Archive for May 2007
OpenSource Community connecting with Test Cases
I was reading Perspectives on Free and Open Source Software. I am not an expert in this field, but I feel it is important for the open source (OS) community to become closer, in structure and in communication, to the scientific research groups based in universities. I think it is important to build a fast connection across the whole community in order to improve code quality. I share Alan Cox's opinion that the most popular projects are secure but the less popular ones are not (“High-quality only applies to some projects–those with good code review and those with good authors”, Cox says).
In order to preserve, and not restrict, the freedom of choice of OS developers, the OS community has to find a way of addressing security issues in less popular open source projects that is different from publishing online rating lists of the most popular projects to focus developers' attention. Something different is needed. Code on its own will be compromised if it is not secure enough, but we can draw up very specific requirements in the form of testing objects (test cases) for every specific object or group of objects.
This way of centralizing the community is better in my opinion. I find it more useful to centralize the community around test cases than around source code. What people want is to use working source and perform computations on their input data; why should they have to read the code (or its documentation) in order to prove whether it is secure and useful for their purpose? Lists of test cases can be enlarged very easily so that the old features are kept while new ones are added.
So the community has to be grouped around test cases… Starting a project means first writing test cases. This is the best way of easily connecting a colorful range of developers with different levels of programming skill. It is a mathematical model of a program/project (here I give credit to its speed, usability and closeness to the process of programming) that is very close to writing the source code for the project/program.
Adding new capabilities to an existing project, defining and starting a new project, changing a project… all of this can be expressed as test cases. I believe it is important to work on this topic.
Test cases are (in my opinion) a good form of documentation for a system.
Imagine it were possible for a developer to take a piece of code and synchronize it by checking for test case equivalence/compatibility. Imagine test cases could go deep into the side effects of the system, capturing its most critical behavior, and that such abilities were standardized so that automatic checks could compare the expected software behavior against the actual behavior of the software. Imagine if we could search by typing strict requirements (test cases) and find the code that fits our wishes.
Note: I wrote strict requirements. That does not commit us to requiring a strict test case. It is possible to use if statements to describe the group of satisfying behaviors of the code we are searching for, and to leave out the parts of the test case that are not related to our particular search. In other words, we search the test cases of OS projects either for full equivalence with the provided test case or for a test case contained within them.
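The search-by-test-case idea from the two paragraphs above, as an added example that is not part of the original post: a specification is a list of test cases whose accept predicates (the "if statements") describe a group of satisfying behaviors rather than one exact output, and candidate implementations are kept only if they pass every case. The spec (an HTML-escaping requirement), the candidate functions and the helper names findMatching and failingInputs are all constructed for this illustration.

```javascript
// Added example (not from the original post): test cases as a searchable
// specification. Each case has an input and an accept() predicate over the
// candidate's output, so one case can admit several acceptable behaviors.
// escapeSpec, candidates, findMatching and failingInputs are assumed names.

// Constructed specification: what we require from an HTML-escaping function.
const escapeSpec = [
  // Either escaping or removing the bracket is acceptable here, but
  // double-escaping ("&amp;lt;") is not.
  { input: "<", accept: (out) => out === "&lt;" || out === "" },
  { input: "<b>", accept: (out) => !out.includes("<") && !out.includes(">") },
  // No bare ampersand may survive (an entity reference is fine).
  { input: "a & b", accept: (out) => !/&(?!amp;|lt;|gt;|quot;|#\d+;)/.test(out) },
  // Attribute context: a raw double quote must not survive.
  { input: "\"q\"", accept: (out) => !out.includes("\"") },
  // Text without special characters must pass through unchanged.
  { input: "plain", accept: (out) => out === "plain" },
];

// Constructed candidate implementations, as if found in different projects.
const candidates = {
  // Escapes every character that matters in HTML text and attribute context.
  full: (s) =>
    s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
     .replace(/>/g, "&gt;").replace(/"/g, "&quot;"),
  // Forgets quotes, so it fails the attribute-context case.
  noQuotes: (s) =>
    s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"),
  // Escapes '&' last and so double-escapes the entities it just produced.
  wrongOrder: (s) =>
    s.replace(/</g, "&lt;").replace(/>/g, "&gt;")
     .replace(/"/g, "&quot;").replace(/&/g, "&amp;"),
  // Strips the characters instead of escaping them; still satisfies the spec,
  // which is the point: the spec describes a group of behaviors, not one code.
  strip: (s) => s.replace(/[<>"&]/g, ""),
};

// Run every case of the spec against one implementation; an exception counts
// as a failure rather than aborting the search.
function runSpec(spec, fn) {
  return spec.map((tc) => {
    try {
      return tc.accept(fn(tc.input)) === true;
    } catch (e) {
      return false;
    }
  });
}

// Inputs of the cases an implementation fails (useful as a diagnostic).
function failingInputs(spec, fn) {
  const results = runSpec(spec, fn);
  return spec.filter((_, i) => !results[i]).map((tc) => tc.input);
}

// The search itself: names of the implementations satisfying the whole spec.
function findMatching(spec, impls) {
  return Object.keys(impls).filter((name) =>
    runSpec(spec, impls[name]).every(Boolean)
  );
}

// Demo output when run with node.
console.log("matching:", findMatching(escapeSpec, candidates));
for (const name of Object.keys(candidates)) {
  console.log(name, "fails on:", failingInputs(escapeSpec, candidates[name]));
}
```

The author of the spec decides how strict each case is: the first case explicitly admits two behaviors, while the last demands one exact value, so a project whose test list is looser or stricter than ours is caught by the cases where they differ.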
Providing testing as the main way of communicating between OS developers would give us the ability to automate some of the work and to push developers to write more secure code (recall Alan Cox's opinion on the low security of OS code).
JSON vulnerabilities
Visit these links to find interesting material about unauthorized viewing of a Gmail contact list through JSON and JavaScript. It is important to take note of this vulnerability so as not to make the same mistake.
Private Blog of Jeremiah Grossman
Ajaxian Archived post
In my view the best technique for protecting JSON data is to add “while(1);” at the beginning of the file (or JSON data response), as Gmail now does. This actually tries to prevent anyone from learning whether the data is sent at all, and of course prevents people from accessing the content. In order to provide security you must not let hackers see your data, or even whether you are responding at all.
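The “while(1);” prefix described above, as an added example that is not code from the original post or from Gmail: the server prepends the prefix to the serialized JSON, and the same-origin client strips it before parsing. The names protectJson, parseProtectedJson, isPlainJson and the sample contact list are constructed for this illustration.

```javascript
// Added example (not from the original post): the "while(1);" prefix used
// to protect JSON responses, shown from both the server and client side.
// protectJson, parseProtectedJson, isPlainJson and sampleContacts are assumed.

const PREFIX = "while(1);";

// Constructed sample data standing in for a contact list.
const sampleContacts = [
  { name: "Alice Example", email: "alice@example.org" },
  { name: "Bob Example", email: "bob@example.org" },
];

// Server side: serialize the payload and prepend the prefix. If a third-party
// page pulls the response in as a script, the browser executes it as
// JavaScript and stalls in the infinite loop before the data literal is ever
// evaluated, so the contents never reach that page.
function protectJson(value) {
  return PREFIX + JSON.stringify(value);
}

// Client side (same-origin XMLHttpRequest/fetch): the legitimate page holds
// the raw response text, so it checks for the prefix, strips it and parses
// the remainder. A missing prefix is treated as an error, not silently parsed.
function parseProtectedJson(text) {
  if (!text.startsWith(PREFIX)) {
    throw new Error("response is missing the anti-hijacking prefix");
  }
  return JSON.parse(text.slice(PREFIX.length));
}

// Shows why the prefix matters: the protected body is no longer valid JSON
// (and no longer a bare array or object literal), so it cannot be consumed
// by anything that does not know to remove the prefix first.
function isPlainJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Demo output when run with node.
const body = protectJson(sampleContacts);
console.log(body);
console.log("parses as plain JSON?", isPlainJson(body));
console.log(parseProtectedJson(body));
```

The prefix only stops the response from being usable when it is loaded as a script; it does not by itself decide whether the request was legitimate, so it is still worth pairing it with a check that the request came from your own page (for example a custom request header that a cross-site script include cannot set).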
Virtual Memory is not needed when you run Open Source programs
This is an idea that I want to work on. Imagine we could check the references in programs so that we do not have to run them in a virtual memory jail and could let them run free. I think this is possible with an Open Source program (and with a program written entirely in Java, but I will not say much about that at this time). I think it can be done; here I have sketched some of the main ideas:
I believe there is a way to ensure that the source we execute from a compiled file does not access other programs' memory. So think about this: can we make the source code of a program executable too? It would be easier to execute sources by simply running them instead of compiling and building.
I think there should be an algorithm in the kernel to check the source code and tell the Virtual Memory Manager not to encapsulate this program in a VM. I am not very deep into the Linux kernel, but I hope I will go as far as I have to in order to be sure this can be done.
Feel free to comment on this post about any mistakes (errors), warnings and everything else in this topic.