Google Summer of Code (GSoC) is a global program focused on bringing student developers into open source software development. Students are sponsored by Google to work with a mentoring open source organization on a 3-month programming project during the summer.
In February we were thrilled to announce that the Dart team would be a mentoring organization in GSoC 2020. We ended up mentoring 5 projects, picked from more than 170 applications from students around the world. Today we’re excited to share our results, as described by the students who worked on the projects.
By Prerak Mann
package:ffigen is an FFI generator that greatly reduces the effort of using
dart:ffi by generating Dart bindings from C header files (
To understand the need for this tool, consider LibClang (the C interface to Clang). LibClang’s API is about 8,000 lines of code (LOC). If you were to write Dart bindings for LibClang by hand, you’d need almost 4,500 LOC. With
package:ffigen, all you need to do is pass in a small YAML configuration file that’s less than 20 LOC, and then you can generate the bindings.
#open-source #flutter #google-summer-of-code #dartlang
Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker.
The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies.
Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO.
Attacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer.
“Customers who have configured their systems in accordance with Citrix recommendations [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,” according to the vendor.
Threat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP address for communicating with network resources for applications that do not allow multiple connections or users from the same IP address.
The VIP attacks include denial of service against either the Gateway or Authentication virtual servers by an unauthenticated user; or remote port scanning of the internal network by an authenticated Citrix Gateway user.
“Attackers can only discern whether a TLS connection is possible with the port and cannot communicate further with the end devices,” according to the critical Citrix advisory. “Customers who have not enabled either the Gateway or Authentication virtual servers are not at risk from attacks that are applicable to those servers. Other virtual servers e.g. load balancing and content switching virtual servers are not affected by these issues.”
A final vulnerability has been found in Citrix Gateway Plug-in for Linux that would allow a local logged-on user of a Linux system with that plug-in installed to elevate their privileges to an administrator account on that computer, the company said.
#vulnerabilities #adc #citrix #code injection #critical advisory #cve-2020-8187 #cve-2020-8190 #cve-2020-8191 #cve-2020-8193 #cve-2020-8194 #cve-2020-8195 #cve-2020-8196 #cve-2020-8197 #cve-2020-8198 #cve-2020-8199 #denial of service #gateway #information disclosure #patches #security advisory #security bugs
The liquid-cooled Tensor Processing Units, built to slot into server racks, can deliver up to 100 petaflops of compute.
The liquid-cooled Tensor Processing Units, built to slot into server racks, can deliver up to 100 petaflops of compute.
As the world is gearing towards more automation and AI, the need for quantum computing has also grown exponentially. Quantum computing lies at the intersection of quantum physics and high-end computer technology, and in more than one way, hold the key to our AI-driven future.
Quantum computing requires state-of-the-art tools to perform high-end computing. This is where TPUs come in handy. TPUs or Tensor Processing Units are custom-built ASICs (Application Specific Integrated Circuits) to execute machine learning tasks efficiently. TPUs are specific hardware developed by Google for neural network machine learning, specially customised to Google’s Machine Learning software, Tensorflow.
The liquid-cooled Tensor Processing units, built to slot into server racks, can deliver up to 100 petaflops of compute. It powers Google products like Google Search, Gmail, Google Photos and Google Cloud AI APIs.
#opinions #alphabet #asics #floq #google #google alphabet #google quantum computing #google tensorflow #google tensorflow quantum #google tpu #google tpus #machine learning #quantum computer #quantum computing #quantum computing programming #quantum leap #sandbox #secret development #tensorflow #tpu #tpus
Google has stomped out several serious code-execution flaws in its Chrome browser. To exploit the flaw, an attacker would merely need to convince a target to visit a specially crafted webpage via phishing or other social-engineering lures.
Overall, Google’s release of Chrome 85.0.4183.121 for Windows, Mac and Linux – which will roll out over the coming days – fixed 10 vulnerabilities. The successful exploitation of the most severe of these could allow an attacker to execute arbitrary code in the context of the browser, according to Google. Google Chrome versions prior to 85.0.4183.121 are affected.
“Depending on the privileges associated with the application, an attacker could view, change or delete data,” according to Google’s Tuesday security advisory. “If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.”
#vulnerabilities #web security #chrome 85.0.4183.121 #chrome browser #chromium #cve-2020-15961 #cve-2020-15962 #cve-2020-15963 #cve-2020-15965 #fix #google #google chrome #google flaw #out of bounds read #security updates #stable channel release
Google’s latest version of its browser, Chrome 86, is now being rolled out with 35 security fixes – including a critical bug – and a feature that checks if users have any compromised passwords.
As of Tuesday, Chrome 86 is being promoted to the stable channel for Windows, Mac and Linux and will roll out over the coming days. The versions of the browser for Android and iOS were also released Tuesday, and will become available on Google Play and the App Store this week.
Included in the newest browser version is a critical flaw (CVE-2020-15967) existing in Chrome’s payments component. The flaw, reported by Man Yue Mo of GitHub Security Lab, is a use-after-free vulnerability. Use after free is a memory-corruption flaw where an attempt is made to access memory after it has been freed. This can cause an array of malicious impacts, from causing a program to crash, to potentially leading to execution of arbitrary code.
Use-after-free bugs have plagued Google Chrome in the past year. In fact, all seven high-severity vulnerabilities fixed by Google in Chrome 86 were use-after-free flaws – ranging from ones affecting Chrome’s printing (CVE-2020-15971), audio (CVE-2020-15972), password manager (CVE-2020-15991) and WebRTC (CVE-2020-15969) components (WebRTC is a protocol for rich-media web communication).
Further details of the bugs are not yet available, as “access to bug details and links may be kept restricted until a majority of users are updated with a fix,” according to Google’s Tuesday post.
The Android and iOS versions of Chrome 86 will also come with a new security feature, which will send a copy of user’s usernames and passwords using a “special form of encryption.” That then lets Google check them against list of passwords known to be compromised.
“Passwords are often the first line of defense for our digital lives,” Abdel Karim Mardini, senior product manager with Chrome, said in a Tuesday post. “Today, we’re improving password security on both Android and iOS devices by telling you if the passwords you’ve asked Chrome to remember have been compromised, and if so, how to fix them.”
At the back end, when Google detects a username and password exposed by a data breach, it stores a strongly hashed and encrypted copy of the data. Then, when Chrome users log into a website, the feature sends a strongly hashed and encrypted version of their username and password to Google – meaning the company never derives usernames or passwords from the encrypted copy, it said.
#vulnerabilities #web security #android #chrome #chrome 86 #compromised password #credential stuffing #cve-2020-15967 #cve-2020-15969 #cve-2020-15971 #cve-2020-15972 #cve-2020-15991 #encryption #google #google payments #https #ios #linux #mac #password check #patches #safety check #security fix #security improvements #windows
Static code analysis refers to the technique of approximating the runtime behavior of a program. In other words, it is the process of predicting the output of a program without actually executing it.
Lately, however, the term “Static Code Analysis” is more commonly used to refer to one of the applications of this technique rather than the technique itself — program comprehension — understanding the program and detecting issues in it (anything from syntax errors to type mismatches, performance hogs likely bugs, security loopholes, etc.). This is the usage we’d be referring to throughout this post.
“The refinement of techniques for the prompt discovery of error serves as well as any other as a hallmark of what we mean by science.”
We cover a lot of ground in this post. The aim is to build an understanding of static code analysis and to equip you with the basic theory, and the right tools so that you can write analyzers on your own.
We start our journey with laying down the essential parts of the pipeline which a compiler follows to understand what a piece of code does. We learn where to tap points in this pipeline to plug in our analyzers and extract meaningful information. In the latter half, we get our feet wet, and write four such static analyzers, completely from scratch, in Python.
Note that although the ideas here are discussed in light of Python, static code analyzers across all programming languages are carved out along similar lines. We chose Python because of the availability of an easy to use
ast module, and wide adoption of the language itself.
Before a computer can finally “understand” and execute a piece of code, it goes through a series of complicated transformations:
As you can see in the diagram (go ahead, zoom it!), the static analyzers feed on the output of these stages. To be able to better understand the static analysis techniques, let’s look at each of these steps in some more detail:
The first thing that a compiler does when trying to understand a piece of code is to break it down into smaller chunks, also known as tokens. Tokens are akin to what words are in a language.
A token might consist of either a single character, like
(, or literals (like integers, strings, e.g.,
Bob, etc.), or reserved keywords of that language (e.g,
def in Python). Characters which do not contribute towards the semantics of a program, like trailing whitespace, comments, etc. are often discarded by the scanner.
Python provides the
tokenize module in its standard library to let you play around with tokens:
code = b"color = input('Enter your favourite color: ')"
for token in tokenize.tokenize(io.BytesIO(code).readline):
TokenInfo(type=62 (ENCODING), string='utf-8')
TokenInfo(type=1 (NAME), string='color')
TokenInfo(type=54 (OP), string='=')
TokenInfo(type=1 (NAME), string='input')
TokenInfo(type=54 (OP), string='(')
TokenInfo(type=3 (STRING), string="'Enter your favourite color: '")
TokenInfo(type=54 (OP), string=')')
TokenInfo(type=4 (NEWLINE), string='')
TokenInfo(type=0 (ENDMARKER), string='')
(Note that for the sake of readability, I’ve omitted a few columns from the result above — metadata like starting index, ending index, a copy of the line on which a token occurs, etc.)
#code quality #code review #static analysis #static code analysis #code analysis #static analysis tools #code review tips #static code analyzer #static code analysis tool #static analyzer