Category Archives: System

Application Development, System, Under our observation

hiccup, web server load balancing solution  3rd May 2022

Leave a comment

Preface: Online banking cannot lack of load balancing solution today. However in terms of life cycle of operation system and software libaries , Java language development platform and on-demand custom fuctions. Does it bother the load balancing functions? The most challenging parts is the layer 7 load balancing. Perhaps you can do the healt check on appliation functions. However, it is difficult to garantee the non stop function on application side (availability).

Background: The load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. An additional function includes client non interrupt services using application & service availability (health-checks performance).

My focus: Online banking platform (Hong Kong)
Error 500: java.lang.RuntimeException: no EntityContext found in existing session
Date: Around 8:15 am 5/3/2022

Fundamentally, Web server load balancing function in correct way make no downtime. Therefore when you connected to web server had problem. The load balancing function will keep persistence (SSL Sticky) then redirect your connection to the web server which is available.
My experience operating in online banking system in today morning (3rd May, 2022) hints the technical information to me.
I encountered error my web services. (Reminded – it successful logged on and doing operations). However an error 500 display on my screen. Thereafter. even I close the browser, make new established connection to Banking system. It still redirect my new connection to e-banking1.hangseng.com. But in round robin setup architecture, I can connect to e-banking2.hangseng.com by chance.

Observation: Perhaps, load balancer capable web application health check function. But for online banking system, it do a health check on web server front page. On java server page. For example: The EntityContext interface contains the getEjbObject and getPrimaryKey methods that a bean can use to find out about the object it is associated with. The client communicates with the bean via the EJBObject. If one of the java service had error occur. May be the load balancer health check function not know what’s happening.

Whether there is concerns on vulnerable Java SE Embedded versions. So,  apply tight protection and causes this technical problem occurs. Or there is an software configuration problem in web application itself?

Science, System

Does SpaceX use C language? 23rd Sep, 2021

Leave a comment

Preface: SpaceX was founded in 2002 by Elon Musk with the goal of reducing space transportation costs to enable the colonization of Mars.

Background: Exploring Mars helps scientists understand major changes in climate that can fundamentally change the planet. It also allows us to look for biological features that might reveal whether there was abundant life on Mars in the past?

SpaceX engineers shared the programming languages they code in are: “C & C++ for flight software, HTML, JavaScript & CSS for displays
and python for testing,” adding that they “use HTML, JavaScript & CSS. We use Web Components heavily.”

Common programming weaknesses: Many memory manipulation functions in C and C++ do not perform bounds checking and can easily overwrite the allocated bounds of the buffers they operate upon.

  • Mistaken assumptions about the size
  • By design, forming a piece of data is the root cause of most buffer overflows.

Ref: In a classic buffer overflow exploit, the attacker sends data to a program, which it stores in an undersized stack buffer. The result is that information on the call stack is overwritten, including the function’s return pointer. The data sets the value of the return pointer so that when the function returns, it transfers control to malicious code contained in the attacker’s data.

Reality factor: There are many additional programming functions make the situation complex that a programmer cannot accurately predict its behavior.

My view point: Human beings want to explore the universe to meet their needs, and find a way to develop our living space free from the limitations of the earth. In fact, the speed of the rocket is the limit. If you think about it, it will take nine months to reach Mars. But we know that Mars is not suitable for human habitation. Why don’t we take time to improve the air pollution on the planet. In addition, if we can adjust the global greenhouse effect. Therefore, our new life is coming.

Science, System

Who makes supercomputers faster and faster (CPU, fibre interconnect, parallel processing or virtual machine)? 29th June, 2021.

1 Comment

Preface: In Japanese mythology, the Namazu (鯰) or Ōnamazu (大鯰) is a giant underground catfish who causes earthquakes. This giant not caused disaster, he is the fastest supercomputer in the world. His name is FUGAKU.

Background: Riken and Fujitsu started developing the system in 2014, working closely with ARM to design the A64FX processor. Each of these ships has 48 CPU cores based on the ARM architecture version 8.2A, making it the first such chip in the world. Furthermore, more than 94.2% of supercomputers are based on Linux. In addition, supercomputers can run Windows operating systems.

Do you think today’s supercomputers only rely on a few sets of multi-core processors and standalone operating systems?

When using two virtual machines, VMware found that the overall benchmark results using an 8 TB data set were almost as fast as native hardware, while when using 4 virtual machines, the virtualization method was actually 2% faster. If the system architecture is constructed by many virtual machines. In order to achieve parallel computing to improve efficiency. The supercomputer also apply similar concept.

Base on design goals. HPC workload manager focuses on running distributed memory jobs and supporting high throughput scenarios, and Kubernetes is mainly used to orchestrate containerized microservice applications. If the system architecture is constructed by many virtual machines. Realize parallel computing to improve efficiency. So when the above concepts are implemented on a supercomputer, the processing power will be improved.

The fastest supercomputer this month is FUGAKU. But who can guarantee that FUGAKU will always be number one?

System, Virus & Malware

intel new processor embedded anti malware feature – 15th june 2020

Leave a comment

Preface: Starting with Oracle 11g release 1 (11.1), there is a just-in-time (JIT) compiler for Oracle JVM environment. A JIT compiler for Oracle JVM enables much faster execution because, it manages the invalidation, recompilation, and storage of code without an external mechanism.

Background: A way to prevent attack code execution by stack and heap. It marking stack and heap as non-executable. However some apps need executable heap (For instance JIT compiler), so it does not defend against `Return Oriented Programming’ exploits.

What is ROP exploit technique: Returnoriented programming (ROP) is a computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable space protection and code signing.

New Intel processor implement new preventive architecture: New Tiger Lake processors provides two new key capabilities to help guard against control-flow hijacking malware: Shadow Stack (SS) and Indirect Branch Tracking (IBT). For more details, please see follow link – https://software.intel.com/sites/default/files/managed/4d/2a/control-flow-enforcement-technology-preview.pdf

System

2019 – The security protection of Docker, where are they?

Preface: Sysadmin may unintentionally expose a Docker registry service without enforcing proper access control, said Palo Alto Networks.

Background: Easy to deploy, one of the goal of container-based technology. Docker storing image in a managed collection, with standardized methods of identifying, committing, and pulling individual images. With this feature it is equivalent as a image Repositories. It makes Docker so useful is how easy it is to pull ready-to-use images from a Docker’s Central Registry. Meanwhile you can’t share your repository with other because it contains proprietary code or confidential information.

Technical details: Docker-Registry is a simple Python app. Your Registry can develop as a Private Registries. Besides, in some environments, sysadmin can setup the Registry SRV on port 443 and make it accessible on internet (Registry-dot-com). Such services are popular on AWS S3 or Azure.

Key areas of concern: Compromised Containers, mis-configuration & access control.

What we can do? Perhaps we can reference to NIST SP 800-190 application container security guide. URL display as below: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

System, Under our observation

How we focus design weakness?

Preface: Flaws that require root access are not considered security issues in existing policy. If we are not using cloud computing concept. It is acceptable. But we need cloud system!

Security focus: Turkish information security specialist found a design weakness in Windows kernel design. According to the vendor’s Bug Bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However our the whole IT world in the trend of cloud technology. It is hard to guarantee similar type of vulnerability will be impact the public cloud farm. Perhaps it might have possibility to do a re-engineering become as a Surveillance tool.

Defect details: An PoC tool proof that it can hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler. My intention is going to urge Microsoft should be consider this technical issue. Perhaps it may become a zero-day. So I do not display related url.Should you have interested of this topic, not difficult to do a search. You will find the details.

Reference:

The ntoskrnl.exe kernel service, which is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.

Fundamental design concept – related to this matter:

  1. RSPx is loaded in whenever an interrupt causes the CPU to change PL to x. The TSS in long mode also holds the Interrupt Stack Table, which is a table of 7 known good stack pointers that can be used for handling interrupts.
  2. BKPT #0x3 ; Breakpoint with immediate value set to 0x3 (debugger can ; extract the immediate value by locating it using the PC- (program counter))
  3. x86_64 also has a feature which is not available on i386, the ability to automatically switch to a new stack for designated events such as double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.

This topic is under our observation.

Application Development, System

He is a bird – Taiwan supercomputer (Nov 2018)

Preface: There are many reasons for wanting to combine the two parallel programming approaches of MPI and CUDA. A common reason is to enable solving problems with a data size too large to fit into the memory of a single GPU, or that would require an unreasonably long compute time on a single node. The message passing interface (MPI) architecture successful exchanging messages between multiple computers running a parallel program across distributed memory. Thereby single system can group together form a big power.

Synopsis:
The open source refers to any program whose source code is made available for public use. Open MPI is a Message Passing Interface library project combining technologies and resources from several other projects. Meanwhile it is a potential power driving the technology world in this century. It is hard to imagine that Xeon processor type computer machine will go to supercomputers world. With assist of QuantaGrid D52G-4U GPU. The dream come true now. Tesla V100 can deliver up to 896 tensor Tflops to training deep learning model with 8 NVIDIA Tesla V100 (dual-width 10.5″). Taiwania 2 supercomputer take the role to handle big data , AI and scientific research functions.

Ref: https://www.taiwannews.com.tw/en/news/3575187

Application Development, System

Supercomputer – You focus the speed of CPU, but my design goal is efficiency (Nov 2018)

Preface:

The art of driving a car in a race comes from the ability to maximize the performance of the car. Everything you do on a track takes skill when you are reaching the limits of performance. This concept also suitable on computer design.

Japan supercomputer rating:

Fujitsu ranks supercomputers seventh in the world.

Cores: 391,680

Memory: 417,792 GB

Processor: Xeon Gold 6148 20C 2.4GHz

Historical background:

The traditional supercomputer architecture contains HIGH SPEED VECTOR PROCESSORS, crossbar switch, LPARs architecture. Since CPU speed is most important element on calculation. Meanwhile LPARs design can let system allocate the function feature and requirements.
Remark: Logical partitions (LPARs) are, in practice, equivalent to separate mainframes.

Synopsis:

But the military, scientific and public safety requirements of the world in today more demanding. The traditional Supercomputer LPARs design still have space for improvement. And therefore Linux high performance cluster and docker infrastructure become a key components. It boostup the system efficiency. Even though Fujitsu ranks supercomputers seventh in the world. But it maximum the efficiency.

System

Supercomputer – Who’s running fastest in the world? Nov 2018

Preface:

When executing a process by switching it between various CPU cores is that, when switching a process to a new CPU core, the “L1” cache of the new core has to be updated and the previous core’s “L1” cache might requires to be deleted etc. Whereby in a somewhat unnecessary cache activity that ultimately downgrade the performance. But the traditional mainframe vector processor and crossbar switch did not have above technical limitation.

What technologies have changed the world? The success of the PCR clusters was followed by the purchase of the Multiprogrammatic Capability Resource (MCR) cluster in July, 2002 from Linux NetworX. The PCR cluster debuted as the Top 500 Supercomputers list in November, 2002.

Who’s running fastest in the world?

1. Summit – IBM Power System AC922, IBM POWER9 22C 3.07GHz, NVIDIA Volta GV100, Dual-rail Mellanox EDR Infiniband , IBM DOE/SC/Oak Ridge National Laboratory
United States
Cores – 2,397,824, Rmax (TFlop/s)143,500.0
….

3. Sunway TaihuLight – Sunway MPP, Sunway SW26010 260C 1.45GHz, Sunway , NRCPC National Supercomputing Center in Wuxi China
Cores – 10,649,600 Rmax (TFlop/s) 93,014.6

Who knows who is the winner tomorrow?

System

AWS S3 Misconfigurations how to Avoid?

Preface:
AWS cloud business keep running strong in the market. Amazon S3 or Amazon Simple Storage Service is a “simple storage service” offered by Amazon Web Services (AWS) that provides object storage through a web service interface.

Synopsis:
S3 buckets can be configured with public access. But S3 looks like a burden for AWS reputation. Since the access permission is similar do it yourself service type.
So, AWS customer must be confirm the access permission themselves in order to cope with their business function access permission policy.
However if customer apply the services with mistaken permission setup. It will be jeopardizing AWS company reputation as well.

Former records:
Alteryx S3 leak leaves 123m American households exposed1 – Dec 19, 2017
Open AWS S3 bucket exposes private info on thousands of Fedex customers2 – Feb 15, 2018
Sensitive medical records on AWS bucket found to be publicly accessible3 – Jan 22, 2018
Domain Name Registrar was exposed Online (31,000 GoDaddy servers) – Aug 2018

How to avoid?
Hints can find in the following document (Identifying Public Buckets Using Bucket Permissions Check).

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-bucket-permissions.html