[2022 javaone] inside java

For more see the table of contents

Julia Liuson – Microsoft

  • 2 million JVMs in prod across MS
  • LinkedIn uses Kafka
  • MS Bing uses JVMs for indexing
  • FedEx uses Java for its tracking dashboard, including a global delivery prediction platform. Lots of events: queues, predictions, etc.
  • Contribute patches to Open JDK

Mark Heckler – Microsoft

  • GitHub Codespaces – opens in VS Code in a cloud-based container. Open from where you would get the URL to clone. Can customize with plugins
  • Also Copilot, Advanced Security – application insights, load testing
  • Copilot can write comments from code, not just code from comments
  • Push protections – tells you if you commit credentials

Chad Arimura

  • In last 5 years: JDK 10-19, lots of new features
  • Helpful null pointers were winner of feature face off on twitter
  • Predictable rock solid releases
  • OpenJDK brains, release cycle heartbeat

Project Amber – Gavin Bierman

  • Improve developer productivity
  • var, switch expressions, text blocks, records, pattern matching, sealed classes
  • Records aren’t just about less typing. Expresses intent
  • Record pattern is a structural pattern. if (o instanceof Pair(Object a, Object b)) – tests structure of data
  • Record patterns are a good place for var
  • Nested record patterns Outer(Inner(var x), var y)
  • Compiler deals with nulls for you
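The record patterns from the slides, worked through as an added example (not code from the talk): Pair, Point, Outer and Inner are made-up records, and it assumes JDK 19 with --enable-preview (JEP 405; these patterns became final in Java 21).

```java
// Added example (not from the talk): record patterns, nested patterns and var,
// previewed in Java 19 (JEP 405); compile and run with --enable-preview on JDK 19.
// The Pair, Point, Outer and Inner records are made up here to mirror the slides.
public class RecordPatterns {
    record Pair(Object a, Object b) {}
    record Point(int x, int y) {}
    record Inner(int x) {}
    record Outer(Inner inner, String y) {}

    // A record pattern tests the structure of the data and binds the
    // components in one step: no casts, no accessor calls
    static String describe(Object o) {
        if (o instanceof Pair(Object a, Object b)) {
            return "pair of " + a + " and " + b;
        }
        return "not a pair";
    }

    // Nested record pattern with var: the compiler infers x as int and y as
    // String from the record declarations, so var fits naturally here
    static String flatten(Object o) {
        if (o instanceof Outer(Inner(var x), var y)) {
            return "x=" + x + ", y=" + y;
        }
        return "no match";
    }

    // Nested patterns compose: match a Pair whose first component is a Point
    static int firstX(Object o) {
        if (o instanceof Pair(Point(var x, var y), var rest)) {
            return x;
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println(describe(new Pair("left", 42)));
        System.out.println(flatten(new Outer(new Inner(7), "seven")));
        System.out.println(firstX(new Pair(new Point(3, 4), "tail")));
        // The compiler deals with null: a record pattern never matches null,
        // so both of these are plain "no match" results, not a NullPointerException
        System.out.println(describe(null));
        System.out.println(flatten(new Outer(null, "no inner")));
    }
}
```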

ZGC – Michael Vidstedt

  • Scalable up to terabytes
  • Low latency – less than one millisecond pauses
  • Auto-tuning; simpler config
  • Prod ready since Java 15
  • Does more work concurrently with running app
  • Tiny pause for internal state change in benchmark
  • For real app on Oracle cloud, very significant decrease
  • Weak generational hypothesis – most objects are short lived. Better performance optimizing for this

Platform Security – Sean Mullan

  • Includes APIs and implementations for secure apps
  • Stronger security algorithms
  • Java flight recorder and Java mission control
  • Can see X509 certs in cacerts
  • X509 validation – can drill down and see details
  • Events added to Java 12 and backported. Adding more events in Java 20

Project Loom – Ron Pressler and Tomas Langer

  • Virtual threads
  • JEP 425 preview in Java 19 – virtual threads
  • JEP 428 incubator in Java 19 – structured concurrency
  • Blocking is now cheap and encouraged
  • Every sequential task gets its own thread. Never pool virtual threads

Loom and ZGC – Denys Makogon

  • Remote video from Ukraine
  • Did experiment with Formula 1 racing

My take

The Microsoft keynote was a lot more about MS than yesterday’s SonarQube keynote was about Sonar. Not inherently good or bad, but an interesting difference. Julia introduced Mark as "Mike Heckler", calling him "Mike" twice. There was a little snickering in the JUG Leader/Java Champions section up front. It was an innocent mistake but humorous. And I assume folks will be calling him Mike to tease him later. I didn’t know Copilot could write comments, that’s cool!

There was a tiny bit of repetition from yesterday’s keynote. Not a ton, but I didn’t blog on the duplicate slides. I love that Duke is driving a recycling truck rather than a garbage truck. The demos were great to see as well.

[2022 javaone] Blissful linear algebra with project panama

Speaker: Paul Sandoz

For more see the table of contents

There was a lot of code/data so linking to the deck

BLIS

  • Superset of Basic Linear Algebra Subprograms
  • C library
  • On github

Panama

  • FFM (Foreign Function and Memory) API and tooling
  • Preview in Java 19
  • Call native libraries/process native data without the brittleness/danger of JNI
  • MemorySegment – contiguous region of memory – replaces ByteBuffer without size limits and memory management constraints
  • SegmentAllocator – malloc like for producing segments
  • MemorySession – manages deallocation of segments
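The three FFM pieces listed above (Linker downcall, MemorySegment, MemorySession as the allocator and deallocator) in one added example that is not from the talk: it calls C strlen and assumes the Java 19 preview API run with --enable-preview (the names changed in later releases, e.g. MemorySession became Arena).

```java
import java.lang.foreign.*;
import java.lang.invoke.MethodHandle;

// Added example (not from the talk): calling C strlen through the Java 19
// preview FFM API. Assumes JDK 19 with --enable-preview; later JDKs renamed
// parts of this API (MemorySession -> Arena, lookup -> find).
public class StrlenDowncall {
    public static void main(String[] args) throws Throwable {
        Linker linker = Linker.nativeLinker();
        // Resolve the symbol from the C runtime the JVM already links against
        MemorySegment strlenAddr = linker.defaultLookup().lookup("strlen").orElseThrow();
        // size_t strlen(const char*): the native signature is declared explicitly,
        // so a mismatch is a Java-side error rather than memory corruption
        MethodHandle strlen = linker.downcallHandle(
                strlenAddr,
                FunctionDescriptor.of(ValueLayout.JAVA_LONG, ValueLayout.ADDRESS));

        // MemorySession owns the native memory: when the try block ends the
        // segment is freed, and any later access through it fails instead of
        // silently reading freed memory
        try (MemorySession session = MemorySession.openConfined()) {
            // The session is also a SegmentAllocator (malloc-like) for segments
            MemorySegment cString = session.allocateUtf8String("Hello, Panama");
            long len = (long) strlen.invokeExact((Addressable) cString);
            System.out.println("strlen = " + len);
        }
    }
}
```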

Example

  • C and Java versions have same structure
  • Can do some logic in Java and use lambdas

MSET

  • Multivariate state estimation technique
  • Machine learning
  • MSET2 – proprietary enhancement to MSET
  • Design matrix – matrix of sensors and observations

My take

While I don’t think I’d ever need to use this, it is cool to see. I don’t miss C!

[2022 javaone] deserialization exploits – why should i care?

Speaker: Brian Vermeer

For more see the table of contents

Star Trek

  • Everything in Star Trek could be real. Some of the tech has already been surpassed
  • Teleportation would be awesome
  • We already have it, but for data

Serialization

  • Turn object into data stream.
  • Send to another system or save on disk

Deserialization

  • Basic serialization is easy. Just implement Serializable
  • Deserialization skips the constructor and sets fields directly
  • No hash/checksum. Can change the bytes in a hex editor.
  • A man-in-the-middle attack can change the data
  • If there is an error reading, you get a ClassCastException

Libraries

  • Anything on the classpath could be in memory, such as library code that will run code for you
  • HashMap provides a custom implementation of readObject
  • ysoserial – gadgets for unsafe deserialization.
  • Examples of libraries with frequent issues: Jackson, Ehcache
  • Patching to the latest version helps fix known things

log4j

  • 17K packages affected
  • 800K attacks in first 72 hours
  • 57% have it as a transitive dependency
  • JNDI looks up and retrieves an object
  • If you own the LDAP server, it can return any object
  • Then the logger calls it
  • So passing in the JNDI lookup string can make the app do anything
  • Showed getting an interactive shell to the Docker container (which is root)

Records

  • Does call the constructor on deserialization
  • Opt in – need to implement Serializable
  • Still calls readObject

How to improve when writing custom serialization code

  • ValidatingObjectInputStream – call accept() with expected type before reading
  • ObjectInputFilter.Config.createFilter – allow specific type and deny everything else
  • Setting filter on streams overrides global one.
  • JEP-415 – ObjectInputFilter.Config.setSerialFilterFactory – lets you merge the global and local ones
  • See blog post
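An added example (not from the talk or its blog post) of the JDK-side half of this list: an allow-list built with ObjectInputFilter.Config.createFilter and set on the stream so it overrides the global filter. It assumes JDK 9 or later; the Message class and payloads are constructed here. ValidatingObjectInputStream from Commons IO is the library alternative and is not shown.

```java
import java.io.*;
import java.util.ArrayList;

// Added example (not from the talk): allow-list deserialization with
// ObjectInputFilter.Config.createFilter and a per-stream filter (JDK 9+).
public class FilteredDeserialization {
    // The only type this code path expects to receive (made up for the example)
    static class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        final int priority;
        Message(String text, int priority) { this.text = text; this.priority = priority; }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    static Object readFiltered(byte[] bytes) throws IOException, ClassNotFoundException {
        // Pattern language: maxdepth bounds object-graph nesting, the listed
        // classes are allowed, and the final "!*" rejects every other class
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter(
                "maxdepth=5;FilteredDeserialization$Message;java.lang.String;!*");
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            // A filter set on the stream takes precedence over the global filter;
            // it must be set before the first readObject
            ois.setObjectInputFilter(filter);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Message ok = (Message) readFiltered(serialize(new Message("hello", 1)));
        System.out.println("accepted: " + ok.text);

        // Same reader, an unexpected type: the class is rejected before any of
        // its deserialization code (readObject etc.) gets to run
        try {
            readFiltered(serialize(new ArrayList<>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```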

JSON and Jackson

  • ObjectMapper has default typing off unless you enable it
  • With it enabled, a malicious gadget can be injected
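The two Jackson configurations side by side, as an added example (not from the talk): the default mapper, where "@class" in the input selects nothing, and default typing enabled only behind an allow-list PolymorphicTypeValidator. It assumes jackson-databind 2.10 or later; Shape, Circle and the payloads are made up here.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example (not from the talk): Jackson default typing off (the default)
// beside default typing enabled only with an allow-list validator.
// Assumes jackson-databind 2.10+; Shape and Circle are made up for the example.
public class JacksonTyping {
    public interface Shape { }
    public static class Circle implements Shape { public double radius; }

    // Default mapper: "@class" in the input is just an unknown property and
    // never chooses a class to instantiate (with default settings it fails
    // as an unrecognized field)
    static Circle readWithDefaults(String json) throws Exception {
        return new ObjectMapper().readValue(json, Circle.class);
    }

    // Polymorphism needed? Enable default typing only with a validator that
    // names the allowed subtypes; any other "@class" is refused with
    // InvalidTypeIdException before the named class is instantiated
    static Shape readPolymorphic(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(JacksonTyping.class.getName() + "$")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper.readValue(json, Shape.class);
    }

    public static void main(String[] args) throws Exception {
        String ok = "{\"@class\":\"JacksonTyping$Circle\",\"radius\":2.0}";
        System.out.println("accepted: " + readPolymorphic(ok).getClass().getSimpleName());

        // Constructed payload naming a type outside the allow-list
        String bad = "{\"@class\":\"java.util.ArrayList\",\"radius\":2.0}";
        try {
            readPolymorphic(bad);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```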

YAML

  • Deserialization product, but can read
  • Can create variables (same problem as XML – billion laughs attack). Reference as *myVarName. Keeps expanding until you run out of heap

XML

  • DOCTYPE declarations can reference other files, pulled in as &var;
  • On by default in XML parsers
  • Need to explicitly turn it off
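For both the YAML and the XML bullets above, an added example (not from the talk) of explicitly turning the defaults off: the JDK DOM parser refuses any DOCTYPE and external entities, and SnakeYAML caps alias expansion and builds only plain maps, lists and scalars. It assumes the JDK's built-in parser and SnakeYAML 2.x; the sample documents are constructed here.

```java
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;

// Added example (not from the talk): parser settings the talk says you must
// turn off yourself. Assumes the JDK DOM parser and SnakeYAML 2.x.
public class HardenedParsers {
    static DocumentBuilder xmlParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DOCTYPE at all: no entity declarations, so nothing to expand
        // and no &var; that can pull in another file
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for deployments that must tolerate a DOCTYPE
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    static Yaml yamlParser() {
        LoaderOptions opts = new LoaderOptions();
        // Cap how often an anchor may be referenced so *alias expansion
        // (the billion laughs pattern) cannot exhaust the heap
        opts.setMaxAliasesForCollections(50);
        opts.setAllowRecursiveKeys(false);
        // SafeConstructor builds only maps, lists and scalars: no tag may
        // name an arbitrary class to instantiate
        return new Yaml(new SafeConstructor(opts));
    }

    public static void main(String[] args) throws Exception {
        // Constructed YAML: one anchor, two aliases, well under the cap
        Object cfg = yamlParser().load("base: &b {timeout: 30}\nprod: *b\ntest: *b\n");
        System.out.println("yaml ok: " + cfg);
        String tag = xmlParser().parse(new InputSource(new StringReader("<order id=\"1\"/>")))
                .getDocumentElement().getTagName();
        System.out.println("xml ok: " + tag);
        try {   // any DOCTYPE, even a harmless internal one, is refused outright
            xmlParser().parse(new InputSource(new StringReader(
                    "<!DOCTYPE x [<!ENTITY e \"x\">]><x>&e;</x>")));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```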

Lessons

  • Do not deserialize data from unknown sources
  • Prevent custom serialization
  • Use filters if still need to do so
  • Understand settings for JSON/XML/YAML
  • Check for insecure defaults
  • Update insecure libraries

Other notes

  • Gadget chain – string of side effects

My take

Good intro to serialization. Sad there is no try-with-resources in the initial write and read examples. The examples were great. Good mix of slides and demos. I’m surprised I’ve gotten this far without seeing a live log4j demo.