Solutions to SOA Security

IT/Architecture 2008/08/03 01:24

This article picks up where Security in a Loosley Coupled SOA Environment left off but it can also stand on its own.

Now that we've been "slapped in the face" by security concerns in the SOA in the last article, and said "Thanks, I needed that!" it's time to look at some possible solutions to these challenges. The short answer for SOA security problems is that you need to buy or develop a security solution for your SOA. The long answer, which follows, is quite subjective and complex. The goods news, however, is that most major security issues in the SOA can be resolved by a correctly designed SOA security solution. The solution itself may consist of a number of sub-solutions, each dealing with a certain aspect of SOA security. Depending on your needs, and the existing security infrastructure, you will probably require a specific set of solutions that might differ from those of another entity.

Let me repeat my earlier disclaimer: It is my goal here to give you a way to evaluate how security may affect your SOA planning. I am a vendor of SOA security products. And yes, you may detect some bias on my part for one solution approach over another. At the same time, you should be aware that I compete with many other companies that also approach SOA security in the same manner as I do. In effect, the market has validated some approaches to SOA security more than others.

SOAP message monitoring

SOAP message monitoring based on SOAP interception is one way to build the foundation of an effective SOA security solution. SOAP interception involves placing a special



Click here for a larger image.

Figure 7 A SOAP interceptor monitoring SOAP messages serves as a foundation for security in this SOA. The SOAP interceptor analyzes the user identities contained in the headers of the SOAP messages it monitors and compares them with those names stored in the existing security infrastructure. The result is authentication and authorization of SOAP message senders and receivers.

piece of software called a "SOAP interceptor" in the path of the SOAP messages that travel back and forth between a web services consumer and a web service. Because of their ability to digest, monitor, copy, and forward the data-rich SOAP messages, SOAP interceptors figure very prominently into SOA security. As shown in figure 7, an SOA security solution "watches" the SOAP invocation messages approaching the web service as well as the responses to those service calls. When it "sees" a message, the SOA security solution checks to make sure that the requesting entity is authenticated and authorized to use the web service. The SOA security solution accomplishes this by checking the user data contained in the SOAP message header.

In most cases your SOA security solution will be augmenting an existing security solution that you deployed to secure your entire enterprise before beginning transitioning to an SOA. In all likelihood, as a result, your SOA security solution will have to connect to and communicate with the existing security infrastructure. As shown in figure 7, the authentication and authorization of users on the SOA occurs when their credentials are checked with the enterprise's database of authorized users. Authentication and authorization are achieved by intercepting the SOAP messages and comparing the users listed in the message header with those users stored in the existing security infrastructure.

SAML and federated authentication

What happens when you need to authenticate and authorize SOA users who come from outside your enterprise? The openness of the SOA makes this scenario more likely than it has been in the past. You may be faced with the challenge of figuring out who is who, amid a group of users for whom you have no record in your existing security infrastructure. To deal with the security challenges inherent in securing third parties, an SOA security solution can utilize federated authentication. Federated authentication is a process by which multiple parties agree that a designated set of users can be authenticated by a given set of criteria. Users of the federated authentication approach can create a Federated Identity Management System, which is a sort of pool, of authenticated users. The SOA security solution can authenticate a user by checking with the Federated Identity Management System. In other words, a "federation" of systems, communicating with one another, can agree that certain individuals are okay.

In some cases, the authentication process will result in the SOA security solution creating a Security Assertion Markup Language (SAML) assertion that expresses the authenticity of the user in a way that will be accepted by the web service that the user is invoking. SAML is an XML-based standard that provides a framework for describing security information about a user in a standardized way. WS-Security is the name given to the set of security standards that have been ratified to date. Many SOA security solutions take advantage of these emerging security standards. As shown in figure 8, the SOA security solution can intercept the SOAP message, and then route it through an authentication process wherein the user is authenticated. Then, the SOA security solution passes the SOAP message along to the destination web services, but with a SAML assertion tacked on. Note: SAML assertions do not rely on federated authentication processes.

Figure 8 To use federated authentication in SOA security, the SOAP interceptor must forward an incoming SOAP message to a security solution that checks the identity of the user contained in the SOAP message header with the users listed in the federated authentication database. Once approved, the SOA security solution creates a security "assertion" that the user has been authenticated in a Security Assertion Markup Language document that is appended to the SOAP message as it travels to the web service it was intended to invoke.

Application proxy

One highly effective way to protect the security of core systems is to avoid letting anyone reach the service hosting platform. This can be done by deploying a proxy for the web services within your SOA. As shown in figure 9, a secured proxy can receive and respond to all web service requests on behalf of the actual web services, and is therefore protected from malicious intent. An added advantage of the proxy approach is its ability to reduce the load on the enterprise's security infrastructure. Instead of generating a lot of message traffic across the network to authenticate and authorize each user every time it wants to invoke a web service, the proxy reduces the traffic by centrally managing and caching the authentication and authorization of web service requests. The proxy also inserts the authentication and authorization SAML assertions into the message, thereby eliminating the need for the actual web service instance to query the security system directly.

Contract management

We'll spend a lot more time on this subject in the next chapter, but contract management, which is primarily an SOA management issue, also plays a significant role in SOA security. A contract is a set of rules that governs the use of a web service. For instance, a contract might stipulate that a particular user has the right to invoke a specific web service ten times per day. And, upon invocation, the service level must meet certain parameters, such as a one-second response time.

In security, contracts are helpful in determining whether the SOA is functioning properly or whether it is being misused due to a security breach. As shown in figure 10, the SOAP interceptor sends the web service request and response data to the SOA security solution, which then calculates whether the contract has been met or broken. If a security problem, such as a DoS attack, has slowed a web service to the point where it is not meeting its contractually agreed-upon service levels, the SOA security solution can alert management that there is a possible problem. Of course, a severe enough attack could bring the whole network to a halt, but the

Figure 9 The web service proxy helps secure an SOA by handling the SOAP message traffic, reducing the load on the enterprise's security infrastructure and protecting the web service from malicious use.

Figure 10 The SOA security solution monitors service levels and sends an alert when a security problem has caused a web service to miss its contractually set service level.

security solution would at least have the capability of issuing a notification that something is wrong.


Certificates, keys, and encryption

Over the years, the IT world has embraced a number of message-level security techniques involving cryptography. Now, you can apply these same techniques to your SOA. These processes, involving digital signatures, certificates, keys, and encryption, can play a role in securing your SOA. A quick disclaimer here: One could easily write a book or even several books about each of these four security techniques. Please look at this section as a brief overview of encryption-based security as it relates to the SOA.

If you want your SOA to have robust security, where you are confident that the users of your web service are properly authenticated and that the information flowing back and forth between web service and their invoking applications is not read by unauthorized people, then you will almost certainly need to apply the powerful tool of public/private key encryption to your SOA security solution. A key is a large number (humongous, really-hundreds of digits) that has certain special mathematical properties. Though they come in different shapes and sizes, the essential property of a key is that it can be uniquely connected with another key. That is, when one key meets its unique counterpart, they both say, "Oh, it's you, my unique counterpart… and no one else."

The unique key pairs serve two basic functions:

  • Because they are unique, they are a very powerful authentication tool.
  • Because of their mathematical properties, they can be used to create unique,
impenetrably encrypted messages that can only be "read" by a user who has both of the unique, matching keys in the pair.

Here's how it works when two users want to exchange encrypted information: User A creates a unique pair of keys. He then keeps one hidden within his own system (the "private key") but posts the other key (the "public key") at a location on the network where User B can access it. User B then takes the public key and uses it to encrypt the information he wants to send to User A. How this is actually done involves so much math that I get a headache just thinking about it, but basically the public key and message data are run through an encryption algorithm that produces an encrypted file that is impossible to open without the private key. User B then sends his encrypted message to User A, who uses the private key he hid at the beginning of the process to "unlock" the encrypted data. The bottom line is that User A is the only person in the world who can unlock the encrypted data because he has the unique matching key to User B's public key.

Now, if you're paranoid like I am, you might be thinking, great, but how does User A know that User B is actually User B? What if someone hacked into the system and found the public key that User B was meant to use? To answer this valid question, a number of entities have come into existence that assure the authenticity of specific users and grant them digital certificates that attest to their authenticity. These entities are known as certificate authorities (CAs). A well-known example of a CA is VeriSign, which issues certificates for use in e-commerce transactions.

Thus, an SOA security solution that uses keys, encryption, and certificates to enforce privacy and authentication might resemble the one in figure 11. In our manufacturer example, the vendor system wants to send a SOAP message to the manufacturer's web service. To make this possible, the manufacturer has to first send a public key to a CA. The vendor system then requests a certificate from a CA. The certificate that the vendor receives contains the public key that matches the private key residing on the manufacturer's system. The vendor then uses the certificate's public key to encrypt its message and transmits it to the manufacturer. However, as in the previous examples, the SOA security solution intercepts the message and checks the validity of the certificate with the CA. This serves to authenticate the vendor's identity. Only after this authentication has been completed does the encrypted SOAP message travel to the manufacturer. Once there, the manufacturer uses its private key to decrypt the message and process it.

If you think this sounds like a lot of work just to send a message, you're right. Security in the SOA, as in other areas of IT, creates a lot of "overhead." Each message has to travel to several places before it reaches its destination. Certificate files can be large and taxing to network infrastructure, and the whole process tends to slow down performance. Still, it is an unfortunate necessity.

XML encryption

To preserve the openness of your SOA while instituting tight message-level security standards, you will probably want to use XML for your encryption. When the SOA security solution uses a key to encrypt a message, it transforms the message into a

Figure 11 The step-by-step process of using public/private key encryption and certificates in a secure SOA

piece of XML that is encrypted. The message is in XML format, but the content is not apparent because it is hidden through the use of an encryption algorithm. The benefit is that the system that receives the message can accept it, decrypt it, and process it as XML without relying on custom or proprietary messaging standards. You get security, but your system remains based on open standards.

Digital signatures

Digital signatures, another form of message-level security, are a variation on the certificate, key, and encryption approach to security. A digital signature is a mathematical statement of authenticity that you attach to a SOAP message. Based on keys, the digital signature is a number (again, a very large number) that uniquely captures your identity and the content of your message, by running the two sets of data (the key and the message) through a special algorithm. So, to take a simplified example, if your message is "hello" and your key is 12345, the algorithm will process those two inputs-the digital value of the world "hello" and the key number 12345-and produce a third number, which is your unique digital signature. When the receiving system gets the message and attached digital signature, it can use the key to verify that

  • You are the true author of the message (authentication).
  • The SOAP message has not been altered in transit.

If it had been altered, then the unique signature number would no longer match the key and the original message used to create the key. The difference between digital signatures and the complete encryption process described earlier is that in the digital signature case, you do not have to encrypt the entire message. As a result, the performance of the system improves. As long as you don't mind if someone can see your message in plain text, then the performance considerations of digital signatures provide a high degree of security and integrity of data in your SOA.

Signatures can be a component of nonrepudiation, an important aspect of security that needs to be addressed in an SOA context. Nonrepudiation refers to an organization's ability to authenticate that a particular transaction occurred, and thus deny the sender the opportunity to repudiate (a fancy word for "deny") that the transaction went through. For example, if you placed an electronic order for merchandise, and that order was not authenticated in some way, such as with a digital signature, then it might be possible to repudiate the order. If the merchant's system provides for nonrepudiation, then the merchant can affirm that the order was indeed placed.

Replay attack protection and auditing

Finally, your SOA security solution should provide a facility for tracking SOAP requests in order to limit the potential for damage in DoS attacks. Usually, a tracking feature will monitor the sender of the SOAP message and the time that it originated. In some cases, the SOA security solution will "stamp" the SOAP message with a unique identifying number. If the solution is set to block duplicate messages, it then becomes impossible for the same message to be sent twice. Eliminating this potentiality helps reduce the change that hackers could flood the SOA with duplicate requests-a favored technique used in DoS attacks.

Auditing is a further use of SOAP message tracking capabilities. If the SOA security solution is configured to track messages, then it should be able to generate usage logs and audit reports for SOA message traffic during specific periods of time. The audit has many uses, but in security it serves as an important record of what has happened that can be used to investigate security problems and diagnose potential security weaknesses. This type of log has become essential to achieve regulatory goals such as Sarbanes-Oxley compliance.

The Savvy Manager Cautions: Don't Let Security Paralyze You

SOA security is a massive subject. I could write a whole book on it. In fact, that's not a bad idea... My intent in this chapter is to give you an overview that provides a basic toolset for evaluating information presented to you on the subject. If you are a business executive, my suggestion is to avoid becoming overwhelmed by security issues. It is easy to become paralyzed by security-security people can also do it to you-and balk at doing virtually anything for fear of security concerns. Indeed, I could probably take a proposed IT solution you are contemplating and walk you through enough security nightmares around it to scare you away from it.

Instead, I recommend that you seek high-quality counsel on security and explore what your enterprise already has in effect. Chances are, your company probably already has a pretty robust security system (or systems). The challenge with SOA is to figure out how to extend those existing security measures to the web services that comprise your SOA. Many SOA security solutions are designed to interconnect effectively with existing security functionality. At that point, the security risks might begin to look a bit more manageable and you can proceed with your plans.

Summary

Security is a pressing issue in SOAs because the SOA stresses machine-to-machine interaction, while most IT security is based on human-to-machine interaction. Authentication and authorization become more challenging in this environment. It is virtually impossible to block unauthorized use of web services in an unsecured SOA; it is quite simple for an unauthorized user to access web services. Web services have no innate ability to track who is using them or who is permitted to use them. And you cannot stop unwanted listening in and message interception. The unsecured SOA presents hackers with the ability to eavesdrop on SOAP message traffic and see information that may be private. In addition, it is relatively easy to intercept a SOAP message in an unsecured SOA and reroute it or transform its content for purposes of mischief or fraud.

You cannot secure unknown third parties in an SOA because of the architecture's open nature. It is possible for secondary or tertiary users-the partners of your partners, for example-to access an unsecured SOA. As a result, the unsecured SOA is vulnerable to overload. With no access controls, an unsecured SOA is open to being "flooded" with excessive SOAP message traffic from hackers. The result can be a DoS attack that harms the ability of your systems to function. Finally, you have no transaction logging. The unsecured SOA cannot keep track of its users or its messages. Thus, there is no auditable record of usage that can be used to investigate security problems or diagnose security weaknesses.

There are both prepackaged and custom solutions to SOA security that can potentially address all of these issues. As you examine your SOA security needs, consider implementing an SOA security solution that enables SOAP message monitoring; federated authentication; application proxy; contract management; certificates, keys, and encryption; and audit logging. It seems like a long list, but the truth is without any one of these in place, all the benefits from your SOA will evaporate.

SOAP message monitoring utilizes a SOAP interceptor model to intercept and monitor SOAP messages as they travel from invoking systems to web services. SOAP message monitoring is the foundation of SOA security because it gives your security solution the ability to stop and examine each message for user authentication and authorization. To secure third parties, your security solution can take advantage of federated authentication. You should offer the ability to authenticate users on the system through a federated authentication process. The end result is an SAML assertion that provides credible authentication of the user to the web service.

A web service application proxy aids security by receiving and processing SOAP requests in place of the actual web service. It can keep all users away from the actual service. Along with moderating the load on the network, the proxy provides an additional layer of security to the SOA.

Contract management is an SOA management feature that also contributes to security. Contracts establish who has the right to use a web service and when they can use it. By eliminating usage by noncontracted parties, the contract adds security to the SOA.

Certificates, keys, and encryption are also essential for a truly secure SOA. The most robust SOA security results from the implementation of encrypted messaging authenticated by private key/public key pairs from a certificate authority. XML encryption allows a web service user to send an encrypted SOAP message that retains its XML formatting. As a result, the system is secure but remains standards based. Digital signatures, a variant of the encryption model, offer the web service user the ability to create a unique, authenticated digital "signature" that serves the dual purpose of verifying the identity of the user as well as assuring the integrity of the message data.

Finally, in order to track the use of an SOA, it is necessary to employ an SOA security solution that maintains an ongoing audit log of all SOAP message requests and responses. The audit log is necessary for investigating security problems, diagnosing security weaknesses in the SOA, and achieving government regulatory compliance.

About the Authors

Eric Pulier is a pioneer in the software and digital interactive industries. A frequent public speaker at technology conferences around the world, Eric has helped establish cutting-edge technology companies in media management, professional services, voice systems, and peer-to-peer networking.

Hugh Taylor is an SOA marketing executive who writes, teaches, and promotes the business value of SOA and web services to major companies. The authors live in Los Angeles, California.


---------------------------------------------------


OWASP 프로젝트 사이트에서 어슬렁거리다가 동물적인 직감(?)으로 엄청난걸 발견했다.

아직 국내에 완벽하게 상륙하지 않은 서비스 지향 아키텍쳐(Service Oriented Architecture)

SOA의 Security에 대해서 언급하고 있는 페이퍼다.

아직 뉴비 아키텍트에 해당하는 나로서는(ㅠㅜ) 문제의 본질부터가 파악이 안되지만,

앞으로 스터디할때 유용하게 쓸 수 있을것 같다.


뛰는놈 위에 나는놈 있다더니..

IT의 기술변화는 정말 엄청난 속도를 다투는것 같다.
Trackback 0 : Comment 0

네이버 블로그에서 MIME 'octet-stream' 에러 해결법

IT/OSX Survival 2008/08/03 00:18
엄밀히 말해서 브라우저의 문제만은 아니다.
윈도우 미디어 플레이가 불가능한 QuickTime이 첫번째 문제이고,
다른 하나는 네이버 웹개발자들이 미디어에 MIME을 걸어주는데
무조건적으로 'octet-stream'으로 걸어주어 문제가 발생된다고 한다.
따라서 윈도우 미디어를 플레이 가능하게 해주고 MIME에 관련된 값을 설정해주기만 하면 된다.

Step 1, 
OSX에는 기본 플레이어가 QuickTime이기 때문에 이와 관련된 윈도우 미디어 플러그인을 설치해야 한다.
마이크로소프트 홈페이지에 가면 Flip4Mac이라는 QuickTime 플러그인을 받을 수 있다.
이 플러그인은 윈도우 미디어들을 QuickTime에서 재생시키는데 한몫한다.

Step 2,
이제 MIME 값을 설정해줘야 한다.
'QuickTime Player - QuickTime 환경설정 - 고급 - MIME 설정값 - Video'
위를 따라가 가보면 'Window Media'에 체크가 헤제되어있는 것을 확인할수 있다.
아래처럼 체크해주고 '승인'을 누른다.
사용자 삽입 이미지


Step 3,
이제 네이버 블로그에 가보면 정상적으로 플레이가 될 것이다.
Safari에서 테스트해봤고 FF나 Opera에서는 테스트해보지 않았다.
Trackback 0 : Comment 0

Wonderful Days - 원더풀 데이즈

Sentimental Pages/Movie 2008/07/26 00:40
사용자 삽입 이미지


디스토피아를 소재로 다룬 영화들을 갠적으루 상당히 좋아한다.
이 영화는 나온지 오래된 에니메이션인데,
솔까말 한국 에니들의 한계점에 실망할까 두려워서 미루고 미루다 결국엔 오늘 보고야 말았다.

사실 스토리의 취약성을 비롯한 꼬집어야 할 군살들이 엄연히 존재하는건 사실이나
동시공학적으로 따져볼때,
엄청나게 진보된 그래픽기술과 영화가 끝날때까지 나를 부여잡은 엔딩송,
영상 중간중간에 나오는 건축물들과 미술품들이 한국 고유의 것에서 비롯되었다는 사소한 사실,
더불어 잔잔한 영상미까지.. 참신한 생각과 진보된 기술력에 감탄하지 않을 수 없었다.

뭐 개인적으로 추천하는 작품은 아니지만,
앞으로 자주 이런 도전적인 작품들이 많이많이 나와서
극장에서 한국의 에니메이션을 감상할 수 있었으면 한다.
tags : Wonderful Days
Trackback 0 : Comment 0

[Updating] OSX 기본 팁

IT/OSX Survival 2008/07/23 04:15
SHIFT + SPACE로 한영키 전환하기(plist editor 필요!)
수정할 화일 : ~/Library/Preferences/com.apple.symbolichotkeys.plist
수정할 항목 : Root/AppleSymbolicHotkeys/60/value/parameters/2
입력숫자 : 131072

MPlayer 한글 자막 보기
Preference -> General로 가서 Default Encoding을 CP949로 변경한다.

iTunes에서 불필요한 음악폴더 생성방지
환경설정 -> 고급 -> iTunes Music 폴더 구성 유지(체크해제)
환경설정 -> 고급 -> 보관함에 추가시 iTunes Music 폴더에 파일 복사(체크해제)

Trackback 0 : Comment 0

Lara Fabian - Je Suis Malade

Sentimental Pages/Music 2008/07/22 23:20

Lara Fabian - Je Suis Malade
(저는 마음이 아파요 )
 
Je ne rêve plus je ne fume plus
Je n"ai même plus d"histoire
Je suis sale sans toi je suis laid sans toi
Comme une orpheline dans un dortoir
이젠 꿈도 없어요 담배도 못피겠어요.
인생 마저도 사라졌어요.
당신 없이는 초라하고 볼품도 없어요.
마치 고아원의 아이처럼..
 
Je n"ai plus envie de vivre ma vie
Ma vie cesse quand tu pars
Je n"ai plus de vie et même mon lit
Se transforme en quai de gare
Quand tu t"en vas
살고싶지도 않아요.
내 생은 당신이 떠나면서 끝나버렸어요.
이젠 더 이상의 삶도 없어요.
같은 침대인데 당신이 가버리자
이별의 역이 되어버렸어요.
 
Je suis malade complètement malade
Comme quand ma mère sortait le soir
Et qu"elle me laissait seul avec mon désespoir
제 정신이 아니에요 정말 제 정신이 아니에요.
어릴 적 엄마가 매일 저녁 나갈 때처럼
나 홀로 실망 속에 남겨두었을 때처럼..
 
Je suis malade parfaitement malade
T"arrives on ne sait jamais quand
Tu repars on ne sait jamais où
Et ça va faire bientôt deux ans que tu t"en fous
제 정신이 아니에요.. 정말 제 정신이 아니에요.
모르게 왔다가 모르게 가버리는 당신
이년 동안의 세월이 그렇게 아무것도 아니었나요.
 
Comme à un rocher comme à un péché
Je suis accroché à toi
Je suis fatigué je suis épuisé
De faire semblant d"être heureux quand ils sont là
Je bois toutes les nuits mais tous les whiskies
Pour moi ont le même goût
Et tous les bateaux portent ton drapeau
Je ne sais plus où aller tu es partout
바위처럼 형벌처럼 당신에게 걸려버린 나는..
다른 이들 앞에서 행복한 척 하는 것도
피곤해요 지쳐버렸어요.
매일 밤 취하도록 위스키를 마셔보지만
항상 똑같을 뿐..
항해를 할 모든 배들은 당신이란 깃발만
달고 있고 여기저기 당신의 모습 뿐인데
난 어디로 가야 할지 모르겠어요.
 
Je suis malade complètement malade
Je verse mon sang dans ton corps
Et je suis comme un oiseau mort quand toi tu dors
제 정신이 아니에요.. 정말 제 정신이 아니에요
내 몸의 피를 당신 몸 속에 쏟아버리고
당신이 잠든 사이 난 한 마리 죽은 새가 되어버려요.

------------------------------------------------

살면서 단 한번도 소름돋는 음악을 들어보지 못한 사람들을 위한 노래.

마치 마주앉아 이야기하는것같은 착각을 불러일으키는 독특한 퍼포먼스와
너무 커서 그 깊이를 파악할 수 없는 감정몰입.
허스키한 보이스와 파워풀한 가창력에 적당한 서정성까지..

내가 라라 파비앙을 안지는 벌써 8년가까이 되간다.
아끼는 음악일수록 자주듣지 않는 나만의 감상법칙에 의거하여 =_=
빼곡한 시디앨범사이에 수북수북 먼지가 듬뿍쌓여버린 뮤지션중 하나다.
별로 기억하고 싶지 않은 내 인생의 시련기를 버티게 해준 고마운 사람이다.
tags : 살면서 단 한번도 소름돋는 음악을 들어보지 못한 사람들을 위한 노래
Trackback 0 : Comment 0

센서 네트워크 최적화 시뮬레이터 제작중

IE/Optimization 2008/07/21 00:32
알고리즘을 만들면서 하는거라 쉽지 않네  ㅠㅠ
흐헝흐헝

교수님이 물으셨다.

교수님 : 그건 그렇고.. 자네는 주말인데 데이트 안하나?
PEPE : 업데이트 말입니까?
교수님 : ...
PEPE : ...(?)

솔로라서 업데이트해요~♡
Trackback 0 : Comment 2

두번째달 - Alice In Neverland

Sentimental Pages/Music 2008/07/18 01:59
사용자 삽입 이미지













1. 집으로 가는 길
2. Outlook Over The Ocean
3. 봄이다
4. 인형사
5. 외눈박이 소녀의 이야기
6. 그 여름 가장 조용한 바다 (With 장필순)
7. 신수동 우리집
8. 내게 말하기 With Casker
9. 잊혀지지 않습니다
10. 나비의 집 With 하림
11. 타악기 농장
12. 귀향
13. Eridanus
14. 앨리스는 더 이상 여기 살지 않는다 Part 1
15. 앨리스는 더 이상 여기 살지 않는다 Part 2

-----------------------------------------------------------

테마가 있어 매력적인 '두번째달'의 신보다.
instrumental 음악들은 재즈빼고는 별론데 '두번째달'은 역시 기대를 져버리지 않는다.
바다의 파도소리를 연상케하는 'Outlook Over The Ocean', 서정적 선율의 '잊혀지지 않습니다.'
뭐하나 버릴거 없고, 웅장해진 사운드는 'Secret Garden'을 연상케하지만 결코 가볍거나 하지 않다.
이번 여름은 이 앨범 하나로도 버틸 수 있을것 같아서 뿌듯하다.
ㅋㅋㅋ!!

tags : 두번째달 새로나온 음반
Trackback 0 : Comment 0

[TIP] How to create a DLL library in C and then use it with C#

IT/.NET Framework 2008/07/12 07:29

Introduction

After spending some time trying to implement this simple task, I started to search similar code examples over the Internet. I was really very surprised when found that all examples were slightly different from what I needed. Finally, I realized that there is no (at least spending 30 min in the net) easy-to-use example, that’s why I decided to write this article.

Assuming that you already know what a DLL is, let's begin with creating a simple one.

  1. Start Visual Studio .NET.
  2. Go to File->New->Project.
  3. Select Visual C++ Project, and from the “Templates”, select “Win32 Project”.
  4. Give the name to your project. This will be the name of your final DLL (in my case: TestLib).
  5. Press OK.
  6. Select DLL from “Application Type” (“Application Settings” tab).
  7. Check “Empty Project” (we need to create our project from scratch, right?), and press Finish.

OK, now we should attach an empty source file to our blank project.

  1. Start Solution Explorer (if it’s not displayed).
  2. Right click to the “Source Files”, Add->Add New Item then select “C++ File” and give the name to it.
  3. Press “Open”.

In the opened window, enter the following code:

#include <stdio.h>

extern "C"
{
  __declspec(dllexport) void DisplayHelloFromDLL()
  {
    printf ("Hello from DLL !\n");
  }
}

Please note that __declspec(dllexport) is an obligatory prefix which makes DLL functions available from an external application.

extern “C” (with brackets) is also very important, it shows that all code within brackets is available from “outside”. Although code will compile even without this statement, during runtime, you’ll get a very unpleasant error. So, do not forget to include it.

Build this application and your DLL will be ready-to-use.

Now it’s time to create an application which will use our DLL, as the main title explains. We will create this type of application using Microsoft’s C#.

Creating a simple C# application:

  1. Start Visual Studio .NET.
  2. Go to File->New->Project.
  3. Select Visual C# Project. From the “Templates”, you can either select “Console Application”, or an “Empty Project” just like it was described above.
  4. Give the name to your application.
  5. Press OK.

Into the specified class, insert the following two lines:

[DllImport("TestLib.dll")]

public static extern void DisplayHelloFromDLL ();

In C#, keyword extern indicates that the method is implemented externally.

Your code should look something like this:

using System;
using System.Runtime.InteropServices;     // DLL support

class HelloWorld
{
    [DllImport("TestLib.dll")]
    public static extern void DisplayHelloFromDLL ();

    static void Main ()
    {
        Console.WriteLine ("This is C# program");
        DisplayHelloFromDLL ();
    }
}

Please, note that System.Runtime.InteropServices is required for operations with the DLL.

According to MSDN:

“The System.Runtime.InteropServices namespace provides a collection of classes useful for accessing COM objects, and native APIs from .NET”

OK, now build this application, and then copy the previously built DLL into the Debug/Release directory of the current application. The DLL should be in the same directory as your main application.

Now start an application. If everything you’ve made was correct, you should get something like this:

That’s all, really simple isn’t it?
Trackback 0 : Comment 0

Linked Library

IT/.NET Framework 2008/07/12 07:29

Static Linked Library, 정적 링크 라이브러리

컴파일시 실행파일에 라이브러리의 함수코드가 추가되어 작성되기 때문에 실행파일이 커지는 단점이 있으나 별도의 DLL이 필요없다.

VC++6에서는 New Projects에 Win32 Static Library로 작성하고 2005에서는 Win32 콘솔 응용프로그램에서 정적라이브러리(미리 컴파일된 헤더 해제)를 선택하여 작성한다.
명령줄에서 작성하려면 cl.exe /c /EHsc 파일명.cpp(/c 옵션은 링크없이 컴파일) 로 컴파일 하여 obj 파일 생성후 lib.exe ~.obj 으로 ~.lib 파일을 생성한다.

만들어진 LIB(~.lib파일)과 ~.h(header파일)을 작성하고자 하는 Project 생성후라이브러리는 Project->Setting->Library modules에서 ~.lib를 추가하고 헤더는 원하는 코드에 추가하여 빌드한다.

Dynamic Linked Libarary(DLL), 동적 링크 라이브러리

우리가 흔히 말하는 DLLs 이다. 컴파일시 실행파일에 라이브러리의 함수코드를 넣지 않고 DLL 이라는 파일에 따로 두어 모듈화를 통해 관리와 테스트가 용이하며 공유를 통해 코드의 낭비를 줄이고 다국어버전등의 리소스교체를 용이하게 한다.

New Projects에서 Win32 Dynamic-link library로 작성한다. 2005에서는 win32 응용프로그램작성에서 DLL 을 선택하면 된다.

Header파일을 공통적으로 사용하기 위한 예시

#ifdef _USRDLL
#define DLLFunction  __declspec(dllexport)
#elseif
#define DLLFunction  __declspec(dllimport)
#endif

#ifdef __cplusplus
extern “C” {
#endif

DLLFunction void somefunc();
#ifdef __cplusplus
}
#endif


~.DEF 파일 
예전에는 ~.def 파일을 통해 dll을 export 하였지만 VC++에서는 __declspec(dllexport)를 통해서 dll 의 함수들을 export한다. 반대로 import시에는 __declspec(dllimport)를 사용한다.

LIBRARY              "TESTDLL.DLL"
DESCRIPTION 'SIMPLEDLL Windows Dynamic Link Library'

EXPORTS
  somefunc   @1


Implicit Linkage, 암시적 링크
LoadLibrary를 사용하지 않는다. 따라서 프로그램이 실행될때 dll이 로드된다.
그러기 위해서는 Static Library와 같이 ~.lib파일과 ~.h 파일이 필요하고 실행시는 같은 폴더 또는 시스템폴더(dll을 찾는 정책에 따라)에 dll 파일이 존재하여야 한다. 없을시 찾을수 없다면 에러가 발생한다.
dll을 생성하고 나면 생성된 폴더에 lib 파일도 같이 생성되는데 Static Library와는 달리 함수의 코드가 없다. 다만 함수형이 정의되어 있을뿐이다. 실행파일의 implict section에서 실행시 로드되어야 할 dll을 추가하여 나중에 프로그램이 실행되면 dll이 로드된다.

Explicit Linkage,  명시적 링크
  LoadLibrary로 명시적으로 dll을 로드한다. GetProcAddress로 사용하고자 하는 함수의 주소를 얻어서 사용한다. dll이 load되는 시점은 프로그램이 실행되는 순간이 아니고 LoadLibrary가 호출되는 시점이다.

Delay Linkage, 지연 링크
빌드시 옵션에 /delayload:dllname 으로 작성한다.
로드되는 시점은 프로그램 실행시가 아니라 함수가 사용되는 시점이 된다.
/delay 옵션도 참고할것

확장DLL
MFC 클래스에서 파생된 재사용 가능한 클래스를 구현한 DLL. 따라서 MFC로 만든 응용 프로그램에서만 확장 DLL이 사용되어 질수 있다.
이 DLL로부터 익스포트할 클래스에 대해서 여러분이 해줄일은 클래스 선언문에 AFX_EXT_CLASS란 매크로만 붙여준다.

예시

Class AFX_EXT_CLASS CDllDialog : public CDialog
{
...
}
Trackback 0 : Comment 0

Reliable Windows Heap Exploits

IT/Security 2008/07/12 06:36
Reliable Windows Heap Exploits
Trackback 0 : Comment 0
◀ PREV : [1] : [2] : [3] : [4] : NEXT ▶