Be aware of CVE-2014-6271

CVE-2014-6271, a security vulnerability regarding remote code execution through bash, was disclosed on 9/24/2014. This vulnerability may potentially cause many breaches, due to its low difficulty of being exploited, and the wide use of bash in many CGI and SSH environments. Please see the following links for the detail and the patch information.


P.S., GNU should really work hard on the software security…

Expanding your knowledge of sciences with fun

Every young kid has a dream of future. When I was a kid, I once hoped to become a scientist, which was not a computer scientist like what I am pursuing now, but a scientist that solves puzzles of the nature. From the starring sky to the mysterious atoms, all things were so fascinating to the younger version of me.

Apparently the later part of the story did not go as it was planned originally. I somehow realized that computers were more fascinating, and they could bring me a better career path, compared to becoming a scientists in nature sciences. In other words, I became realistic as most people around expected. However, those dreams had never gone. They were concealed deeply in my heart, and waiting for a fire to let them be shining again.

After years of search for the fire, I have read many scientific books, and watched various scientific TV shows. Here are the top two items that I would like to recommend to all of you who are¬†seeking for answers of the nature in a casual way ūüôā

A Short History of Nearly Everything“, a book written by Bill Bryson. Actually I do not remember when I first started reading this book, but I do know that I have read it for many many times. It does include nearly everything: from tiny things like atoms, to large things like the earth and other planets; from old mysteries¬†like the origin of life, to the nearer ones like the evolution of humans.¬†The use of¬†many history stories and metaphors can clearly¬†explain scientific facts and concepts in an easy-to-understand way.

Cosmos: A Spacetime Odyssey“, a TV show presented by Fox and National Geographic Channel.¬†You will be exploring the universe and the histories of many other things with Neil deGrasse Tyson, an American astrophysicist. This TV show is actually very similar to the Bill’s book in many aspects. They both refer to some history stories to explain why and how people finally found answers, such as the public-health concern on leaded gas. And they use similar metaphors, such as imagining an¬†atom as a church to demonstrate the sparse space between electrons and the centron. That is the correct way to explain complex concepts to the general public.


The Empire State Building


I’ve never been to the top of the Empire State Building, but passed by it several times. Every time the building reminded me of the Daleks, a fictional extraterrestrial race in Doctor Who. In the story, the Empire State Building was actually built under the supervision of the Daleks, who later used the building as sort of energy amplifier to evolve their race to be “more human”. Maybe later I should go into the building and learn its real history. ūüôā

The adorable side of Python

Personally I would¬†not consider¬†Python as my first preference to build a complex system. The most important reason is the lack of type checking, so it¬†likely causes some inter-component problems¬†not to manifest until the system is actually running. In addition, if you make some syntactic mistakes such as mistyping variable names, then good luck… You definitely¬†know how annoying it is to debug those problems.

On the other hand, if there is a system written in Python, and you need to do some deep analysis on it, you will probably appreciate those developers who decided to use Python in the first place.

Recently I have been doing some analysis for OpenStack, which is a very popular open-source cloud system, and yes, it is written in Python. So why does Python become so adorable when you analyze a complex system? My answer is Decorators.

Python Decorators really make tasks of instrumentation and interception way easier than in other programming languages. Now I can just insert a simple annotation to some target places in the OpenStack source code via sed, and do a lot of amazing stuff without changing the original source code too much. For instance, it is quite easy to extract communication flows among OpenStack components by decorating communication modules.

The idea of Decorators sourced from the aspect-oriented programming (AOP), and with the dynamism of Python, it becomes easier to implement. Traditionally, if you want to implement Decorators in C# or Java, you will be facing a quite heavy task – which involves writing a bunch of proxy classes, interfaces, and everything else you need to implement the classic factory pattern and the decorator pattern. These patterns are pretty elegant, but too heavy for most scenarios. In contrast, with the ability of meta-programming provided by Python, you can directly modify classes and functions at runtime, and do the magic behind those simple annotations without defining additional classes and interfaces.

There are multiple ways to implement Decorators in Python. Let’s use the following simple and classic example to show some typical implementations.

class Dummy(object):
    def __init__(self, name='World'):
        self.name = name
    def hello(self):
        print "Hello %s!" % self.name

There are two Decorators here: @class_dec for the class Dummy, and @func_dec for the function hello. Let’s start from implementing¬†@func_dec.

We can do @func_dec in either a class or a function, depending on personal favorites:

""" Implement @func_dec using a class. """
class func_dec(object):
    def __init__(self, fn):
        self.fn = fn
    def __call__(self, inst):
        # Do whatever you want before and after the real function call.
    def __get__(self, inst, insttype):
        def function(*args, **kwargs):
            self.fn(inst, *args, **kwargs)
        return function

Some people may prefer the above implementation simply because it looks more understandable in an object-oriented fashion. The decoration is mostly done by overriding __call__ and __get__. However, the complexity here is about the “self” object, which is actually referred to different objects in the contexts of Dummy and func_dec. That is why we need¬†__get__¬†to ensure the method hello¬†receives the correct object.

If you feel dizzy on the above implementation, just try understand the one below, which is purely functional, nice and simple.

""" Implement @func_dec using a function. """
def func_dec(fn):
    def function(self):
        """ Do whatever you want. """
    return function

To implement @class_func, a nice solution would be the one below:

""" Implement @class_dec using class inheritance. """
def class_dec(cls):
    class NewClass(cls):
        def hook(self):
            """ Do whatever you want. """
            self.name = "Lester"
        def hello(self):
            super(NewClass, self).hello()
    return NewClass

Looks interesting, right? Actually there could be more ways to implement Decorators. In future posts, I plan to demonstrate some solutions on instrumenting OpenStack.

Migrated to Microsoft Azure

Thanks to the data accident happened last night with my previous hosting provider, I finally decided to embrace Microsoft Azure as my new hosting provider. I thought the price of Azure Websites would be way more expensive than traditional hosting services, but it turned out that was not true, especially when you were looking for a reliable hosting service with a responsive management console. In fact, although there are so many items that Microsoft Azure can charge you (see http://azure.microsoft.com/en-us/pricing/overview/), hosting a website with Azure Websites is likely of the same price as traditional hosting services, as long as you are not misled by the “Unlimited Everything” claim made by those services – resources cost money, and if you do need “unlimited” storage, those hosting services will no doubt kill your website and throw you an email saying that you are consuming too many resources blah blah blah.

For those who are also interested in knowing/learning/using Azure, here is a keynote presented by Brad Calder on ASPLOS 2014: http://www.cs.utah.edu/asplos14/keynote1.html, talking about some interesting stuff inside Azure. Brad Calder is currently leading the development of Azure Storage at Microsoft.