", b);
fclose(fd);

. . . . . .
}

From above, the line strcat(b,inpt) will result in a stack overflow if input exceeds 1024 bytes. Not only does this demonstrate an insecure usage of strcat, it also shows how important it is to examine the length of strings referenced by a character pointer that are passed as an argument to a function. In this case the length of string referenced by char *inpt.

Summary

The Stack Overflow reduces the effective stack size of a given program and its vulnerabilities often allow an attacker to directly take control of the instruction pointer and, therefore, alter the execution of the program and execute arbitrary code. Apart from manually reviewing code for stack overflows, static code analysis tools can be very helpful in identifying this kind of issue.

References:

1. Sam Allen: 'C# Stack Overflow (StackOverflowException)' http://dotnetperls.com/stack-overflow

2. Aleph One: "Smashing the Stack for Fun and Profit" - http://www.phrack.org/issues.html?issue=49&id=14#article

3. OWASP 'Testing for Stack Overflow' http://www.owasp.org/index.php/Testing_for_Stack_Overflow


Subscribe to blog feed

About this Archive

This page is an archive of entries from March 2011 listed from newest to oldest.

February 2011 is the previous archive.

April 2011 is the next archive.

Find recent content on the main index or look in the archives to find all content.