strugee.net

Posts from 2017

Show only posts from January February November December March April May June August October

New programming language part I: Handlers

So my latest project at the Recurse Center is a new programming language, as yet unnamed. Basically this was inspired by my security design presentation in which I laid out a couple ways you can improve programs' security designs, like process separation. And it occurred to me: why is this so difficult? Something should be doing this for me. Enter... whatever the hell I end up calling my language.

One of the most important building blocks of the language is something that I'm currently calling a "Handler". A Handler is basically a segregated piece of application code that handles some task or problem domain. For example, a Handler for outgoing DNS requests (syntax subject to change, obviously):

Handler DNS {
    function getAddressFromHostname(hostname) {
        // Very much pseudocode - all function calls here are example OS calls

        sendDnsQuery(hostname);
        while (!haveDnsResult()) {
            sleep(1);
        }
        
        return getDnsResult();
    }
}

This Handler has one simple method, getAddressFromHostname(). It sends a DNS query, blocks until it has a result, and then returns the result.

What's cool about this Handler is that it will be run in its own process - in other words, each Handler is automatically transformed into a privilege-separated process. However, getAddressFromHostname() can still be called from other, high-level Handlers! The language will do all the data marshalling for you, so from a language perspective it looks like a regular function call even though in practice it's going cross-process.

Now, let's improve our Handler a little bit. It's pretty unfortunate that we can only make one DNS request at a time (since it's blocking), so let's use an event loop.

Handler DNS is eventLoop {
    function getAddressFromHostname(hostname) {
        // Still pseudocode

        return sendDnsQuery(hostname, function(address) {
            return address;
        });
    }
}

We specified that the DNS Handler is an event loop, so the language automatically set up a Node-style event loop - we never actually called anything to enter an event loop, it just sort of happened as a construct of the language. Note also the nice async-aware return syntax - the result of sendDnsQuery() is returned to getAddressFromHostname()'s caller, and the result of sendDnsQuery() is specified by the return value of the anonymous function callback.

We can improve correctness even more by specifying that the Handler is not allowed to make syncronous I/O calls at all:

Handler DNS is eventLoop, async {
    // ...
}

Handlers let you pick and choose different elements and design choices for different parts of your application. For example, if you had a Handler responsible for processing data, it might make sense to restrict it to being entirely functional:

Handler incomingData is functional {
    // ...
}

In such a Handler, any functions with side effects wouldn't be callable, enforced at compile-time (possibly parse-time, depending on whether I can make it compiled or not given the type system). Perhaps you want to spawn a new sandbox process for each piece of incoming data (OpenSSH does this, for example, when first receiving authentication data from untrusted users):

// The `ephemeral` keyword will probably be something better, but for now...
Handler incomingData is functional, ephemeral {
    // ...
}

If your application requires root - for example, if you were writing an NTP daemon that needed to call setTimeOfDay() - that's also specified at the Handler level:

Handler incomingData is root {
    // ...
}

This should give you some idea of why Handlers are really interesting, even beyond the process separation concept that underlies them. (It's also worth noting that while I've focused mostly on daemons, this can also be used to securely implement e.g. file.) I'm really excited to get these ideas out there so I'll stop for now, but pretty soon I'll write another blog post talking about the type system.


Surveillance priorities

For several years now I've been really interested in technology policy - things like security, privacy and censorship, and especially how those things relate to both mass surveillance and freedom-respecting software. That's why I follow organizations like Fight for the Future and the EFF, and why I e.g. participated in the movement to stop SOPA and PIPA, the internet censorship bills.

But a week or so ago I had a realization: I'm not interested in surveillance law anymore.

It's clear to me that Congress is completely busted. The 113th Congress came very, very close to being the least productive Congress in modern history. Our current Congress isn't particularly good either, although they are (as far as I know) not as bad as the 113th - but they're still not good enough that I'm confident in their ability to actually, you know, pass laws. Even if we could get Congress to pass laws at all, it's unclear whether we could actually get them to pass laws curtailing mass surveillance. Over and over again we see Congress trying to pass misguided laws that weaken encryption, damage the DNS, and do all sorts of other seriously nasty (and hacky!) things - it just doesn't seem very reasonable to me to assume that they'd change their minds and decide to do (what we think is) the right thing[1].

This is why I'm not interested in surveillance law anymore. I find it to be a waste of time. Instead, I've shifted my focus towards systems that are fundamentally designed to resist surveillance and censorship. That's why I advocate for Signal and why I work on pump.io: because these are both systems designed from the ground up to, among other things, essentially be unaffected by surveillance law. Who cares if Congress passes a law that says they can surveil pump.io users? Congress saying a bunch of words doesn't change the fact that technically speaking, that's quite hard to do. Certainly it's more difficult than surveilling e.g. Facebook.

As Moxie Marlinspike puts it in this talk on PKI's flaws and an alternative system called Convergence:

And, you know, with this legislation that's been coming up recently like COICA and PROTECT IP and this kind of thing, you know - to me the real lesson here isn't whether this passes or not because there's been, you know, some kind of heroic efforts to prevent this legislation from going through. But I think, you know, the thing to take away from this is that they're trying. To pass regulation that messes with this stuff. And maybe one day they'll succeed.

Trying to make Congress do the right thing is, I feel, akin to an endless arms race: they don't seem to be getting the message and it's doubtful that they'll stop in the near- or medium-term future.

A much better solution is this: implement secure-by-default, freedom-respecting, encrypted and/or federated systems, and be done. Forever.

[1]: honestly, I think a big problem with this is that a lot of Congress is old white guys. Emphasis on old. The problem of people in the legal sphere not understanding technology, especially technology relating to security, privacy and encryption, has cropped up before. Consider, for example, the judge who ruled that a Tor user had "no reasonable expectation of privacy" because he literally could not wrap his head around how Tor worked and what the FBI did.


RC week 3

This is week 3 of being at the Recurse Center.

Monday

Arrived ~12:50, departed ~00:10, total time at RC 11h20m. Not Day 8 because Martin Luther King Day was today, so RC was not technically in session.

Lazy day today. Participated in an interesting discussion in the Conversations MUC about Easy XMPP which led to me spending a couple hours working on this onboarding webpage project (live version here). Spent about 5 minutes deploying OCSP Must Staple to nodecompat.com and isthefieldcontrolsystemdown.com and then about 30 discussing exactly what OCSP Must Staple is with Jesse. Also, submitted a talk on Stratic to LinuxFest Northwest.

Truthfully I spent a fair amount of my time in #pump.io on Freenode and in particular, got confirmation that Evan will be able to attend this month's pump.io meeting, which is fantastic. Closed out the evening by finishing my last college app and then spending several hours (i.e. waaay longer than I meant to) looking into parts for building an xkcd-style robot for the space.

Day 8

Arrived ~13:10, departed ~23:00, total time at RC 9h50m.

Truthfully, not really sure where today's time went. The biggest real thing I did was fixing a pretty serious regression in pump.io (introduced during the Express 3.x migration) that caused realtime functionality not to work. Plus I wrote the above text (under "Monday") because I didn't have time the previous night. *sigh*

However, I did spend a lot of the evening starting and then finishing my presentation on webapp security for tomorrow. So that's something.

Day 9

Arrived ~13:40, departed ~21:30, total time at RC 7h50m.

Arrived only just in time for my presentation on webapp security due to a series of unfortunate (mostly subway-related) mishaps. It went really, really well - although we did run for 30 minutes longer than I'd planned, which I was surprised at since last week we only ran a couple minutes over but I had twice as many slides. Covered (mostly SQL) injections, cross-site scripting, password handling, and Cross Site Request Forgery. After that, had an extensive discussion with Deniz and Heather about security and related subjects (email, selfhosting, the law, and how I think about security systems, mostly) before heading out to Walgreen's to buy some Airbourne, since I think I may be on the verge of getting a bit sick. :(

(Heather and Deniz also suggested I use the word "obviously" less, although it seems like other than that people really like my teaching style. So that feels good.)

The rest of the day was pretty boring: did a patch release for pump.io so that the regression fix that landed yesterday would go out to users. Took care of some system administration maintenance, then did some pump.io issue triaging and some minor fixups in the GitHub repository (notably improvements to the wiki homepage and fixing the Releases page, which was kinda borked).

Finally, since I've been doing a bad (read: terrible) job trying Mercurial so far, I've decided to force myself to use it:

$ cd Development
$ rm -rf icalc
$ # Muck around for a bit because I thought the following would work out-of-the-box, but it didn't
$ hg clone git+ssh://github.com:strugee/icalc.git

I'll end up using it tomorrow since I'm committing to work on icalc for the entire day. I've been really bad about working on it.

Day 10

Arrived ~13:10, departed ~17:45, total time at RC 4h35m.

Arrived riiiight as Abstract Salad Factory was starting. Had a delicious salad and came up with an excellent idea for an RC activity[1] before attending Beginner's Club, which was on testing (and also conveniently in the same room). Spent a little time taking care of business (emails, etc.) before digging into Mercurial by looking at the "Migration from Git" wiki page and just reading links. Feel like I'm on a good track there.

Attended Thursday presentations; came up with a really awesome web standards idea during that that I was extremely excited to propose to the standards community. Looked it up while the jobs fair was getting started - turns out it's already a thing. So that was disappointing. Left for home pretty soon after that.

[1]: one weekend where we take over the main space and marathon through all three extended director's cut Lord of the Rings movies

Friday

Arrived ~1:00, departed ~00:50, total time at RC 11h50m. As always, Friday doesn't count as a day because RC is technically not in session.

Spent a lot of time today pairing with Heather on improving the Abstract Salad Factory webapp before devolving into silly shell-related projects like installing thefuck and perusing underhanded, which we actually learned a lot from (because we kept looking up the options and commands the aliases used). Also found out that the version of [sl][] packaged in Debian is weirdly old. Like 10 years old.

In the evening, went to Bottle Share Friday which really ended up being "have lots of food and play a game of Codenames but mostly just talk" Friday. Very fun.

Wrapped up the evening with a little bit of Just Dance followed by some pump.io work and more pairing on the Abstract Salad Factory app, which ended with me and Heather wondering if the version deployed to Heroku didn't actually match the version on GitHub.

Also, signed up for checkins for next week as an accountability tool.

Executive summary

Week started out similar to the past week or two - I wasn't terribly good about sticking to RC stuff. However, I brought it back in the end! So I think I'm back on track.

Total time at RC 45 hours 25 minutes; cumulative time 141 hours 15 minutes.


RC week 2

This is week 2 of being at the Recurse Center.

Day 4

Arrived ~12:30; departed ~23:45; total time at RC 11h15m.

Today is day four because last week only had three days - Monday was off because of New Years.

Spent most of today working on Stratic. Paired with Ajay to fix a really nasty bug in stratic-paginate-indexes caused by some incorrect Vinyl documentation, during which he showed me how Array.prototype.map is a nice taste of functional programming available in JS, as well as Iron Node - I had only previously used the built-in node debug. (Spent hours on this bug at home but solved it in ~30 minutes while pairing.) Spent most of the rest of the day getting pagination to function properly on strugee.net, which was surprisingly hard due to there just being a lot of edge cases to handle. (That, plus the fact that it took a while for me to settle on a design I liked.) Spent some more time polishing or updating other parts of strugee.net.

In the evening, spent some time pairing with Jacqueline, teaching them to set up a cronjob using a DigitalOcean VPS.

Day 5

Arrived ~10:30; departed ~23:00; total time at RC 12h30m.

Worked on Stratic almost non-stop for literally the entirety of today (again). Started and (almost) finished stratic-indexes-to-rss and used the new feeds available on strugee.net to add myself to Blaggregator. Took a quick poll on Zulip asking what the threshold was for there being so many repositories in a project that it warranted its own GitHub repo; instead of getting any replies, talked to Stanley in person who convinced me when he said, "what are the cons?" and I said, "good question! I dunno." Hence, founded the straticjs GitHub org. From there, did a huge push towards a generator-stratic 1.0.0 release. It's very close - the core is done, but there are a lot of additional options that need to be added. I also can't release it before I fix up some TODOs currently in stratic-indexes-to-rss.

Additionally, took about a half hour break midday to give some ideas to Heather, who is teaching a workshop on Git tomorrow, and took another half-hour or so to watch non-technical lighning talks around 17:30(?).

Day 6

Arrived ~11:00; departed ~21:50; total time at RC 10h50m.

Spent a significant portion of the morning thinking about Zulip[1] design before and while filing this long bug proposing some improvements to the way unread counts and notifications work. Also reviewed a couple PRISM Break Pull Requests - I realize now I should've written about this on here (since it was extrmemely exciting to me!) but I'm now a comaintainer of PRISM Break. Thanks, @nylira!

Spent a little time polishing my security presentation for tomorrow. At first I spent a lot of time trying to find a style I liked on my own, but eventually I just threw in the towel and used bespoke-theme-cube which is what I had always previously used (since it's what generator-bespoke generates).

Finally, spent some time working on pump.io. Filed a couple bugs on future improvements, notably one proposing that we add code to automagically manage Let's Encrypt certificates, which I'm very excited about for several reasons. I also implemented HTTP Strict Transport Security which is a huge win for the network's security. The absence of HSTS was also the last remaining issue preventing me from gaining an A+ on SSL Labs for pump.strugee.net since I stopped using a reverse proxy setup, so that feels good.

Overall, I would say that this day was of average or slightly below average productivity. Also, while I got some useful stuff done, none of it was really related to RC (with the exception of the security presentation, thought that didn't take that much time).

[1]: for non-Recursers, Zulip is a really excellent realtime chat tool that RC uses for communication.

Day 7

Arrived ~12:20, departed ~22:30, total time at RC 10h10m.

Fixed a couple minor issues with my security presentation before deploying it to strugee.net in preparation for my presentation. The talk itself went really well; my audience seemed to follow most of what I was presenting and I got some really good questions. As I stated at the beginning of the presentation, security is a huge topic, so really I looked at the list of subtopics and basically just picked one that I thought was interesting. There's a huge amount that I didn't cover so (partly) prompted by Heather, I'm now planning on doing weekly security presentations. Next week's will be on web application security and is already on the RC calendar.

Presented Stratic during the weekly Thursday 5-minute presentations. I got up and said, "I'm super nervous about this talk because it's literally all live demos" and the audience laughed. And sure enough, I'd forgotten to add a dependency, so my gulp serve demonstration failed. That was okay though, because I still got to show the really interesting bits, which is the Unixy design in the gulpfile.

Finally, spent a lot of the evening with Heather working on this sickass "made at Recurse Center" GitHub README badge:

"made at Recurse Center" GitHub-style badge

Whoohoo! \o/

Friday

Arrived ~13:15, departed ~22:20, total time at RC 9h5m. As always, Friday doesn't count as a day because RC is technically not in session.

Had a very nice time walking to RC this morning which took about an hour because I kept stopping to take pictures - that felt really really good; it's been way too long since I've taken any and I missed it far more than I realized. Spent some time having a very nice discussion (both on Zulip and in real life) about different approaches to managing dotfiles in version control. Also spent some time discussing the design of git (particularly history rewriting, which I've previously written about) and resolved that something I should work on at RC is getting experience with Mercurial. In between both of those I spent some time looking into where to put the badge that Heather and I made. Seems like the answer is swag.recurse.com so I started looking at the project setup and plan to send some more PRs in the future.

Throughout the day I also reported a couple minor Zulip issues as well as two Firefox bugs, one of which got marked as a duplicate and one of which is still UNCONFIRMED.

Executive summary

Pretty productive week but could've been better. In particular I didn't do a good job of working on "RC projects" and instead spent too much time on existing personal projects, primarily Stratic and pump.io.

Total time at RC 53 hours 50 minutes; cumulative time 95 hours 50 minutes (first week estimated).


RSS and pagination on strugee.net

RSS and pagination are now enabled on strugee.net's blog, thanks to stratic-indexes-to-rss and stratic-paginate-indexes respectively.

The pagination code is already pretty solid although there's always room for improvement - thanks to Ajay Tungare for pairing with me at the Recurse Center and helping me catch the bug! However, I'm not particularly confident in the RSS code, since RSS is actually somewhat tricky to properly handle. Because of that, I would seriously appreciate it if people tried adding the RSS feeds to their readers and seeing if anything breaks. If so, let me know!

Cheers!


~