[2022 javaone] Blissful linear algebra with project panama

Speaker: Paul Sandoz

For more see the table of contents

There was a lot of code/data so linking to the deck

BLIS

  • Superset of Basic Linear Algebra Subprograms
  • C library
  • On github

Panama

  • FFM (Foreign Function and Memory) API and tooling
  • Preview in Java 19
  • Call native libraries/process native data without brittleness/danger of JNI
  • MemorySegment – contiguous region of memory – replaces ByteBuffer without size limits and memory management constraints
  • SegmentAllocator – malloc like for producing segments
  • MemorySession – manages deallocation of segments
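To make the MemorySegment/MemorySession bullets concrete, here is an added example (mine, not code from the talk or the BLIS deck) using the JDK 19 preview API: two native double vectors are allocated in a confined session, a BLIS-style dot product runs over them, and the two classic C memory bugs (out-of-bounds read, use after free) are caught as exceptions instead of corrupting memory. The vector length and values are constructed for the demo.

```java
import java.lang.foreign.MemoryLayout;
import java.lang.foreign.MemorySegment;
import java.lang.foreign.MemorySession;
import java.lang.foreign.ValueLayout;

// JDK 19 preview API: compile and run with --enable-preview --source 19
public final class SafeNativeVector {

    // Dot product over two native vectors, the way a BLIS-style routine would see them,
    // but with every access bounds-checked by MemorySegment.
    static double dot(MemorySegment x, MemorySegment y, long n) {
        double acc = 0.0;
        for (long i = 0; i < n; i++) {
            acc += x.getAtIndex(ValueLayout.JAVA_DOUBLE, i) * y.getAtIndex(ValueLayout.JAVA_DOUBLE, i);
        }
        return acc;
    }

    public static void main(String[] args) {
        long n = 4; // constructed vector length
        MemoryLayout vec = MemoryLayout.sequenceLayout(n, ValueLayout.JAVA_DOUBLE);
        MemorySegment leaked;
        // Confined session: only this thread may touch the segments; close() frees them.
        try (MemorySession session = MemorySession.openConfined()) {
            MemorySegment x = session.allocate(vec);
            MemorySegment y = session.allocate(vec);
            for (long i = 0; i < n; i++) {
                x.setAtIndex(ValueLayout.JAVA_DOUBLE, i, i + 1); // 1,2,3,4
                y.setAtIndex(ValueLayout.JAVA_DOUBLE, i, 2.0);
            }
            System.out.println("dot = " + dot(x, y, n)); // 20.0
            try {
                x.getAtIndex(ValueLayout.JAVA_DOUBLE, n); // one past the end
            } catch (IndexOutOfBoundsException e) {
                System.out.println("out-of-bounds read blocked: " + e.getMessage());
            }
            leaked = x; // keep a reference past the session's lifetime
        }
        // The segment outlived its session: a dangling pointer in C, a checked failure here.
        try {
            leaked.getAtIndex(ValueLayout.JAVA_DOUBLE, 0);
        } catch (IllegalStateException e) {
            System.out.println("use-after-free blocked: " + e.getMessage());
        }
    }
}
```

From JDK 20 onward MemorySession was replaced by Arena (Arena.ofConfined()), and the API left preview in JDK 22, so the names differ on newer JDKs while the bounds and lifetime checks are the same.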

Example

  • C and Java versions have same structure
  • Can do some logic in Java and use lambdas

MSET

  • Multivariate state estimation technique
  • Machine learning
  • MSET2 – proprietary enhancement to MSET
  • Design matrix – matrix of sensors and observations

My take

While I don’t think I’d ever need to use this, it is cool to see. I don’t miss C!

[2022 javaone] deserialization exploits – why should i care?

Speaker: Brian Vermeer

For more see the table of contents

Star Trek

  • Everything in Star Trek could be real. And some tech surpassed
  • Teleportation would be awesome
  • Already have, but for data

Serialization

  • Turn object into data stream.
  • Send to another system or save on disk

Deserialization

  • Basic serialization is easy. Just implement Serializable
  • On deserialization, skips constructor and sets fields directly
  • No hash/checksum. Can change in a hex editor.
  • Man in the middle attack can change data
  • If error reading, get a class cast exception

Libraries

  • Anything in classpath could be in memory. Such as library code that will run code for you
  • HashMap provides a custom implementation of readObject
  • ysoserial – gadgets for unsafe deserialization.
  • examples of libraries with frequent issues: jackson, ehcache
  • patching to latest helps fix known things

log4j

  • 17K packages affected
  • 800K attacks in first 72 hours
  • 57% have it as a transitive dependency
  • JNDI looks up and retrieves an object
  • If you own the LDAP server, it can return any object
  • Then the logger calls it
  • So passing in the JNDI lookup string can have the app do anything
  • Showed getting an interactive shell to docker container (which is root)

records

  • Does call constructor on serialization
  • Opt in – need to implement serializable
  • Still calls readObject

How to improve when writing custom serialization code

  • ValidatingObjectInputStream – call accept() with expected type before reading
  • ObjectInputFilter.Config.createFilter – allow specific type and deny everything else
  • Setting filter on streams overrides global one.
  • JEP 415 – ObjectInputFilter.Config.setSerialFilterFactory – lets you merge the global and local ones
  • See blog post
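An added example (my code, not from the talk or the linked blog post) of the ObjectInputFilter.Config.createFilter approach from the list above: a stream-level allow-list admits one expected record type and denies every other class, so a HashMap (with its custom readObject) is rejected before it is instantiated. The Reading record and the sample objects are constructed for the demo.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;

public final class FilteredDeserialization {

    // Constructed example type: the only class this stream is allowed to produce.
    public record Reading(String sensor, double value) implements Serializable {}

    // Allow-list in JEP 290 pattern syntax: named classes are ALLOWED, "!*" REJECTS every
    // other class, and maxdepth bounds object-graph nesting. First matching pattern wins.
    static final ObjectInputFilter READING_ONLY = ObjectInputFilter.Config.createFilter(
            "FilteredDeserialization$Reading;java.lang.String;!*;maxdepth=5");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // The stream-level filter set here takes precedence over the JVM-wide one configured via
    // -Djdk.serialFilter or ObjectInputFilter.Config.setSerialFilter(...).
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(READING_ONLY);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // The expected type passes the filter.
        Reading r = (Reading) deserialize(serialize(new Reading("temp", 21.5)));
        System.out.println("accepted: " + r);

        // Anything else is rejected before instantiation: readObject throws
        // InvalidClassException instead of running the class's readObject logic.
        try {
            deserialize(serialize(new HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```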

JSON and Jackson

  • ObjectMapper has default typing off unless you set it to enabled
  • With enabled can inject a malicious gadget

YAML

  • Deserialization product, but can read
  • Can create variables (same problem as XML – billion laughs attack). Reference as *myVarName. Keeps expanding until you run out of heap

XML

  • DOCTYPE declarations can reference other files, and the document references them as &var;
  • On by default on XML Parsers
  • Need to explicitly turn it off

Lessons

  • Do not deserialize data from unknown sources
  • Prevent custom serialization
  • Use filters if still need to do so
  • Understand settings for JSON/XML/YAML
  • Check for insecure defaults
  • Update insecure libraries

Other notes

  • Gadget chain – string of side effects

My take

Good intro to serialization. Sad there is no try with resources in the initial write and read examples. The examples were great. Good mix of slides and demos. I’m surprised I’ve gotten this far without seeing a live log4j demo.

[2022 javaone] fundamentals of diversity and inclusion for technologists

Speaker: Reza Rahman

For more see the table of contents

General

  • not a lot of social capital on this topic
  • Word cloud type slide with quotes about things people say to be dismissive. ex: "I didn't mean it that way", "Your English is pretty good", "You are overreacting", "Who are you to criticize us"
  • 67% of tech companies are made up of less than 5% Black employees (includes Nigerians, not just African Americans). Asians exceed population % in tech, but not in leadership
  • Women hold 25% of computing roles. 47% of workforce is women. More leadership jobs than tech jobs
  • People put blinders on/tune out the bad stuff

Why care

  • Diverse perspectives – solving global scale problems (unless niche), oximeter and skin color, underwriting stats
  • Broadening reach – want people to want to use your product, spectrum of life experiences
  • Untapped potential – most important when tight labor force, educate more people
  • Greater prosperity – avoid zero sum mindset
  • Ethical imperative – perception about divisiveness in US

Diversity

  • 80s mindset – African Americans and women
  • Encompasses range of identities and visible/invisible differences – race, ethnicity, faith, socioeconomics, etc
  • Helps disarm conversation away from "us vs them"

Inclusion

  • Intentionally creating an environment where diversity prospers and common good prevails
  • Fair, respectful, supportive and empowering
  • Diversity is a fact, inclusion is an act
  • How people feel at work
  • Respected, listened to, accepted, valued, included, welcomed, safe

Discrimination

  • Prejudicial treatment
  • Recognition this is wrong
  • Often intentional/consistent
  • Likely legally protected identities such as race/gender

Unconscious bias

  • Stereotypes/prejudices/preferences
  • Often unintentional
  • Advantage one set of people to the detriment of others
  • Hardly anyone lacks unconscious bias – need to recognize this (eg: negative association)

Anti defamation league – pyramid of hate

  • Acts of bias
  • Prejudice
  • Discrimination
  • Bias-motivated violence
  • Genocide

Equality

  • Theoretical construct
  • Being truly equal – particularly with regards to resources and opportunities
  • Doesn’t happen because of privileges (unearned advantages)

Equity

  • State of fairness
  • Intentional remedy impacts of inequality and injustice
  • Cartoon with slanted apple tree (inequality = one side falls, equality = same ladder so only one side reaches, equity = taller ladder, justice = fix tree so no longer slanted)

Covering

  • Deliberately downplaying part of identity to attempt to reduce effects of marginalization

Allyship

  • Informed, intentional and consistent practice to understand, empathize and support others with the objective of greater fairness, diversity and inclusion
  • Continuum – apathy, awareness, active advocate
  • Privately check on someone after a questionable interaction
  • Don’t assume someone wants help
  • And so much more – see deck

My take

While it was a small audience (13 people), I'm glad this talk happened. Techies are unlikely to go to a whole event on this topic so one session represented a good opportunity. Reza noted that for some parts, the self selecting audience didn't need to hear it. While this is true, you never know which part stews in your head and becomes useful later.