Posts Tagged ‘intel’

Show 17 – Intel AppUp Show At CES 2012

Posted by admin on February 11th, 2012

Bob Duffy & Gunjan Rawal host this extra-long episode of the AppUp show and cover some of the cool technologies, demos and announcements from Intel while at CES 2012. In this on location episode you will get a CES keynote wrap-up, overview of Ultrabooks, a sneak peak at the new Intel powered smartphone, reaction and insight from tech bloggers, and a demo of the Ultrabook optimized MixMan Spin Control app, now available on the Intel AppUp center. So enjoy this 25 minute AppUp slice of CES 2012 read more

Posted in Software Tools Tags: , , , , , , , , , , Comments Off
Read More »

Intel Tool Helps SW Developers Develop More Secure Applications

Posted by admin on February 11th, 2012

There has been a steady occurrence of security breaches at prestigious companies over the last weeks, months and years.  These breaches are becoming far too frequent and, as the folks at Amazon and Zappos know, expensive. A wide variety of ways exist for addressing these kinds of security challenges and Intel offers technologies to assist in the battle.  For probably the most sane and scalable way of addressing security issues, at least for enterprise applications, I would recommend that you jump over to Blake Dournaee’s (Intel) blogs  “Using a Service Gateway to Protect against the OWASP Top 10 ” and ” How about a Security Layer?” .  The idea of a Security Layer on a Service Gateway is truly the most comprehensive way to tackle these kinds security issues.  Never-the-less, some enterprise shops may be unwilling to re-architect their legacy systems using the security layer approach and some developers are targeting client applications.  What tools and techniques can these developers use to mitigate security bugs?  For those developers I offer the following:  I had a chat with Julian Horn, who is Intel’s architect on the compiler team for the Static Security Analysis (SSA) tool.  SSA comes as part of the Intel compiler (C/C++/Fortran) and is available for Linux* and Windows*.  SSA identifies various coding errors such as memory and resource leaks, pointer and array errors, incorrect use of OpenMP* directives, and incorrect use of Cilk Plus language features.  SSA also identifies security errors such as buffer overflows and boundary violations, use of uninitialized variables and objects, incorrect usage of pointers and dynamically allocated memory, dangerous use of unchecked input, arithmetic overflow and divide by zero, and misuse of string, memory, and formatting library routines. I was curious what kind of security flaws that SSA could find. Specifically, I wanted to know if it could help developers to mitigate any of the most dangerous software errors as identified by the Common Weakness Enumeration (CWE) community sponsored by Mitre. After an email exchange with Julian, and pouring over the descriptions of the top twenty-five security bugs as reported by CWE, I determined that the Intel SSA could help to mitigate at least two of the top five errors listed.  Coming in at error number two is “OS Command Injection”, and at number three was “Classic Buffer Overflow”. How can SSA mitigate these errors? Identification and Mitigation of CWE Top Error #2 (OS Command Injection) OS Command Injection is an error type that really should be checked on both server and client side applications.  The essence of this error, or potential attack, is that, sometimes, your application is a bridge linking an outsider to the internals of your operating system. If your application simply passes un-trusted inputs to be fed into a command string that you pass to a system call, then your application can inadvertently wreak all kinds of havoc on the system. The recommended mitigation step is to validate all inputs to your application . A simple minded BAD example, in “C”, might be issuing a system call to delete a file that a user types in.           // user inputs a filename to be deleted           scanf (“%s”, str);                        // buffer overflow           sprintf (cmd, “del %s”, str);   // another buffer overflow           system(cmd);                             // OS command injection, due to not validating the input What happens if the user types into the input *.* rather than a normal filename?  Since the input has not been validated and was passed right to the OS , then clearly deletions unintended by the developer would occur.  Analyzing your code for un-validated input is known as taint analysis – tainted input means un-validated input .  CWE recommends doing a taint analysis to identify where in your code you are not validating input, and then take steps to remove the taint. Intel’s Static Security Analysis tool uses a taint analysis algorithm to detect whether or not an unknown input has been compared against another value.  There are various rules under which taintedness is propagated from one variable to another.  One rule is that when a value is compared against another value this removes the taint.  If an untested value is used in a “dangerous” context, then you get an error reported by SSA. The logic here is that a comparison is considered sufficient to sanitize the value.  The example below demonstrates the idea of tainted variable, x.  When x is used blindly with no comparisons done on it to check it validity, SSA flags this value as tainted:           x = input;           a[x] = 0;   // SSA identifies use of tainted value x The example below uses a comparison operator to check the input value x, so it is considered untainted now by SSA:           x = input;           ok = (x < 10);     // comparison un-taints the value x           if (ok) a[x] = 0; This “good” example might still have some issues with it, the checking is not extensive, but at least the developer went to some effort to validate the input. The key take away here is to use tools to find un-validated inputs and then add the necessary validation around each of these inputs. Identification and Mitigation of CWE Top Error #3 (Classic Buffer Overflow) Michael Howard & David LeBlanc, in their book Writing Secure Code , 2nd edition, identify the buffer overflow (AKA buffer overrun) as public enemy number one.  The Common Weakness Enumeration list is kinder, listing this issue as the number three most dangerous error.  It is well known that certain “C” functions are unsafe because they are vulnerable to buffer overflow attacks. These functions should be replaced with safe counterparts : strcpy , strncpy , strcat , and gets , among others.  The buffer overflow terminology comes from the idea that if you continue to pour water into a finite sized container, the container will eventually overflow. In computer terms, the analogy means that copying too much text into a finite sized array , will cause the extra text in the buffer to spill over into areas of memory that the developer did not intend.  These areas of memory get corrupted with the excess text and malicious coders use this to exploit your application and potentially run malicious code within the confines of your application’s process. I found the following buffer overflow example insightful, though I didn’t want to copy it here in its entirety and will simply link to it instead.  It demonstrates how an overflow attack can occur and is found on an MSDN blog by Robert Horvick . Other strains of buffer overflow can occur in some types of formatted input.  The biggest issue here is when the “%s” input format is used. This format specifier is generally regarded as unsafe. In the Intel Parallel Studio XE evaluation guide on Static Security Analysis (SSA) , there is a nice example of SSA detecting a buffer overflow in a fscanf function. In this case, SSA indicates that it found an “unsafe format specifier , ” which is essentially a condition that can lead to buffer overflow.  The code snippet from this guide is as follows:           // example that would allow buffer overflow             char data[255];           fscanf(dfile, “%s”, data);           if (strcmp(data, string) != 0) {                 fprintf(stderr, “parse: Expected %s, got %s n”, string, data);           } The call to fscanf uses an input descriptor string with a “%s” format specifier. This reads input characters up to the next newline and stores the data in the array “data”. There is no guarantee that the number of characters read will not overflow the bounds of the array, so this statement could corrupt memory.  SSA reported this as an error and the developer should follow up by making code changes using an alternative format specifier such as the “%255s”  to limit the number of characters read in.  The corrected code should be something like this:           // example that corrects the undesired  buffer overflow  condition           char data[255];           fscanf(dfile, “%255s”, data);           if (strcmp(data, string) != 0) {                 fprintf(stderr, “parse: Expected %s, got %s n”, string, data); For similar tips on how to protect your code through defensive programming, read this article by McGraw & Viega, Make your software behave: Preventing buffer overflows . The key take away here, in addition to validating all  inputs, is to find unsafe “C” functions and format specifiers, and replace them with safe alternatives . What should a developer do? The security bugs discussed above are two of the most dangerous and prevalent according to CWE.  These bugs affect client applications that are run on laptops, desktops, ultrabooks, as well as enterprise applications on web servers, application servers, database servers and more.  Developers are urged to find these kinds of bugs using tools such as Intel Static Security Analysis , and then make it a practice to validate all inputs and to replace unsafe functions ( strcpy , strncpy , strcat , and gets , among others)  with safe counterparts .  To learn more about steps you can take as a developer to reduce your exposure to security attacks go to the Department of Homeland Security’s Build Security In  website or visit the Common Weakness Evaluation site. Oh, and did I mention that enterprise developers  should  jump over to Blake Dournaee’s (Intel) blogs  “Using a Service Gateway to Protect against the OWASP Top 10 ” and ” How about a Security Layer?”  to learn an even better way to secure your systems? For more complete information about compiler optimizations, see our Optimization Notice .

Posted in Software Tools Tags: , , , , , , , , Comments Off
Read More »

Myths about static analysis. The fourth myth – programmers want to add their own rules into a static analyzer.

Posted by admin on February 11th, 2012

While communicating with people on forums, I noticed there are a few lasting misconceptions concerning the static analysis methodology. I decided to write a series of brief articles where I want to show you the real state of things. The fourth myth is: “A static analyzer must enable users to add user-made rules. Programmers want to add their own rules.” No, they don’t. They actually want to solve some tasks of searching for particular language constructs. It is not the same thing as creating diagnostic rules. I have always answered that implementation of own rules is not the thing programmers actually want. And I never saw any other alternative than implementing diagnostic rules by the analyzer’s developers at the request of programmers ( an article on the subject ). I have had a fruitful conversation with Dmitry Petunin recently. He is the director of an Intel department of compiler testing and software verification tool development. He enlarged my understanding of this subject and voiced the idea I had been pondering over but failed to give the final formulation of. Dmitry confirmed my belief that programmers wouldn’t write diagnostic rules. The reason is very simple – it is very hard. Some static analysis tools enable users to extend the rule set. But it is done rather as a pure formality or for convenience of the tool’s developers themselves. You need to know the subject very deeply to be able to develop new diagnostic rules. If an enthusiast without skill starts creating them, they will be of little use. My understanding of the issue was over at this point. Dmitry, being more skilled than I, helped me learn more. In brief, this is how the situation looks. Indeed, programmers want to be able to search for some particular patterns/errors in their code. They really need it. For example, someone needs to find all the explicit conversions of the int type to float. This task cannot be solved by such tools as grep, since it is unknown what type the FOO() function will return in a “float(P-> FOO())” -like construct. At this moment the programmer comes to the idea that he/she can implement search of such constructs by adding his/her own check into the static analyzer. This is where the key point lies. The programmer does not need to create his/her analysis rules. He/she needs to solve a particular issue. What he/she wants is a very small task from the viewpoint of static analysis mechanisms. It is like using a car to light cigarettes with its cigarette lighter. That’s why both Dmitry and I don’t support the idea of providing users with API to handle the analyzer. It is an extremely difficult task from the viewpoint of development. Besides, people will hardly use more than 1% of it. So, it’s irrational. It is easier and cheaper for a developer to implement users’ wishes than create a complex API for add-ons or a special language of rule description. The readers may say: “then make only 1% of the functionality in API available, and everyone will be happy”. Yes, right. But look where the emphasis has moved: from developing own rules we have come to the idea that we just need a tool similar to grep but possessing some additional information about program code. There is no such a tool yet. If you want to solve some task, write to me, and we will try to implement it in the PVS-Studio analyzer. For example, we have recently implemented several requests on searching for explicit type conversions: V2003 , V2004 , V2005 . It is much easier for us to implement such wishes than create and maintain an open interface. It’s also easier for users themselves. By the way, such a tool might appear some time later within the scope of Intel C++. Dmitry Petunin said they had discussed a probability of creating a grep-like tool possessing knowledge about code structure and variable types. But it was discussed just in theory. I don’t know whether or not they really intend to create this tool.

Posted in Software Tools Tags: , , , , , , , , , , , , , , Comments Off
Read More »

Jeff’s Notebook: Best Known Methods for using Intel® AMT with client virtualization

Posted by admin on February 11th, 2012

Virtualization of PC’s is being used more and more in many companies to help them to maximize their PC resources for a variety of application uses.  Some businesses are using virtualization with client PCs with Intel®vPro™  technology and Intel® Active Management Technology (Intel® AMT). Yet, there are some key differences you have to consider when using Intel Active Management Technology features on a virtualized client.  Whether you are an IT manager or even, a software consultant working with a major business client, it is important to know the differences and any other Best Known Methods to allow adjustments to the IT processes for managing virtualized clients with Intel Active Management Technology.  A recent white paper on the vPro Developer Community website describes the expected behavior and these Best Known Methods for IT managers.   Read the white paper to learn more.

Posted in Software Tools Tags: , , , , , , , , , , Comments Off
Read More »

Intel Aids Search for Lost DaVinci Masterpiece

Posted by admin on January 18th, 2012

In the Palazzo Vecchio in Florence, Italy, a feverish search occurs seemingly in slow motion. In order to make progress in the search, a team of researchers from the University of California/San Diego has been inventing a brand new field of work called art forensics. Armed with innovative new portable sensing devices and Intel technology, they are searching for a lost masterpiece by Leonardo da Vinci called The Battle of Anghiari . This impressive painting, considered by some to be da Vinci’s greatest artistic accomplishment, was lost more than 450 years ago.   Lost: The Masterpiece of the Renaissance The great mural was painted by da Vinci in 1505 to commemorate a battle in 1440. His artistic rival, Michaelangelo, was commissioned to paint a mural on the opposite side of the hall. (Imagine these two artists  in the same room, not just two of their masterpieces in the same room!). Michaelangelo did not finish his project.  He had sketched his painting out, but had just begun the painting when he was invited back to Rome to build the tomb of Pope Julius II. A rival artist, Bartolommeo Bandinelli, destroyed Michaelangelo’s sketch in a fit of jealousy in 1512. Peter Paul Rubens's copy of The Battle of Anghiari (from Wikipedia). Da Vinci did not finish his painting either, but he got much further than Michaelangelo. His painting depicted the power, fury, and intense emotions of four horsemen engaged in battle. Always experimenting with new techniques, da Vinci tried to apply oil colors to the wall. The result was less than satisfactory. The paint dripped and only the lower part of the painting could be dried quickly enough to achieve the desired result. Da Vinci subsequently abandoned the project.  Nevertheless, da Vinci’s painting was considered the masterpiece of the Renaissance. Numerous copies of The Battle of Anghiari were made over the course of the next 50 years and others praised the work in commentaries and diaries. Many sketches by da Vinci (“cartoons”) that served as studies for the mural still exist. An engraving made in 1553 by Lorenzo Zacchia was used in 1603 by Peter Paul Rubens as the basis for a copy of the central section of the mural. Rubens’ second-hand copy  of da Vinci’s painting is in the Louvre.  Eventually, the hall was enlarged and remodeled by Giorgio Vasari and Vasari painted six new murals over the east and west walls of the hall. It is assumed that the famous, unfinished works of da Vinci and Michaelangelo were lost during this process, as they were not seen again. Seek and Ye Shall Find Scaffolding covers a wall in the Hall of Five Hundred in the Palazzo Vecchio where a team of researchers are searching for a lost painting by Leonardo da Vinci Some people, included UCSD’s Maurizio Seracini, believe that the da Vinci masterpiece might still exist. Vasari, who painted the murals that now adorn the hall, had high praise for the da Vinci fresco, so Seracini thinks it is unlikely that Vasari destroyed the mural during the hall’s renovation. A clue to this effect is in the Vasari mural, 12 meters above the ground. The only text on the entire painting is on a green flag held by a Florentine soldier. The text says “Cerca trova”—”He who seeks, finds.” Seracini has taken this advice to heart. An initial non-destructive 3D survey of the hall used surface penetrating radar and thermographic cameras to create a three-dimensional model of the space. This process led to the discovery of a wall built by Vasari in front of the east wall where The Battle of Anghiari was located. A gap of a couple of centimeters was discovered between the two walls, supporting the theory that the lost masterpiece is still intact and located behind Vasari’s mural. Of course, Vasari’s mural is a more-than-400 year-old masterpiece too, so there is understandable reticence by the involved government and cultural agencies to do anything that would cause irreversible damage. This is where the UCSD researchers and Intel technology come into play. 21st Century Technology Aids Search As part of its Visual Computing Academic Program, Intel’s University Program Office supplied 50 quad-core Intel Core i7 Extreme 3.33 GHz processors to Falko Kuester of UCSD. The parallel processing performance of these powerful processors has allowed UCSD to tackle a series of unique and transformative visual computing projects. Kuester’s team is currently using these CPUs to “Create (Compute) a Future for the Past” as part of its cultural heritage diagnostics research and its field sites in Italy and Jordan. Multiple nodes loaded with Intel CPUs are on-site in Palazzo Vecchio driving UCSD’s visual analytics/visual computing environment. Small holes drilled through the Vasari mural to the back wall have revealed fragments of pigment on the far wall that might be part of the da Vinci mural. The UCSD team is therefore developing new non-invasive sensing and analysis techniques to try to “peer through” the front wall and visualize the surface of the back wall. Maurizio Seracini, Falko Kuester, and the other members of the UCSD cultural heritage diagnostics research team on site in Florence, Italy The National Geographic Society is also sponsoring the search and is documenting the entire process. Our UCSD colleagues indicate that National Geographic will air a documentary on the project on January 15 (but I don’t yet see this program on the guide for the National Geographic channel). The search for a lost da Vinci masterpiece…it is a riddle wrapped in an enigma shrouded in mystery. Intel technology is at the heart of the search. And the results will of the search will soon be revealed in a National Geographic TV special. Further information Home page for UCSD’s cultural heritage diagnostics effort National Geographic’s blog for The Battle of Anghiari Project CBS 60 Minutes 2008 story on Maurizio Seracini’s search Wired magazine’s 2007 interview with Seracini

Posted in Software Tools Tags: , , , , , , , , , , , , , Comments Off
Read More »

AES-NI in Laymen’s Terms

Posted by admin on January 18th, 2012

What is AES-NI – first answer AES-NI are a set of six new instructions introduced by Intel when we introduced the new 2010 Intel® Core™ processor family code named Westmere. AES-NI stands for Advanced Encryption Standard – New Instructions. These instructions implement hardware accelerated versions of certain compute intensive steps used in the AES (RijnDael) algorithm. Okay – so what is the Advanced Encryption Standard (AES)? AES is a standard that defines how to encrypt plain text using an encryption key. It is implemented with the RijnDael (pronounced Rhine Dahl) algorithm. One cool thing about AES is that even though this algorithm is completely open for examination, it is possible to encrypt a plain text message with it that is very, very difficult to break. This is possible because the algorithm takes the plain text message you want to encyrpt, and merges it in a certain way with a secret key. As long as the key is kept private, the encrypted message has proven to be safe from being broken, at least to this point in time. So the algorithm is completley known, but as long as the key is protected, messages encoded with it are virtually safe from eves dropping. So who cares? So what kind of software developers might use AES? and who might benefit from the new AES-NI? There may be more than you think at first: developers who write code that that use secure socket layer (SSL), database engines, whole disk encryption applications, files compression applications, VoIP, instant messaging, email, virtualization software, electronic payment systems, virtual private networks, and list goes on. To learn more about who might use AES see this wiki article on AES instruction set or this article on AES-NI analysis on Tom’s Hardware . So how does AES (Rijndael) work? To understand how the AES (Rijndael) algorithm works I highly recommend that you look at Jeff Moser’s “A Stick Figure Guide to the Advanced Encryption Standard (AES) – A play in 4 acts” . This creative, stick figure, cartoon approach is the best method I have seen for communicating how AES works – five stars Mr. Moser! My stick figure image below is an icon tribute to the excellent efforts of Mr. Moser in laying bare the essense of AES. Thanks Mr. Moser! What is AES-NI – second answer Now consider that the six AES-NI from Intel provide two instructions to accelerate encrypting a round, two instructions for decryping a round, and two more instructions to accelerate the generation of round keys. In summary, the six new instructions provide a faster way to crunch through the Rijndael algorithm (AES). Curious to know more? Read more about it in my friend, Jeff Rott’s, blog. Jeff wrote an excellent blog on Intel® Advanced Encryption Standard Instructions (AES-NI) , in which he introduces the six instructions, describes the benefits, and introduces ways to actually implement these in your code (plus references). So how can you implement AES-NI in your code? As long as you are using one of the following compilers (or later) you can get direct access to the instructions: AES-NI are supported by version 11 of the Intel C/C++ compiler, and also by Microsoft* Visual Studio* 2008 Service Pack 1 and by gcc version 4.4. You can implement it the hard way using MASM or inline assembly. Or you can make it easier on yourself and use compiler intrinsics (just be sure to include wmmintrin.h or intrin.h). See Martyn Corden’s Post here on Compiling with AES-NI . Another approach is to use a library such as OpenSSL or Intel’s IPP to implement AES-NI – Jeff has references ;-) If you really want to dig in and see the reference and code snippets read Intel’s Shay Gueron’s in-depth whitepaper called “Intel® Advanced Encryption Standard (AES) Instructions Set”. See Shay’s abstract and whitepaper link here . Finally – if you want a complete understanding of AES, much more than you will find in a Wiki article or blog, then check out the following book. ” The Design of Rijndae l” is the definitive book on the subject, written by the Rijndael creators.

Posted in Software Tools Tags: , , , , , , , Comments Off
Read More »

Intel at CES 2012 – the skinny, with a little fat

Posted by admin on January 18th, 2012
Posted in Software Tools Tags: , , , , , , , , , , Comments Off
Read More »

Jeff’s Notebook: Intel® vPro™ Developer Community – A resource for developing PC manageability & security software

Posted by admin on January 18th, 2012

Well, 2012 is here and with the New Year, you’ll be seeing some new topic areas for my blogs.  This year, I’m going to be exploring the additional areas of PC manageability and security software.  This is an area that continues to gain attention by IT managers and software developers that are trying to address the needs of efficiently managing PC’s, addressing malware/viruses and the security of data on PC’s.  Intel has been addressing these concerns for some years with its Intel vPro technology that has been built into various Intel processor-based desktops and laptops.  So, if you are a software developer of IT manageability and security software and you want to learn more about vPro technology and how to enable your software to take advantage of it, recently a new community has been launched to provide you with the information that you may want.  This is the Intel vPro Developer Community .  Check out this new community and discover more about Intel vPro technology.

Posted in Software Tools Tags: , , , , , , , , , , , Comments Off
Read More »

Show 13 – From Netbooks to Ultrabooks: Apps that Scale Well

Posted by admin on December 26th, 2011

The Intel AppUp show for developers “Show 13″: in this segment of AppUp RoundUp, Host Bob Duffy showcases four applications that scale up well from Netbooks to Ultrabooks– Shufflr, Ancient Frog, Fandango, and Pinball HD. And, in the TweetCap segment, Host Rhonda Peters shares the buzz on HTML5 and posts regarding developers being business savvy when developing apps.

Posted in Software Tools Tags: , , , , , , , , Comments Off
Read More »

Taking a look at Intel Anti Theft & Identity Protection Technologies

Posted by admin on December 26th, 2011

I wanted to start a new blog introducing myself in a new role at Intel. As part of my new role I will be explaining Intel’s Security, Manageability, and Virtualization features to a broad base of ISV’s through our scale enabling team and associated platform communities. In my new role, I have been learning about many of Intel’s security technologies and am excited about bringing these technologies to light in my blogs, and Intel Software Network TV. To see why I am excited, and a little daunted with my new tasks, take a look at a couple of clips of Mooly Eden at Intel’s recent Intel Developer Conference. These technologies are amazing ,…but there is so much ground that they span! The first clip showcases Intel’s Anti Theft technologies (starting at 31:10 mark and ending at 34:57). Here Mooly invited McAfee co president, Todd Gebhart, to the stage to discuss McAfee’s Anti Theft which allows a user to lock their laptop or even wipe their data by issuing a poison pill in the event that their laptop is stolen. Then Mooly introduced a new technology called Intel Identity Protection Technology (IPT) . To showcase this technology, Mooly had a hacker, garbed in a ninja costume, attempt to use a key logger and frame grabbing software to attempt to hack, demo presenter, Mark’s bank transaction. In this amazing clip, the hacker successfully grabs the username and password to Mark’s bank account, using a nefarious keylogger. BUT – the hacker cannot capture or generate a third authentication token which has been set up between Mark & his bank. The hacker is thwarted from any mischievous activity by IPT. Using this IPT technology, a random layout pin pad is generated and displayed to Mark, which allows Mark to send an additional credential to the bank in order to authenticate the transaction. Mark’s bank account is safe! See this part of the clip at 35:08 to 38:44 . If you want to learn even more, see Intel’s Ned Smith’s IPT foils at 2011 Kerberos conference. I plan to be interviewing experts from various corners of Intel to help describe these technologies in more detail. We will also be working to bring API’s to light with Software Developer Guides, tech briefs, and whitepapers, videos and more. I also hope to keep one eye on new developments in the security space in the rest of industry to help articulate security, virtualization and manageability trends that I see developing.

Posted in Software Tools Tags: , , , , , , , , , , , , , Comments Off
Read More »
Page 5 of 47« First...34567...102030...Last »