Delphi Meetup Web Development bij TMS op 12 juni 2018

Het is al bijna zover, de volgende Delphi Meetup. Dit keer in Wevelgem op het kantoor van TMS Software.

Bruno Fierens laat zien hoe je vanuit de Delphi IDE, met de Delphi taal en componenten, op een een RAD manier web user-interfaces kunt bouwen. Ook zie je hoe vanuit die Delphi web applicaties op eenvoudig bestaande Javascript libraries, zoals bijvoorbeeld jQuery, gebruik kan worden gemaakt van user-interface controls. Als laatste laat hij zien hoe dit samen met Delphi databinding te gebruiken is..

In aansluiting op de sessie van Bruno combineert Danny Wind in een use case een aantal technologieën om je te laten zien hoe eenvoudig het is om gebruik te maken van RADical Web. Danny zal een op REST gebaseerde micro-service back-end gebruiken en een  front-end die zowel RADical Web als Apps (Android/iOS) gebruikt. En dit alles gewoon met Delphi Code!

Meer info vindt je hier:

Get your App in the Google Play store before August 1, 2018

Google is changing its requirements for the target SDK API level. Starting from August 1st any new app uploaded to the Play Store must target API level 26 (Android 8.0). If you have an existing app in the Play Store you’ll have some more time, as updates to the app must only meet this same requirement on November 1st.

This means that if you are currently developing a new Delphi Android App you should consider uploading it into the Play Store before August 1st. Why? The current version of Delphi uses a target SDK of API level 14. If you upload your new app now, this buys you some time until November 1st to become API level 26 compliant with an app update.

I’m working on an API level 26 issue right now, where I’m extending the JContext of Delphi with some of the new API level 26 features for starting a foreground service. This is needed to comply with the new background execution limits introduced in Oreo. This works quite well, and does not require a lot of code.

If you can not upload your app to the Play Store before August 1st, then this blog post from Dave at Delphi Worlds may help you further. It changes some of the Delphi code to achieve (partial) API level 26 compliance.

Delphi 10 Tokyo Update and Firemonkey-Android Power training March-2018

On March 8th and 9th we have the Delphi 10 Tokyo Firemonkey and Android Power training planned in Etten-Leur in the Netherlands. In just two days you will learn how to develop an Android App in Delphi, with high level features in the GUI down to high tech stuff when interacting with the Java side. This training is available in both English and Dutch. Registration can be found here.

A week after, on March 15th and 16th, we have the Delphi 10 Tokyo Update training in our agenda. As one of the previous attendees told me a couple of weeks after attending this training “I’ve learned so many new things in these two days; I especially liked the (PPL) TTasks chapter”. This one is only available in Dutch, registration can be found here. Note: due to a conflict in planning with an on-site training this open training has been moved to April 19th and 20th.

Meltdown, Spectre and Delphi

Don’t panic. 😉

All applications are vulnerable to Spectre attacks.
Unfortunately this also includes applications written in Delphi. Does this mean Delphi developers have been on high alert the past few weeks? Well, it all depends. If you’re creating software for a high-risk business with a large user base and public deployment, then probably yes. But in most cases it’s a no.

As you may already know, its sibling called Meltdown (Rogue data cache load, CVE-2017-5754), can be completely fixed with updates. Most of these are already available, so update your computers. Use some care though, some of these patches have been reported to cause reboots and blue screens on specific CPU versions from both Intel and for AMD as reported by Microsoft.

However, Spectre attacks can not really be mitigated with microcode updates or operating system updates alone. That’s because it attacks at the way that most CPU’s optimize code execution, which is not something you can simply turn off. The simplest CPU’s are the only ones that are not affected, as you can read in this rather easy to read article on RaspberryPI.

The Spectre attack requires the hacker to construct a specific attack for each specific piece of software. Setting this up takes some work as you need to trick the existing application to leak its information via a side channel attack through repeated iterations of having it call into specific instructions. In other words, suppose a vulnerable instruction sequence would be triggered by a click on a specific “button”; the hacker would have to write some code that would keep clicking this “button” while data is leaked from the applications protected memory locations.

This means the hacker would have to analyze the application beforehand and write an exploit specifically for this application, and somehow persuade the end-user to run this exploit side by side with the vulnerable application. This takes some serious effort. In fact, if you can already get such an exploit to run in the same user space, there are many more ways of attack that are far easier to perform. This means that a Delphi (or any other)  application with a small user base, say below 10.000 users and/or those without public deployment (not in any app store) have a relatively low risk of being attacked. It’s still possible though, just not very likely.

Does this mean we could just do nothing, like go Niksen? Well, that’s not exactly what I meant. What if someone analyzes the compiled code for one of the most popular used components of Delphi and writes an exploit for that? This hasn’t happened yet, but given time, someone will find a way to more easily exploit Spectre in a generic fashion. Need an example? The past weeks you could already exploit Spectre by just running JavaScript inside a browser, as described in the paper. Yes, this does mean that the Delphi TWebBrowser component, which is just a window to the underlying OS browser architecture, was vulnerable. Hopefully you’ve already got your browsers updated.

Ok, so what can we do? For variant 1 of Spectre (Bounds-Check bypass, CVE-2017-5753) Intel suggests using a LFENCE instruction. There is a compiler switch, that was previously undocumented that results in adding these LFENCE instructions for the MSVC compiler. In Delphi you can just add LFENCE instructions in your code using


but I’m not sure if you can place these LFENCE instructions in between pascal statements at exactly the right positions for this to always work out as we want. If I translate the example Microsoft uses for Bounds-Check bypass into Delphi:

if (untrusted_index < array1_length) then
  value := array1[untrusted_index];
  value2 := array2[value * 64];

this results in the following view in the disassembler:

This looks OK, the LFENCE is placed at the same location as in the Microsoft example, so you could modify your existing sources with this code. Still, it’s probably better if adding these LFENCE instructions were handled by the compiler.

Google has proposed a solution on a compiler level to prevent the branch-target-injection variant of Spectre (CVE-2017-5715) using retpoline. Open source versions of the code have already been submitted to LLVM and GCC. However, there is no easy way to modify your Delphi code to introduce this solution. The indirect branch that is vulnerable is generated by the compiler, for instance when you write polymorphic code that calls a overridden virtual method of a subclass such as described in Google’s example. For the Delphi developer that’s just one line of code, with no easy way to add this new calling construction. This one needs to be handled by the compiler and for LLVM and GCC this change is being evaluated.

If this all works out that means we will have an option to mitigate these two variations of Spectre attacks on existing applications by just recompiling that application. These solutions could become part of all compilers out there, including all of the Delphi tool chains, LLVM-based or not. My preference would be to add this as a Compiler Option similar to the one we had for the Pentium FDIV bug. Because just like the FDIV bug, Spectre will also disappear with newer CPU’s that handle things a little differently, and then you can choose to disable that option again.

If you’re into a challenge and want to know more on the details of Meltdown and Spectre I suggest reading the original posting on Googles Project Zero page.


CodeRage XII Modernizing your VCL application

Thank you for watching my session on Modernizing your VCL application at CodeRage XII.

If you want to watch the video again, you can use this YouTube link:

Slides, source code and database for this webinar is available for download here:

The zip file is password protected to add some level of security to it.
The password is coderagexii

Additional Tips:

The Windows-10 styles can be modified or appended with your own styling using Tools | Bitmap Style Designer.

When using a TTask to get things done in the background, avoid sharing resources with the main thread. Either disable access from the main thread to these resources or create copies for the TTask. After that feedback the results to the main thread using TThread.Queue or TThread.Synchronize.

When using TTask, use a task-based approach just like you would in the real world when you let a colleague do a task. Just delegate an entire task with the required resources (memory, file handles, connections, datasets) to a TTask and allow the task to feedback its results at the end of the task. Avoid using locking as this can easily lead to deadlocks, waitlocks and other blocking effects.

When using Change Views keep in mind that the first time a subscription is activated on the Change View it will return all records, as it does not yet know which records you have already received for the specified subscription identifier.

Change View subscription identifiers should be unique but repeatable for each running application instance. Create an identifier, such as [MachineName+UserName] and use it to activate the subscription. If the application is stopped and then run again, it can activate the subscription using the same identifier, so you will get the changes back again.

CodeRage XII – Modernizing your VCL application

If you haven’t already sign up for this years CodeRage XII conference.

CodeRage XII is an online conference for three days starting Tuesday Nov 7th on 13:00 in the afternoon (CET, Amsterdam time), until Thursday Nov 9th at one a clock in the night.

There are a lot of interesting sessions this year, covering everything from JSON to Linux Libraries, Amazon data storage to running on Arduino with Visuino. And many more.

Key speakers this year are Robert C. Martin on Clean Coding and Agile, Marco Cantu on ExtJS, and of course our own Paweł Głowacki on Amazon data storage integration.

I’ve got a session as well, on Modernizing your VCL application. It takes a Webshop BackOffice application and re-styles it for Windows-10 and 2017, removes the user wait times by using FireDAC Async SQL and TTask from the Parallel Programming Library (PPL) and uses Interbase Change Views to take a first step to changing from a save/load based approach to a state-based application, where the user always has the latest data available.

Delphi 10 Update Training – 14 en 15 december 2017

Ben je al wat langer met Delphi bezig, kom dan naar de Delphi 10 Update Training om je kennis op te vijzelen met de nieuwe features en mogelijkheden.

Op donderdag 14 en vrijdag 15 december 2017 stomen we je klaar voor al je goede Delphi voornemens in 2018 met de mooiste, belangrijkste en nuttigste onderwerpen behandelen die Delphi erbij heeft gekregen sinds Delphi 2010.

We behandelen in deze twee dagen heel veel Delphi onderwerpen; Unicode, FireDAC, Parallel Programming (PPL), FireMonkey, Livebindings, maar ook advanced language features zoals Generics en anonymous methods.

Er is ook ruimte voor eigen inbreng en vragen. Heb je interesse in Interbase ChangeViews bijvoorbeeld, dan kunnen we dat ook behandelen.

Meer info en inschrijven voor kan hier.

Delphi “The LAB” – 19 september 2017

Er komt een mooi evenement aan met de prachtige gelegenheid om rustig te spreken met de presenters van het evenement in “The LAB”.

Neem de tijd om bij een kopje koffie te praten met elk van de presenters in het restaurant van het Evoluon, maar volg ook de interessante sessies van sprekers als Jens Fudge, Andrea Magni, Bob Swart en David Millington. Vergeet ook de CurieWise C++ Builder sessie van Ludo Stroetenga niet.

Mijn sessie op dit seminar gaat over het oppeppen van bestaande Delphi VCL applicaties. Verplaats de gehate zandloper naar TTasks, poets je User Interface op met fraaie controls en gebruik enkele nieuwe technieken om je code indrukwekkend sneller te maken. In “The LAB” heb je ook nog eens uitgebreid de tijd om me vragen te stellen over het gebruik van TTask, User Interfaces of over het maken van een goede espresso.

The LAB, where you get to spend time with Delphi presenters


PDF met de sessies:

Inschrijven kan hier: