• BinScope and MiniFuzz

    Following on from seeing Michael Howard at TechEd last week, here’s a couple of new tools to help with analysing your applications for security issues.

    BinScope is a verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations”

    MiniFuzz is a basic testing tool designed to help detect code flaws that may expose security vulnerabilities in file-handling code. This tool creates multiple random variations of file content and feeds it to the application to exercise the code in an attempt to expose unexpected and potentially insecure application behaviours”

  • Tech-Ed 2009 – Friday


    • Talking to Virtual PC Guy (Ben Armstrong) about his home HyperV machine that also runs Windows Home Server
    • Watch Pete Calvert compete in one of the crazy competitions in the Mobile Smackdown

    2008 R2 Virtualisation with Ben Armstrong

    • Live migration – 1-1.5 seconds
      • Copies config, then up to 5 passes copying memory, then finally state (CPU etc)
    • Cluster shared volumes – allows direct access to NTFS
    • Intel i7 – Hyperthreading is ok (not bad and may be good)
    • VMQ – networking optimisation (feature of NIC)
    • VM Memory Management
      • Uses shadow page tables to emulate page tables for each VM (avoids software emulation)
      • For i7, AMD gen3 Quad
      • Huge positive impact for 75
      • Solves performance issue with 3D video support
    • Deferred procedure calls (used by device drivers) now run on local core instead of core 0.
    • Power efficiency
      • Core parking (really processor parking)
    • Timer coalescing
      • align Windows timer ticks
      • Allows processor to deep sleep/save power
    • Native VHD
      • Don’t need to use passthru for performance anymore
    • VHD Boot
      • WIM2VHD (Codeplex)
      • Create VHD through Disk Management

    .NET 4 Parallel Extensions with Corneliu Tusnea

    • Need to watch out for locking
    • Parallel extensions now part of .NET Framework
    • Parallel.For/Parallel.ForEach
    • New concurrent collections
    • Automatically allocate work to to each core
    • Task, Task<>
    • PLinq
      • Need to partition data to cores
      • Depends on underlying type – eg. List or IEnumerable
      • AsParallel()
      • AsSequential() – to revert to single core
    • Debugging
      • Parallel tasks window

    Big Algorithms in F# with Joel Pobar

    • Functional Programming avoids state and mutable data
    • Increase modularity and composability
    • F# interactive
    • Search
    • Recommendation engine (Netflix)
      • Nearest Neighbour algorithm

    Mobile Smackdown

    This was bizarre and quite crazy in a mostly good way. Because I’d won a token from the WCF talk, I got get a front-row (well second to front) seat and got a pile of goodies on my seat.

    The basic rule of the smackdown was that anytime a demo failed assorted pieces of “swag” would be thrown into the audience.. Hence the audience were keen to see things fail!

    Quite a few new Windows Mobile phones, headsets, mice and other nice prizes were given way.

    I was also pleased to see that this year, no cat food was involved in any of the competitions (unlike the session from last year)

    Final thoughts

    So did I get my money’s worth? Yes, I think so. I felt I learned or was exposed to new things in almost every session I attended. It was also great to catch up with lots of friends and familiar faces.

    While the Gold Coast isn’t the most convenient venue to get to from Adelaide, I do think the convention centre does an excellent job looking after and catering for everyone. No complaints about the food!

    The HP Mini 2140 netbook is really nice. I think it was quite innovative to allow all delegates to be able to participate in the conference in an online fashion. Wireless network access at the convention centre worked pretty well considering how many concurrent users it had to cope with. Depending on which way the wind blew, I could sometime connect even when I returned to my motel room (which was just across the road). I’ve given my netbook to Narelle and I think she’s pretty impressed already.

    Maybe I missed them in the crowd, but I wonder if the days of UniSA sending >10 delegates are over as I didn’t bump into any old colleagues this year. It did feel different not having Gary, Dat, Mark around or bumping into familiar faces from IT.

    Finally I do especially appreciate the sacrifice my family made (both in my time away from home and financially) to allow me to attend.

  • Tech-Ed 2009 – Thursday

    I woke up Thursday morning feeling pretty good, until I sneezed.

    Unfortunately the sneeze triggered another back spasm, so by the time I got over to the conference centre, I was not feeling super-comfortable. I felt a little better as the day progressed but it meant I did end up having to stand for most of the sessions to avoid aggravating things even more.


    • Discovering Michael Howard also has a “Mr Happy” T-shirt – just like the one I was wearing during his session.
    • Mitch has great clip-art in his presentations
    • Winning a token to the Mobile Smackdown by answering a question in the WCF talk (don’t call WCF proxies in a ‘using’ block as the Close() method can raise exceptions)

    Software Development Pitfalls with Mitch Denny

    • Reality – software development is hard
    • 68% of projects still fail (2004)
    • Failure #1 - “Customers must understand all requirements”
    • Failure #2 - “Fixed price solutions”
    • Define the vision
    • Roles
    • SketchFlow
    • “It’s about value, not frameworks”
    • Minimise waste
    • Villan #1 – Scope Creep
    • Villan #2 – Big “A” architect (doesn’t have Visual Studio installed)
      • Planning Poker
      • Keep team stable
      • Pick team members for how they relate to the rest of the team
      • Resourcing not just about people
    • Villan #3 - “Pony-tail network admins”
      • Developers are different
      • Need a good PC
      • Developers’ Bill of Rights
      • Rent servers by the hour

    What’s new in .NET 4 and VS 2010 with Adam Cogan

    Visual Studio 2010

    • Add references improved performance (kind of)
    • Multi-line editing
    • Code navigation
    • Call hierarchy
    • SharePoint support


    • Optional parameters
    • Named parameters


    • Less requirements for line continuation character “_”


    • SEO (Routing), RedirectPermanent
    • Live data-binding – two-way binding
    • MVC
    • Query extensions
    • Deployment

    SDL with Michael Howard

    SDL Goals:

    • Reduce vulnerabilities
    • Reduce severity of missed vulnerabilities

    • Identify primary security/privacy contact
    • Security training
    • Track security bugs
    1. Strong signing and ACPTA
    2. Secure Crypto
      1. configurable algorithms (use a factory class)
      2. Use standard libraries
      3. Use appropriate algorithms
    3. Firewall
    4. Threat models
    5. Support UAC
    6. Granular feature control
    7. Grant minimal privileges (drop privileges on service startup)
    8. Use minimum code gen suite (eg. latest compiler)
    9. Use /GS
    10. Use Safe Exception Handling
    11. MIDL
    12. Use ASLR
    13. Use DEP
    14. Defect heap corruption
    15. No writable PE segments
    16. Don’t use banned APIs
    17. Encode long-lived pointers
    18. Use FxCop
    19. Use /analyze
    20. Use SAL
    21. Use /W4
    22. Native code XML Parsers
    23. XSS
    24. Safe tags without attributes
    25. Use ViewStateUserKey
    26. Don’t use JavaScript eval()
    27. Safe redirects
    28. SQL execute only
    29. Use parameterised queries
    30. Use stored procedures
    31. Don’t depend on NTLM
    32. Don’t swallow all exceptions (rethrowing is ok though)
    33. Safe error messages
    34. Fuzz testing
    35. Application Verifier
    36. Device drivers

    Security for Developers with Michael Howard

    • How do I sell security to management?
      • Sell privacy and reliability
    • #1 skill developer should have
      • All data is evil unless proven otherwise
    • #1 skill testers should have
      • fuzz testing
      • !exploitable (WinDBG)
    • #1 skill designers/architects should have
      • threat modelling
    • What does the bad guy control?
    • The Turkish “I” problem
    • Why should I not use RC4
    • Don’t use ECB mode

    WCF Scaling with Chris Hewitt

    • Instance management (PerCall)
    • Service throttling 3.5/4.0
    • Threading IIS6/7
    • Cache the channel factory and channel
    • Proxies can explode
      • Use proxy wrapper
    • Don’t really need wrapper for basicHttp binding as there are no sessions
    • Large data – stream mode
    • Binary encoding – even over HTTP
    • PerSession with durable services
    • SSL load balancing behaviour
    • “Dublin” – WAS extensions

    Thursday night a whole stack of coaches drove all 2,500 delegates to Dreamworld. I’m not big on rides, but it was nice to have a look around, grab some tea, and catch up with Nigel, then bump into Jason and a couple of the guys from GraysOnline (Australia’s biggest online retailer, which I’d never heard of until a few months ago).