Java 8 Nashorn Script Engine

For a side project I am developing in Java, I needed a good JavaScript parser, but the publicly documented Nashorn interface is all about compiling when I only needed an intermediate representation. As of JDK8u40, it is possible to use the parser to get the AST as a JSON-encoded string, either from a JS file being executed by the ScriptEngine or from within Java using the non-public Nashorn API.

The image below should convey how a simple assignment statement is broken into a stream of tokens, from which an AST is then generated as JSON on the right. This is why symbols like *, + and - are called binary operators: they take two operands. ! is the logical negation and a unary operator because it takes only one operand. The operands can also be expressions, because expressions are defined recursively in terms of expressions, which can be literals, terms, or other expressions. This is how we end up with trees which, when coupled with additional semantic information such as keywords, types, and identifiers, help us do code generation. This enables you to take in one language, say GML, and spit out a completely different one like C++ which, if you don't already know, is exactly what ENIGMA's compiler does.

Abstract Syntax Tree

An abstract syntax tree is produced by a parser after the lexer phase breaks code into a stream of tokens.
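The token-stream-to-tree step described above, as an added example that is not part of the original post and is not Nashorn's parser. The grammar, the function names `tokenize` and `parseAssignment`, and the choice of node fields (named after the Mozilla Parser API) are assumptions made for illustration.

```javascript
// Toy grammar, assumed for this example (not Nashorn's):
//   assignment := IDENT '=' additive
//   additive   := term (('+' | '-') term)*
//   term       := unary ('*' unary)*
//   unary      := '!' unary | NUMBER | IDENT | '(' additive ')'
function tokenize(src) {
  const re = /\s*(?:(\d+)|([A-Za-z_$][\w$]*)|([-+*!=()]))/y;
  const text = src.trim();
  const tokens = [];
  while (re.lastIndex < text.length) {
    const m = re.exec(text); // sticky match: must start exactly at lastIndex
    if (!m) throw new SyntaxError("unexpected character in input");
    const kind = m[1] !== undefined ? "number" : m[2] !== undefined ? "ident" : "punct";
    tokens.push({ kind, text: m[1] || m[2] || m[3] });
  }
  return tokens;
}

function parseAssignment(src) {
  const tokens = tokenize(src);
  let i = 0;
  const peek = () => (i < tokens.length ? tokens[i].text : null);
  const expect = (t) => { if (peek() !== t) throw new SyntaxError("expected " + t); i++; };
  function unary() {
    const tok = tokens[i++] || { kind: "eof", text: "end of input" };
    if (tok.text === "!") return { type: "UnaryExpression", operator: "!", prefix: true, argument: unary() };
    if (tok.text === "(") { const e = additive(); expect(")"); return e; }
    if (tok.kind === "number") return { type: "Literal", value: Number(tok.text) };
    if (tok.kind === "ident") return { type: "Identifier", name: tok.text };
    throw new SyntaxError("unexpected token " + tok.text);
  }
  // Left-associative chain of binary operators at one precedence level.
  function binary(operand, ops) {
    let left = operand();
    while (ops.includes(peek())) {
      const operator = tokens[i++].text;
      left = { type: "BinaryExpression", operator, left, right: operand() };
    }
    return left;
  }
  const term = () => binary(unary, ["*"]);
  const additive = () => binary(term, ["+", "-"]);
  if (!tokens[0] || tokens[0].kind !== "ident") throw new SyntaxError("expected identifier");
  const left = { type: "Identifier", name: tokens[i++].text };
  expect("=");
  const right = additive();
  if (i < tokens.length) throw new SyntaxError("unexpected token " + peek());
  return { type: "AssignmentExpression", operator: "=", left, right };
}
```

Calling `JSON.stringify(parseAssignment("x = 1 + 2 * !y"), null, 2)` prints the tree; the `*` node ends up below the `+` node because `term` binds tighter than `additive`.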

Wikipedia has additional information on abstract syntax trees if you would like to know more.
https://en.wikipedia.org/wiki/Abstract_syntax_tree
The following StackOverflow post provides clarification between an AST and a parse tree.
http://stackoverflow.com/questions/5026517/whats-the-difference-between-parse-tree-and-ast

This example shows you how to get the AST as JSON from Java. This was my own discovery from studying the Nashorn source code.

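import jdk.nashorn.api.scripting.ScriptUtils;
import jdk.nashorn.internal.runtime.Context;
import jdk.nashorn.internal.runtime.ErrorManager;
import jdk.nashorn.internal.runtime.options.Options;

String code = "function a() { var b = 5; } function c() { }";

// Parser options, written in the dotted form used from inside Java.
Options options = new Options("nashorn");
options.set("anon.functions", true);
options.set("parse.only", true);
options.set("scripting", true);

// Create a context with these options and make its global the current one.
ErrorManager errors = new ErrorManager();
Context contextm = new Context(options, errors, Thread.currentThread().getContextClassLoader());
Context.setGlobal(contextm.createGlobal());

// Arguments: source text, script name, whether to include location information.
String json = ScriptUtils.parse(code, "<unknown>", false);
System.out.println(json);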

This example should give the following JSON encoded AST as I executed it on Java 8u51. This JSON encoding provided by Nashorn is compliant with the community standard JavaScript JSON AST model popularized by Mozilla.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/Parser_API

{"type":"Program","body":[{"type":"FunctionDeclaration","id":{"type":"Identifier","name":"a"},"params":[],"defaults":[],"rest":null,"body":{"type":"BlockStatement","body":[{"type":"VariableDeclaration","declarations":[{"type":"VariableDeclarator","id":{"type":"Identifier","name":"b"},"init":{"type":"Literal","value":5}}]}]},"generator":false,"expression":false},{"type":"FunctionDeclaration","id":{"type":"Identifier","name":"c"},"params":[],"defaults":[],"rest":null,"body":{"type":"BlockStatement","body":[]},"generator":false,"expression":false}]}
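One way to consume this output, as an added example that is not from the original post: a recursive walk over the JSON AST above that lists which names each function declares. The function name `declaredSymbols` and the `<program>` and `<anonymous>` scope labels are assumptions, and the walk assumes ES5-style declarators whose `id` is a plain identifier.

```javascript
// AST JSON from the post for: function a() { var b = 5; } function c() { }
const NASHORN_JSON = '{"type":"Program","body":[{"type":"FunctionDeclaration","id":{"type":"Identifier","name":"a"},"params":[],"defaults":[],"rest":null,"body":{"type":"BlockStatement","body":[{"type":"VariableDeclaration","declarations":[{"type":"VariableDeclarator","id":{"type":"Identifier","name":"b"},"init":{"type":"Literal","value":5}}]}]},"generator":false,"expression":false},{"type":"FunctionDeclaration","id":{"type":"Identifier","name":"c"},"params":[],"defaults":[],"rest":null,"body":{"type":"BlockStatement","body":[]},"generator":false,"expression":false}]}';

// Map each scope to the names declared in it. Only functions open a new
// scope, so a `var` nested in a block is attributed to its enclosing function.
function declaredSymbols(json) {
  // No prototype: a function named "constructor" or "__proto__" is just a key.
  const scopes = Object.create(null);
  scopes["<program>"] = [];
  (function visit(node, scope) {
    if (Array.isArray(node)) { node.forEach((n) => visit(n, scope)); return; }
    if (node === null || typeof node !== "object") return;
    if (node.type === "FunctionDeclaration" || node.type === "FunctionExpression") {
      const name = node.id ? node.id.name : "<anonymous>";
      // A declaration also binds its own name in the enclosing scope.
      if (node.type === "FunctionDeclaration") scopes[scope].push(name);
      scope = name;
      scopes[scope] = scopes[scope] || [];
    } else if (node.type === "VariableDeclarator") {
      scopes[scope].push(node.id.name);
    }
    // Every child node lives in some property of its parent, so recurse into all of them.
    for (const key of Object.keys(node)) visit(node[key], scope);
  })(JSON.parse(json), "<program>");
  return scopes;
}
```

For the JSON above, `declaredSymbols(NASHORN_JSON)` maps `<program>` to `a` and `c`, `a` to `b`, and `c` to an empty list.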

It is important to note, however, that this interface may change because it is not well documented and is new to the JSE. Additionally, the OpenJDK project is developing a public interface for Java 9 that allows AST traversal in a more standard and user-friendly way.
http://openjdk.java.net/jeps/236

Limited documentation for the existing public Nashorn classes in Java 8 can be found below.
https://docs.oracle.com/javase/8/docs/jdk/api/nashorn/allclasses-noframe.html

The following link provides a list of all of the parser and compiler options that I set above. However, it is important to note that the syntax is different when setting the options inside Java, where - is replaced with a period.
http://hg.openjdk.java.net/jdk8u/jdk8u-dev/nashorn/file/tip/docs/DEVELOPER_README

The Nashorn source code can be found on GitHub and also on BitBucket. I prefer the BitBucket version as the GitHub version seems to be missing some classes.
https://github.com/uditrugman/openjdk8-nashorn
https://bitbucket.org/adoptopenjdk/jdk8-nashorn/src/096dc407d310?at=default

Security of Electronic Communications

One of the biggest problems facing software and technology companies, as well as all major financial institutions, today is the security and authenticity of electronically transmitted communications and data. When evidence of phone hacking mounted around Piers Morgan back in Q1 2014, it was revealed that access was easily gained to victims' voicemail recordings because they simply never changed the password (Spark, 2014). Why then do people often neglect and undermine the importance of securing their communications, and what are some ways to address this? These are important cognitive, biometric, and psychological questions which must be answered in order to improve the security of databases, emails, networks, and data transmission. This requires not only engineers innovating and improving the encryption methods and techniques utilized in these systems, but also changing how people, including the ordinary layman, perceive and appraise the problem.

During World War II the Germans used the Enigma machine to encrypt nearly all communications, that is, of course, until Alan Turing created the world's first computer in the interest of automating much of the decryption process at Bletchley Park. In the process he laid the foundation of Computer Science and Artificial Intelligence, positing the noteworthy Turing test as a measure of a machine's intelligence. Every time you make a purchase at Amazon or Walmart.com, or send a message on Facebook or Twitter, your information is bounced between several servers, stored in databases on remote computers, and sometimes even intercepted by the National Security Agency, in offices and buildings occasionally not even in the same country as you. Merely opening an email attachment can compromise all of the data on your computer, as attachments can be easily infected with Trojans and other viruses that can take over your computer, control system processes, or scan for files containing credit card numbers and upload them back to the intruder. Even if you consider yourself a modern Luddite of sorts, there is very little hope of escaping the arbitrarily encompassing technology of the digital age, unless of course you don't mind not having a driver's license and never taking out a loan for a house, car, or student loan.

Heartbleed was a major security vulnerability in OpenSSL, a popular open source socket security library, which could be used to bypass the software's authenticity and security measures, and in isolated instances was. A Pew research poll indicated that only about 60% of adult internet users had heard of Heartbleed, and that, even worse, only 39% took additional steps to secure their online accounts (Rainie, 2014). With warnings of Heartbleed going largely unheeded, Shellshock, a vulnerability in Bash, a command prompt used in Mac and Linux, was just discovered, with early estimates of 500 million affected computers (Lee, 2014). So the implications of data security for our jobs, lives, and basically our very way of life are evident. But what can be done to address these issues? Well, examples such as OpenSSL may actually be the solution and not just the problem. Open source software grants users special privileges, including being able to read the source code easily without extensive reverse engineering, and sometimes even the rights to redistribute that code with certain caveats. For this reason, not only were the hackers aware of the bug, so were other users of the software, allowing the issue to be addressed much more quickly. With proprietary software this may not be the case; by the time the developers become informed it could be too late. We can also see companies like Oracle which are making a point of improving security in Java-based applications. Their approach lately has been to promote widespread adoption of new Java versions, which as a result of new features has been largely embraced by the community, with Java 8 adoption up nearly 20% from previous releases (Oracle, 2014). Not only are they correcting the issues, they are giving users incentives to install and adopt these more secure versions. The now obsolete Windows XP operating system is the epitome of where this methodology could be applied, as it is still used in many ATM machines today (Pagliery, 2014). They have been proven to be extremely susceptible to fraudulent attacks, even vulnerable enough to hacking from a cellphone!

New advances in physics are also creating promising solutions to encryption as well as classical computing problems. A lot of recent research has shown that lasers can be used to encrypt messages that cannot be deciphered without the original manifest, much like traditional asymmetric cryptography (Berridge, 2010). Optimizations in parallel processing that quantum mechanics is postulated to allow can also mean near instantaneous decryption of encrypted keys. This means that any person, organization, or corporation that can develop the first real quantum computer could decrypt every message using today's encryption standards instantly any time they want. It is no surprise, then, that the National Security Agency, NASA, Google, Microsoft and many other tech titans are clamoring to build these machines.

Another important aspect of this problem is the psychological importance of security and privacy that individuals feel. The most obvious issue here is that in order for passwords to be secure they also have to be somewhat hard to remember, and consider that people usually have more than 1, even 10, networked accounts on the internet for email, their student account, online bank account, social accounts and much more. Acronyms and anagrams can be conventionally applied as mnemonic devices for remembering passwords, but users generally prefer convenience. The most commonly used password for 2013 was, consistent with popular belief, you guessed it, "password" (Ngak, 2014). Many companies have begun to address this part of the problem in new ways, such as Apple, which provides facial recognition locking for most iOS devices (Whitney, 2013). Besides facial recognition, research is bringing new solutions such as fingerprint scanning, retina scanning, DNA tests, and other forms of biometric identification and authentication, some of which are old and some of which are new. One of the most often utilized methods of preventing bots and spam on websites has been the contemporary use of optical character recognition, or CAPTCHAs for example.

The problems of privacy and security have been perennial and persistent in many contexts, not just technology alone. Technology and science are not only expanding the issues but actively providing new and innovative solutions. The development of quantum computers seems to draw many parallels to Alan Turing's creation of the first computer, with grave implications. Millions of people are left vulnerable by security flaws and subject to attack, fraud, and other harm every single day. The problems of privacy and security are thus important matters that are frequently undermined and that must be taken more seriously and researched more thoroughly.

References

Berridge, E. (2010, September 1). Quantum encryption defeated by lasers. Retrieved October 17, 2014, from http://www.theinquirer.net/inquirer/blog-post/1730688/quantum-encryption-defeated-lasers

Lee, D. (2014, September 25). Shellshock: ‘Deadly serious’ new vulnerability found. Retrieved October 17, 2014, from http://www.bbc.com/news/technology-29361794

Ngak, C. (2014, January 21). The 25 most common passwords of 2013. Retrieved October 19, 2014, from http://www.cbsnews.com/news/the-25-most-common-passwords-of-2013/

Oracle Highlights Continued Java SE Momentum and Innovation at JavaOne 2014. (2014, September 29). Retrieved October 17, 2014, from http://www.marketwatch.com/story/oracle-highlights-continued-java-se-momentum-and-innovation-at-javaone-2014-2014-09-29

Pagliery, J. (2014, March 4). 95% of bank ATMs face end of security support. Retrieved October 17, 2014, from http://money.cnn.com/2014/03/04/technology/security/atm-windows-xp/

Rainie, L., & Duggan, M. (2014, April 30). Heartbleed’s Impact. Retrieved October 17, 2014, from http://www.pewinternet.org/2014/04/30/heartbleeds-impact/2/#main-findings

Spark, L. (2014, February 14). CNN host Piers Morgan questioned in UK hacking investigation. Retrieved October 10, 2014, from http://www.cnn.com/2014/02/14/world/europe/uk-piers-morgan-hacking-probe/

Whitney, L. (2013, December 20). How to use facial recognition on your iPhone. Retrieved October 19, 2014, from http://www.cnet.com/news/how-to-use-facial-recognition-on-your-iphone/