Tuesday, December 30, 2008

International Internet censorship

I've just read that the government of UK is contacting the government of US to create an international Internet censorship system. I was really happy when I read it first. I read the whole article after that and I wasn't happy at all.
They want to create a classification system for all the sites and make the ISPs to force the classification and remove 'improper' sites and pages.

I was happy because I think there should be a strong control over the pages kids can access. There should be strong control over pages that contain illegal content. But these should be categorized by an independent judge considering laws, not a group of people with morale influences.

Let's take the most recent case with Facebook.com. They don't allow images about moms breastfeeding their babies. It's OK from their point of view and they own the web application. On the other hand there is no law against such images and there are laws in many states of the US that moms can breast-feed babies in public places. It's their choice. Imagine that some group of people in an 'Internet Censorship Board' would take the same step.

I would be happy with a system that would build up as follows:

  • Sites should rate themselves (or by something like the Certificate Authorities)
  • Intentional misratings should be punished somehow (by the law, blacklisting or something like that if it's needed)
  • There should be applications built into the browsers or standalone versions that can filter content by these ratings

If you look at popular sites dealing with sexuality they usually mark themselves somehow. A standard is missing and I think it should be an open standard.

Thursday, December 25, 2008

Silverlight authentication

Illustration: security If you need to access server resources from Silverlight (e.g uploading statistics, reading data from database), the easiest solution is to invoke an XML Web Service. I've seen many examples of Silverlight authentication for Web Services. Many of them are illustrated and well-written. The main problem is the security: they create the illusion of security. So if you want to create a secure authentication method, you can use the following solution to achieve a good level of security.

Log in user (either using ASP.NET or using Silverlight through an XML  Web Service).

  1: public bool Authenticate(string Username, string Password)
  2: {
  3:     if (FormsAuthentication.Authenticate(Username, Password))
  4:     {
  5:         FormsAuthentication.SetAuthCookie(Username, false);
  6:         return true;
  7:     }
  8:     return false;
  9: }

Now you can check if the user is authenticated.

  1: if (HttpContext.Current.User.Identity.IsAuthenticated)  
  2: {  
  3:     DoWork();
  4:     return true;  
  5: }  
  6: else  
  7: {  
  8:     DoNothingUserNotAuthenticated();
  9:     return false;  
 10: }  

Now there are two main security threats:

  • Login is insecure
  • HttpContext function is insecure

Login is insecure

You have to implement login functionality securely to make you application secure. So use SSL to prevent eavesdropping  and tempering login data.

HttpContext is insecure

ASP.NET Forms authentication uses cookies to identify users (by default). You have to encrypt the authentication ticket using the server key and decrypt that whenever you read that. Don't persist the cookie if you don't have to.

Security

The solution above can be secure. You can log on to the site. A security ticket is created with the user credentials, encrypted and stored on the user's machine. This cookie is accessible whenever user have to prove his identity, so you can access it even in an XML Web Service or through HttpContext.

Direct authentication pattern (I think) is not a solution for Silverlight Web Services, because password goes as plain text to the service every time it is invoked, or severe performance degradation occurs.

Tuesday, December 16, 2008

Visual Studio 2010

.NET Logo Microsoft has announced Visual Studio 2010 (VS). The list of changes that sounds interesting to me:

  • The user interface will be implemented in Windows Presentation Foundation (WPF)
  • Managed addins will be supported
  • Multiple new windows
  • Built-in Test Driven Development (TDD) support
  • Built-in ASP.NET Model-View-Control (MVC) support
  • JQuery will be part of VS
  • Built-in Silverlight 2 support
  • Native Windows 7 support (means C++, MFC)
  • Multiple new UML-like diagrams (Team System (VSTS): use case, activity, sequence)
  • New Architecture Explorer (VSTS)
  • New Architecture Layer Diagram (VSTS)
  • Built-in support for Windows Azure cloud computing environment
  • Built-in support for Parallel development (Parallel Extensions, native, managed)

I can see two main possible problems with VS 2010. The first is WPF UI, the second are managed addons. Both means significant performance degradation. One of the main goals of Windows 7 is significantly improved performance. All the performance we can save on Windows 7 will be lost on WPF. VS 2008 is one of the fastest IDEs on the market, but it's becoming more and more slower. I doubt its performance will be as good as current VS 2008 performance.

On the other hand, I can hardly wait for built-in Silverlight 2, JQuery, Parallel Extension and MVC support. These will be great changes.

Link: Visual Studio 2010 Overview
Link: Visual Studio 2010 Product Overview (PDF)
Link: Visual Studio 2010 CTP Download

Saturday, December 13, 2008

Model checking with SAL

SAL stands for Symbolic Analysis Laboratory. A document from SRI International defines it the following way:

The Symbolic Analysis Laboratory (SAL) is a set of tools for the specification, exploration, and verification
of state-transition systems. SAL includes symbolic model-checking tools based on solvers and
decision procedures for linear arithmetic, uninterpreted functions, and propositional logic, among others.
This enables the analysis of a variety of infinite-state systems. In particular, SAL can be used to model
and verify timed systems, which combine real-valued and discrete state variables.

Firstly SAL defines a context. You can define data types and modules in that. Modules encapsulate variables and transitions. Transitions manipulate variables. 

The main goal is to define modules that implement the functionality of the model. When you have defined the model in SAL, you have to define theorems to prove them. It is usually implemented in Linear Temporal Logic (LTL).  There are four basic LTL expressions:

  • Fp - p will be valid in a future state
  • Gp - p globally valid
  • Xp - p will be valid in the next state
  • p U q - p will be valid in every single state until p becomes valid

Context

ContextName : CONTEXT =
BEGIN
  ...
END

The ContextName and the filename must be the same.

Module

ModuleName : module =
BEGIN
  variables
  initialization
  TRANSITION expressions
  ...
END;

You can execute modules synchronously by chaining them:

main : MODULE = 
        module1 || module2 || ... ||  moduleN;

Decisions in transitions can be defined easily with brackets:

TRANSITION
[
  condition1 -->
    expression1;
    expression2;
[]
  condition2 --> expression
[]
  ELSE -->
]

If condition is true, branch will be executed and transition processing stops. The final ELSE --> is needed to prevent deadlocks.

An example for a module (it's inside a context):

Phases : type = {p1, p2,p3};

Phase : MODULE =
BEGIN
  INPUT tick : BOOLEAN
  OUTPUT WorkPhase : Phases

  INITIALIZATION tick = false;
  INITIALIZATION WorkPhase = p1;

  TRANSITION
  [
    tick = true AND WorkPhase = p1 --> WorkPhase' = p2;
  []
    tick = true AND WorkPhase = p2 --> WorkPhase' = p3;
  []
    tick = true AND WorkPhase = p3 --> WorkPhase' = p1;
  []
    ELSE -->
  ]
END;

The VariableName' = NewValue is the value setting syntax.

The theorem can be expressed like this:

TheoremName : THEOREM ModuleName |- LTLExpressions

An example for theorem:
Gas : THEOREM main |- G(GasCount > 0 => F(GasPrice =2));

Friday, December 5, 2008

OpenGL solid cone without glut

The following function draws a solid sphere in OpenGL without glut.

  1: void solidCone(GLdouble base, GLdouble height, GLint slices, GLint stacks)
  2: {
  3:   glBegin(GL_LINE_LOOP);
  4:   GLUquadricObj* quadric = gluNewQuadric();
  5:   gluQuadricDrawStyle(quadric, GLU_FILL);
  6: 
  7:   gluCylinder(quadric, base, 0, height, slices, stacks);
  8: 
  9:   gluDeleteQuadric(quadric);
 10:   glEnd();
 11: }
It creates a line loop at line 3. It crates a quadratic object after that (line 4) and sets drawing mode to fill the gaps (line 4, 5).  It calls the gluCylinder() function (line 7). The base radius will be the cone radius. The top radius will be 0 to achieve a cone shape. Finally it deletes the quadratic object (line 9). The result is same as calling glutSolidCone() with the same arguments.

OpenGL solid sphere without glut

The following function draws a solid sphere in OpenGL without glut.

  1: void solidSphere(GLdouble radius, GLint slices, GLint stacks)
  2: {
  3:   glBegin(GL_LINE_LOOP);
  4:   GLUquadricObj* quadric = gluNewQuadric();
  5: 
  6:   gluQuadricDrawStyle(quadric, GLU_FILL);
  7:   gluSphere(quadric, radius, slices, stacks);
  8: 
  9:   gluDeleteQuadric(quadric);
 10:   glEnd();
 11: 
 12: }
It creates a line loop at line 3. It crates a quadratic object after that (line 4) and sets drawing mode to fill the gaps (line 4).  It draws a sphere using the previously created quadratic object passing the parameters to the function (line 7). Finally it deletes the quadratic object (line 9). The result is same as calling glutSolidSphere() with the same arguments.

Wednesday, December 3, 2008

FormsAuthenticationTicket UserData disappears

I'm building an ASP.NET site and I had to implement the authentication/authorization subsystem. This is a standard code that is recommended by MSDN and several tutorials on the Web:

  1: if (loginResult == LoginResult.Successful)
  2: {
  3:   if(Request.QueryString["ReturnUrl"] != null)
  4:   {
  5:     Security.CreateAuthCookie ( this, txtUserName.Text );
  6:     FormsAuthentication.RedirectFromLoginPage ( txtUserName.Text, chkRememberMe.Checked );
  7:   }
  8:   else
  9:   {
 10:     Security.CreateAuthCookie ( this, txtUserName.Text );
 11:   }
 12: }

If username and password is correct, user can log in. If there is a return URL (this means he tries to access secured content), we have to create an authentication cookie and redirect user to that URL.  Security class and LoginResult enumerations are own implementations.

The code above will not work correctly if you are using own FormsAuthenticationTicket. Internet Explorer seems to work fine, but Firefox keeps showing the Login page. It seems there is a bug in the Framework and the UserData property (where we store e.g. roles) of the ticket will be empty (sometimes). The solution for the problem is changing line 6:

Response.Redirect( FormsAuthentication.GetRedirectUrl( this.txtUserName.Text.Trim(), false ));

Article Building Secure ASP.NET Applications: Authentication, Authorization, and Secure Communication on MSDN is correct, use that for implementing own Forms authentication.