To content | To menu | To search

2018, Tuesday January 2

Happy New mORMot Year


Happy New mORMot Year 2018!

And thanks Mario for the video!

2017, Saturday November 11

Job Opportunities at LiveMon

You like working with mORMot ?

We're hiring new developers at LiveMon

We're a full-remote team (with a monthly gather-up in Paris), working on a real-time AI-powered monitoring tool.
I joined LiveMon this week, and we will work together on this exciting project, using mORMot and FPC!

Contact us at jobs at livemon dot com !

PS: You can send your resumé to this email address, preferably with link to some code you wrote (we like reading clean code!).
We offer remote work from home, if possible from Western Europe (for easy gathering in Paris) or the USA (for LiveMon, Inc.), using technical English and object pascal as language (French not required).

2017, Tuesday October 24

EKON 21 Slides

After having enjoyed EKON 21 conferences in Köln, some quick post to share material about my presentations.

I also included the "Practical DDD" source code in a new sample folder of the mORMot repository.

This sample was long-awaited from new mORMot users, and anyone willing to see how DDD may be implemented in Delphi.
I choose to store the sample in enumerated sub-folders (01, 02, 03...), to show the typical steps of building such kind of services.

Of course, it follows Test-Driven Design, so we write the test as soon as we add a new feature.
Stubing/mocking is also used for the Domain regression tests.
And we will eventually add new sub-folders, to include new features and services.

About EKON, sad I can't share some fresh beer as pdf or in a git/fossil repository...

2017, Thursday August 10

Faster and cross-platform SynLZ

You probably know about our SynLZ compression unit, in pascal and x86 asm, which is very fast for compression with a good compression ratio, and proudly compete with LZ4 or Snappy.
It is used in our framework everywhere, e.g. for WebSockets communication, for ECC encrypted file content, or to compress executable resources. 

Two news to share:

1. I've added SynLZ support for the NextGen compiler, now available in a new unit of the "CrossPlatform" sub-folder.
Feeback is welcome, since we don't use Delphi for iOS and Android with Delphi, and prefer FPC for Linux!

2. I've also written a new x64 asm optimized version of SynLZ, and profiled the existing x86 asm to be even faster than previously.
For a 100MB text log file, SynLZ is faster than Snappy, and compresses better (93% instead of 84%).
For other kind of files, Snappy is slightly faster at decompression, but SynLZ compresses better, and most of the time faster.
When used on a REST server solution, as with mORMot, compression speed does matter more than decompression.

For Win32:

Win32 Processing DragonFly-devpcm.log = 98.7 MB for 1 times
Snappy compress in 125.07ms, ratio=84%, 789.3 MB/s
Snappy uncompress in 70.35ms, 1.3 GB/s
SynLZ compress in 103.61ms, ratio=93%, 952.8 MB/s
SynLZ uncompress in 68.71ms, 1.4 GB/s

For Win64:

Win64 Processing DragonFly-devpcm.log = 98.7 MB for 1 times
Snappy compress in 107.13ms, ratio=84%, 921.5 MB/s
Snappy uncompress in 61.06ms, 1.5 GB/s
SynLZ compress in 97.25ms, ratio=93%, 1015.1 MB/s
SynLZ uncompress in 61.27ms, 1.5 GB/s

Of course, we didn't change the SynLZ binary format, so it is just perfectly backward compatible with any existing program.
Anyway, from my point of view, the main benefit of SynLZ is that it was designed in plain pascal, so it is clearly cross-platform and well integrated with Delphi/FPC (no external .obj/.o/.dll required).

Feedback is welcome in our forum, as usual!

2017, Wednesday March 22

Delphi 10.2 Tokyo Compatibility: DCC64 broken

We are proud to announce compatibility of our mORMot Open Source framework with the latest Delphi 10.2 Tokyo compiler...
At least for Win32.

For Win64, the compiler was stuck at the end of the compilation, burning 100% of one CPU core...

A bit disappointing, isn't it?

Continue reading...

2017, Saturday March 18

Application Locking using Asymmetric Encryption

A common feature request for professional software is to prevent abuse of published applications.
For licensing or security reasons, you may be requested to "lock" the execution of programs, maybe tools or services.

Our Open-Souce mORMot framework can leverage Asymmetric Cryptography to ensure that only allowed users could run some executables, optionally with dedicated settings, on a given computer.
It offers the first brick on which you may build your own system upon.

From the User point of view, he/she will transmit a user@host.public file, then receives a corresponding user@host.unlock file, which will unlock the application.
Pretty easy to understand - even if some complex asymmetric encryption is involved behind the scene.

Continue reading...

2016, Monday December 19

JSON Web Tokens (JWT)

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.

They can be used for:

  • Authentication: including a JWT to any HTTP request allows Single Sign On user validation across different domains;
  • Secure Information Exchange: a small amount of data can be stored in the JWT payload, and is digitally signed to ensure its provenance and integrity.

See for an introduction to JSON Web Tokens.

Our mORMot framework now implements JWT:

  • HS256 (HMAC-SHA256) and ES256 (256-bit ECDSA) algorithms (with the addition of the "none" weak algo);
  • Validates all claims (validation dates, audiences, JWT ID);
  • Thread-safe and high performance (2 µs for a HS256 verification under x64), with optional in-memory cache if needed (e.g. for slower ES256);
  • Stand-alone and cross-platform code (no external dll, works with Delphi or FPC);
  • Enhanced security and strong design - per instance, it is by design immune from
  • Full integration with the framework.

Continue reading...

2016, Thursday November 10

EKON20 mORMot Conferences

EKON20 is now over, and there was a lot of people, great speakers, beautiful T-Shirt, and fresh beer!

I've published the slides of my mORMot conferences on SlideShare...

The "classic" Synopse/mORMot slides have also been uploaded to their latest revision, so don't hesitate to check what's new!

The PDF are also available for direct download from our server.


2016, Tuesday October 18

Cheat Mode for Private Keys

In order to follow best practice, our .private key files are always protected by a password.  A random value with enough length and entropy is always proposed by the ECC tool when a key pair is generated, and could be used directly.
It is always preferred to trust a computer to create true randomness (and SynCrypto.pas's secure TAESPRNG was designed to be the best possible seed, using hardware entropy if available), than using our human brain, which could be defeated by dictionary-based password attacks.
Brute force cracking would be almost impossible, since PBKDF2_HMAC_SHA256 Password-Based Key Derivation Function with 60,000 rounds is used, so rainbow tables (i.e. pre-computed passwords list) will be inoperative, and each password trial would take more time than with a regular Key Derivation Function.

The issue with strong passwords is that they are difficult to remember. If you use not pure random passwords, but some easier to remember values with good entropy, you may try some tools like which returns values like $$19*wrong*DRIVE*read*61$$.
But even then, you will be able to remember only a dozen of such passwords. In a typical public key infrastructure, you may create hundredths of keys, so remembering all passwords is no option for an average human being as (you and) me.

At the end, you end up with using a tool to store all your passwords (last trend is to use an online service with browser integration), or - admit it - store them in an Excel document protected by a password. Most IT people - and even security specialists - end with using such a mean of storage, just because they need it.
The weaknesses of such solutions can be listed:

  • How could we trust closed source software and third-party online services?
  • Even open source like may appear weak (no PBKDF, no AFSplit, managed C#, SHA as PRNG);
  • The storage is as safe as the "master password" is safe;
  • If the "master password" is compromised, all your passwords are published;
  • You need to know the master password to add a new item to the store.

The ECC tool is able to work in "cheat mode", storing all .private key files generated passwords in an associated .cheat local file, encrypted using a cheat.public key.

As a result:

  • Each key pair will have its own associated .cheat file, so you only unleash one key at a time;
  • The .cheat file content is meaningless without the cheat.private key and its master password, so you can manage and store them together with your .private files;
  • Only the cheat.public key is needed when creating a key pair, so you won't leak your master password, and even could generate keys in an automated way, on a distant server;
  • The cheat.private key will be safely stored in a separated place, only needed when you need to recover a password;
  • It uses strong File Encryption, with proven PBKDF, AFSplit, AES-PRNG, and ECDH/ECIES algorithms.

Continue reading...

2016, Saturday September 24

Public-key Asymmetric Cryptography via SynECC

After weeks of implementation and testing, we introduce today a new feature of our mORMot Open-Source Framework.

Asymmetric encryption, also known as public-key cryptography, uses pairs of keys:

  • Public keys that may be disseminated widely;
  • Paired with private keys which are known only to the owner.

The framework SynEcc unit features a full asymmetric encryption system, based on Elliptic curve cryptography (ECC), which may be used at application level (i.e. to protect your application data, by signing or encrypting it), or at transmission level (to enhance communication safety).
A full set of high-level features, including certificates and command line tool, offers a stand-alone but complete public-key infrastructure (PKI).

Continue reading...

2016, Tuesday September 6

Ride the mORMot at EKON 20 in Dusseldorf!

There are still a few days for "very early birds" offer for EKON 20 conference, and meet us for 3 sessions (including a half-day training/introduction to mORMot)!
Join us the 7-9th of November in Düsseldorf!

Our sessions are not restricted to mORMot, but will use mORMot to illustrate some concepts and design ideas:

You can contact me if you want to join, so that I may give you an additional discount password!

Hope we can meet for a chat and (a few) beers!

2016, Saturday July 30

Bloom Filter and Big Data

Especially if you are dealing with a lot of data, you often need a way to identify if a value is available in a value set.
A typical use case is if you have data sharded among several nodes, and you want to avoid asking each node for each incoming request.

A naive approach could be to store all data in a memory list.
But here we are really talking about a lot of data, and it would simply not fit into a memory list.

We may say that it is the purpose of a database to maintain such a list.
So you start a good CREATE TABLE on your RDBMS with a single indexed primary key column, fill it with your data, and run a proper SELECT.
But it takes a lot of storage, insertion is slow, and this database becomes a bottleneck.

Then you consider using some NoSQL database like Redis.
It is faster than a RDBMS, but it tends to use a lot of memory, and it is still resource consuming to update the values.

No comes Bloom Filter magic.
It allows to store the presence of high-number of values with a small memory space, with a predefined ratio of potential false positives.

We just introduced a TSynBloomFilter class in our Open Source mORMot framework trunk, which features an optimized and self-tuning Bloom Filter storage, with potential low-bandwidth synchronization over the wire.

Continue reading...

2016, Monday May 30

SOA and stub/mock working on Linux x86, x64, arm32 and aarch64

Some patches, provided by ALFred, did introduce some new platforms under Linux:

  • Linux x86 (aka Intel 32-bit)
  • Linux x64 (aka Intel 64-bit)
  • Linux AARCH32 (aka ARM 32-bit)
  • Linux AARCH64 (aka ARM 64-bit)

It needs the latest trunk version of the FPC compiler, and the "Interface Enhanced RTTI" patch.

Here is a screenshot of Lazarus running all SOA tests (including asynchronous callbacks via WebSockets) on a remote ARM 64-bit box:

Thanks a lot, Alfred, for the hard work, and all the time spent during debugging!
There was some low-level asm involved here, to invoke an interface, or create a fake interface implementation on the fly... not any easy task...

Any feedback is welcome on our forum, as usual!

2016, Saturday May 14

Anti-forensic, safe storage of private keys

In any modern application, especially on Client/Server nTier architecture as our little mORMot offers, we often have to persist some private keys in a safe way.
Problem with such keys is that they consist in small amount of bytes (typically 16 or 32 bytes), easy to be left somewhere in disk or memory.
Given the abilities of recent forensic data recovery methods, data can't be destroyed on magnetic or flash storage media reliably.

We have just added to our SynCrypto OpenSource library the Anti-forensic Information Splitter algorithm, as proposed in TKS1, and implemented in the LUKS standard.
LUKS is the de-facto standard of platform-independent standard on-disk format for use in various tools.

Continue reading...

2016, Friday April 22

Support of Delphi 10.1 Berlin

You should have noticed that Delphi 10.1 Berlin has been released.

Our Open Source projects, including mORMot and SynPDF and their associated documentation have been updated to support this new revision.
Any additional feedback is welcome, as usual!

2016, Saturday April 9

AES-256 based Cryptographically Secure Pseudo-Random Number Generator (CSPRNG)

Everyone knows about the pascal random() function.
It returns some numbers, using a linear congruential generator, with a multiplier of 134775813, in its Delphi implementation.
It is fast, but not really secure. Output is very predictable, especially if you forgot to execute the RandSeed() procedure.

In real world scenarios, safety always requires random numbers, e.g. for key/nonce/IV/salt/challenge generation.
The less predictable, the better.
We just included a Cryptographically Secure Pseudo-Random Number Generator (CSPRNG) into our SynCrypto.pas unit.
The TAESPRNG class would use real system entropy to generate a sequence of pseudorandom bytes, using AES-256, so returning highly unpredictable content.

Continue reading...

2016, Monday February 8

Linux support for Delphi to be available end of 2016

Marco Cantu, product manager of Delphi/RAD Studio, did publish the official RAD Studio 2016 Product Approach and Roadmap.
The upcoming release has a codename known as "BigBen", and should be called Delphi 10.1 Berlin, as far as I understand.

After this summer, another release, which codename is "Godzilla", will support Linux as a compiler target, in its Delphi 10.2 Tokyo release.
This is a very good news, and some details are given.
I've included those official names to mORMot's internal compiler version detection.
Thanks Marco for the information, and pushing in this direction!

My only concern is that it would be "ARC-enabled"...

Continue reading...

2016, Saturday January 9

Safe locks for multi-thread applications

Once your application is multi-threaded, concurrent data access should be protected. We already wrote about how debugging multi-thread applications may be hard.
Otherwise, a "race condition" issue may appear: for instance, if two threads modify a variable at the same time (e.g. decrease a counter), values may become incoherent and unsafe to use. Another symptom of broken logic is the "deadlock", by which the whole application appears to be blocked and unresponsive, when two threads have a wrong use of the lock, so are blocking each-others.
On a server system, which is expected to run 24/7 with no maintenance, such issues are to be avoided.

In Delphi, protection of a resource (which may be an object, or any variable) is usually done via Critical Sections.
A critical section is an object used to make sure, that some part of the code is executed only by one thread at a time. A critical section needs to be created/initialized before it can be used and be released when it is not needed anymore. Then, some code is protected using Enter/Leave methods, which would lock its execution: in practice, only a single thread would own the critical section, so only a single thread would be able to execute this code section, and other threads would wait until the lock is released. For best performance, the protected sections should be as small as possible - otherwise the benefit of using threads may be voided, since any other thread would wait for the thread owning the critical section to release the lock.

We will now see that Delphi's TCriticalSection may have potential issues, and what our framework proposes to ease critical section use in your applications.

Continue reading...

2015, Friday December 11

Audit Trail for Services

We have seen previously how the ORM part of the framework is able to provide an Audit Trail for change tracking.
It is a very convenient way of storing the change of state of the data.

On the other side, in any modern SOA solution, data is not at the center any more, but services.
Sometimes, the data is not stored within your server, but in a third-party Service-Oriented Architecture (SOA).
Being able to monitor the service execution of the whole system becomes sooner or later mandatory.

Our framework allows to create an Audit Trail of any incoming or outgoing service operation, in a secure, efficient and automated way.

Continue reading...

2015, Saturday November 21

Try to avoid RTTI (ab)use

There is a very trendy move, since a few years, to value so called "meta-programming".
In short, it is about the ability to treat programs as their data.
It is a very powerful paradigm in functional languages, and it was also introduced to OOP languages, even in SmallTalk a long time before this concept was trendy in Ruby, C# or Java.

In OOP compiled languages, reflection is used to achieve a similar behavior at run-time, mainly via RTTI (Run-Time Type Information).
Delphi supports RTTI since its version 1, as it was heavily used e.g. for all UI streaming.
In our framework, we rely on RTTI for its main features: ORMSOA and MVC - and even in some other parts, like Desktop UI generation.

But RTTI could easily be abused.
Here are some thoughts, started as a comment in a good old Mason's blog article about how RTTI performance may be a bottleneck.
My comment was to get rid of RTTI, and follow a SOLID implementation with explicit OOP code, like use of interface.

Continue reading...

- page 1 of 18