CoreCLR Security

by Miguel de Icaza

An important component of Silverlight is a simplified security system for protecting what can be done and what can not be done by user code.

.NET 1.x and 2.x have a system called "Code Access Security" (CAS), which Mono has never completely implemented since there are very few applications that actually took advantage of it (Update: In the comments someone points out that CAS is fundamental for any use of ClickOnce deployment; Mono has no support for ClickOnce deployment either). This is probably due to its complexity, which leads to people not trying it out in the first place.

With Silverlight it becomes very important to ensure that we can execute code in a secure fashion and without allowing malicious code to get access to any resources on the system. Code that is downloaded and executed inside Silverlight/Moonlight needs to be sandboxed.

This new security system is described in a few blog entries from Shawn Farkas:

Today Mark posted his first implementation of this new security system for Mono for use in Moonlight:

Here's a preliminary patch for CoreCLR security, including a small patch for System.Security. It should do pretty much everything with the exception of catching method calls via reflection (I'm not sure how this is handled in Silverlight yet, and Silverlight on my Windows machine doesn't like me anymore - grr). I've included a small C# test program which tries out all the different ways (of which I'm aware) to call a method. That'll become a regression test eventually.

If mono is called with "--security=core-clr" then security attributes are only honored in system assemblies (those in $(PREFIX)/lib/mono/2.1) - other assemblies are always security transparent. To do better testing there's also an option "--security=core-clr-test" which honors security attributes in all assemblies.

Comments are welcome.

In addition to the new CoreCLR security system, the needs of Silverlight have finally pushed us to implement the code verifier in Mono. This is currently under development by Rodrigo.

CoreCLR is very similar to the design that Jim Purbrick has prototyped for SecondLife. Hopefully Jim can switch to the CoreCLR security system. Some of the needs for sandboxing that folks like SecondLife have (execution of untrusted code) can be found in our MonoSandbox page.

This is a great summary of how the security system works, from Shawn Farkas:

Over the last week we took a look at the new Silverlight security model. When you're writing a Silverlight application though, there's a lot of information there that you may not want to wade through to get yourself unblocked.  Here's a quick cheat sheet highlighting the important points that you'll need to know when working with the Silverlight security model:

  • All applications written for Silverlight are security transparent.  This means that they cannot: [details]
    • Contain unverifiable code
    • Call native code directly
  • Silverlight applications can access public methods exposed by platform assemblies which are either: [details]
    • Security transparent (neither the defining type nor the method has any security attributes)
    • Security safe critical (the method has a SecuritySafeCriticalAttribute)
  • Silverlight applications may contain types which derive from: [details]
    • Other types defined in the application
    • Unsealed, public, security transparent types and interfaces defined by the platform
  • Silverlight applications may contain types which override virtual methods and implement interface methods which are: [details]
    • Defined in the application itself
    • Defined by the platform and are transparent or safe critical
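The rules in the cheat sheet, combined with the two `--security` modes from Mark's message, modelled as an added example (not Mono's or Silverlight's code). All member names are hypothetical; that critical and safe-critical code may use any level, and that platform assemblies see each other's internals, are assumptions of the model.

```python
from dataclasses import dataclass
from enum import Enum

class Level(Enum):
    TRANSPARENT = 0    # no security attribute
    SAFE_CRITICAL = 1  # SecuritySafeCriticalAttribute
    CRITICAL = 2       # SecurityCriticalAttribute

@dataclass(frozen=True)
class Member:
    """A method or type, reduced to the facts the checks need."""
    name: str
    platform: bool                       # defined in a platform assembly
    declared: Level = Level.TRANSPARENT  # level written in the metadata
    public: bool = True
    sealed: bool = False                 # meaningful for types only

MODES = ("core-clr", "core-clr-test")

def effective(member, mode):
    """Level the runtime enforces, given the --security mode."""
    if mode not in MODES:
        raise ValueError("unknown security mode: %r" % (mode,))
    if mode == "core-clr" and not member.platform:
        return Level.TRANSPARENT  # attributes outside the platform are ignored
    return member.declared

def _visible(user, target):
    # Simplification (assumption): platform assemblies see each other's internals.
    return target.public or user.platform == target.platform

def may_call(caller, callee, mode):
    """Also used for overrides and interface implementations."""
    if not _visible(caller, callee):
        return False
    if effective(caller, mode) is not Level.TRANSPARENT:
        return True  # assumption: (safe-)critical code may use any level
    return effective(callee, mode) is not Level.CRITICAL

def may_derive(derived, base, mode):
    if base.sealed or not _visible(derived, base):
        return False
    if effective(derived, mode) is not Level.TRANSPARENT:
        return True  # assumption, as in may_call
    return effective(base, mode) is Level.TRANSPARENT

CHECKS = {"call": may_call, "override": may_call, "derive": may_derive}

def audit(edges, mode):
    """Return the (kind, user, target) edges that would be refused."""
    return [(kind, a.name, b.name)
            for kind, a, b in edges if not CHECKS[kind](a, b, mode)]

# Constructed sample; every name below is hypothetical.
P_ABS = Member("Platform.Calc.Abs", True)
P_STORE = Member("Platform.Store.Open", True, Level.SAFE_CRITICAL)
P_POKE = Member("Platform.Native.Poke", True, Level.CRITICAL)
P_CONTROL = Member("Platform.Control", True)
P_HANDLE = Member("Platform.NativeHandle", True, Level.CRITICAL)
APP_MAIN = Member("App.Main", False)
APP_ELEVATE = Member("App.Elevate", False, Level.CRITICAL)  # self-declared
APP_WIDGET = Member("App.Widget", False)

EDGES = [
    ("call", APP_MAIN, P_ABS),
    ("call", APP_MAIN, P_STORE),
    ("call", APP_MAIN, P_POKE),
    ("call", APP_ELEVATE, P_POKE),
    ("call", P_STORE, P_POKE),
    ("derive", APP_WIDGET, P_CONTROL),
    ("derive", APP_WIDGET, P_HANDLE),
]

if __name__ == "__main__":
    for mode in MODES:
        print(mode, audit(EDGES, mode))
```

The `App.Elevate` edge is the one to watch: an application that marks its own method critical gains nothing under `core-clr`, and is only honored under `core-clr-test`.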

Posted on 08 Aug 2007


Silverlight Chess in Mono

by Miguel de Icaza

Early this morning Jackson got the Silverlight Chess program working on Mono's Moonlight:

This demo did not work for a while as it requires that the x:Name declarations from controls created dynamically be merged with the container namescope.

Between Chris and Jackson the javascript bridge is complete enough that a few hours later (after fixing a double free) it is now possible to have the Mono VM play against the browser Javascript in Firefox/Linux as well:

Although the original plans were to only support Silverlight 1.1 because we thought that they would be very different runtimes, it turns out that by supporting 1.1 we can also support 1.0.

Various 1.0 demos are working with our implementation as well. The limitations currently are more with our overall support than in a 1.0 vs 1.1 difference.

Speed

Testing the Chess on Windows vs MacOS on relatively similar hardware seems to give an edge to Windows (as I do not have any two identical machines to compare, it just feels like the Windows box is performing about twice as fast).

Am interested in finding out from folks that have similar hardware if there is any significant performance difference in the CoreCLR implementations between OSX and Windows.

The second screenshot is Mono running on a ThinkPad T60P (T2600@2.16GHz); am curious if someone with Windows on the same machine can report on the .NET vs Javascript nodes/sec.

Posted on 06 Aug 2007


Mozilla JIT Choices

by Miguel de Icaza

I was reading a comparison between Adobe's Tamarin JIT and Sun's HotSpot and there was some discussion started by Chris:

Maybe, I'm missing something, but I really don't see why Mozilla doesn't build on the Java platform rather than Tamarin. Investing effort in writing a full ECMAScript 3 or 4 translator to JVM byte-code seems like an easier and faster way to get much better results than Tamarin.

To which one of Brendan Eich's replies was:

We don't depend on closed source in-process code, period. I've also mentioned the license requirements, not that it mattered due to the lateness of Java's open source transition (GPL alone is not ok).

I ran the same program that was posted there on Mono, and extrapolating the values (my machine is faster than Chris's, but am using Java HotSpot 1.6):

  • Tamarin: 58 seconds
  • Rhino JS engine: 31.944 seconds
  • Mono: 10 seconds
  • HotSpot: 2.23 seconds

Someone on the thread pointed out that using type annotations might bring Tamarin to 11 seconds. Update: Chris was not able to replicate that behavior.

It is clear that Mono's floating point performance is far from ideal. Currently Mono on x86-32 platforms is still using the x87 "stack" style of floating point operations as opposed to the more efficient XMM style of code generation that we used on x86-64. We should look into this.

Update: Mike ran the tests on x86-64 where Mono has a different floating point implementation and the results are promising, instead of being 4 times slower than Java in this test Mono is only 2 times slower.

That being said, for Mozilla purposes, it seems that using Mono as their JIT instead of Tamarin would be a better choice:

  • Mono can be shrunk down to 5 megs by picking files (uncompressed) and even more if you are willing to ifdef stuff.
  • Mono's VM is licensed under the LGPL.
  • Mono runs IronPython, IronRuby and the DLR out of the box, no need to modify either one of them.
  • Mono already supports more platforms than Tamarin (and I believe we support more than Sun's JVM).

Planning-wise it's probably too late to use Mono on Mozilla, which is a shame.

It might still be interesting to prototype using Mono + Rhino as a Javascript engine or completing the DLR-based Javascript and see how fast it can get.

This could probably be prototyped on WebKit/Gtk easily.

Posted on 06 Aug 2007


ZeroGravity: Winning

by Miguel de Icaza

There is some kind of bug in Mono's implementation of Silverlight that is causing ZeroGravity to claim that I have won:

But at least Aaron's favorite music is playing in the background.

In other news, Chris just got Silverpad Pad working with the refreshed version of Silverlight:

And Silverlight Airlines from the 1.1 Refresh:

Posted on 04 Aug 2007


Progress on C# 3.0

by Miguel de Icaza

Marek Safar reports on the progress on the C# 3.0 compiler front:

This week:

  • Finished 3.0 type inference.

Next Week:

  • Review and finish the implementation of collection initializers and anonymous types. They are the only remaining bits to have all LINQ components ready for the integration.

Pretty much all the C# 3.0 features are now completed. As Marek points out there are a couple of areas that still need some work (collection initializers and anonymous types), but we are in good shape to complete the LINQ support in Mono's C# compiler.

JB Evain has also been busy creating a new profile of our compiler for developing Silverlight applications. The new command is smcs and it differs from gmcs in the following ways:

  • It enables -langversion:linq by default (so C# 3.0 is the default in the Silverlight profile).
  • Generates assemblies that reference the 2.1.0.0 mscorlib (as opposed to 2.0 that gmcs does).
  • It references by default all the Silverlight assemblies. With mcs and gmcs we only reference System and System.XML by default. We felt that in the case of Silverlight we could reference all the libraries needed by default.

The majority of our C# 3.0 support will be available in Mono 1.2.5. The recent developments (type inference) did not make it into the release, so folks will have to wait for 1.2.6.

Posted on 04 Aug 2007


    Mono Summit 07

    by Miguel de Icaza

    Last year we had a pretty fun meeting in Boston, but there were a few problems: the event was too short, and renting the hotel was too expensive and we also announced it with very little time ahead.

    We want to do another Mono Summit and we would like to do this event in Spain if possible. The reason is that it is relatively easy to reach Spain and for the European Mono developers (the majority of the Mono team is European) it would be cheaper to fly there than to fly to the US. Spain is also a bit cheaper than other destinations.

    I would like to find a University that could host us for a week of talks, meetings and conferences of the Mono community.

    We would need space for about 120-150 people: maybe some conference rooms for a couple of talks, otherwise classrooms and a place to hack, discuss and some internet connection would be all that we need. This would be sometime in October.

    My preference would be for Madrid or Barcelona as they both are well connected by international air travel.

    Anyone out there interested in hosting us?

    Posted on 03 Aug 2007


    Strawman Central

    by Miguel de Icaza

    As I was reading Twenty-Five Ways To Suppress Truth: The Rules of Disinformation this morning, I was pointed to Groklaw's latest attempt to defy gravity.

    As it is becoming common in some circles, some folks like to be purer than the virgin Mary. Groklaw has been for a while expanding into new levels of fundamentalism. The ends justify the means and all that:

    That, to me, wasn't the news, since a Microsoft license was submitted once before, although I gather not by the company. But what I'm noticing is reactions. ComputerWorld collected some truly astonishing responses, and if you follow their links, it gets worse. First, though, the reaction that matters, from Michael Tiemann:
    Michael Tiemann, president of the non-profit Open Source Initiative, said that provisions in three out of five of Microsoft's shared-source licenses that restrict source code to running only on the Windows operating system would contravene a fundamental tenet of open-source licenses as laid out by the OSI. By those rules, code must be free for anyone to view, use, modify as they see fit.

    "I am certain that if they say Windows-only machines, that would not fly because that would restrict the field of use," said Tiemann in an interview late Friday.

    Why would this need to be said? What nerve Microsoft has to even dream of trying for such a restriction. A license that restricts use to only the Windows operating system. Why would OSI even consider that? Have we lost our minds?

    Groklaw: Another Smooth Move from Microsoft: Watch out, Ruby. Watch out OSI.

    Really?

    4. Use a straw man. Find or create a seeming element of your opponent's argument which you can easily knock down to make yourself look good and the opponent to look bad. Either make up an issue you may safely imply exists based on your interpretation of the opponent/opponent arguments/situation, or select the weakest aspect of the weakest charges. Amplify their significance and destroy them in a way which appears to debunk all the charges, real and fabricated alike, while actually avoiding discussion of the real issues.

    The Rules of Disinformation

    Microsoft has a number of licenses under the "Shared Source" umbrella. Most of them are completely useless from an open source standpoint. Michael Tiemann correctly points that out and they would fail the test.

    The only license that can be submitted for OSI approval is the Microsoft Permissive License (Ms-PL) and possibly the Microsoft Community License (Ms-CL). The former is an Apache-like license, the latter is a GPL-like license. Am personally only interested in the first as that is what IronPython, IronRuby, the Dynamic Language Runtime and the ASP.NET client library are licensed under.

    Groklaw goes on to rally up the troops over *other* licenses that are not even under discussion. You would think that this was so obvious that it did not need pointing out, but I guess it needs pointing out.

    Later Groklaw seems confused: how can a company have software open sourced but not embrace open source?

    And does Microsoft want to be an Open Source company? Puh-lease. They may want you to think that, but Steve Ballmer just told the world that it can't embrace that model:
    "Open source has been the issue that surrounds us. Could a commercial model like Microsoft compete with open source? And we've worked very hard on making the value of a commercial company surpass what the open-source community can deliver, because frankly, it's not a business model we can embrace. It's inconsistent with shareholder value."
    Does it get any clearer? And if they have no intention of adopting that business model, the right question is: why are they proposing open source licenses?

    There is no contradiction here. It is only contradictory if you live in a binary world of black and white. Or if you find images like this to be magic:

    You can open source pieces of software, contribute to open source projects and still not embrace open source as your business model. It is easy to prove this by way of existing examples. Consider IBM and Google: they use open source software, they contribute to open source projects and they fund open source development, but yet their business model is not an open source model.

    An ugly trend is the adoption of the absolutist mindsets. "You are with us or you are against us". Well, for one, am not with Groklaw and am not with Microsoft. My goal is to make open source succeed as a platform and use open source for all of my server and desktop activities. I see no problem in taking open source contribution from companies that have not embraced open source as their business model as long as the code is open source. So I will happily consume open source code produced by Google, IBM and even Microsoft.

    Groklaw asks:

    By the way, guys, check those license submissions carefully. Do they exclude the GPL? Do they exclude sublicensing or allow it only if the sublicensee contacts Microsoft to get permission? How about if a licensee sells the company?

    Well, you would think they would have read the license, but it is easier to get on a rage binge than to actually read the licenses. There is no exclusion for the GPL or Copy-left licenses; the only problem is that the GPL is incompatible with pretty much anything, so chances are these will be incompatible, although am no lawyer and I do not know for sure. They do not exclude sublicensing and you do not need permission from Microsoft, nor do you need to contact them if you sell the company.

    The rage binge continues:

    In that connection, I suggest you look very, very carefully at the IronRuby initiative. The first rule with Microsoft proposals has to be: look for the devilish part. It won't be obvious. Here's the license for it, Microsoft's Permissive Licence, one of the shared source licenses. Is it Open Source?

    The MsPL seems to satisfy both the open source definition and the Debian Free Software Guidelines.

    Groklaw questions IronRuby motives and in the best conspiracy theory tone ponders:

    Is that the only question we should be asking? Here's another. Is IronRuby Ruby? [...] Ruby with a Microsoft twist.

    Obviously they do not know much about IronPython and IronRuby and the trouble they went to in IronPython to remain compatible with CPython. The troubles they went into to be compatible have been explained numerous times, but they are also available on Jim's Zen of the DLR slide deck. I removed the OpenXML remarks as they were just more pandering.

    The article continues by mixing half-facts and speculation as it is now a tradition over there:

    In Ruby's case, my understanding is that it started as Ruby.NET under the MIT license.

    It has different goals, IronRuby is layered on top of the DLR. They got permission to reuse the parser and tokenizer from Ruby.NET which had done all the leg-work of figuring it out (since Ruby does not have a formal language specification).

    The half facts continue:

    Microsoft has added some WPF functions to it. WPF stands for Windows Presentation Foundation. Some would tell you that WPF threatens an open web, the W3c standards, and basically anything involved with the open Internet. I don't know, not being a programmer, but that's what I hear.

    I will agree that you do not know what you are talking about. IronRuby can call any CLI methods and classes just like Ruby.NET and IronPython can (or, gasp, CPython extensions can do so as well). WPF being just a collection of .NET classes, they can be invoked by IronRuby.

    Being able to call CLI code is why I can write IronRuby applications that use Gtk# today on Linux without any changes to IronRuby, there is no magic needed:

    IronRuby Alpha running on Linux/x86 with Mono, calling Gtk#.

    LOOKOUT! ITS SPIDER PIG! MICROSOFT'S SECRET PLOT TO OVERTAKE THE INTERNETS BY ADDING GTK# SUPPORT TO IRONRUBY!

    Oh wait. Does that mean that libraries are an evil plot as well? Tune in next week at the same bat-time on the same bat-channel for an answer.

    Then, Groklaw tries a little guilt by association, always a fine choice in the most reputable sophistry circles:

    For me, it's enough of a warning that Miguel likes the MPL as he did the patent deal and all things Microsoft. He says the license is "by all intents and purposes an open source license". Whose intents? And whose purposes? Remember Lily Tomlin's old joke? If love is the answer, can you rephrase the question? And if this is "by all intents and purposes an open source license" then maybe it's time to look at that definition again.

    Facts and legal terms mean nothing. If Miguel likes it, it must be bad. I hope Groklaw gets nominated for "Best use of Fallacies to Advance a Political Cause" award next year.

    So if the license were to fit the open source definition then "it's time to look at the definition again". Why? Well, because Groklaw said so. Not because "they know" as we already know that they barely researched the subject.

    Now am off to get some more work done on Moonlight, which will serve two purposes: allow Linux users to access Silverlight content and produce an ulcer on Groklaw's posters.

    Disclaimers

    And as usual to avoid the usual round trip in the comments:

    • I speak for myself, I do not speak for Novell;
    • This blog entry does not represent the views of my employer.
    • I do not like Microsoft's overall business model, I do not like the pricing, I do not like lock-in into proprietary standards, do not like their patent threats, nor do I endorse FUD (theirs or anyone else's).
    • Liking MsPL does not mean "endorsing Microsoft" wholeheartedly.
    • I have been asking for collaboration between Microsoft and the open source community for years, and advocating it with their employees and representatives at every turn in the past. Most recently, before I even knew about the Microsoft/Novell agreement am on the record calling for such a thing.

    I think that we have reached a sorry state when our community has to resort to half-truths pandering with fear, uncertainty and doubt. The very actions that people criticize Microsoft for. We can do better than that.

    Posted on 31 Jul 2007


    Support the Troops: Conditional Blogger Style

    by Miguel de Icaza

    Last week or so an article that described some ugly scenes in Iraq was published; the article was written by an American soldier in Iraq under a pseudonym.

    Since the picture painted was not very rosy, war supporters set out to discredit the article and its author. The author eventually had to come out and now the war supporters are launching a campaign to punish him.

    Blogger Jon Swift has collected the twisted logic and hilarious conclusions in a phenomenal post.

    You could not ask for a better radiography of cognitive dissonance.

    On the Topic of Serving in Iraq, oh, and the anti-Christ.

    Continuing with the previous topic, Max Blumenthal from the Nation has a great video: Generation Chickenhawk: The Unauthorized College Republican National Convention Tour:

    Max goes on to ask College Republicans why they have not enlisted to serve in Iraq, the answers are pure gold.

    If you liked that video, check also his new "Rapture Ready" video as it contradicts the common notion that the antichrist is Rosemary's baby:

    Posted on 28 Jul 2007


    Microsoft and Open Source

    by Miguel de Icaza

    This is good news, as reported on the O'Reilly Radar by Tim:

    In his keynote at OSCON, Microsoft General Manager of Platform Strategy Bill Hilf announced that Microsoft is submitting its shared source licenses to the Open Source Initiative. This is a huge, long-awaited move. It will be earthshaking for both Microsoft and for the open source community if the licenses are in fact certified as open source licenses. Microsoft has been releasing a lot of software as shared source (nearly 650 projects, according to Bill). If this is suddenly certified as true open source software, it will be a lot harder to draw a bright line between Microsoft and the open source community.

    Bill also announced that Microsoft has created a new top level link at microsoft.com, microsoft.com/opensource to bring together in one place all Microsoft's open source efforts. Bill sees this as the culmination of a long process of making open source a legitimate part of Microsoft's strategy. Open source has survived Microsoft's process of "software darwinism" and is becoming an ever more important part of its thinking.

    Bill understands open source.

    As I said last year on Microsoft's Port25, in my opinion, part of the reaction that Microsoft had towards Linux and open source had its roots in the way it was portrayed as a Microsoft killer. Anything that is portrayed as a killer of something will be less than welcome. Or like they say out there, you attract more bees with honey than with vinegar.

    Open sourcing software is a great step for Microsoft. I hope that they continue on this path of openness, and I hope that they will have a good experience with external collaborations with the software projects that they are opening up to external contributors.

    In the last year Microsoft moved away from merely opening up source code under open source terms to actually creating communities that would co-develop components with them. This is the case with their AjaxToolkit for ASP.NET AJAX (Mono-plug: soon in a Linux server near you).

    With IronRuby and its class libraries they will be taking new steps again. These will be the first projects in which the software is not only open source, but where they will be taking contributions back into it.

    Update: In the comments to the piece, Tim has some interesting things to say, and I agree with them:

    Ultimately, I believe this is significant because I believe that Microsoft realizes that they are on the losing side of history. Year by year, they have come closer to recognizing that the old models are dead, and that new ones need to be explored.

    This doesn't mean that all their software will be open source. But I don't see people abusing Chris DiBona about Google's open source program because all of Google's software isn't open source either. And IBM gets lots of love for eclipse and other open source moves without being castigated for all the things they (still) do on the other side of the ledger.

    You guys seem like the Shiites and Sunni in Iraq. No, the other side isn't to be trusted. But the consequence of not trusting, and escalating hostilities, is far worse than exploring what trust is offered, and building on it.

    If you care about Microsoft becoming more free and open, support the people at Microsoft who are trying to bring them along.

    This other piece is right on track:

    Demonizing the other side (in business or in war) is an easy way of ignoring the actual facts; after all, it's easy to say that the devil is bad:

    Dalibor -- my reference to "you guys" was specifically to all the people saying Microsoft is innately bad. All I can say is that if you believe that, you've never spent much time with folks at Microsoft. It's easy to demonize someone you don't know. Harder when you actually talk with them. There are some people there (including the top leadership) that I don't trust, but there are a lot of people trying to make positive change. Help them, don't hate them.

    As to the "losing side of history", my thinking is shaped profoundly by my study of the history of the IBM PC, which broke IBM's old stranglehold on the industry via proprietary hardware. That change didn't make IBM go away, but they had to change to survive, and now everyone thinks they are a good guy.

    I predict a very similar outcome for Microsoft. Free and open source software have changed the world, but not in the way we expected. It doesn't mean that "free" triumphs, just that the locus of proprietary value capture and protection changes from software to something else, just as it previously changed from hardware to software.

    I've written about these ideas at length in The Open Source Paradigm Shift and What is Web 2.0, and events since I wrote those pieces have only confirmed my view.

    I completely agree that Microsoft is participating where they find it useful ... but so is IBM, and Sun, and Google, and Oracle, and even Red Hat, Canonical, MySQL and other "open source" companies. It's never just black and white.

    I could not agree more.

    Posted on 27 Jul 2007


    Getting Your Priorities Right

    by Miguel de Icaza

    Republican candidates have been busy crying wolf in the past set of presidential debates. They have gotten their share of softball questions on the issue ("if a bomb is about to go off and kill a million people and you had a chance to stop it, would you?") but they barely discuss anything that actually matters.

    From St Pete for Peace Fact Sheets there is this interesting chart on the real threats to America:

    Click on the previous link for the sources.

    More fact sheets here.

    Posted on 27 Jul 2007

