Java compile-time static analysis with Error Prone and NullAway

Static analysis is often used to identify problematic or dubious pieces of code early. This way we can avoid bugs and mistakes. In the Java ecosystem many already know the standard Java compiler warnings and errors, the feedback from your IDE, PMD, Checkstyle, SpotBugs (or its predecessor FindBugs), and the like. However, there are more solutions available, some of them lesser known, at least to me. With the introduction of Java’s compiler plug-in system, it has become possible to introduce additional checks at compile-time.


Java fuzzing with JQF + afl

Many applications require user input, or otherwise untrusted input, in order to do their work. One typically cannot assume that this input is always exactly according to the prescribed format and does not contain any invalid or illegal content. However, testing for every possible violation of the prescribed format is often not feasible. Fuzzing helps with this by automatically generating variations in input and offering them to the application for processing.


On Class Design

This article goes into the specifics of designing a class such that we can achieve reasonable simplicity, readability and maintainability. In addition, this mechanism achieves desirable properties by working in a minimalist way, and ensures a lean-and-mean implementation. Note that a lot of what is described here is trivial and should be considered known to all developers; however, in practice this isn’t the case. In many cases one cannot blame the individual for not knowing, because once you go down the wrong path you need to make compromise after compromise.


How to be efficient

This is a reflective article, in which I look back at the last years of open source development, done in my personal time, and professional engineering at work. I’m writing this given the assumption that the mind does not have a single “state of mind” that is suitable for all types of work, but rather has various possible states and not all types of work are suitable for all states.


On Error Handling

A living document on the fundamentals of case and error handling. A general programming language-agnostic guideline for application development of all sorts. The article attempts to establish first principles that can be applied in any context where defined trade-offs give you the necessary adaptability to make it suitable to any situation.

Note: In this document I use “case” and “error” interchangeably. Anything that’s not on the expected happy path is typically an alternative “case” and if this happens to be undesirable we call it an “error”.


Secure Boot Linux Shim (Mokmanager)

Previously, we’ve had a look at secure boot in Fedora 27 / 28. Now we will look at another part of Secure Boot in Linux. It is important to know about this aspect in order to have a complete picture of how Secure Boot functions in a typical Linux distribution, in part because a misconfigured shim may limit the security that Secure Boot is claimed to provide.

The Shim fixing a problem

The idea of Secure Boot is to have every step in the boot process verified before it is executed.


What is in spotbugs annotations?

NOTE: This article was originally written in August 2018. As it was never posted, I have now posted it unmodified with an updated publication date.

In my current project, I am working on extending otr4j with OTRv4 support. ‘otr’, off-the-record, is a communication protocol that allows a user to establish a secure communication channel over a plain (untrusted) chat network.

Reducing distractions, allowing for focus

As part of this work, I am looking into how we can relieve developers of the trivial kinds of inspections, mistakes, formatting issues, etc.


The local build configuration for otr4j

otr4j, the Java implementation of the Off-the-Record protocol (OTR), is a library for use by chat clients to include OTR protocol support. My recent effort has been focused on implementing OTRv4 (draft) in otr4j. This is a follow-up to previous efforts in refactoring otr4j. I have been able to benefit greatly from the design and code structure improvements. As otr4j is used by other software, it is important to provide a robust library with a good API.


Secure Boot in Fedora 27/28

In this article I’m going to describe the process of setting up a notebook as a secured UEFI Secure Boot system. This includes installing my own self-generated certificates, which replace the by-default installed certificates that come with the notebook. In this article we focus on replacing all keys. Therefore it works best with operating systems for which you are able to sign the boot binaries. The ideal case is an operating system for which you manage the boot binaries, such as the kernel, yourself.


Refactoring otr4j

A while back I published the Object Oriented Programming series articles. As a use case to support this series, I’ve looked into the code base of the Java implementation of otr (off-the-record), called otr4j, and used it for verifying and validating ideas described in this series. This article describes the findings while refactoring and eventually improving otr4j. The work discussed here can be found at https://github.com/cobratbq/otr4j. (Most recent commit at time of writing c607f0d50b6e791a23be30ca7f123504a5bd4cf2)

