The Cowboy

Wednesday, July 23, 2008

Interesting thing found at OSCON: Taint

I attended a session this morning called "PHP Taint Tool: It Ain't a Parser" by Luke Welling. Luke introduced a tool he's working on at OmniTI that is designed to assist in sniffing out where the potential for untrusted input is handled. From the session description:

... You want to see where untrusted input can propagate taint within the application. In complex logic that might mean chasing many possible execution paths. Using an automatic tool to try to follow these paths without running all possible input variations is called static analysis. ... The Taint tool allows the PHP engine to do as much as possible, then cuts in at the last stage to analyze the compiled opcodes and trace possible flow of execution.

The Taint tool presents opcodes in a readable way, making it clear what lines of source got compiled into specific opcodes. It also performs a static analysis on the code, following the opcodes to attempt to trace all possible code branches and mark lines that tainted data can be passed to.

Essentially, the tool uses the PHP engine itself to compile the PHP code to opcodes, then tracks where data flows and highlights the code that handles data that *could* be tainted, that is, input supplied by the user through POST or GET parameters. This gives a developer a list of the lines they should review closely to make sure they are not accidentally introducing security holes (such as cross-site scripting opportunities).
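To make the static-analysis part concrete, here is an added example of the idea, written for this post rather than taken from OmniTI's tool or from PHP's real opcode set. It walks a small, constructed program in a simplified opcode-like form, follows both sides of every branch instead of guessing which one runs, and reports the lines where user-supplied data can reach an `echo`. The opcode names, the sample program, and the `SOURCES` and `SINKS` sets are all assumptions made for the illustration.

```python
"""Toy static taint analysis over a simplified, PHP-opcode-like program.

Added illustration, not the OmniTI Taint tool: a forward "may be tainted"
dataflow that explores both sides of every branch and reports every sink
that untrusted input can reach on at least one path. Opcode names, the
sample program and the SOURCES/SINKS sets are constructed for this example.
"""
from collections import deque

# Constructed sample, modelled on PHP along the lines of:
#   1: $name = $_GET['name'];
#   2: $greeting = "Hello, ";
#   3: if ($_GET['safe']) {
#   4:     $name = htmlspecialchars($name);   // only on one branch
#   5: }
#   6: $out = $greeting . $name;
#   7: echo $out;                              // tainted via the else path
#   8: echo $greeting;                         // never tainted
# Each instruction is (source_line, opcode, *operands); jump targets are
# indexes (pc values) into this list.
PROGRAM = [
    (1, "FETCH_INPUT", "name", "_GET"),        # pc 0: untrusted source
    (2, "CONST", "greeting"),                  # pc 1: literal, never tainted
    (3, "FETCH_INPUT", "safe", "_GET"),        # pc 2
    (3, "JMPZ", "safe", 5),                    # pc 3: if !$safe goto pc 5
    (4, "ESCAPE", "name", "name"),             # pc 4: sanitizer clears taint
    (6, "CONCAT", "out", "greeting", "name"),  # pc 5: tainted if any operand is
    (7, "ECHO", "out"),                        # pc 6: sink
    (8, "ECHO", "greeting"),                   # pc 7: sink
    (8, "RETURN"),                             # pc 8
]

SOURCES = {"_GET", "_POST"}   # superglobals treated as untrusted input
SINKS = {"ECHO"}              # opcodes where tainted data is dangerous


def successors(pc, instr):
    """Control-flow edges out of pc. A conditional jump yields both
    targets: the analysis never tries to decide which way it goes."""
    op = instr[1]
    if op == "RETURN":
        return []
    if op == "JMP":
        return [instr[2]]
    if op == "JMPZ":
        return [pc + 1, instr[3]]
    return [pc + 1]


def transfer(instr, tainted):
    """Effect of one instruction on the set of tainted variable names."""
    op = instr[1]
    tainted = set(tainted)
    if op == "FETCH_INPUT":
        dst, src = instr[2], instr[3]
        if src in SOURCES:
            tainted.add(dst)
        else:
            tainted.discard(dst)
    elif op in ("CONST", "ESCAPE"):
        tainted.discard(instr[2])          # literal or sanitized value
    elif op == "ASSIGN":
        dst, src = instr[2], instr[3]
        if src in tainted:
            tainted.add(dst)
        else:
            tainted.discard(dst)
    elif op == "CONCAT":
        dst, operands = instr[2], instr[3:]
        if any(v in tainted for v in operands):
            tainted.add(dst)
        else:
            tainted.discard(dst)
    return frozenset(tainted)


def analyze(program):
    """Worklist fixed point. state_in[pc] is the union of tainted sets over
    every path that reaches pc (a may-analysis), so a sanitizer on one branch
    never hides a tainted flow on another. Returns sorted (line, variable)
    pairs for each sink that a tainted variable can reach."""
    state_in = {0: frozenset()}
    work = deque([0])
    while work:
        pc = work.popleft()
        out = transfer(program[pc], state_in[pc])
        for succ in successors(pc, program[pc]):
            merged = state_in.get(succ, frozenset()) | out
            if succ not in state_in or merged != state_in[succ]:
                state_in[succ] = merged
                work.append(succ)
    findings = set()
    for pc, instr in enumerate(program):
        if instr[1] in SINKS and pc in state_in and instr[2] in state_in[pc]:
            findings.add((instr[0], instr[2]))
    return sorted(findings)


if __name__ == "__main__":
    for line, var in analyze(PROGRAM):
        print(f"line {line}: ${var} may carry untrusted input into a sink")
```

Running the file reports a single line, 7, because `$name` is only escaped on the true branch of line 3 and the analysis merges both branches before the `echo`. Dropping the `JMPZ` so the escape always runs makes the finding disappear, which is exactly the "review these lines" list the Taint tool is meant to produce. A real tool needs PHP's full opcode set, function calls and more sinks (SQL, `include`, `eval`); the fixed-point loop and the sink check are the parts that stay the same.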

Now, it's not quite ready for prime time, but it's getting close, and the folks over at OmniTI intend to release it as open source when they are ready.  When this gets released, I'll be really excited, as it looks like it could be really good for hunting down security holes.

I also attended Rasmus Lerdorf's (the Yahoo PHP guy) tutorial on "PHP: Architecture, Scalability, and Security", which was really quite good too. He demonstrated a tool (the name of which I can't remember now...grrr) that they have at Yahoo: he points it at a web page, and it starts throwing a large library of strings that may uncover security problems, but it does it from the client side.  Unfortunately, he's not releasing it, not because he doesn't want to let folks find and fix their bugs, but because the release of such a tool could bring about Internet Armageddon--it would likely find exploitable problems in the vast majority of the Internet. 

Both approaches to finding application holes are useful, and it's clear from both talks that this is still a really large problem that developers need to address.

(I've had a problem with spam comments; I'll be addressing that soon, so if you see comments turned off you can drop me a email: garretts...at...microsoft...dot...com)


 

Hey, are you at OSCON?

This week I'm at OSCON in Portland, OR. I like what their site says about it:

"OSCON is the crossroads of all things open source, bringing together the best, brightest, and most interesting people to explore what's new, and to champion the cause of open principles and open source adoption across the computing industry."

It really is exactly that. It seems like I've met so many people here, and have had so many great conversations, it's like time slows right down, and the universe is conspiring to squeeze everything it can into just a few days.

I'm having a great time here, and with so much going on, I feel like a kid in a candy store. The biggest trouble I'm having is picking which sessions I want to attend, as there are just so many worthwhile ones.  However, given the work I'm currently doing with PHP, I think I'll stick pretty close to the PHP-related sessions for the most part.

The last couple of years, Microsoft has had a fair number of people here, and this year is no exception. I keep bumping into people I know... Hey, if you're reading this, and you see me, stop and say hello!

You can recognize me by my picture.

 

Monday, July 21, 2008

Blame it on your lying, cheating, cold dead-beating, two-timing, double-dealing mean mistreating, loving heart

Ever notice how folks who blog sporadically (uh, like me!) always apologize for not blogging for a while, and then re-affirm their dedication to blogging regularly? And often, accompanying their apology, is also a reason. I was going to "Blame it on the Rain" but the very thought of quoting Milli Vanilli makes me shudder.

So, instead, Patty gets to explain it for me.  Well, now that I think about it, it really doesn't explain anything. But I was listening to that song last night, and the lyrics stuck in my head.

..... Aaaaaanyway...

The worst part about not blogging for weeks on end is that I can't just ramble on as if you know what I've been up to for the last few weeks, but I'll try to catch ya up:

Over the last several weeks, I've been moving my focus from doing "Program Management" tasks to more "Software Developer" tasks. You see, during the last year, I've discovered that I'm a Developer. Deep down, that's what I do best. Focusing in that direction is already paying off, and I'm finding that I'm accomplishing far more than I had before.

So, rather than focus on simply facilitating, I've been actually compiling, debugging, coding... aaaahhh. It's so nice.

And the best part: all the work that I'm doing is dedicated to getting Apache and PHP working much better on the Windows platform. I may just possibly have the absolute best job at Microsoft.


(Don't forget the updated .sig...)

 

Thursday, April 10, 2008

A funny thing happened on the way to ApacheCon

Back in January, I invited the Apache Software Foundation to attend the Windows Server 2008 Application Compatibility Labs, here on our campus in Redmond.  In order to get as many developers as possible to attend, we even paid for flights and accommodations for some members.

The week that Apache was here was so valuable for both groups--the product groups got to see and understand what some of the issues were that some of the Apache projects have run into, and the Apache folks were able to get their hands on the developers who built the system.

Bill Rowe and I had hammered out some details before I actually sent the invitation out. Along with posting it on some of the Apache mailing lists, I also posted the invitation on my own blog so that others could see what we're up to. And, as was to be expected, there was a wide variety of comments posted--both positive, and ... less positive.

My favorite though, was:

"Microsoft should go to Apache developers and see if Windows Server 2008 works correctly with Apache, not the other way around."

In some ways, that would have been somewhat impractical--when the Apache folks visited us, they had the opportunity to meet with engineers and program managers from many different groups, in addition to getting access to the hardware in the lab and the expertise of the folks who run that.  For us to pick up the 20 or so people from the product groups that they actually met with, and drag them all out to all the locations where Apache developers are--which is pretty much everywhere--would not have been possible.

Still, I felt it would be more than valuable for me to go to ApacheCon, so that I had the opportunity to meet with Apache developers where they roam. When Bill was in Redmond, he invited me to the Apache Hackathon--the couple of days at the beginning of the conference when developers can hang out and code.  So, a snappy 10hr flight later, here I am at ApacheCon in Amsterdam.

The Apache Foundation is an interesting community--or rather a community of communities.  It's not just one project (the http server is what most people think of when they hear Apache), but literally dozens of top-level projects, and a whole bunch more in the 'incubator' (where baby projects are cultivated until it is clear that they will have ongoing support and development).  The hackathon is just a large room with tables where folks can come in, sit down, open their laptops and start coding. It's actually a lot quieter than I imagined it would be.  Naturally, the folks in each community tend to gravitate together and discuss their projects.

As I'm not really on any project, I've been bouncing around chatting up different groups, getting their perspective of their own little chunk of Apache.  Most of the people I've talked to aren't surprised at all that I'm here--which is definitely a change from conferences a year ago--and are excited to hear about our efforts.

Now, for the funny thing.  I booked my hotel a few weeks back, using the internal travel system here at Microsoft.  The hotel that the conference is at was booked, so I looked for one nearby.  Unfortunately, the tool doesn't let me search for hotels near another hotel, and I didn't know what else was close that I could search near (and my inability to read Dutch didn't help), so I used the tool to show me where the hotels were, switched to http://local.live.com to see how close each was, and if it was close, switched back to the other tool to check availability--and there was not much available. ... I guess I was distracted while I was doing it, and I ended up booking a hotel right next to the airport, which is in no way close to the conference. So I spent the night in that hotel, called the wonderful travel support folks, who found me a hotel where I needed to be, and moved there the next morning. Lesson learned: next time I travel to the Netherlands, I'm asking Hank to find me a hotel.

 

Monday, March 24, 2008

How a cowboy spends two days in Boston: Drupalcon 2008

Howdy y'all,

I was recently in Boston, and managed to spend a couple of days at Drupalcon, where Port25 was a silver level sponsor for the event.  The herd was over 800 attendees--all focused on Drupal.  Needless to say, I was duly impressed.

What's Drupal?

Drupal, written in PHP, is an open source content management platform. It's equipped with a powerful blend of features, and supports a variety of websites ranging from personal weblogs to large community-driven portals.  Drupal has been rapidly displacing a large number of other PHP based content management systems, and has an active community along with broad vendor support.

Over the last year or so, Microsoft has been working hard to improve PHP's support on Windows.  With the hard work from the SQL Server team, who recently published a new CTP of the native SQL Server PHP driver, the FastCGI work that the IIS team has done, and of course Zend, who we've been coordinating with--PHP is rapidly getting the support and attention it deserves.

So... Drupalcon?

Ah Yes. From the humble beginnings in 2004, where 10 people attended the first Drupalcon, it's grown into a massive bi-annual event (one in North America, and one in Europe) with over 800 attendees, plus sponsors. I was truly stunned at the sheer size of the event--I would have assumed a much larger affair.

Kieran Lal hosted a session early on Monday morning, in which he told how to get the most out of Drupalcon--and really, it was applicable to any conference, and I really enjoyed it. Between that session and the first keynote, I hung out, and got to know a bunch of folks. 

Who are the people in your neighborhood?

Drupalcon was really quite special--of all the conferences I've been to, Drupalcon was home to the most friendly folk I've ever seen.  Everybody was really fun to talk to, and they all were excited to hear about Microsoft's effort in making PHP run great on Windows.

I spent about 45 minutes talking to Larry Garfield about expanding support for databases in Drupal.  Larry has done a tremendous amount of work for Drupal 7 on database abstraction--it's going to be pretty cool, trust me.

I managed a few minutes of Kieran Lal's time, which was quite amazing, as he seemed to be doing a million things at once during the conference, and barely had a spare moment to catch his breath.  We talked about the future of Drupal, and how Microsoft could get involved, and I think we're both pretty excited about the future. 

Dries Buytaert gave his traditional "State of Drupal" presentation (video can be found here), which contained a couple real eye openers:

Drupal 6 had over 100,000 downloads in the first month of release, that's 2x over Drupal 5. Wow. That's pretty amazing.

Drupal 7 (and beyond) appears to have one of the most well thought out plans in place--I can't recall another open source project that has such a detailed road map.

Then, I came home...

Aside from the jet-lag and the shortness of the trip, I enjoyed the conference immensely.  We've been playing with Drupal in our lab over the last several months, and it's clear that the time has been well spent--Drupal is not only an emerging phenomenon, but the future looks even brighter.  I reckon you'll be seeing many more posts from me in the future about it.

 

Monday, March 3, 2008

The Apache Visit to the Microsoft Campus: Day Three

Day two moseyed late into the night...well for me anyway--cowboys wake with the sun.

Day three turned out to be a day full of surprises for me--most of the sessions were significantly more interesting than I would have guessed.

We started the day with a presentation by Bill McKinley on Windows Logo Certification (for which there is a great little quickie primer here). I highly recommend checking this out--the logo certification program provides some tools to assist with certification validation, and even if you have no interest in certification, running the tool will give you a rundown of potential issues that your customers will face.

After a break for more testing, Rob Mensching and Peter Marcu dropped by to give the team a thorough examination of WiX (the open source Windows Installer XML toolset). Again, very cool stuff. Admittedly, there seems to be a somewhat steep learning curve, but it integrates nicely into build scripts, and has all the flexibility you'd ever need.

After lunch, we did some testing, with a quick little jaunt to the Microsoft Company Store, where the attendees took advantage of Microsoft Employee pricing on some software and hardware.

We rounded out the day with a session on Windows Error Reporting -- you know when an app crashes, and you can send anonymous debug info to Microsoft? The information ends up in the WER system, where developers can register to get crash and hang information for their software and drivers. I knew that the information was collected, but previously, I had no idea how easy it is for app developers to get their hands on the data. I strongly recommend that you check it out.

While Wednesday was the last day for most of the attendees, a few stayed through Thursday, and I'll post a wrap-up on that tomorrow.

 

The Apache Visit to Microsoft Campus: Day Two

Day two turned out to be quite a busy day!

First thing in the morning, we started off testing some Apache applications on Windows Server 2008, both the 64-bit and 32-bit versions.  Right away, a few things were uncovered, primarily around UAC, data redirection (where Windows redirects writes to the file system and registry to safe locations for low-rights processes) and an odd issue with an event mutex that we're tracking down.

After getting a little testing done, we had a great in-depth presentation of IIS by Senior Program Manager Thomas Deml.  Like the Core Networking presentation the day before, it was really informative, and the Apache folks took the opportunity to really drill down into the architecture of IIS. Why would they? Like I mentioned before, a number of Apache Projects (like Tomcat) support IIS in one way or another, and could benefit from tighter integration with IIS.

After lunch, Peter-Michael Osera and Li Shao spent a couple of hours addressing some of the C++ and toolset questions the Apache team brought.  They really did an admirable job answering the questions that they could, and the ones that they didn't have answers to, they are following up via email over the next couple of days.

After that, some more time for testing rounded out the rest of the day.

For supper, Sam Ramji took the team out to Ruth's Chris Steakhouse for a fantastic meal, and we had a great evening talking about nearly everything under the sun.