Folks, it's the spring!

In times of the 'GREEN IT', it's absolutely necessary to post such a picture on a software blog! ;-)

Software Architecture and balancing stakeholder needs

I recognized recently that I blog a lot about computer security (because of several reasons). This is definitely not a boring topic. On the contrary, it’s complex, fascinating and a fast moving target. You need a decent understanding in computer science to keep up with all the things going on out there. On the other hand, the area of system security (comprising computer and network security) is full of misconceptions. Too many people still believe that a firewall is the silver bullet to keep out attackers, worms and other malware. I don’t comment on that anymore. But this never ending discussion leads me to one of my core competences – software architecture and all the team, communication and development related aspects. A software architect needs to understand stakeholder needs. Typical stakeholders are end user, developer, test stuff, marketing folks, project manager, just to name a couple of them. But understanding and documenting is not enough. A stable and successful architecture balances stakeholder needs and reflects this in all their lifecycle stages, from requirement management until testing, delivery and maintenance. I know this happens just in theory, in an ideal world somewhere in a software glasshouse. But we should strive to come closer. Achieving tradeoffs is an important success criterion in the process of creating a stable and lasting architecture. These tradeoffs should be the result of negotiations with the ultimate goal to come to a win-win situation for all participants (àstakeholders). From the technical perspective, most of the tradeoffs must be achieved between functional and non-functional requirements (aka quality attributes). From this we see that there is s strong link to security as an essential quality attribute in a connected world of ubiquitous computing and routed protocols. Many design decisions in the scope of security architecture are in marked contrast to the ideas of usability folks and the needs of project management. But these contradictions must be addressed and resolved, which might be a tough job. Anyhow, for the sake of a successful product achieving broad market acceptance, failing in balancing stakeholders needs is not option.

Computer Security in the scope Web 2.0

The current issue of ACM Queue puts Web Security in focus. One article is titled Cybercrime 2.0: When the Cloud Turns Dark. In essence, it is really hard to disagree. I could just add a couple of web attack scenarios based on update services or instant messaging. A lack of security in the design of web applications and the underlying infrastructure is the root cause, as stated in the conclusion of the article. But it is really hard to see some kind of remedy in the near future. On the contrary, new solutions like offline web-applications, cloud computing and the so called Web-OS are all based on vulnerable technologies but connect a large number of users and machines. This will increase the attack surface because each single hole in the system might give an attacker access to a large network of assets and services. Some people call these new applications and architecture already Web 3.0. Unfortunately, nothing has changed in terms of security.

Waiting for my Netbook

There are rumors about a netbook made by Apple. Beside many other sources, Gizmodo came up with a couple of information and pics (touchscreen, …). The assumption that this gadget will be available before Christmas sounds logically. It makes my life easier picking up the right present for myself … :-)

Silverlight 3 at Mix09 / Las Vegas

The most important fact is that Silverlight 3 Applications (basically a subset of WPF) can be deployed and executed outside the browser in a sandbox. Beside this deployment scenario, advanced video features (H.264) and an updated version of Blend are the most remarkable renewals for the smart client ecosystem.

More testing tools for parallelization

Intel® offers a so called “Application Concurrency Audit Tool” for free. The Intel® Concurrency Checker 2.1 is available for Windows and LINUX and can be downloaded from their software network. I started to play around a little bit with the tool. It provides a decent overview on CPU utilization, elapsed time, parallel time, utilization regarding threads, and levels of concurrency. It allows to attach running application executables as well as to test java apps.

What's on my reading list?

Four books, basically:

• the Long Tail by Chris Anderson
  ... recommende for all people interested in the new economy and e-commerce
• Outliers by Malcolm Gladwell
  ... its about genius
• Das Scheekind by Nicholas Vanier
  ... a musher travels BC and Alaska with his wife and a baby
• Mechanics of User Identification and Authentication, by Dobromir Todorov
  .. it's for geeks

Offline-Web Applications & Security

We can read a lot about Computing in the Clouds these days, even in ordinary newspapers. It’s a big business with SOME open questions. I started to compile a couple of thoughts in Web Browser, Web-OS and the Era of Cloud. Beside the real differences to Client-Server Computing (“Dude, sometimes I can spot them, and sometimes not!”), I do have my concerns pertaining to security. Take the so called Offline-Web Applications (sometimes called Web 3.0) for example. Beside the fact that this word is a contradiction in itself, the vulnerabilities are an existing problem. Running web servers everywhere increases the attack surface. The HTTP-servers on the client machines are needed to keep the applications (that are web applications) running in case of a network blackout. In addition, to maintain state is another must to allow a kinda real application feeling. Maintaining state in the scope of web application based on HTTP with all consequences has been a security problem from the beginning. Nowadays, state is maintained by using cookies and other remnants initiated and used by browsers and plug-ins. Talking about Offline-Web Applications, small databases on client-side are in use. But this list is not complete yet. HTML 5 specifies a Structured Client Side Storage which includes database storage (local and relational). Some Web-browser vendors are planning to support to a certain degree (session, local, database). This will change attack scenarios as well as attack surface. Combined with excessive scripting, but this is another story …

Dresden’s castle got a (new) roof

webduke pics 2009

more pics on:
http://www.panoramio.com/user/1514395

(These Days) Development Skills

I do remember times very well when software development was envisioned as a process of combining components (either ActiveX or some kind of Beans), and smart people started to perceive software as a kinda utility (like water, electricity or network access). I did not comment on this. Talking about the technical aspects, not much has changed. Writing (beautiful) code is still a creative and a heuristic process. And, beside patterns and practice, it needs strong skills and a lot of experience. Again, there is nothing new about this (since 19** ?). Just two examples from today’s problem spaces: parallelization and distributed apps on a large scale. To cope with today’s hardware platforms (multi-core) needs a lot of knowledge and diligence in developing applications running on them. There is no magic tool, workbench, compiler, etc. to solve such problems implicitly, not yet. You need a decent understanding of processors, cashing, threads and shared memory. Sure, testing this stuff comes with another steep learning curve. Secondly, largely distributed systems (take upcoming clouds as an example) do need a different approach pertaining to availability and consistency (see my posts on BASE, CAP, etc.). It’s up to the development team to hide the trade-off between data consistency, system availability, and tolerance to network partitions. This is not a piece of cake. It needs new approaches and thinking models, pretty similar as when we moved from the client server-paradigm to more or less simple distributed- application-patterns. In essence, the heuristic part of software development is alive and kicking.

Security in Cloud Computing (Distributed Systems)

Security is one of the most important requirements to make a software system running in the cloud acceptable for the intended user community. This is especially true in times like this where people’s privacy is under attack on a daily basis. Just follow the news in Germany. It’s a big concern and not far fetched, not at all.
Computer security got a couple of basic pillars; Identity Management is one of them. In the new realm of cloud computing, this comes along with authentication and authorization in distributed systems. SAML (the SAML 2.0 protocol) and OpenID are more or less standards to support the implementation, also in terms of interoperability. Big vendor’s cloud architectures (just see the Geneva project as an example) do support these standards. This is not just a good approach in terms of interoperability; it also leads to a better understanding and visibility regarding the underlying implementation and infrastructure which probably leads to more trust and better acceptance.

New Pics on Panoramio

Friends, a added new pics to my Panoramio Account. Just check on: http://www.panoramio.com/user/1514395

Beautiful Dresden in wintertime

My technical wish-list for 2009

Talking about the New Year - What do I expect from the technical perspective? Here comes my wish-list which is a blend of my expectations and the trends I see in general for 2009.

• A better support for effective parallel programming, also with a more implicit approach
• New solutions to interact with smart devices (cell phones) to overcome tiny keyboards and cumbersome handling
• A synthesis of a Handheld-GPS and a simple mobile phone to reduce the number of devices in the outdoors (let’s call it a rugged GPS-Phone)
• Cool applications (and gadgets) making use of the so-called “cloud computing”
• GPS and RFID in much more tools and gadgets (cameras, mobile phones, bikes…) with the option to switch it off anytime
• Location Based Services (ez to use, respecting privacy, useful) with real benefits for the user
• NetBooks for all known OS platforms
• Home automation for mainstream households; many use cases are conceivable and could help saving energy, this would give the buzzword “Green IT” a very new meaning
• More awareness of security and privacy issues in a connected world which leads to new options to protect digital information, assets, and people’s privacy
• E-books based on gadgets and applications that create a new reading experience; don’t get me wrong, I will always stick to real books made of paper but I see E-books as a interesting alternative beyond the advantage to carry a lot of books wedged in a handy device when travelling
• A new album from my favorite band TOOL
• Anything to add? Feel free to comment.

Merry Christmas and Happy New Year!

I still hope for a White Christmas and perfect ski conditions.
Let There Be Peace on Earth!

ACID, BASE, CAP and the Clouds

This is not about chemistry, medication or transcendent music. But it is a fussy topic. I assume the ACID (Atomicity Consistency Isolation Durability) paradigm is well known and understood from working with databases or in the scope of transactional logic. But this is about to change in large distributed applications running in the clouds (of whatever flavor) with distributed data repositories (e.g.: partitioned databases on distributed nodes). Running in clouds implies the utilization of web services predominantly. This environment leads to the CAP theorem which is about Consistency, Availability and Partition Tolerance with the restriction that only two goals (of CAP) can be achieved in a real world implementation. So it is up to application development to decide between availability and consistency and to conceal this conflict by different means, for instance by using a smart user interface logic and design as well as sophisticated update and messaging strategies in order to achieve consistency in the second step. - I apologize for oversimplifying this whole topic for the sake of a concise post. – Anyhow, this is already in place in large online-stores. To bring the third acronym into the game, an approach to make this happen is called BASE. It stands for Basically Available, Soft state, Eventually consistent). An architecture based on decoupled subsystems is an important prerequisite to achieve this.
There is nothing new about these acronyms and the paradigm change. Great articles can be found on the web (for instance Werner Vogel’s “Eventually consistent”) or other stuff especially available at ACM QUEUE. I just wanted to emphasize the need to check on this from the architectural perspective in order to answer the question: Is this application the appropriate choice to be deployed in the clouds or not? Or say it the other way around: Is BASE good enough for you? Or, is ACID essential for your system and the underlying requirements that are basically quality attributes? For many systems in the industrial domain (where data integrity and consistency is king) the answer might be not (or probably not yet). To answer these question correctly in order to adhere to such paradigms (or not), is essential because the clouds are already on the horizon.

More Parallelism Support in upcoming IDE version

The October issue of the MSDN magazine contains an article on the improved support for parallelism in the next version of Visual Studio [v. 10] as well as in .NET 4.0. Stuff from the Parallel Extensions (TPL, PLINQ) to the .Net 3.5 Framework (available as Community Technology Preview) went in as well as new features to support parallelism in native code. In addition, testing tools to cover parallelism in code are in the pipeline too. Most of these new features were presented at this year’s PDC in Los Angeles (slides are available for download). This is definitely a step in the right direction but a long road to go until writing parallel code is daily business for mainstream programmers. I got still concerns if existing programming languages, libraries, frameworks and compilers can deliver the final answer to cope with the complexity of expressing explicit parallelism.

New Music on my turntable

Talking about the stock market, the October was a nightmare; everything went south. Fortunately, there is still Rock’n’Roll (“There is noting conceptual better than Rock’n’Roll!”, you remember John Lennon saying this in an Rolling Stone interview? It is so true, so true!). Well, the October was not so bad in terms of new releases. Here are my new acquisitions:

• Metallica - "Death Magnetic" [****]
• Oasis - "Dig Out Your Soul" [***]
• ACDC – "Black Ice" [*****]
  Please note, ACDC gets five stars [*****] by default.

Mauerfall und Schwarze Schwäne

Heute vor 19 Jahren ist die Mauer, ein Symbol von Unfreiheit und Unterdrückung, gefallen. Momentan lese ich gerade „The Black Swan“ von Nassim Nicholas Taleb. Wie passt das zusammen? Für mich ist der Mauerfall ein typischer Schwarzer Schwan, der alle Eigenschaften erfüllt, die Taleb in seinem Buch beschreibt: selten (rare), mit extremen Auswirkungen (extreme impact) und rückblickend vorhersehbar (retrospective predictable), ein so genannter Outliner. Natürlich ist das eine theoretische, fast schon philosophische Sichtweise, die die emotionalen Gesichtspunkte eines solchen Ereignisses (das extreme Leid vorher und die überschwängliche Freude beim Fall der Mauer) nur ungenügend berücksichtigt. Sie birgt aber auch die Hoffnung, das es in Zukunft ähnliche Schwarze Schwäne geben kann, die unterdrückten Menschen in Not endlich Freiheit und Demokratie bringen werden.

Autumn in Germany

autumn impression - webduke pics 2008

Concurrency Aspects

The new issue of the ACM Queue got the “The Concurrency Problem” on the front page. One article is about the programming language Erlang which has the ability to solve parallel problems by design. Another excellent contribution (Real World Concurrency) is about the why and when and tries to nullify any taste of black magic. I totally agree that developers should not feel forced to use parallelization by implementation in any scenario. Performance is the main objective when parallelization is considered. But there are different ways to achieve this (and not just by using threads and locks [lets call this multithreaded code] within one process). The author calls this approach concurrency by architecture. I can live with that perception perfectly. Furthermore, a lot of hints and pitfalls are listed in order to handle locks, threads, mutexes, semaphores, and debugging in the correct way which includes good advice how to identify the right code segments for parallelization. Must read (*****)!

A brief history of Access Control

Access Control is an important part of the computer security realm. It is complex, hard to achieve in a robust and bullet-proof manner and it will always screw up ordinary users that want to surf and play around without being confronted with nasty restrictions, decisions and limitations. Is this realistic, achievable? Well, everything seems to be a big loop in the computer and software industry [a reference to the good old times :-)]. Take the cloud-stuff as example. Sharing resources and deploying thin clients is not that new. Its just branded (and pushed) like a new hype. Where is the relation to access control? Access control can be implemented in the operating system (OS) as well as in other layers of the application stack. I’m gonna focus on the OS level here. I remember times [aka as the good old times :-)] where user-rights in terms of access control were very limited. The change came with the advent of personal computing. Everybody wants to be an admin (and can be an admin) very easily, even programmers. In case of a disconnected, single-user machine, it might not be a problem. But this is not a valid scenario. We want and need the Internet. Yes! But beside all the cool stuff, male-ware is everywhere, and needs our machines as host or target. We are easy prey when running everything as admin. So we need to get back to the good old times [in order to complete the loop:-)]. In Vista, a serious attempt has been started. It might be boring to get asked all the time when feeling like an admin (but just being a standard user for the process in execution which is the parent process for later stuff). And, it might be cumbersome to maintain the virtualized registries for the old programs. Security versus usability and maintainability, this is the battle that it is raging. It should be fought and security must prevail (in the era of identity theft, male-ware and root-kits); especially when everything is running in the clouds. Hopefully, smart people will come up with some smooth solutions that make limited user-rights in terms of access control more acceptable.

Security and Virtual Machines, Part II

I announced lately to get back to this virtual thing and the ramifications when talking about security. Here we go. Identity and ownership are important factors in the security realm. Both attributes are often handled different in the world of Virtual Machines (VM). The owner of the real box might not be the owner of the VM. Identifiers (port number, MAC address) can differ and old-fashioned identity-schemas can not be applied anymore. Another side-effect coming with VM’s is an increase of complexity for the patch and update management. This is because of the broad variety of operating systems and versions that can be installed (and that will be installed) on the top of VM’s. All of them got their own life-cycle and their security-patches that must be applied. The VM life-cycle which can be characterized by snapshots and rollbacks is definitely helpful for testing and other evaluation purposes. But there are operations in the area of cryptography that could suffer. Time, random numbers, seeds, initials vectors, transaction states – just to name a couple of potential vulnerabilities. I see some room for improvement, especially for randomness in a virtualized environment. This must be addressed in the scope of the security architecture for a given system.

Detroit in October

Detroit in late October 2008
- webduke pics

Book Recommendation

This is the perfect time to read "The Black Swan", a book written by Nassim T. Taleb. The current financial crisis might be such an event (or might be not). Anyway, the book is fascinating, intelligent and funny. The - scalability of today's jobs - is an approach I have never thought about a profession. This is just one of many new perspectives. Another one is the turkey and what we can learn from him (and his destiny).

Dresden Moritzburg

schloss moritzburg 2008 - webduke pics

It's already autumn

October 2008 - webduke pics

... Real Nature is much more inspiring than anything else ...

... forget about buggy systems ...

Surf Globally, Store Locally?

The era of clouds (see my post on that) comes along with a lot of options to outsource data processing, storage and integration. Well, using external processing power is definitely a good idea, and this service is already accepted and used. Also the integration scenarios offer a lot of chances (beyond the market place and b2b capabilities). But storing data on external machines is a different thing. Security (privacy) concerns exist and should be taken seriously. Incidents (just see what happened to customer data of a big German telecom / mobile phone company) are no exceptional cases and the most spectacular are probably just the tip of the iceberg. Bullet-proof security architecture does not come for free. It’s expensive and a never ending process. Richard Stallmann (RMS) published his concerns last week. He called cloud computing a trap. His view is more about the fact that user might loosing control when running there applications in the clouds. This implies the security aspect. So, should the slogan of the environmentalists “buy locally” a little bit adapted in order to recommend a “store locally” approach?

Late Summer Impressions

Dresden, September 2008 - webduke pics

Security and Virtual Machines

A lot of rumors are circling around that Virtual Machines (VM) could pose another threat to IT-Systems which use hypervisor-technologies extensively these days. Unfortunately, concrete facts on implementation issues are not available. This discussion is probably a little bit misleading. From the security perspective, Virtual Machines are an approach to realize Access Control on an Operating System level. This comes along with data isolation. Sandboxing is another option but on a higher layer in the application stack. Sure, security is not the main objective when applying solutions based on Virtual Machines. But these objectives, like flexibility and mobility, are topics we should take in account when talking about security in the scope of Virtual Machines. Why is that? Traditional security mechanisms were developed to protect non-virtualized systems (or real hardware in a broader sense). But Virtual Machines (better: systems based on it) behave different. They are mobile and highly dynamic (people do copy, move, switch on, switch off, change ownership), and follow different life-cycle patterns. This is not good news for firewalls, existing policies, access control within the scope of the VM, as well as for forensic analysis. Beside the technical issues, processes are not ready to face these challenges in many cases. Security folks and administrators should be aware of this and must update their instruments (tools, policies).
Other areas of security are affected as well. Cryptography is just one example. I’m gonna cover this fascinating topic in my upcoming posts. And, virtualization has started to exist in the clouds. How is security performing high above us in totally virtualized solutions? Mmmh.

BlackHat 2008 Revisited - this years location

Las Vegas, August 2008 - webduke pics

Web Browser, Web-OS and the Era of Clouds

The discussion about a “Web-OS” is alive and kicking. Some folks might call it Cloud Computing or Cloud*.*. However, new browser products and offline-gadget-frameworks are leading in this direction, and some blogs do emphasize this implicitly. Well, I don’t wanna spoil the party. Don’t get me wrong; I do not question the ideas of delivering software as a service or similar ideas. But my concerns about the underlying technologies like HTTP, HTML, JavaScript, AJAX and others still exist. Even simple applications (in comparison with a Web-OS) in the Web 2.0 environment are prone to security flaws. New threats pop up on a daily basis. Many web applications (> 90 percent) are vulnerable according to serious studies. Mail programs, automatic update services, browser plug-ins, communication services, all this stuff is affected. The Black-Hat 2008 sessions provide a decent overview on what is going wrong. Is this the right foundation to build a “Web-OS” based on? Not sure. In addition a “Web-OS” would increase our dependencies on the availability of the Internet; beside VOIP, television, mainstream Internet-Services and all the other stuff running over IP-Networks. On the other hand, today’s mainstream operating systems are making progress in terms of security, which is good news. Talking about client computing, I remember the times when a company came up with sleek, thin terminals (in blue color), and announced the end of the personal computer. Nothing really happened. Big fat machines (from different vendors running different big fat operating systems) still exist. And this is okay with me (as long as the multi-core issues will be solved). I do prefer a perfect symbiotic solution comprising a powerful and efficient machine and a fast web access with a lot of cool apps running in the clouds. And, I want to process my texts, spreadsheets and other documents locally. All of this should be working in a secure manner. And at the end of the day (when security concerns and paranoia prevail ;-)), I want to unplug the network cable without loosing the capability to work and to access my documents.

Buchempfehlung

Da ich die deutsche Ausgabe gelesen habe, möchte ich diese kleine Buchempfehlung auch in meiner Muttersprache verfassen. Amazon.com: Get Big Fast von Robert Spector beschreibt die Gründerjahre dieser unglaublichen Internetfirma aus Seattle. Wer die verrückten Jahre des Internetbooms miterlebt (und „mitprogrammiert“) hat, dem sei dieses Buch sehr empfohlen. Natürlich sollten es auch alle anderen lesen, die schon immer wissen wollten, was das Besondere an dieser Firma ist und was sie so erfolgreich macht. Eine Frage bleibt dabei offen – was wird Amazon.com in ein paar Jahren sein und womit wird dieser Pionier des E-Commerce, der heute über einzigartige und zukunftsweisende IT-Technologien und Services verfügt, sein Geld verdienen? Wahrscheinlich kann diese Frage nur ein Mann beantworten. Und auch über den gibt es diesem Buch viel zu erfahren.

A Tribute to Jim Gray

acm queue has started to publish a series of articles about computer-pioneer Jim Gray with the May/June issue. In January 2007, Jim Gray left the Bay Area with his sailboat heading for Faralon Islands and was never seen again – a tragic incident. The articles are absolutely worth reading, describing his work and the extraordinary personality of this famous computer scientist.

Ct - Parallel Extensions to C++

Intel has developed extensions to C++ supporting the optimization of serial code to be executed on multi-core processors. The research project is called Ct (t stands for throughput) and comprises language extensions as well as a runtime compiler, threading runtime and memory manager. Different sources on the web emphasize that the design goal to minimize threading/coordination overhead has been met. In comparison with OpenMP, fewer instructions are needed for parallelization.

No short term relief of multi-core programming issues available

Beside all announcements to tackle the multi-core programming challenges, no major breakthrough can be ascertained. The issues are especially relevant on the client-side in the domain of mainstream applications. I have already posted a couple of comments on that.
Even the business world has identified the current status as a problem. The Fortune magazine addresses the topic in the last issue with an interesting article - A chip too far? The article is about risks and opportunities, and a Stanford professor describes the situation as a crisis – probably yes, probably not. It is definitely a huge chance for skilled programmers and people with the right ideas. I do agree with one statement totally – after years of abstractions in terms of platforms and languages, the complexity and hardware dependencies of multi-core architectures increase the learning curve for an average programmer dramatically.

Wrapping-Up Black Hat

There have been a couple of highlights presented @Black Hat USA this year. I don’t want to distract interested folks from reading the docs and presentations which will be available from the website. Just some big topics from my point of view:

- DNS issues, DNS issues, DNS issues
- Web 2.0 (and also “Web-OS”) security problems
- Flaws in Software-update mechanisms via the internet
- Issues resulting in weak number generation

Black Hat USA 2008 ...

... was a great event. Beside all the cool briefings, the keynote from Ian Angell, Professor Information Systems at London School of Economics, was a highlight. The speech was about Complexity in Computer Security. I'm gonna point at the slides as soon as they will be availabe.

Top 44

Here comes my list. It’s a tough job to find an album for each year of my life. I was inspired by the list Werner Vogels posted on his blog. The toughest task was to leave bands or albums out in order to adhere to the rule “no repeat for artists”. I know, bands and artists like ZZ-Top, Jefferson Airplane, Grateful Dead, David Bowie, Henry Rollins or Slayer are not on the list - my apologies. Furthermore, bands and interprets as the Beatles or Frank Zappa could fill half of my list easily. Finally, Elvis is not on the list either. Well, the King should have is own list because he is the King of Rock ’n’ Roll.

1964: The Kinks, The Kinks
1965: Byrds, Mr Tambourine Man
1966: Beach Boys, Pet Sounds
1967: The Doors, The Doors
1968: Beatles, The White Album
1969: The Band, The Band (Brown Album)
1970: Black Sabbath, Black Sabbath
1971: Led Zeppelin, Led Zeppelin IV
1972: Deep Purple, Made in Japan
1973: Pink Floyd, Dark Side of the Moon
1974: Lynyrd Skynyrd, Second Helping
1975: Patti Smith, Horses
1976: Eagles, Hotel California
1977: Sex Pistols, Never Mind the Bollocks, …
1978: Bob Seger, Stranger in Town
1979: Frank Zappa, Joe’s Garage
1980: AC/DC, Back in Black
1981: Gun Club, Fire of Love
1982: Scorpions, Blackout
1983: Tom Waits: Swordfishtrombones
1984: Judas Priest, Defenders of the Faith
1985: Dire Straits, Brothers in Arms
1986: Metallica, Master of Puppets
1987: U2, Joshua Tree
1988: Lou Reed, New York
1989: Faith No More, The Real Thing
1990: Midnight Oil, Blue Sky Mining
1991: Nirvana, Nervermind
1992: Alice in Chains, Dirt
1993: Melvins, Houdini
1994: Oasis, Definitely Maybe
1995: Neil Young (with Pearl Jam), Mirror Ball
1996: Soundgarden, Down on the Upside
1997: Bob Dylan, Time out of Mind
1998: Queens Of The Stone Age, Queens Of The Stone Age
2000: Johnny Cash, American III: Solitary Man
2001: REM, Reveal
2002: Bruce Springsteen, The Rising
2003: Calexico, Feast of Wire
2004: Wilco, A Ghost is born
2005: Audioslave, Out of Exile
2006: Tool, 10.000 Days
2007: Foo Fighters, Echoes, Silence, Patience & Grace

Key Success Criterions in Software Development

Software Development is still a heuristic process affected by many internal and external parameters. Many books are written in order to make this sort of craftsmanship more deterministic. The outcome may vary. I really like to define 4 (four) key objectives at the beginning of a project, either software or system development. Our brains are filled up with too much information; so four (4) might be feasible to keep in mind:

• Tame complexity: complexity kills any system; over-engineering leads to a system that is not maintainable any more and just extensible by wrappers and such nasty type of things
• Requirement Management: make sure that a proper requirement management is in place; either by using the well-known (and rarely used thoroughly) principles [complete, traceable, testable, …] or by newer, agile processes
• Software & System Architecture: a well defined and described architecture must be in place and communicated to the whole team
• Plan for change and failure: we live in a world of constant change, and the same is true for a software projects; this must be addressed in our way of creating software; in addition, failure is an option, complex system are hard to comprehend and error-prone; we must accept this and should strive to develop a strategy to deal with this fact in an open manner

Awesome Crater Lake

Crater Lake, June 2008 - webduke pics

Domain Specific Languages and Software Factories

I put some thoughts about Domain Specific Languages (DSL) and UML in a post recently. But there is a broader scope to address DSL - it’s the promising and ongoing approach of Software Factories. The utilization of Software Factories is the wonderful dream to produce software systems like cars or industrial goods (which is a pretty simplified example). Anyway, in order to describe and specify the problem, it needs a language with semantics and syntax. There are examples for existing Domain Specific Languages, needed to solve these problems: SQL, Regular Expressions or HTML for instance. Based on a DSL, a standard development environment (like Eclipse) could be used to build a software factory. Sure, the tool must be customized, and it needs other components to have a Software Factory in place - templates, processes, patterns, frameworks, models (just to list a few of them). From the functional perspective, prototypes or main components of the domain encapsulating key mechanism and basic design elements are other essential parts. I don’t want to list all pro and cons of a Software Factory. Just as a final remark - software development is still a heuristic process containing a few deterministic steps. The utilization of Software Factories would increase the deterministic proportion (but would not make the heuristic part vanish completely which is good news for all folks writing code).

Handling Non-Functional Requirements with Utility Trees

I would like to pick up the topic Non-Functional Requirements (aka Quality Attributes) briefly. The topic is understood and accepted widely but the handling lacks clear methodology, structure and tools. Utility Trees are a good approach to overcome this. A Utility Tree contains Utility as the root node. The second level nodes are the quality attributes which are identified for the software system; in my tiny example: security, performance and availability. Btw, the example is about an e-commerce solution where payment is involved. Sure, extensibility/modifiability should be added as another quality attribute. We-based applications are subject for continuous change. Each of the quality attributes has specific concerns, in this example two per quality attribute. In the next level (just sketched in my example), scenarios are the leaves of the utility tree. They are typical prioritized along two dimensions – importance to the success of the system and identified risk in achieving the objective. Prioritization is based on a ranking using Low [L], Medium [M] and High [H]. I have just added two scenarios to my example; both are about performance. How to move forward with the utility tree? This will be covered in one of my upcoming post. Have great weekend!

We miss this place ...

webduke pics 2008

More is about to come ...

Watching the EURO2008 is time consuming. But it is real fun to see Germany playing. Our team is about to win this tournament. I can't see any team able to stop Ballack & Co. I'm gonna post new stuff after the final in Vienna and the Party in Berlin (Germany vs. ?).

California here we come

Mono Lake, 2001, webduke pics

Indirection #2

There is a quotation from a British Computer Scientist, David John Wheeler, I do really like and where I feel a strong need to post this again: “Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem." It is not new and we all know about the meaning behind it but it is still relevant today and tomorrow, and it describes the dilemma of toooo many “genericcontainerwrappingadaptergatewayframeworkolalasolutions” perfectly.

Some Clouds over Dresden

River Elbe Valley, Mid of May 2008

Limitations of today’s Parallelization Approaches

As already stated in detail, physics has stopped the race for more CPU clock speed. It’s about the heat, period. Hardware (Chip) manufactures response is to put more and more cores on a die – we all call this multi-core. I also tried to list and explain a couple of technologies (and also No-Go’s) to exploit those architectures; just skim through the blog. But most of the approaches are based on the process of determining sections of code which can be executed in parallel, loops for instance. Saying “sections of codes” does imply that we can expect serial remnants in the source code. And these parts [The percentage of code resisting tenaciously to be parallelized! :-)] determine the speedup factor defined by Amdahl’s Law (see post on Amdahl's Law). The dilemma looks a little bit similar to the expectations from the increase of clock speed in the past. It will not work out to lean back and wait until there are 16 or 32 cores on a single die. This will not fix the problem sufficiently because most of the existing approaches for parallelization does not scale. Other technologies and strategies have to be developed and applied. And before this will happen, it’s always a great approach to optimize the source code and to think about an effective usage of the cash (memory).

Beautiful Dresden in May

Amdahl’s Law

There is not just Moore’s Law and Murphy’s Law, both are well known to IT and Non-IT folks, but also Amdahl’s Law which is about the maximum of expected improvement to a system when only parts of the systems are improved. It is applied in Parallel Computing commonly, and specifies the theoretical speedup of a program running on multiple CPU’s in parallel. The maximum speedup is limited by the sequential parts of the code. A boundary condition is the assumptions that the problem size is the same when running in parallel. Here comes the formula (with N = number of processors and P the percentage of code that can be parallelized; hence, (1-P) is the serial code):

Speedup = 1 / (1-P) + P/N

You can play around with this formula. In essence, the sequential part of the code must be minimized to gain speedup. And, even a high number of processors does not have that impact when the percentage of parallel code is low. Anyhow, it’s a formula. In practice, the speedup depends also on other conditions, the communication (mechanisms) between the processors and the cache [Because Cache is king! ;-)].

Zurich, Switzerland (April 2008)

Rainy Zurich

April 2008

Computing in the clouds

Many people might perceive Amazon as THE online store for books, music, gadgets and many other things with advanced market place capabilities and as one of the trail blazers on the Web. But the company from the Pacific Northwest is much more. Amazon is a high-tech company when it comes to very large distributed architectures and technologies based on web services. The “Mechanical Turk” is one example, an impressive idea to use human beings as “end points” in a Service-Oriented Architecture in order to let them do what human beings can do best. I really like this concept.
Another great thing is Cloud Computing as currently (21-April-2008) covered by an article on wired.com. It’s a must read! The company offers computing capabilities for everyone. This is good news for young enterprises that don’t want to spend too much on hardware. In essence, it is a lesson and a serious example at the same time how to offer computing power (and hardware, of course) as a service. I strongly believe we can expect much more from Amazon in the future. These guys are working on a real new computing platform on the web. The vision that the network is the computer, as verbalized by other companies, might turn into reality …

Transactional Memory …

… is most likely one solution to overcome parallel programming issues. Currently, it is very difficult (and error prone) to use locks properly when accessing shared memory sections. Lock-free programming is much more difficult. All these issues are already covered in earlier posts.
Talking about transactional memory, this concept is not that new but not part of mainstream development platforms. Not yet, but transactional memory could be available in hardware and software soon. Basically, software-based transactional memory solutions do already exist. The concept is similar to mechanisms used in database systems controlling concurrent access to data. A transaction in the scope of software-based transactional memory is a section of code that covers a series of reads and writes to shared memory. Logically, this occurs at a single point in time. In addition, a log and a final operation, called commit, are also part of the concept. Sounds familiar? Published concepts (of software-based transactional memory) using an optimistic approach free of locks. It is up to the reader in the scope of the transaction to verify based on the logs that data in the shared memory has not been altered (by other threads). If so, a roll-back will be performed and give him another try …
This sounds really simple and desirable, right? What’s the drawback, why not using this technology for solving existing problems in parallel computing? It is the performance, decreased by maintaining logs and doing the commits. But those issues should be solved soon. It would make life easier pertaining to the understanding of multi-threading code and could prevent the pitfalls coming with lock-based programming. Each transaction could be perceived as a single-threaded, isolated operation.

UML and Domain Specific Languages

I joined an interesting conversation on the utilization of UML recently. The talk was about code generation out of UML (tools). Mmmh. Pro and cons will always exist when it comes to UML. I use UML for sketching and for my architecture and design documents. Use case, class, deployment and sequence diagrams are important tools to me. They create a better understanding in the team on the expected outcome based on a unified description - much better than proprietary pictures which often lead to different views in the minds of the team members. UML models do not cover non-functional requirements sufficiently. This is a real drawback when is comes to code generation. My hope is that Domain Specific Languages (DSL) will improve, gain more acceptance and will be extended to areas and domains where they appropriate.

Prioritize your non-functional requirements

Non-functional requirements (like usability, security, performance, fidelity) are important success criterions in software architecture and development. It is a misconception that all requirements can be covered by functional requirements. Many requirements are of twofold nature, say security, that typical consists of functional and non-functional types. If this has been recognized and accepted, prioritization is the next important step. It should be not acceptable to have TWO non-functional requirements (also known as Quality Attributes) with the very same high level of priority. This is a critical contradiction that must be communicated and resolved. If not, you might be end with a beast that is highly secured and comfortable to use (let’s call it digital monkey wrench) – which is basically not feasible. It is always a challenge to make compromises for each Quality Attribute and to communicate and explain this. Utility Trees are a great tool to list, depicts and prioritize non-functional requirements.

F Sharp (F#) – a functional programming language in the scope of the .NET ecosystem

C# is a well known programming language designed to be used in the scope of the Microsoft .NET framework. It is an imperative and object-oriented programming language and widely accepted in this managed environment.But there is another “sharp-language”: F# - developed by Microsoft Research. F Sharp is a functional programming language with imperative and object-oriented aspects. It is part of the .NET environment and can be used within the Visual Studio development environment. Programs written in functional programming languages are easier to parallelize because of missing side-effects. Concerning this characteristic (which is basically an advantage), it is worth checking on F# in order to solve parallelization problems. The language can be obtained from the Microsoft Research website and is covered by the Microsoft Research Shared Source License Agreement.

Seattle in April

One day of snow, one day of rain, and three sunny days in the Pacific Northwest.

Use-Cases und Problemstellungen im Bereich Nebenläufigkeit und Parallelisierung

Ich schreibe diesen Beitrag in deutscher Sprache, da ich alle betreffenden Diskussionen in letzter Zeit ausschließlich in meiner Muttersprache geführt habe. Sicher werde ich den Post demnächst auch in Englisch veröffentlichen. Ich habe die Thematik bereits mehrfach angerissen – „Wann ist welche Art von Parallelisierung sinnvoll und wann nicht?“. Diese Frage steht in engem Zusammenhang mit vielen Unschärfen in den Begrifflichkeiten. Ich möchte keinesfalls engagierte Entwickler davon abhalten, sich in dieser Herausforderung zu stellen. Aber ähnlich zum Lernkurven-Vergleich drängen sich auch hier Analogien mit dem Meilenstein Objektorientierung in der Softwareentwicklung auf. Es gibt Code der ist „dermaßen objektorientiert“ geschrieben, dass er unübersichtlich, kaum wartbar und nicht mehr weiterverwendbar ist. Ein typischer Fall, beim dem über das Ziel hinausgeschossen und damit die Objektorientierung konterkariert worden ist.
Was hat das mit Parallelisierung zu tun? Im Prinzip gilt auch hier der Ansatz: was ist die konkrete Anforderung und welche Use-Cases (Anwendungsfälle) lassen sich daraus ableiten? Wobei man die Zielplattform (Systemarchitektur) nicht vernachlässigen darf. Hier eine (nicht vollständige) Liste von Fragen, mit Hilfe derer man einer Lösung näher kommen kann:

1. Wie sieht die HW-Architektur der Zielplattform aus (Schlüsselworte: Hyprerthreading, symmetrische oder asymmetrische MultiCore-CPU’s, Shared Memory, Distributed Memory)?
2. Welches Betriebssystem mit welchen Laufzeitumgebungen und Programmiersprachen werden auf der Zielplattform eingesetzt? Dabei ist das Betriebssystem immer mehr zu vernachlässigen, da präemptives Multitasking heutzutage Allgemeingut ist und damit zumindest parallele Prozessausführung gegeben ist.
3. Ist Performance die wichtigste nicht-funktionale Anforderung? Mit Performance sind in diesem Zusammenhang Datendurchsatz und Verarbeitungsgeschwindigkeit gemeint. Hier geht es auch um den Fakt, dass die Zeiten höherer Taktraten vorbei sind und der Cache leider nicht die Lösung aller Probleme darstellt.
4. Haben die betreffenden Use-Cases einen synchronen oder asynchronen Charakter?
5. Wie soll der Datenaustausch zwischen Ausführungsströmen (ich verwende diesen Begriff hier ganz bewusst) erfolgen und in welchem Umfang? Benötige ich Zugriff auf „shared“ Ressourcen und in welchem Umfang?
   

Ausgehend von der Beantwortung dieser Fragen kann eine Architektur entwickelt werden, die den Anforderungen genügt und die auf die richtigen Lösungen setzt. Richtig bedeutet in diesem Zusammenhang auch, dass die passenden Techniken verwendet werden um weitere nicht-funktionale Anforderungen wir Wartbarkeit, Erweiterbarkeit, Testbarkeit und Einfachheit (!) zu erfüllen. Ich möchte und kann an dieser Stelle keine Entscheidungsmatrix liefern; werde aber kurz ein paar Lösungsmöglichkeiten skizzieren.

• Wenn Punkt 3 das entscheidende Kriterium ist, sollte eine gute Auslastung der zur Verfügung stehenden Rechenkerne das Ziel sein. Es gibt in diesem Fall immer noch die Möglichkeit, eine Lastverteilung der Prozesse als Lösung zu wählen. Sollte dies aufgrund der Problemstellung (Arithmetik, etc.) nicht möglich sein, muss der Weg über eine Verteilung der Threads gefunden werden. Hier bietet sich beispielsweise OpenMP an. Natürlich kann sich Punkt 3 auch mit Punkt 5 überlagern, wenn auf viele „shared“ Variablen zugegriffen werden muss. Es ist anzumerken, dass OpenMP uns nicht vor Race-Conditions oder Dead-Locks bewahrt.
• Bezüglich Punkt 4 gibt es sicherlich die am weitesten entwickelten Lösungsmöglichkeiten und gute Chancen, diese Problemstellung umfassend zu lösen. Eine gute Entkopplung sowie asynchrone Kommunikationsmechanismen sind hier die Erfolgkriterien. Konkrete Anwendungsfälle existieren vor allem im Umfeld von Benutzerschnittstellen (UI’s) auf Clientsystemen. Ausführungsströme (z.B. Threads) in der Präsentationslogik sollten von der Geschäftslogik mithilfe geeigneter asynchroner Kommunikationsmechanismen getrennt werden, um gezielt eine lose Kopplung zu erreichen.Ich möchte noch anmerken, dass die Aufgabenstellung in Punkt 5 (Asynchronität) für mich nicht originär zur Problemdomäne Parallelisierung / Nebenläufigkeit gehört, in der Diskussion aber dort oft eingeordnet wird.
• Punkt 5 ist sicherlich die komplizierteste Aufgabenstellung, da bisher nur wenig Unterstützung durch Entwicklungsumgebungen, Compilern und Frameworks vorliegt. Bis es diese gibt (beispielsweise auf der Grundlage von Konzepten des „Transactional Memory“) muss man noch mit all den Schwierigkeiten des „Lock-Free Programming“ leben. Dazu gehört natürlich ein ausgefeiltes Testkonzept, um Dead-Locks und Race-Conditions auf die Spur zu kommen. Generell kann ich hinsichtlich Punkt 5 nur empfehlen, Architektur und Design hinsichtlich alternativer Lösungsmöglichkeiten des Datenaustausches genau zu prüfen.
  

Natürlich ist anzumerken, dass es auch einen Mix an Lösungen geben kann. Als konkretes Beispiel im Hochleistungsrechnen sind Hybridanwendungen aus MPI (Message Passing Interface) und OpenMP zu nennen.

Dogmushing

I went to Alaska in wintertime in 1998 the very first time (after backpacking in summer for many years). The reason was: Dogmushing. The picture is just an impression of a beautiful time in the cold at the Goldstream Kennel.

More Music is about to come ...

... just one tiny recommendation. Listen to ZOOT ALLURES (1975) from Frank Zappa. Title #3 - the torture never stops - is the perfect soundtrack for a day in the middle of the week. And remember, music is the best ...

More OpenMP Details (Data Scopes, Critical Sections)

Here comes a little bit more information on OpenMP, the standard programming model for shared memory parallelization. Variables can be shared among all threads or duplicated for each thread. Shared variables are used by threads for communication purposes. This was already outlined in an earlier post. The OpenMP Data Scope Clauses private and shared declare this behavior in the following way: private (list) declares the variables in list as private in the scope of each thread; shared (list) declares the listed variables as shared among the threads in the team. An example could look like the following: #pragma omp parallel private (k)
If the scope is not specified, shared will be the default. But there are a couple of exceptions: loop control variables, automatic variables within a block and local variables in called sub-programs.
Let’s talk about another important directive, the critical directive. The code block enclosed by
#pragma omp critical [(name)] will be executed by all threads but just by one thread at a time. Threads must wait at the beginning of a critical region until no other thread in the team is working on the critical region with the same name. Unnamed critical directives are possible. This leads me to another important fact that should not be overlooked. OpenMP does not prevent a developer to run into problems with deadlocks (threads waiting on locked resources that will never become free) and race conditions where two or more threads access the same shared variable unsynchronized and at least one thread modifies the shared variable in a concurrent scenario. Results are non-deterministic and the programming flaws are hard to find. It is always a good coding style to develop the program in a way that it could be executed in a sequential form (strong equivalency). This is probably easier said than done. So testing with appropriate tools is a must. I had the chance to participate in a parallel programming training (btw, an excellent course!) a couple of weeks ago where the Thread Checker from Intel was presented and used in exercises. It is a debugging tool for threaded application and designed to identify dead-locks and race-conditions.

Google Phone

Gizmodo.com published an article (+ picture) on HTC's Google phone called "Dream" last Thursday. It got a touchscreen as well as a keypad. There are rumours that the gadget will be in store by the end of the year. Looks promesing.

Just a recommendation

There is a fascinating article on the WIRED MAGAZINE (16.04.) with the title: How Apple Got Everything Right By Doing Everything Wrong. This is a must read for all folks interested how Apple is doing their products, maintaining their status and myth, and with many interesting insights. It is also about company and management culture, openness, transparency, proprietary solutions, vertical integration, and the different approaches in the high-tech industry from Apple to Google.
The phenomenon is that any other company, especially the software giant located in Redmond, would have been ended with endless criticism, if they had done their products this way. Another interesting view is mentioned briefly, the so-called “three-tiered systems” consisting of blend hardware, installed software and proprietary Web application. Let’s see how this model is doing in the future because this is the antithesis to the Open Source / Open System approach.

Green IT and Parallel Programming

Green-IT is one (or the) buzzwords these days. Everybody wants this sticker on the box. I do Green-IT for many years. I switch off my computer and monitor + DSL-modem when I’m done. But this behavior should not be the topic of the post. Chip design might lead to an architecture where many cores run on a lower clock speed (than a single core processor does). This is not contradiction to Moore’s law by the way. For an application which is not designed and developed to exploit a multicore-architecture (either by process-based load balancing of multithreading), the result could be a decrease in performance. So this is my point and it is probably not far-fetched. Green-IT might be another trigger to force efforts to make applications ready for today’s hardware architecture.

Erich Kästner and Dresden

Erich Kästner is one of the most popular authors of my hometown Dresden. His book “Als ich ein kleiner Junge war” is about his childhood in Saxon’s Capital, a wonderful homage to the splendor of Dresden. He was born in the “Dresdner Neustadt” and by the way, I grew up in the very same house where he was born. And here comes my recommendation, and a picture as well (this blog needs a picture from time to time!). A museum was founded in 1999 and is located very close to the places where he spent his boyhood – Antonstrasse 1 / near to the Albertplatz. The photograph shows the young Erich sitting on the wall surrounding the museum watching the busy life on the Albertplatz.

More Music …. (Music is the best)

Hey, here comes another favorite album of mine done by Frank Zappa. It’s Bongo Fury which is a co-work with Captain Beefheart by himself! Please start with the last title Muffin Man. The lyrics and the guitar at the end of the song are terrific. It might not be the appropriate album for rookies absolutely new to Frank’s music. But as it is said by the Muffin Man: I for one care less for them!

Some More Details on OpenMP

Well, in order to move forward with some annotations to OpenMP, here are a couple of details. Parallel Regions in OpenMP are separated by #pragma omp parallel [clause [clause]…]. The block inside will be executed by the designated threads in parallel (same code is executed in each and every thread). The number of threads can be defined by an environment variable and can be set to a specific number or to the maximum number of threads. Other environment variables allow the setting of the chunk size for the schedule type. Beyond this simple structure of Parallel Regions, work sharing constructs (directives) are available. One example is the do/for directive. An implicit barrier exists at the end of the do/for block for synchronization purposes. This can be disabled by specifying a nowait. A schedule clause defines the distribution on the different threads. For options are available static, dynamic, guided, and runtime. Please not the default value depends on the underlying implementation. This should be enough for tonight. It’s Friday and we should listen to some music. Find some recommendation in the next post.

Nebenläufigkeit

Folgenden Text habe ich auf meiner Website veröffentlicht, um den Link auf diesen Blog etwas zu illustrieren. Da er einen kleinen Überblick über die Intension und Thematik in deutscher Sprache gibt, möchte ich ihn gleichzeitig hier noch einmal veröffentlichen.

Multi/Many-Core, Multi-Threading und Parallelisierung

Die Zeit des Geschwindigkeitsrausches ist vorbei, zumindest was die Prozessoren betrifft, die heutzutage in Workstations, Servern und Laptops verbaut werden. Höhere Taktraten sind aufgrund der geltenden physikalischen Gesetze nicht mehr DIE Lösung für eine bessere Performance (neben der Optimierung der Instruktionen und des Cash-Speichers). Dafür werben die Hersteller mit neuen Produkten wie Dual-Core, Quad-Core, etc.. In diesen Lösungen sind mehrere (Haupt)Prozessoren auf einem einzigen Chip untergebracht und das in einer symmetrischen Art und Weise. Das heisst, die Kerne sind identisch und können dieselben Aufgaben erfüllen. Die einzelnen Kerne erhalten dabei einen eigenen Cash, der weitere Möglichkeiten der Performanceoptimierung bietet. Okay, das war die Hardware. Leider kann die Software diese neuen Möglichkeiten nicht in jedem Fall per se nutzen; sie muss darauf vorbereitet sein. Der Weg dahin ist steinig und kompliziert und wird leider durch die existierenden Compiler, Entwicklungsumgebungen und Frameworks nicht genügend unterstützt. Hier muss man zwischen den existierenden Programmiersprachen und Laufzeitumgebungen (Java, .NET) unterscheiden, die verschiedene Ansätze bieten. Dazu kommen Frameworks wie OpenMP und MPI, die in der Welt des Hochleistungsrechnens schon länger existieren. Neuerdings denkt man in dem Kontext der Parallelisierung auch wieder über funktionale Programmiersprachen nach. Wie man leicht erkennen kann, ist die Lernkurve für Entwickler hoch und die Fehlerquellen sind zahlreich. Dazu kommt, dass es oft Unschärfen in den Begrifflichkeiten gibt, vor allem wenn es um Multi-Threading, Hyper-Threading und Multi/Many-Core sowie Multi-Tasking (im Rahmen von Betriebssystemen) geht. Oft wird die Parallelisierung in der Softwareentwicklung mit dem Meilenstein Objektorientierte Programmierung verglichen. Dieser Vergleich ist durchaus realistisch. Ich befasse mich auf meinem Blog mit dem Thema Parallelisierung und möchte dabei Lösungen und aktuelle Trends aufzeigen.

Shared Memory, Multi/Many-Core and OpenMP

A typical hardware architecture these days could be outlines as follows: n cores or processors are interconnected to memory segments that can be shared. Each processor has the same access conditions (with the focus on performance) to each memory segment. OpenMP is a right choice for this hardware architecture (I’m not talking about the program code or the arithmetic inside). This is done by the developer using directives which is an explicit process. Parallel sections (typically loops) must be defined. The parallelization is done by the compiling system (using the OpenMP libraries). This means that data decomposition and communication are implicit. Parallel sections are called parallel regions; typically comprising a master thread and a team of threads which is basically a fork-join model. Only the master thread continues when the parallel region is completed. Variables can be shared among all threads or duplicated for each thread. Shared variables are used by threads for communication purposes. All this must be done carefully. OpenMP does not stop you from creating race conditions and dead-locks! More about the parallel regions and important environment variables in my next post.

Application Design, Multi/Many-Core and Other Basics

When I’m writing about concurrency I do not mean Multi/Many-Core per se. This is just about a clarification on some basics and premises. Concurrency starts with processors that support multithreading (in order to overcome idle-times). This means in hardware (and a little bit simplified), program counters and programmable register sets are added. By doing this, processors are able to run more than one instruction stream at a time. In order to exploit this behavior, the software must be coded accordingly. If this is done, the code is ready for multithreading and for Multi/Many-Core processors. I admit that this sounds toooooooo ez. Coded accordingly means either a design from the scratch or a redesign in order to support concurrency. A rework could lead to a decomposition into software threats (please use the appropriate framework to handle threats, locking, synchronization, etc) or into sub-programs. Of course and as already mentioned a couple of times, arithmetic (code) and cash usage should be reviewed and considered as well. If the system is reworked into sub-programs, today’s multitasking operating systems will take care of this. Each approach should be considered thoroughly pertaining to pro and cons. Multithreading and Concurrency (using Multi/Many Core) might come with a higher effort in testing and in hunting nasty bugs. But let’s get back to the beginning of this blog entry. Multi-Threading and Multi/Many-Core are not the same technologies and buzz-words but highly complementary.

Music is the best ...

Basically, there is much more than coding and multi/many core. I started to review my Frank Zappa collection recently. His music is so great, and he is such an smart guy with a real sense of humor (does humor belong in music?). I don't say he was! Well, for all folks out there with no idea who Frank is and what his music is all about and whatta great guitar player he is, and and and ... . Here are some recommendations from a long list of albums. Let's start with ONE SIZE FITS ALL from 1975. Two songs on this Vinyl/CD are more than brilliant: Inca Roads and San Ber´dino. Check it out. And don't forget the Sofa's on this record.

Some Annotations

I should add that the Parallel Extensions to the .Net 3.5 Framework are currently in the CTP (Community Technology Preview) status and available for download. It comprises two basic feature-sets: Data- and Task Parallelism-API and parallelization support for LINQ. The download comes with documentation and examples.

I would like to address another comment I received recently. Of course, before considering any parallelization activities, two preliminary steps are a must:

- Optimization of the numeric (actually the code)
- Optimization of the cache (because cache is always king!)

Both activities might lead to the expected performance increase without diving into complex parallelization efforts in an overhasty manner.

More Concurrency

I’m receiving a lot of questions about the status of parallelization in today’s world of software development. More and more people are interested in this topic. Some are driven by requirements. Some are mixing it up with the 64-bit change. ;-) Well. Despite all the support in Java, .NET, and all the frameworks like MPI and OpenMP, it is still a mess. It is not addressed adequately in respect to the roadmap of the processor industry, especially for client applications. Functional programming languages and transactional memory are no way out, because of missing acceptance and the current state of these languages, concepts, etc. On the other hand, the increase of the clock speed is no longer a save heaven. Everybody should be aware of this. And, cache is also just a workaround. Beside the existing support mentioned earlier, today’s concepts in terms of languages and compilers make assumptions that might be not true. Basically, the processors and compilers just see sequential code, but they do not work on strictly sequential code. There is always the threat of some kind of optimization, which might be a requirement for the CPU developers to gain some extra-performance. Other pitfalls are dead-locks, different locking mechanisms, and data corruptions in case of failed locking. I have not mentioned the state of complexity yet, the KISS (keep it …) is definitely not addressed. This is especially true for lock-free programming which can’t be recommended for mainstream programming. Talking about my experience, the utilization of OpenMP should be preferred for simple shared-memory scenarios. Developers should consider the positive impact of cache and must learn to utilize environmental variables, pragmas / compiler directives, and the library functions properly. Of course, the code (basically the loops) must be organized respectively. Btw, this is another condition to use OpenMP (If not, it makes no sense). More is about to come.

Raising Awareness

Microsoft is addressing the Parallel Computing topic explicitly, and compares this kind of shift with other milestones in the world of computing like graphical user interfaces or the internet. A whitepaper called “The Manycore Shift” is available on the company’s web site outlining Microsoft’s Parallel Computing Initiative. From my point of view, this comparison is correct and the need to emphasize and address this subject is overdue and should lead to results quickly, especially for mainstream development. Exciting times!

OpenMP and MPI

Beside the support for parallelism in .NET’s managed code environment and some support in the Java World, two powerful frameworks exist to support parallel programming in an explicit manner: MPI (Massage Passing Interface) and OpenMP. Both can be used with C/C++ and FORTRAN but with a different focus. OpenMP is fine in a shared memory scenario. It is a strongly coupled approach. MPI fits better into a distributed memory environment, in a loosely coupled scenario. It is probably not exact to say that both frameworks are strictly explicit. In case of OpenMP, the invocation of OpenMP statements is explicit and up to the developer, but the synchronization is implicit and organized by the framework. Of course, a hybrid approach of both frameworks is feasible and used for bigger solutions. I’m gonna publish more on both, OpenMP and MPI. It’s a pretty fascinating topic.

Ein echtes Highlight

Am letzten Donnerstag gab es im Nürnberger "Hirsch" ein Konzert der Extraklasse: Engerling und Mitch Ryder. Sowohl Mitch als auch Engerling sind Könner ihres Fachs, in der Kombination jedoch ein ganz besonderes Ereignis! Wer die Gelegenheit hat, sollte ein Konzert dieser Tournee unbedingt besuchen: http://www.engerling.de/. Ich freue mich schon auf den ersten Mai, wenn Engerling wieder im Dresdner Bärenzwinger spielen wird. Diese Band ist etwas ganz Besonderes und mit Sicherheit die beste Bluesband Deutschlands.

Parallelism in Managed Code

The Parallel FX Library is offering support to express potential parallelism beginning with the .NET Framework Version 3.5 in order to unleash the power of Multi-Core Architectures (--> Static Method : Parallel.For (….) { }. Of course, it is up to the developer to identify potential areas of parallelism and to apply these mechanisms of concurrency (an explicit approach). And, same rules apply as for other techniques like OpenMP. Code and Cash Optimizations should be number one before starting to “develop parallel”. I will open a “new thread” (what a pun!) in order to check on this new library in more detail soon.

New Blog Pointer

I added a link to Stefan's Blog (see Blogroll). He is an expert in test automation and an excellent architect. I have had the opportunity to work with him in a team. Both topics are in a very deep relationship: architecture and testing. But again, he is the expert.

Book Recommendations

Holiday Season and one week skiing have offered some extra time for reading (as usually). I got four recommendations from two different areas of interest: mountaineering/climbing and technology (not coding!). Here we go:

• Alexander Huber: Der Berg in mir. Klettern am Limit. An extraordinary book from an extraordinary guy. Alex is one part of the famous Huber Buam. His climbing record is unbelievable.
• Reinhold Messner: Die weiße Einsamkeit. Mein langer Weg zum Nanga Parbat. The Diamir (Nanga Parbat) is his mountain of destiny. Reinhold Messner is the greatest Alpinist of all times. This book is breathtaking and it is telling a story of tragedy and courage.
• Scott Berkun: The Myth of Innovation This book is a must for all people having dreams and an innovative mindset. Yes, yes, yes innovation needs a special environment to foster cool and smart ideas.
• Donald A. Norman: The Design of Everyday Thingseverything is so true. Hey, but why we are still surrounded by so many goods and devices of poor design and usability? This book was written in 1988!
  

In addition, I need to post two DVD’s for all folks in love with outdoors, wilderness and the mountains:

• Der letzte Trapper [Director: Nicolas Vanier]
• Am Limit (The Huber Buam, again!) [Director: Pepe Danquart]

Some sort of Indirection

There is a quotation from a British Computer Scientist, David John Wheeler, I do really like: “Any problem in computer science can be solved with another layer of indirection. But that usually will create another problem." I know, it is not new and we all know about the meaning behind it but it is still relevant today and tomorrow, and it describes the dilemma of many
“genericcontainerwrappingadaptergatewayframeworkolalasolutions” perfectly.

Handling of Non-Functional Requirements

Non-Functional Requirements (aka Quality Attributes) are the „bread and butter business" for software architects. Unfortunately, non-functional requirements are often abstract and hard to grasp. A good approach to tackle this are so-called “utility trees”. Utility trees list important non-functional requirements (say security, usability and performance) in a tree structure; beginning with “utility as root”. It’s a good approach to use the list for a first prioritization. Each level in the utility tree represents a refinement of the non-functional requirement and ends with leaves. Leaves are scenarios. And this is a good approach from my point of view. A scenario is easier to comprehend for all stakeholders. It is based on the - Context Stimulus Response Pattern – and should lead to a decent understanding what, for instance, security really means for a software product. I will present an example in one of my upcoming posts.

Dresden: River Elbe View, January 2008

River Elbe Valley, January 2008
No bridge is cutting up the landscape, not yet.

Software Architecture and Feasibility

The following situation is well known. (Too) many requirements are compiled by the stakeholders of a software project. Everybody wants everything in terms of features and functionalities performed by the software product that should be called “monkey wrench”. It’s not possible to say simply yes or no about feasibility just from reading the requirements. Beside the fact that we all adhere to the KISS-rule, a well documented architecture can help to understand the intended solution and to identify contradictions in the requirements. Just one example: some requirements might ask for client implementations based on key features like high availability and a rich feature set in terms of user interaction. On the other hand, requirements coming from another group of stakeholders may request communication technologies and strong perimeter protection that will never support the features requested for the clients. A well-documented software architecture that encompasses different views of the software product can help to detect such contradictions early enough. Experts from different domains - say network, application server, and security, can use the architecture to assess the outlined approach. And even for the folks requesting all the important functions, it might be helpful to see their product in a very early state (with the chance to reconsider some decisions).

Software Architecture and Security

This is a about a very close relationship. A stable, consistent, well-defined and documented architecture is a crucial precondition to achieve a certain level of security. This is especially true in a world of web-technologies, peer-to-peer communication, ubiquitous computing - just to name a couple of trends and paradigms. But there does still a misconception exist on how to achieve this state of security. Typical approaches are the following measures listed without meaning and priority: network separation, appliances like firewalls and mal-ware detection, access control, monitoring, logging, encryption, and secure coding efforts to avoid buffer overflows and other nasty errors. I do totally agree on this list. It’s all a must in the world of TCP/IP based protocols, today’s operating systems and other of-the-shelf software products. But this is not enough. It is not possible to defend a software system where basic functionalities are not strictly separated in main components and without well defined interfaces. These components should be deployable on different nodes easily without greater adjustments. The identity of all actors (people and software!) in the system in order to achieve correct authentication and authorization must be guaranteed, especially in distributed scenarios. This enumeration is not complete but it illustrates the need of a basic foundation called architecture. Not easy to accomplish for complex systems but there is no other solution available. A simple example can help to illuminate this need. Threat Analysis and Threat Modeling are a probate approaches to find weaknesses in a system. Unfortunately, this is not feasible without having a documented architecture available. Any offer to do the documentation of the architecture afterwards is an unmistakable sign that there is something wrong. Security requirements must be addressed very early in the development process in order to be considered in architecture and design. If this is done, achieving the required level of security might be possible. To get back to the relationship thing, architecture and security have the same enemy: complexity (We all know this from Bruce Schneier). But well-structured architecture can help to tame this beast, by avoiding indirections, tons of wrappers and all the other things that make software inscrutable; well structured-architecture which adheres to one of the most important goals in software architecture: SIMPLICITY.

Software Architect: open minded and eloquent

There are a lot of job descriptions available for software architects. HR people have done a great job to list all the skills a candidate should fulfill. I expect, beside a solid and comprehensive technical background in computer science, distinct communication skills and the willingness to share his or her work and ideas. An architect should be prepared to explain the basic ideas, concepts and, of course, the architecture that is intended to be used in a project. A well documented architecture and a concise set of slides based on that are perfect tools to do this kind of job. In addition, I also expect the ability to give guidance to the team in order to provide a solid framework for development and to give them sureness that the concept will last. Guidance is especially important when times are rough and the schedule is tough. Okay, this might be enough when talking about my job description for an ideal architect, except the visionary thing …

How is SOA doing?

So how is SOA doing? There are so many products in store with the SOA sticker on the box. Great! This reminds me of the good old times when everybody claimed to have his or her software implemented strictly object-oriented. I don’t wanna be a bean counter. But I do have a couple of main characteristics that must be met to call the product “service-oriented”. First of all, essential functionalities, components and modules should be represented as services. These services must be able to talk to each other, shall be distributable and can be coupled dynamically in order to reflect business processes. This approach is especially useful for stakeholders like customers, marketing people and other sources of requirements. But I also expect more benefit from SOA for another group of stakeholders: developers and architects. A service-oriented architecture should address and support general problem domains like concurrency, persistence and a distributed approach. What I expect is that such basic functionalities should be encapsulated as services to make development faster and easier and to avoid that the same mistakes occur again and again. Sure, under the surface still exist objects, but they are covered by a service layer in order to get problems solved in a more consisted manner. If this is achieved on a broad base, developers will accept SOA as serious approach in software development.

Teach your Architecture!

A well documented System – and Software Architecture is a great tool to teach your team and other stakeholders. Developers need to know where their place in the system is, to whom they are talking and by what kind of messaging and communicating. This avoids painful integration in the end and makes the development much faster. It’s also beneficial to introduce your project to new members and entities working off- or near shore, wherever, by avoiding this typical learning-on-the-job behavior which slows down the efficiency of a group. Change Management is another aspect. The impact of changes to the system can be examined much faster and in more detail when all parties have an better overview provided by a documented architecture.

Why doing Software Architecture?

… Well, it sounds simple but it is definitely not. One reason is that software architecture is still new in many project as software engineering is in general (in comparison to other engineering disciplines). Sad but true. Software architecture pays off late in a project and it is not that visible as running code or prototypes. Hence, the temptation exist to leave this out or to reduce it to a non acceptable minimum. It is pretty much the same handling as projects treat requirement management very often. If this is just halfway done you must pay in the end. Sure, it is a lot of work and it slows down a quick start and first results , but it is necessary. A software that does not meet elementary (non-functional) requirements like extensibility, robustness or scalability is more or less a quick-hack that does not satisfies the majority of the stakeholders in the projects. As a result, re-design and main changes will increase the overall costs extremely. We all know this. Okay, I will write more about the pro’s of decent software architecture in the next posting. Stay tuned.

Software Architecture as Critical Success Criterion

Basically, architecture is a must and a success criterion for software and system development, especially when we are talking about complex and distributed systems. We may argue about details, different types of definitions, description and realization. But if we question software architecture in general, we are not doing serious business. Architecture must be a fixed part of building systems, because software development is about computer SCIENCE and should be based on ENGINEERING principles. Nobody would argue about having architecture in the process of building houses, bridges, etc. We must attain the same level of maturity in software and system development, especially when we take in account that writing software is still a heuristic process. I concede it is still a rough and bumpy road.
My definition is pretty simple: Software Architecture is the main interface between requirement management and development. Software Architecture defines the basic components (or services), their main interfaces, their interaction, communication and distribution within the system. It reflects non-functional requirements like performance, robustness and stability (just to name three) in particular. In addition, software architecture is essential to tame complexity, the worst enemy of stable, secure and lasting systems. And, a decent description of the architecture is the best tool to explain a system to all stakeholders – customers, developers, testers, marketing folks and managers. This might sound simple but it is definitely not. Let’s discuss the reasons in the next posting.

Dresden's Art Gallery Online

This is great news. Dresdens Old Masters Picture Gallery has opened a virtual tour this summer. There is an extraordinary article on this event available at wired.com. If you guys can't make it to Dresden, just check this article and the link to the tour on the net.

NYC in November

Hey, we took the chance and visit New York a couple of days ago. And had a great time. Not just the New York Marathon was a great experience. We also went to Staten Island and Coney Island. More pics on a separate website soon.

Off-line Web Applications

Many approaches for so-called “Off-line Web Applications” employ a bunch of vulnerable technologies running on the client. Sure, content must be cached and presented (in case of disconnection) and this needs two components: a database and a web server. In a scenario where a web server is running on each client in a network of Off-line Web Application, it needs strict rules in terms of configuration measurements. Honestly, who cares about this? Not even browsers are configured in a way to reach a decent state of security on the majority of desktop machines. This is another example how vulnerable many Web 2.0 approaches are, beside AJAX and the underlying excessive scripting model. Just check on the Black-Hat Sessions (and presentations) to read more about the risks and known weaknesses. It’s frightening …
Actually, I should add the keyword – Security – to the description of this blog. It turns out that this topic occupies more and more time of my daily work and research effort.

Concurrency and Functional Programming Languages

Following the thread on new trends and concurrency – I think we will see functional programming languages as one approach to tackle concurrency. It is worth to think about this option. Haskell is an elegant programming language; it’s functional and not sequential. Complex problem definitions can be described (by using a functional language) in a way that parallelization (a concurrent solution of the problem) is feasible. Program code is written more abstract, on a mathematical / abstract basis. It is not machine or processor specific. Using an imperative language, parallelization is not a piece of cake; especially when we are talking about lock-free programming. The learning curve is steep and the outcome error-prone. The current status of programming languages, tools and RAD is definitely not ready to support mainstream development in order to support concurrency in a world of dual-, quad-, or … core processors.

Atlantic Canada

We had a wonderful vacation time in Nova Scotia in July - great people, pure nature and delicious seafood.

More Hot Technology Trends

I would like to rework (extend) my list of hot technology trends a little bit after having some interesting conversation. I definitely need to address:

• Concurrency in a multi-core computing environment. This is basically an area where relief is needed. Existing solutions, either implicit or explicit, are not sufficient from my point of view. Not sufficient because of the complexity and the resulting learning curve for developers. In today’s world of mainstream development, many underlying details pertaining to the processor architecture are hidden by abstraction layers and programming models. Handling lock-free programming is not a piece of cake. I would expect that chip maker and RAD/Compiler manufacturer come up with a smart approach to handle this. And I’m not talking about functional languages …No question that this is needed. A constant increase in computing power based on higher “GHz’s” is limited by physical barriers. More cache is no way out. Server applications will handle this by load balancing. But desktop applications are different. Graphical centered applications (picture, video) and other complex computing stuff will need a robust concurrency concept/framework on all these dual-core, quad-core boards soon.
  
• Sure, virtualization. Virtualization is basically everywhere, on the boards, within operating systems and as add-on products. The solutions are different in their concepts and the market is fragmented and sometimes confusing. But virtualization is a cool technology with a lot of promising use cases.
  
• RFID-Tags are sneaking into many areas - industry, retail, and simply into out privacy (à ID’s, passports). A critical success factor will be the security aspect of such solutions. People care about the privacy of their information which includes positioning and profiling.
  
• Widgets, Offline-Web-Apps, Local Web-Server (all this related to the Web-OS) – I will write about this in more detail soon.

Hi-Tech Search for Jim Gray

Hi-tech pioneer and veteran Jim Gray (some keywords: databases and transactions, linked to many icons from Google, Amazon, Microsoft, and others) is lost at sea. He left San Francisco Bay Area heading out for Farallon Island on Sunday, January 28, 2007. He and his boat, the fiberglass cruiser “Tenacious” vanished in the open ocean. A high-tech search started when it turned out that traditional search and rescue by the coast guard had been unsuccessfully. High-tech giants (mentioned above) worked together and created a quick, impressive combination of different technologies in order to find Jim. Unfortunately, this great thinker and engineer was nowhere to be found. Not even the tiniest remnant or debris of his boat could be detected. It sounds like a mystery and is a real tragedy for his family and friends. An excellent but also sad story was published in the wired magazine; August 2007 issue. We all hope that Jim will return. The efforts to find him, driven by Werner Vogels and other high-tech executives, is an impressive example how a great person can link very different people, interests, positions and companies in order to find a solution. Unfortunately, his accident was the trigger to make this happen.