Jordan Hubbard Talk @ LISA

1,888 views

Published on

Published in: Technology
0 Comments
5 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
1,888
On SlideShare
0
From Embeds
0
Number of Embeds
317
Actions
Shares
0
Downloads
84
Comments
0
Likes
5
Embeds 0
No embeds

No notes for slide

Jordan Hubbard Talk @ LISA

  1. 1. Mac OS X From the server room to your Jordan Hubbard Director, Unix Technology Group Apple, Inc.
  2. 2. Who I am • Long-time Unix zealot • Long-time Open Source contributor (go FreeBSD!) • Why I came to Apple (in 2001) • Unix won the server, so next the desktop • Freedom to Innovate (more than in
  3. 3. What I do (@Apple) • BSD and general open source technology • Security technology (OS and crypto) • Other things that would make your head hurt (mine does)
  4. 4. Let’s start with a quick history
  5. 5. Mac OS X Releases Release Release Date Delta Public Beta 09 / 2000 0 BX (Kodiak) 10.0 (Cheetah) 03 / 2001 6 months 10.1 (Puma) 11 / 2001 8 months 10.2 (Jaguar) 08 / 2002 9 months 10.3 (Panther) 10 / 2003 14 months 10.4 (Tiger) 05 / 2005 19 months 10.4 (Tiger/x86) 01 / 2006 8 months 10.5 (Leopard) 10 / 2007 21 months 10.6 Q1 2009 14+ months (SnowLeopard)
  6. 6. Mac OS X Releases Release Release Date Delta Public Beta 09 / 2000 0 BX (Kodiak) 10.0 (Cheetah) 03 / 2001 6 months 10.1 (Puma) 11 / 2001 8 months 10.2 (Jaguar) 08 / 2002 9 months 10.3 (Panther) 10 / 2003 14 months 10.4 (Tiger) 05 / 2005 19 months 10.5 (Leopard) 10 / 2007 29 months 10.6 Q1 2009 14+ months (SnowLeopard)
  7. 7. 10.0 in brief • Represented the first merger of NeXTStep and MacOS technologies as a new, functional whole • Introduced Aqua and Quartz • APIs: Cocoa, Carbon and Java • First “transition environment”: Classic • Unix bits: NeXTStep + various *BSD bits + some GNU software
  8. 8. 10.1 in brief • UI is more polished • A lot of Unix components are updated, many from FreeBSD • Added some new ones (like Apache) • Early scripting languages appear (Tcl, Perl, Python) and devtools get a small polish
  9. 9. 10.2 in brief • Quartz Extreme implemented on OpenGL • Rendezvous (now Bonjour) appears • Printer sharing, personal firewall and other “Unix features” surface to user • More productivity apps are bundled • FreeBSD is now principle OSS reference • Ruby is now bundled (but somewhat broke) LWMLAF: 20%
  10. 10. 10.3 in brief • Exposé and various fancy “UI tricks” appear • Fast user switching and filevault appear • Much improved Windows interoperability • First appearance of Xcode
  11. 11. 10.4 in brief • Spotlight appears - Immediately starts indexing everything in sight • Dashboard appears (along with a small explosion of widgets) • Voiceover and other key “Accessibility” features appear • Launchd eats init, xinetd, cron, mach_init, ... • Unix environment gets another big overhaul • LWMLAF: 70% (bye bye Vaio!)
  12. 12. 10.5 in brief • Marketing: Over 300 new features! • Engineering: Yes, actually, there is a very large number of features and improvements in there • LWMLAF: (so high it’s embarrassing, really) • The features, let me show you them...
  13. 13. Security Improvements in Leopard
  14. 14. Topics I’ll be racing through •File Quarantine •Sandbox •Package and Code Signing •Application Firewall •Parental Controls •Non-Executable (NX) Data •Address Space Layout Randomization
  15. 15. File Quarantine: The problem
  16. 16. File Quarantine: The problem • Opening a document is expected to launch an application on Mac OS X • Malware can therefore be disguised as documents • Casual inspection is no longer safe
  17. 17. File Quarantine: The problem • Opening a document is expected to launch an application on Mac OS X • Malware can therefore be disguised as documents • Casual inspection is no longer safe
  18. 18. File Quarantine: The problem • Opening a document is expected to launch an application on Mac OS X • Malware can therefore be disguised as documents • Casual inspection is no longer safe
  19. 19. File Quarantine: How it works
  20. 20. File Quarantine: How it works • Download content → Quarantine EA added ■ EA also stores context of download for later use ■ Download time, origin, application, etc…
  21. 21. File Quarantine: How it works • Download content → Quarantine EA added ■ EA also stores context of download for later use ■ Download time, origin, application, etc… • Activate quarantined content → system inspection, user dialog if needed:
  22. 22. Quarantine Propagation (in popular archivers) latestpics.dmg latestpics latestpics.zip latestpics latestpics.jpg
  23. 23. File Quarantine: How it works (under the hood) jkh@woot-> ls -l@ FluffyBunny.dmg -rw-r--r--@ 1 jkh staff 778014 Mar 7 2008 FluffyBunny.dmg com.apple.diskimages.recentcksum 80 com.apple.metadata:kMDItemWhereFroms 344 com.apple.quarantine 74 This is purely an implementation detail, of course, so don’t go relying on its name or contents!
  24. 24. File Quarantine • APIs and various LaunchServices mechanisms provided for creating / propagating Quarantine information • See Open Source tools for reference (tar, zip, et al). • Automatic Quarantine Mode ■ Quarantines all files created by an application ■ Info.plist keys ■ LSFileQuarantineEnabled ■ LSFileQuarantineExcludedPathPatterns
  25. 25. Sandbox
  26. 26. Sandbox • Hardens applications and services by restricting system operations, even for applications with system privileges
  27. 27. Sandbox • Hardens applications and services by restricting system operations, even for applications with system privileges • Reduces impact of vulnerabilities
  28. 28. Sandbox • Hardens applications and services by restricting system operations, even for applications with system privileges • Reduces impact of vulnerabilities •Many system services now run in a Sandbox ■ BIND, portmap, Xgrid, Spotlight importers, QuickLooks, … (see /usr/share/sandbox)
  29. 29. Sandbox Hey, that looks familiar! (OK, it’s Scheme) Profile language ;; NOTE: The profile language is a private interface and ;; subject to change without notice (version 1) (deny default) (allow sysctl-read) (allow network*) (allow file-write* file-read-data file-read-metadata (regex #quot;^(/private)?/var/run/syslog$quot; #quot;^(/private)?/var/run/syslog.pid$quot; #quot;^(/private)?/var/run/asl_input$quot; #quot;^(/private)?/dev/console$quot; #quot;^(/private)?/var/log/.*.log$quot; #quot;^(/private)?/var/log/asl.db$quot;)) (allow file-read-data file-read-metadata (regex #quot;^(/private)?/dev/klog$quot; #quot;^(/private)?/etc/asl.conf$quot; #quot;^(/private)?/etc/syslog.conf$quot; #quot;^/usr/lib/asl/.*.so$quot;))
  30. 30. Sandbox Profile language (version 1) (debug deny) (import quot;bsd.sbquot;) Let’s try a simpler example. (deny default) We’ll call this “testsandbox.sb” (allow process*) (allow file-read*) (allow sysctl-read)
  31. 31. Sandbox Profile language (version 1) (debug deny) (import quot;bsd.sbquot;) Let’s try a simpler example. (deny default) We’ll call this “testsandbox.sb” (allow process*) (allow file-read*) (allow sysctl-read) jkh@woot-> sandbox-exec -f testsandbox.sb bash I have no name!@woot-> ping localhost bash: /sbin/ping: Operation not permitted
  32. 32. Sandbox Profile language (version 1) (debug deny) (import quot;bsd.sbquot;) Let’s try a simpler example. (deny default) We’ll call this “testsandbox.sb” (allow process*) (allow file-read*) (allow sysctl-read) jkh@woot-> sandbox-exec -f testsandbox.sb bash I have no name!@woot-> ping localhost bash: /sbin/ping: Operation not permitted I have no name!@woot-> cat > /tmp/youcanttouchthis bash: /tmp/youcanttouchthis: Operation not permitted
  33. 33. Sandbox Profile language (version 1) (debug deny) (import quot;bsd.sbquot;) Let’s try a simpler example. (deny default) We’ll call this “testsandbox.sb” (allow process*) (allow file-read*) (allow sysctl-read) jkh@woot-> sandbox-exec -f testsandbox.sb bash I have no name!@woot-> ping localhost bash: /sbin/ping: Operation not permitted I have no name!@woot-> cat > /tmp/youcanttouchthis bash: /tmp/youcanttouchthis: Operation not permitted I have no name!@woot-> head .bashrc #!/usr/local/bin/bash # # This is .bashrc, a file composed solely of shell functions. ...
  34. 34. Sandbox Profile language (version 1) (debug deny) (import quot;bsd.sbquot;) ... To fix the “I have no name!” problem (deny default) (allow process*) (allow file-read*) (allow sysctl-read) (allow mach-lookup (global-name quot;com.apple.system.DirectoryService.libinfo_v1quot;))
  35. 35. Sandbox API • sandbox_init(…, SANDBOX_NAMED, …) • Predefined Sandboxes, see sandbox.h ■ Pure computation ■ Read-only ■ Read-only + write temporary folders ■ Prohibit networking
  36. 36. Sandbox How it works under the hood •Built on top of Mandatory Access Control (MAC) subsystem from SEDarwin (based on TrustedBSD) • Uses special “compiler” process to turn high-level form into highly efficient bytecode (sandbox- compilerd(8)) • An evolving work in progress • (JFYI, MAC was also used to protect
  37. 37. Code Signing
  38. 38. Code Signing • Hard cryptographic signature for stand- alone executables and application bundles
  39. 39. Code Signing • Hard cryptographic signature for stand- alone executables and application bundles • Application identity maintained across versions, resulting in far fewer Keychain-related dialogs
  40. 40. Code Signing • Hard cryptographic signature for stand- alone executables and application bundles • Application identity maintained across versions, resulting in far fewer Keychain-related dialogs • Used by Keychain, Application Firewall, Parental Controls, Authorization, …
  41. 41. Code Signing • Hard cryptographic signature for stand- alone executables and application bundles • Application identity maintained across versions, resulting in far fewer Keychain-related dialogs • Used by Keychain, Application Firewall, Parental Controls, Authorization, … • Can also be used to implement more advanced, secure IPC (“knock knock!”
  42. 42. Code Signing Even the Unixy ones jkh@woot-> codesign -v -d /bin/cat Executable=/bin/cat Identifier=com.apple.cat Format=Mach-O universal (i386 ppc7400) CodeDirectory v=20001 size=178 flags=0x0(none) hashes=4+2 location=embedded Signature size=4064 Info.plist=not bound Sealed Resources=none Internal requirements count=0 size=12 jkh@woot-> codesign -h 296 /bin/bash /mach_kernel
  43. 43. Package Signing •Packages are now cryptographically verified •Sign packages using PackageMaker
  44. 44. Package Signing •Packages are now cryptographically verified •Sign packages using PackageMaker
  45. 45. Package Signing •Packages are now cryptographically verified •Sign packages using PackageMaker
  46. 46. Package Signing •Packages are now cryptographically verified •Sign packages using PackageMaker
  47. 47. Package Signing •Packages are now cryptographically verified •Sign packages using PackageMaker
  48. 48. Application Firewall • New inbound filtering engine • Traffic is allowed based on application, not just port/protocol
  49. 49. Application Firewall • New inbound filtering engine • Traffic is allowed based on application, not just port/protocol
  50. 50. Application Firewall • New inbound filtering engine • Traffic is allowed based on application, not just port/protocol
  51. 51. Application Firewall • Much easier configuration for most users (no need to use System Preferences) • IPFW is still present for advanced users, of course • Applications are tracked by signature
  52. 52. Application Firewall • Much easier configuration for most users (no need to use System Preferences) • IPFW is still present for advanced users, of course • Applications are tracked by signature
  53. 53. Parental Controls Allows an admin to: * Limit access to apps * Restrict web activity * Restrict mail / ichat * Log suspicious activity Applications are, again, tracked by signature
  54. 54. Non Executable (NX) Data Thread 0 Stack Thread 1 Stack Library text Heap Library data Read-only, executable Read-write, non-executable
  55. 55. Non Executable (NX) Data Thread 0 Stack • Tiger/x86 had only NX stack Thread 1 Stack Library text Heap Library data Read-only, executable Read-write, non-executable
  56. 56. Non Executable (NX) Data Thread 0 Stack • Tiger/x86 had only NX stack • Leopard: 64-bit apps have NX stack, heap, … → W^X Thread 1 Stack Library text Heap Library data Read-only, executable Read-write, non-executable
  57. 57. Non Executable (NX) Data Thread 0 Stack • Tiger/x86 had only NX stack • Leopard: 64-bit apps have NX stack, heap, … → W^X Thread 1 Stack ■ Intel 64-bit (Intel Core 2 Duo or later) ■ PPC 64-bit (G5) Library text ■ 32-bit apps as in Tiger for compatibility Heap Library data Read-only, executable Read-write, non-executable
  58. 58. Non Executable (NX) Data Thread 0 Stack • Tiger/x86 had only NX stack • Leopard: 64-bit apps have NX stack, heap, … → W^X Thread 1 Stack ■ Intel 64-bit (Intel Core 2 Duo or later) ■ PPC 64-bit (G5) Library text ■ 32-bit apps as in Tiger for compatibility • Applications that need to execute Heap code in data segments use mprotect Library data Read-only, executable Read-write, non-executable
  59. 59. Non Executable (NX) Data Thread 0 Stack • Tiger/x86 had only NX stack • Leopard: 64-bit apps have NX stack, heap, … → W^X Thread 1 Stack ■ Intel 64-bit (Intel Core 2 Duo or later) ■ PPC 64-bit (G5) Library text ■ 32-bit apps as in Tiger for compatibility • Applications that need to execute Heap code in data segments use mprotect • Helps mitigate many buffer overflows, format string bugs, … Library data Read-only, executable Read-write, non-executable
  60. 60. Address Space Layout Randomization
  61. 61. Address Space Layout Randomization •Even with NX data, it may be possible for an exploit to jump to a library or framework function ■ e.g., system(3)—Pass a command to the shell ■ This is commonly known as “return-to-libc”
  62. 62. Address Space Layout Randomization •Even with NX data, it may be possible for an exploit to jump libSystem to a library or framework AppKit function ■ e.g., system(3)—Pass a CoreServices command QuartzCore to the shell ■ This is commonly known as WebKit “return-to-libc”
  63. 63. Address Space Layout Randomization •Even with NX data, it may be possible for an exploit to jump libSystem to a library or framework AppKit function ■ e.g., system(3)—Pass a CoreServices command QuartzCore to the shell ■ This is commonly known as WebKit “return-to-libc”
  64. 64. Address Space Layout Randomization •Even with NX data, it may be possible for an exploit to jump libSystem to a library or framework AppKit function ■ e.g., system(3)—Pass a CoreServices command QuartzCore to the shell ■ This is commonly known as WebKit “return-to-libc” 0x90046ff0 <system>: push %rbp
  65. 65. Address Space Layout Randomization •Even with NX data, it may be libSystem ab le possible for an exploit to jump ed ict to a library or framework AppKit pr function ■ e.g., system(3)—Pass a CoreServices command QuartzCore to the shell ■ This is commonly known as WebKit “return-to-libc” 0x90046ff0 <system>: push %rbp
  66. 66. Address Space Layout •Even with NX data, it may be possible for an exploit to jump to a library or framework function ■ e.g., system(3)—Pass a command •Common libraries are loaded in random order •Opt-in: Application executables and libraries loaded at random page ■ When linked with -pie (i.e., cc - Wl,-pie)
  67. 67. Address Space Layout •Even with NX data, it may be possible for an exploit to jump QuartzCore to a library or framework function libSystem ■ e.g., system(3)—Pass a command AppKit •Common libraries are loaded in random order CoreServices •Opt-in: Application executables and libraries loaded at random WebKit page ■ When linked with -pie (i.e., cc - Wl,-pie)
  68. 68. Address Space Layout •Even with NX data, it may be possible for an exploit to jump QuartzCore to a library or framework function libSystem ■ e.g., system(3)—Pass a command AppKit •Common libraries are loaded in random order CoreServices •Opt-in: Application executables and libraries loaded at random WebKit page ■ When linked with -pie (i.e., cc - Wl,-pie)
  69. 69. Address Space Layout •Even with NX data, it may be possible for an exploit to jump QuartzCore to a library or framework function libSystem ■ e.g., system(3)—Pass a command AppKit •Common libraries are loaded in random order CoreServices •Opt-in: Application executables and libraries loaded at random WebKit page ■ When linked with -pie (i.e., cc - Wl,-pie) 0x90046ff0 <sStringTable+6265>: sbb (%rdx),%dh
  70. 70. Address Space Layout •Even with NX data, it may be possible for an exploit to jump QuartzCore to a library or framework function libSystem ■ e.g., system(3)—Pass a command AppKit •Common libraries are loaded in random order CoreServices •Opt-in: Application executables and libraries loaded at random WebKit page ■ When linked with -pie (i.e., cc - Wl,-pie) 0x90046ff0 <sStringTable+6265>: sbb (%rdx),%dh
  71. 71. Address Space Layout •Even with NX data, it may be possible for an exploit to jump QuartzCore to a library or framework function libSystem ■ e.g., system(3)—Pass a command AppKit •Common libraries are loaded in random order CoreServices •Opt-in: Application executables and libraries loaded at random WebKit page ■ When linked with -pie (i.e., cc - Wl,-pie) 0x90046ff0 <sStringTable+6265>: sbb (%rdx),%dh
  72. 72. Developer Tools Options •Stack overflow checking ■ Canaries as in StackGuard, ProPolice, Microsoft Visual Studio /GS void const char *filename bad(const char *filename) { char path[PATH_MAX]; Return address ... sprintf(path, quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... } char path[PATH_MAX] Higher addresses
  73. 73. Developer Tools Options •Stack overflow checking ■ Canaries as in StackGuard, ProPolice, Microsoft Visual Studio /GS void const char *filename bad(const char *filename) { char path[PATH_MAX]; Return address ... Canary sprintf(path, quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... } char path[PATH_MAX] char path[PATH_MAX] Higher addresses
  74. 74. Developer Tools Options
  75. 75. Developer Tools Options •Object size checking
  76. 76. Developer Tools Options •Object size checking ■ Some unsafe API usage → checked-at-runtime behavior
  77. 77. Developer Tools Options •Object size checking ■ Some unsafe API usage → checked-at-runtime behavior ■ memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf,
  78. 78. Developer Tools Options •Object size checking ■ Some unsafe API usage → checked-at-runtime behavior ■ memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, void before(const char *filename) { char path[PATH_MAX]; ... sprintf(path, quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... } void after(const char *filename) { char path[PATH_MAX]; ... __builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... }
  79. 79. Developer Tools Options •Object size checking ■ Some unsafe API usage → checked-at-runtime behavior ■ memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, void before(const char *filename) { char path[PATH_MAX]; ... sprintf(path, quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... } void after(const char *filename) { char path[PATH_MAX]; ... __builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... }
  80. 80. Developer Tools Options •Object size checking ■ Some unsafe API usage → checked-at-runtime behavior ■ memcpy, mempcpy, memmove, memset, strcpy, stpcpy, strncpy, strcat, strncat, sprintf, vsprintf, void before(const char *filename) { char path[PATH_MAX]; ... sprintf(path, quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... } void after(const char *filename) { char path[PATH_MAX]; ... __builtin___sprintf_chk(path, 0, __builtin_object_size(path, 2>1), quot;%s/%squot;, getenv(quot;HOMEquot;), filename); ... }
  81. 81. Back to my mac • Uses wide-area Bonjour / DDNS (through .Mac) for name registration • Supports NAT-PMP and UPnP to get through NATs • Uses Kerberos and private certs for authentication • Makes screen/filesharing really easy without compromising security
  82. 82. Unix geek improvements in Leopard
  83. 83. DTrace • A dynamic, programmable tracing environment created by Sun in 2003 • Can trace the execution of everything from kernel routines, library functions and even scripts in various interpreted languages • Mac OS X offers a hugely comprehensive set of probe points all the way up the
  84. 84. DTrace • DTrace scripts are written in Sun’s D programming language, effectively a “safe subset” of C, and compiled to bytecode • A number of generally useful “canned” scripts can be found in /usr/bin/*.d for reading/running • Used internally by Instruments.app in DevTools
  85. 85. DTrace • Scripts need not be complex to do useful things: #!/usr/sbin/dtrace -s syscall:::entry { @num[execname] = count(); } ... dtrace 33 VZAccess Manager 50 softwareupdate 51 configd 157 WindowServer 234 Shows me most “system bound” tasks currently running
  86. 86. DTrace in Instruments Even easier!
  87. 87. Launchd • Since its introduction in Tiger, it has transformed how all things are launched on Mac OS X • Things are launched by dependency, not by static declarations • Execution environments are cleanly constrained • Ease of use has encouraged the
  88. 88. Launchd • All configuration controlled by per-user / per-system XML plist files (though launchd itself does not grok XML) • launchctl behaves differently depending on “which launchd you’re asking” • sudo launchctl list (system) • launchctl list (current session) • launchctl -S / -D flags control this also
  89. 89. ASL • Apple’s replacement for syslog (and a secret evidently too-well-kept) • Supports arbitrary number of log message properties in a clean, consistently encoded format • Powerful boolean operator search API • Per-process and per-system message filter values
  90. 90. UNIX03 • A fairly massive multi-year project involving many Unix commands, libraries and documentation • Leopard now joins the ranks of IBM (AIX) and Sun (Solaris) in being a fully certified UNIX® • API compatibility maintained through symbol versioning tricks and
  91. 91. X11 in Leopard • The XFree86 vs X.org saga • Consequences of going with X.org in Leopard • XQuartz project on Mac OS Forge • Current status of fullscreen, GLX, 3D,
  92. 92. ZFS • Sun’s highly fault-tolerant, dynamic storage pool-based, snapshotting “zetabyte” filesystem • Shipped read-only implementation in Leopard, for future compatibility only • Full read/write version available from http://zfs.macosforge.org (along with other useful info)
  93. 93. Scripting Languages • BridgeSupport: Describing ObjC and C APIs through Metadata (../Resources/ BridgeSupport/) • RubyCocoa and PyObjC are bundled, including XCode application templates • Compatibility will be maintained while evolving strategy here
  94. 94. Directory Services • Netinfo is dead. Long live Netinfo. • Lookupd is also dead, as are several intermediate layers of mechanism from the old system • DirectoryService now provides all lookup, caching and local host/user/group database services (as XML plist files in / var/db/dslocal)
  95. 95. Apple’s evolving Open Source strategy
  96. 96. Apple’s evolving Open Source strategy • 2000: In the beginning, there was Darwin and the stand-alone Darwin releases
  97. 97. Apple’s evolving Open Source strategy • 2000: In the beginning, there was Darwin and the stand-alone Darwin releases • 2002: The rise of OpenDarwin
  98. 98. Apple’s evolving Open Source strategy • 2000: In the beginning, there was Darwin and the stand-alone Darwin releases • 2002: The rise of OpenDarwin • 2006: The fall of OpenDarwin
  99. 99. Apple’s evolving Open Source strategy • 2000: In the beginning, there was Darwin and the stand-alone Darwin releases • 2002: The rise of OpenDarwin • 2006: The fall of OpenDarwin • 2006: ZFS and DTrace - working with Sun
  100. 100. Some projects on MacOSForge • CalendarServer: A CalDAV-compliant server • WebKit: Apple’s most successful OSS project • MacPorts: Apple’s 2nd most successful one • MacRuby: A version of Ruby for MacOSX
  101. 101. MacRuby • A port of Ruby 1.9 to the Objective C runtime • Uses Objective C generational garbage collector (“autozone”, just released as OSS) • Uses Core Foundation types (NSString, NSArray, NSDictionary, ...) natively
  102. 102. A very simple application Cocoa Hello World
  103. 103. #import <Cocoa/Cocoa.h> @interface ButtonController : NSObject Objective C version @end @implementation ButtonController -(void)sayHello:(id)sender {     N S L o g ( @ quot; H e l l o Wo r l d ! quot; ) ; } @end int main(void) {   NSApplication *app = [NSApplication sharedApplication];     NSWindow *window = [[NSWindow alloc] initWithContentRect:NSMakeRect(0, 0, 200, 60)       styleMask:NSTitledWindowMask|NSClosableWindowMask|NSMiniaturizableWindowMask|NSResizableWindowMask       backing:NSBackingStoreBuffered       defer:NO];     [ w i n d o w s e t T i t l e : @ quot; H e l l o Wo r l d quot; ] ;   NSButton *button = [[NSButton alloc] initWithFrame:NSZeroRect];   [[window contentView] addSubview:button];     [button setBezelStyle:NSRoundedBezelStyle];     [button setTitle:@quot;Hello!quot;];     [ b u t t o n s i z e To F i t ] ;   NSSize contentSize = [[window contentView] frame].size;     NSSize buttonSize = [button frame].size;     NSPoint point = NSMakePoint((contentSize.width / 2.0) - (buttonSize.width / 2.0),                                (contentSize.height / 2.0) - (buttonSize.height / 2.0));     [button setFrameOrigin:point];   ButtonController *buttonController = [ButtonController new];     [ b u t t o n s e t Ta rg e t : b u t t o n C o n t r o l l e r ] ;     [button setAction:@selector(sayHello:)];      [window display];   [window orderFrontRegardless];     [app run];   retur n 0; }
  104. 104. “Straight port” MacRuby framework 'Cocoa'  a p p = N S A p p l i c a t i o n . s h a r e d A p p l i c a t i o n  w i n = N S W i n d o w. a l l o c . i n i t W i t h C o n t e n t R e c t ( [ 0 , 0 , 2 0 0 , 6 0 ] ,      s t y l e M a s k : N S T i t l e d W i n d o w M a s k | N S C l o s a b l e W i n d o w M a s k | N S M i n i a t u r i z a b l e W i n d o w M a s k | N S R e s i z a b l e W i n d o w M a s k ,      b a c k i n g : N S B a c k i n g S t o r e B u f f e r e d ,      defer:false)  w i n . t i t l e = ' H e l l o Wo r l d '  b u t t o n = N S B u t t o n . a l l o c . i n i t W i t h F r a m e ( N S Z e r o R e c t )  w i n . c o n t e n t V i e w. a d d S u b v i e w ( b u t t o n )  button.bezelStyle = NSRoundedBezelStyle  button.title = 'Hello!'  b u t t o n . s i z e To F i t  b u t t o n . f r a m e O r i g i n = N S M a k e P o i n t ( ( w i n . c o n t e n t V i e w. f r a m e S i z e . w i d t h / 2 . 0 ) - ( b u t t o n . f r a m e S i z e . w i d t h / 2 . 0 ) ,                                    ( w i n . c o n t e n t V i e w. f r a m e S i z e . h e i g h t / 2 . 0 ) - ( b u t t o n . f r a m e S i z e . h e i g h t / 2 . 0 ) )  b u t t o n _ c o n t r o l l e r = O b j e c t . n e w  d e f b u t t o n _ c o n t r o l l e r. s a y H e l l o ( s e n d e r )    p u t s quot; H e l l o Wo r l d ! quot;  end  b u t t o n . t a rg e t = b u t t o n _ c o n t r o l l e r  button.action = 'sayHello:'  win.display  w i n . o r d e r F r o n t R e g a r d l e s s  app.run
  105. 105. MacRuby + HotCocoa version r e q u i r e ' h o t c o c o a '  include HotCocoa  application do    w i n d o w : t i t l e = > ' H e l l o Wo r l d ' , : f r a m e = > [ 0 , 0 , 1 2 0 , 1 2 0 ] d o | w |       button :title => 'Click me' do |b|        b . o n _ a c t i o n { p u t s ' H e l l o Wo r l d ! ' }        w << b      end    end  end
  106. 106. Our scary future...
  107. 107. The rise of the GPU Number of Transistors (in millions) 1,500 1,125 750 Hi! 375 0 1998 2000 2001 2002 2003 2004 2005 2006 2007 2008 2010 ? And these are largely computational, not cache!
  108. 108. The future: GPUs • GPUs are becoming insanely fast and capable • GPUs are also, finally, mathematically accurate and thus useful for general computation • OpenCL is an important development in this space • Convergence with CPUs is not that far
  109. 109. The future: Intel (all data coming from published roadmaps) • 2008: Penryn: 8 core configurations now common. • 2009: Nehalem: 12-16 cores become common, Larrabee also raising this to 32 for Intel’s “GPU” • 2010: 2nd die-shrink for Larrabee likely to yield > 32 cores in commodity hardware • 2015: Here’s the plan: ONE MILLION CORES!
  110. 110. The future: Intel • No, seriously, what does this mean? • It means that Hardware folks are out of headroom on pure clock speed and must go lateral • The hardware folks are also probably tired of paying for the Software people’s sins. ccNUMA is likely to eventually yield (back) to NUMA. Good for them, bad for us! • Memory access, already very expensive, will become substantially more so (ex-SGI ,
  111. 111. The future: Intel • Forget everything you thought you knew about multi-threaded programming (and, as it turns out, most developers didn’t know much anyway) • The kernel is the only one who really knows the right mix of cores and power states to use at any given time - this can’t be a pure app-driven decision • We need new APIs and mechanisms for dealing with this incoming meteor
  112. 112. The future: Intel If you think I am exaggerating the severity of this problem, just remember: Less than 30 years ago, this 16 bit 68000 was state-of-the-art, running at 8 Megahertz on a 3500nm process And we’re evolving much faster today...
  113. 113. The future: Mobility “coming”, it is • Ubiquitous computing is not already HERE • Small devices under increasing pressure to become “micro” devices (active badges, bluetooth headsets, cerebral implants, etc) • Start thinking in terms of milliwatts, not just watts, because your power budget is shrinking • The same applies to servers (think carbon
  114. 114. iPhone Lessons • “Enterprise” features (like code signing) can also be substantially leveraged on mobile devices • Mobile device features (like CoreAnimation) can also encourage innovation in “bigger” devices • You can actually can run a full Unix on a phone now
  115. 115. iPhone Lessons • It’s all about the power, and all resources (memory, flash, CPU) take power. We need to challenge our “Unix assumptions” about power being plentiful • Stability is key for something this critical (can’t crash while dialing emergency services). You just can’t run everything you want to • Even with reduced power demands, mobile
  116. 116. Any questions?

×