Profile

Cover photo
Elliott Hughes
Works at Google
Lives in California, USA
338 followers|102,830 views
AboutPostsPhotosVideos

Stream

Elliott Hughes

Shared publicly  - 
 
I've definitely assumed there are no security implications to wild memcpys before because "obviously" they'll hit an unmapped or protected page.

http://googleprojectzero.blogspot.com/2015/03/taming-wild-copy-parallel-thread.html

In their exploit, rewriting the munmap(2) relocation to point to system(3) is a handy shortcut, but useless on Android since Jelly Bean --- RELRO (Read-Only RELocations) prevent that kind of thing. (The platform is built with full RELRO, and if you have native code in your apps, you should build with it too.)
Posted by Chris Evans, Winner of the occasional race Back in 2002, a very interesting vulnerability was found and fixed in the Apache web server. Relating to a bug in chunked encoding handing, the vulnerability caused a me...
6
Nick Kralevich's profile photo
 
If you're using the NDK to compile, you get full RELRO support by default (https://android.googlesource.com/platform/ndk/+/f74c373729bcd1519debe03cda90ef3fd3366848)
Add a comment...

Elliott Hughes

Shared publicly  - 
 
I thought https://blog.whitehatsec.com/north-koreas-naenara-web-browser-its-weirder-than-we-thought/ was mildly interesting, but "it’s in UTF-8 charcode, and not something that you might expect like BIG5 or ISO-2022-KR or SHIFT_JIS or something" was a weird thing to say. Big5 is for Traditional Chinese and Shift_JIS for Japanese. They can't even encode Korean, as you can see from a quick test:

$ cat y.java
import java.nio.charset.*;
public class y {
 public static void main(String[] args) throws Exception {
  System.err.println(Charset.forName("Big5").newEncoder().canEncode("잘 먹었어요"));
  System.err.println(Charset.forName("Shift_JIS").newEncoder().canEncode("잘 먹었어요"));
  System.err.println(Charset.forName("UTF-8").newEncoder().canEncode("잘 먹었어요"));
 }
}
$ javac y.java && java y
false
false
true
$
Naenara is a North Korean web browser built into Red Star OS. This is a review of Naenara which is build on Firefox.
3
Add a comment...

Elliott Hughes

Shared publicly  - 
 
This made me laugh out loud: "However, with the Nexus 5 on Android’s developer preview, we saw anywhere between 2-10x improvement to Androbench’s storage performance results with no real basis in reality. It seems that this is because the way that the benchmark was written relied upon another function for timing, which has changed with Android 5.0."

The only function I can think that this might be is clock (http://pubs.opengroup.org/onlinepubs/9699919799/functions/clock.html) which we fixed in L to actually return CPU time rather than elapsed time.

So this benchmark, a piece of code whose sole function is to measure time, was written by people who didn't know how to measure time?

Why am I not surprised?

http://www.anandtech.com/show/8725/encryption-and-storage-performance-in-android-50-lollipop
16
1
Björn Lundén (blunden)'s profile photo
Add a comment...

Elliott Hughes

Shared publicly  - 
 
The slides from my short talk about bionic (Android's C library) at the Linux Plumbers Conference 2014 in Duesseldorf:

http://www.linuxplumbersconf.org/2014/ocw//system/presentations/2337/original/06%20-%20bionic%20(Linux%20Plumbers%202014).pdf

Sadly they probably don't make much sense without me jabbering away in front of them.

Given that people still seem to be surprised to hear that anyone's working on Android's C library at all, if I'd seen it in time I'd have included the graph of commits against time from the top of this page:

https://github.com/android/platform_bionic/graphs/contributors

Despite years lying fallow, it's been actively worked on again for the last couple of years. And since development's done in AOSP, you can easily follow along.
4
Dragoș Sbîrlea's profile photoElliott Hughes's profile photo
2 comments
Add a comment...

Elliott Hughes

Shared publicly  - 
 
Four time zones in the US? If only life were that simple!

t520:~$ grep ^US /usr/share/zoneinfo/zone.tab  | wc -l
29

One common confusion (and probably the author's mistake) is the difference between an offset from UTC and a time zone. The latter includes whether or not DST is used, what the relative DST offset is (it's not always an hour), and when the changes occur. If you live in Britain, you probably aren't old enough to remember the last time the rules changed; in the US there was some congressional silliness a few years ago; in most of the middle east the decision isn't even made ahead of time --- it's decided again every year, usually the same week the change will occur, and often the same day!

If you're interested in time zones, Dalvik Explorer (https://play.google.com/store/apps/details?id=org.jessies.dalvikexplorer&hl=en) on Android lets you poke about. Or you can grep and zdump in /usr/share/zoneinfo on any convenient Unix box.

http://qz.com/142199/the-us-needs-to-retire-daylight-savings-and-just-have-two-time-zones-one-hour-apart/
This item has been corrected.  Daylight saving time in the US ends Nov. 3, part of the an annual ritual where Americans (who don't live in Arizona or Hawaii) and residents of 78 other countries including Canada (but not Saskatchewan), most of Europe, Australia and New Zealand turn their clocks back one hour. It's a...
1
1
Chris Reece's profile photoIlya Konstantinov's profile photo
 
Down from "more than 300" though, right?  I'll be honest with you, I used to think DST was a pain in the ass, and then I had kids.  I'm all for scrapping it.
Add a comment...
 
Except English, apparently.

(Why aren't all ads containing "(bizarre|strange|weird) (tip|trick)" just automatically flagged as spam?)
4
Chris Reece's profile photoElliott Hughes's profile photo
2 comments
 
One weird coincidence you won't believe is real: http://xkcd.com/1283/
Add a comment...
Have him in circles
338 people
Nikunj Sakhrelia's profile photo
Phil Wu's profile photo
Michael Wright's profile photo
Michael Giacomelli's profile photo
Taichi Nishimura's profile photo
Mariano Mejia's profile photo
Nevin Chen's profile photo
Arthur Clune's profile photo
Sylvain Galand's profile photo

Elliott Hughes

Shared publicly  - 
The New Horizons spacecraft sent by NASA to study Pluto uses a MIPS-based Mongoose-V chip clocked at a whopping 12 MHz.
1
Add a comment...

Elliott Hughes

Shared publicly  - 
 
China: "No matter how the US society looks at North Korea and Kim Jong Un, Kim is still the leader of the country. The vicious mocking of Kim is only a result of senseless cultural arrogance."

Yeah, there's absolutely nothing wrong. http://www.hrw.org/world-report/2014/country-chapters/north-korea

I guess there's also nothing wrong with Russia, Syria, Iran, Egypt, and -- what's that other repressive regime? -- oh, yeah... China.

(It would be less disgusting if North Korea wasn't also largely China's fault.)
There has been no discernible improvement in human rights in the Democratic People’s Republic of Korea (DPRK or North Korea) since Kim Jong-Un assumed power after his father’s death in 2011. The government continues to impose totalitarian rule. In response to the systematic denial of basic freedoms in the country, the United Nations Human Rights Council unanimously established a commission of inquiry in April 2013 to investigate whether such abus...
2

Elliott Hughes

Shared publicly  - 
 
Despite what the article says, this makes no sense. No software engineer who knows what they're doing actually believes benchmarks make code better. They don't even necessarily help make the real-world cases users actually care about faster, and for decades they've provided a strong incentive to ship worse code.

I'd love to see UL actually improve the world of benchmarking so that it isn't actively in opposition to software quality, but philosophically I don't believe it's even possible. For any benchmark you come up with, an engineer can come up with a change to make them look better on your benchmark, and market pressure will encourage them to do so. The problem is that everyone makes all the safe correct changes very early on, but the benchmark doesn't get retired at that point. It lives on, and engineers start looking for the unsafe incorrect changes that make them look better than the competition.

In the meantime... who's testing your math library and ensuring it gives correct results?

http://www.anandtech.com/show/8699/ul-acquires-futuremark-expanding-into-benchmarking-services
5
1
Eric Wedel's profile photoJesse Wilson's profile photo
 
Good to know the bits will be safe from electrocution..
. . now with that out of my system, agree this isn't an immediately obvious move.  Though as the complexity of safety-critical systems increases and CPUs make further inroads into realms like [semi-] autonomous vehicle systems, some type of sanity check seems a very good idea. Presumably, DOT and its non-US counterparts do things like this. But perhaps UL are banking on being able to bring a deeper expertise: your math library example is a good one. But, yes, seemingly far removed from conventional benchmarks.
Add a comment...

Elliott Hughes

Shared publicly  - 
 
Android: Getting better results from perf(1) on devices with Qualcomm processors.

A fairly frequently asked question is: "why do my perf results look wrong?". It turns out that Qualcomm's mpdecision daemon and perf don't get on well. Supposedly mpdecision fools perf into ignoring cores. You'll often get results that look superficially plausible (because you did get the kernel perf events from cores that were on before you started) but are quite wrong (because you won't get perf events from any cores that came online while you were recording).

The workaround is to "adb shell stop mpdecision" before using perf on a device with a Qualcomm processor.
6
Add a comment...

Elliott Hughes

Shared publicly  - 
 #VM
 
Time to test that your Android apps work with the new VM. It's the only VM in L, so it's the only VM for 64-bit.

https://developer.android.com/guide/practices/verifying-apps-art.html
5
7
Alan Viverette's profile photoEric Hung's profile photo
Add a comment...

Elliott Hughes

Shared publicly  - 
 
Just watching this makes my knees hurt.

I wasn't going to bother with the next generation of consoles, but a Mirror's Edge sequel that could make me involuntary go "ungh" and make me feel like I'm actually falling as convincingly as this video... I'd probably buy a console just to play that.

Mirror's Edge Parkour POV
4
3
Mike Kouvaris's profile photoEduardo Ramalho's profile photo
Add a comment...
People
Have him in circles
338 people
Nikunj Sakhrelia's profile photo
Phil Wu's profile photo
Michael Wright's profile photo
Michael Giacomelli's profile photo
Taichi Nishimura's profile photo
Mariano Mejia's profile photo
Nevin Chen's profile photo
Arthur Clune's profile photo
Sylvain Galand's profile photo
Places
Map of the places this user has livedMap of the places this user has livedMap of the places this user has lived
Currently
California, USA
Previously
England - Switzerland - Germany
Work
Occupation
Software Engineer
Employment
  • Google
    Software Engineer, present
  • BlueArc
  • GeneData
Basic Information
Gender
Male
Relationship
Married