Loose Bits: Thoughts on distributed systems, cloud computing, and the intersection of law and technology.

Getting Started with Node.js in the Cloud - Presentation

Getting Started with Node.js in the Cloud

NovaNode had its first meetup event on March 20, 2012 at SpanishDict’s offices. I gave a talk titled “Getting Started with Node.js in the Cloud” covering Node.js application development and deployment to the cloud.

![Node.js cloud presentation](http://loose-bits.com/media/img/2012/03/24/nodejs-cloud.png)

My talk goes through a first simple “hello world” application and builds up to a realtime chat application using Redis and websockets. We deploy the applications to Heroku and cover everything from logs and monitoring to add-on services and scaling. The talk concludes with an assessment and use cases for deploying on a Platform-as-a-Service provider like Heroku versus an Infrastructure-as-a-Service provider like Amazon Web Services.

The presentation is available live on GitHub, and uses the deck.js presentation framework. I have also posted the full demo source code to GitHub, including the chat server that we used during the meetup. Try it out!


Return-Oriented Programming - Systems, Languages, and Applications

Return-Oriented Programming

Return-oriented programming is a software exploit technique to take over a program by diverting control flow without injecting any code. At UCSD, I did most of my graduate research around this specific attack, working with Erik Buchanan, Hovav Shacham, and Stefan Savage. Now, three years later, the ACM Transactions on Information and System Security (TISSEC) journal has published our full article, “Return-Oriented Programming: Systems, Languages, and Applications”, in the March 2012 issue.

For a great introduction to return-oriented programming attacks, see Hovav’s Black Hat presentation, “Return-oriented Programming: Exploitation without Code Injection”.

By way of a little background, software exploit techniques such as buffer overflows traditionally injected code into a vulnerable buffer and then redirected control to that injected code, so that the attacker executed their own instructions. The original attack was succinctly described in Aleph One’s “Smashing The Stack For Fun And Profit”.

Software vendors responded to injected code attacks with various defenses, a popular one being “write XOR execute” (“W⊕X”), whereby memory is either writable (e.g., data structure storage) or executable (e.g., library code), but not both. The logic behind the defense was that an attacker could inject arbitrary data in writable memory but could not execute it, thus preventing the classic type of buffer overflow attack.

However, preventing code injection is not sufficient to prevent arbitrary computation. Following a long line of W⊕X exploit research, return-oriented programming works by taking existing executable code (e.g., loaded libraries) and using small chunks of it in unintended ways, hijacking control flow by compromising the stack or writable memory.


NovaNode Inaugural Meetup - Getting Started with Node.js in the Cloud

Node.js in NoVA!

We recently launched the NovaNode meetup group focusing on the Node.js event-driven JavaScript framework. We have a great set of talks lined up for our inaugural meetup event on March 20, 2012 at 6:30 pm. We’re hosting things at SpanishDict’s offices in Arlington, VA near the Clarendon metro stop.


Our talks are:

  • “Getting Started with Node.js in the Cloud”, which I’ll present.
  • “Everyauth: OAuth for Busy Nerds” by Jason Bond Pratt, Co-founder of Tixelated. OAuth is the standard interface for web services integration for user authentication, and is your starting point for linking an application to Google, Facebook, Twitter, etc. Jason’s talk will take us through Everyauth’s basic architecture and integration with other data stores like MongoDB.

Getting Started with Node.js in the Cloud

Node.js provides a solid platform for scalable and responsive web applications. Development in Node.js further has a lower learning curve compared to many highly-concurrent / asynchronous frameworks as it uses JavaScript, which is very familiar territory for web developers.

The cloud complements Node.js by providing the means to deploy applications rapidly and scale up with no upfront investment costs. The “big” cloud providers such as Amazon Web Services and Rackspace easily support infrastructure for hosting Node.js applications. Moreover, there has been a burst of Platform-as-a-Service contenders that provide even easier Node.js application hosting, including Heroku, NodeJitsu and even Microsoft’s Azure platform.

In my talk, I’ll walk through a basic Node.js application that we develop, deploy and then scale easily in the cloud. I’ll discuss best practices and what opportunities and pitfalls lie ahead when taking your Node.js applications to the cloud.

Hope to see you at the meetup!
