XSS Attack your database to detect missing Output Encoding

.Net, Improve Your Code, Secure your code, Security, XSSAttack

Cross Site Scripting (XSS) must be one of the most popular types of attack against websites these days, with perhaps only SQL Injection getting more attention.

XSS Attacks

The concept is quite simple for persistent (stored) attacks. User A attacks a website and, via some vulnerability, manages to push a script into the website's storage (most of the time a database).

User B later views the attacked website and, as part of the content the website delivers, the script injected by User A is delivered to User B's browser. Depending on what the script does, User A can then have a great deal of control over what User B does and sees: from stealing User B's session to running operations on behalf of User B.

These types of attack can be devastating for a website, with one of my preferred examples being the "Samy is my hero" XSS worm on MySpace back in 2005.

Almost every year I talked at Microsoft TechEd I had to say something about XSS and how dangerous it is, and I'm always surprised that very few people know about it and try to take measures to avoid XSS attacks on their websites.

Mitigations

The mitigating factors are Input Validation, Input Filtering and Output Encoding. None of these mitigations is sufficient if used alone or incompletely.

Input Validation and Input Filtering are mandatory, but don't have them as your only protection. There are tools out there that will automatically throw hundreds of attack strings at your application to see how its input validation responds.

However, I think Output Encoding is the most critical one, as the other ones are just security gates that sooner or later someone will be able to bypass one way or another. Output encoding is also the hardest one to test, as you have to verify that your website properly encodes every bit of data that is, was or will be potentially modifiable by a malicious user.
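What "properly encodes" means depends on where the data lands, which is why it is so hard to test by hand. The following is an added example written for this page (not code from the original post or from the XSS Attack tool): one stored value rendered unencoded into HTML body, attribute, JavaScript and URL contexts, beside the same template rendered with a per-context encoder. The profile template, the encoder names and the stored payload are assumptions made for the illustration.

```python
import html
import json
from urllib.parse import quote

# Constructed: the kind of value the XSS Attack tool leaves behind in a string column.
STORED_PAYLOAD = "\"><script>alert(document.cookie)</script>"


def encode_html_body(value):
    """HTML text-node context: & < > " ' become entities, so the value renders as text."""
    return html.escape(str(value), quote=True)


def encode_html_attr(value):
    """Quoted-attribute context: same entities; the template must always quote the attribute,
    otherwise a space in the value starts a new attribute (onmouseover=...)."""
    return html.escape(str(value), quote=True)


def encode_js_string(value):
    """JavaScript string-literal context: JSON quoting, plus \\u escapes for < > & so the
    value can never contain a literal </script> that ends the enclosing script block."""
    encoded = json.dumps(str(value))  # ensure_ascii=True also escapes U+2028/U+2029
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def encode_url_param(value):
    """URL query-parameter context: percent-encode everything outside the unreserved set."""
    return quote(str(value), safe="")


def render_profile_unsafe(display_name):
    """The 'before': a stored string concatenated straight into four different contexts."""
    return (
        f"<h1>{display_name}</h1>\n"
        f'<input name="nick" value="{display_name}">\n'
        f"<script>var user = '{display_name}';</script>\n"
        f'<a href="/u?name={display_name}">profile</a>'
    )


def render_profile_safe(display_name):
    """The 'after': the same template, each slot encoded for the context it lands in."""
    return (
        f"<h1>{encode_html_body(display_name)}</h1>\n"
        f'<input name="nick" value="{encode_html_attr(display_name)}">\n'
        f"<script>var user = {encode_js_string(display_name)};</script>\n"
        f'<a href="/u?name={encode_url_param(display_name)}">profile</a>'
    )


def injected_script_surfaces(page):
    """The check the post asks you to do by eye: does the injected script tag reach the browser intact?"""
    return "<script>alert(" in page


if __name__ == "__main__":
    for label, page in (("unencoded", render_profile_unsafe(STORED_PAYLOAD)),
                        ("encoded", render_profile_safe(STORED_PAYLOAD))):
        print(f"--- {label}: payload surfaces = {injected_script_surfaces(page)}")
        print(page)
```

The point of the four encoders is that HTML entity encoding alone does not protect the script or URL slots: `&lt;` inside a JavaScript string literal is just six harmless characters, but so is a raw `</script>`, and only the `\u003c` form survives the HTML parser without ending the script block.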

XSS Attack Tool

This is where the XSS Attack Tool comes into play. The tool simulates an attack on your database: it updates up to 5000 rows in every table, replacing the strings in your database with random XSS attack scripts. Just imagine a malicious user had direct access to your database and tried his best to XSS attack your site.

After you run the tool, go and browse your website. Considering the large number of XSS scripts injected into your database, you should expect some of them to surface in the UI as potential attacks (alerts, broken pages, browser errors). This lets you find and encode all the places where stored data surfaces. The tool is not intended to cover every possible scenario, so using it does not guarantee that your website is not vulnerable; however it's yet another tool in the arsenal we need to better protect our sites.

Usage

  1. Download XSS Attack 1.0.
  2. Unzip
  3. BACKUP your database.
  4. Now BACKUP your database again. Are you sure you did that? Do it one more time just to be sure you can get back to it.
  5. Modify the “Database” connection string in XSSAttack.exe.config to point to your database.
  6. Enter any Schema, Table or Column name (format Schema, Schema.Table or Schema.Table.Column) in the ignore field in the config file to let the tool know those should be ignored.
    • Ignore tables like system properties tables that contain settings required for your site to run, or reference data tables that can't be modified or never surface back to the user.
  7. Run the tool and watch it update your database.
    • The tool might fail to update some columns every now and then, or fail outright if you have custom indexes or referential integrity constraints on the columns it touches.
  8. Go back to your website and browse. If some scripts make it to the surface un-encoded you should see it pretty quickly.
  9. Note that you might have to do some manual updates to your database to get your site up and running again (e.g. fix your user name or password so you can log in).
  10. If all of your website still looks good, run the tool a few more times and try again, as the payloads are chosen at random.

Note: The tool DOES NOT INSERT any data in your database. It only updates existing rows so make sure your database has a good sample set of your data that you can use for testing.
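The core of what the tool does, as an added example written for this page (not the XSS Attack tool's own code), in Python against an in-memory SQLite database so it runs offline: walk every table, pick the string columns, update up to a row limit with random payloads, honour an ignore list in the Schema / Schema.Table / Schema.Table.Column format, and record the columns whose constraints reject the payloads instead of aborting the run. The sample schema, the payload list and the use of `main` as the schema name (SQLite has no schemas of its own) are assumptions.

```python
import random
import sqlite3

# Constructed payload corpus; the real tool pulls in a much larger set of scripts.
XSS_PAYLOADS = [
    "<script>alert('xss')</script>",
    "\"><img src=x onerror=alert(1)>",
    "'><svg onload=alert(document.cookie)>",
    "javascript:alert(1)",
    "<iframe src=\"javascript:alert(1)\"></iframe>",
]

SCHEMA = "main"  # assumption: SQLite's default schema stands in for dbo


def parse_ignore_list(spec):
    """Comma-separated entries in the tool's Schema, Schema.Table or Schema.Table.Column format."""
    return {tuple(e.strip().lower().split(".")) for e in spec.split(",") if e.strip()}


def is_ignored(ignored, schema, table, column):
    path = (schema.lower(), table.lower(), column.lower())
    return any(path[:len(prefix)] == prefix for prefix in ignored)


def text_columns(conn, table):
    """Non-key columns whose declared type is a string type."""
    cols = []
    for _cid, name, ctype, _notnull, _default, pk in conn.execute(f'PRAGMA table_info("{table}")'):
        if pk == 0 and any(t in (ctype or "").upper() for t in ("CHAR", "TEXT", "CLOB")):
            cols.append(name)
    return cols


def attack(conn, ignore_spec="", max_rows=5000, rng=None):
    """Overwrite string columns with payloads, one row per transaction, so that a column
    whose constraints reject the payload is reported instead of stopping the run."""
    rng = rng or random.Random()
    ignored = parse_ignore_list(ignore_spec)
    report = {"updated": {}, "failed": {}, "skipped": []}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        rowids = [r[0] for r in conn.execute(f'SELECT rowid FROM "{table}" LIMIT ?', (max_rows,))]
        for column in text_columns(conn, table):
            key = f"{SCHEMA}.{table}.{column}"
            if is_ignored(ignored, SCHEMA, table, column):
                report["skipped"].append(key)
                continue
            done = 0
            for rowid in rowids:
                try:
                    with conn:  # commit per row; a failure rolls back only this row
                        conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                                     (rng.choice(XSS_PAYLOADS), rowid))
                    done += 1
                except sqlite3.IntegrityError as exc:  # CHECK, UNIQUE or FK violation
                    report["failed"][key] = str(exc)
            if done:
                report["updated"][key] = done
    return report


def build_sample_db():
    """Constructed sample: a tiny version of the post's GUID store."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Users(UserId INTEGER PRIMARY KEY, UserName VARCHAR(50),
                           DisplayName VARCHAR(100), Balance INTEGER);
        CREATE TABLE Products(ProductId INTEGER PRIMARY KEY,
                              Sku VARCHAR(10) CHECK (length(Sku) <= 10),
                              Title TEXT, Description TEXT);
        CREATE TABLE SiteSettings(Name VARCHAR(50), Value VARCHAR(200));
        INSERT INTO Users VALUES (1, 'admin', 'Site Admin', 100), (2, 'bob', 'Bob Smith', 5);
        INSERT INTO Products VALUES (1, 'GUID-001', 'A fine GUID', 'Unique, as promised'),
                                    (2, 'GUID-002', 'Another GUID', 'Also unique');
        INSERT INTO SiteSettings VALUES ('ConnectionString', 'Data Source=guidstore'),
                                        ('Theme', 'Default');
    """)
    return conn


def snapshot(conn):
    """Table name -> rows, so the effect of a run can be inspected."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name NOT LIKE 'sqlite_%'")]
    return {t: conn.execute(f'SELECT * FROM "{t}" ORDER BY rowid').fetchall() for t in tables}


def demo(seed=1):
    """Run the attack against the sample database, keeping the settings table and the
    login name intact (as the post recommends), and return the report and the data after."""
    conn = build_sample_db()
    report = attack(conn, "main.SiteSettings, main.Users.UserName", rng=random.Random(seed))
    return report, snapshot(conn)


if __name__ == "__main__":
    report, data = demo()
    print(report)
    for table, rows in data.items():
        print(table, rows)
```

The `Sku` column carries a length CHECK, so every payload is rejected there and the column ends up in the `failed` part of the report rather than breaking the run; the same happens on a real database with unique indexes or foreign keys, which is the failure the usage list warns about.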

Demo

My current demo site, a GUID Store (just in case anyone wants to buy a GUID):

Running the tool:

Loading the website:

And a few more alerts and errors:

I did a restore of the database and tried a new run of the tool and got different results:

The tool might give you false positives, e.g. it may modify columns that can never be modified by anyone and whose output therefore does not need encoding, or it may fail to create a working injection, so take its results with a grain of salt. It's for you to decide what a good result is; maybe restore your database to a known state, configure the tool to ignore more columns and re-run the process.

Note: I'm not responsible for any loss, damage, security issues, fame or whatever before, during or after using this tool. This is a tool for developers and security reviewers so treat it as such. Make sure you back up your database before running this tool and make sure you never run this on a production system. The tool injects scripts taken from other websites that could be malicious to your browser or OS.

If you do find the tool useful then drop me an email at corneliu at acorns dot com dot au to let me know how you used it.

Download XSS Attack 1.0.

Merging WPFThemes with your own styles

.Net, WPF

The last few months I've been working on a WPF app and, as my design skills are close to zero, I've decided to give the app a bit of sexiness by using the WPF goodness of Themes. The best place to start for that is the WPFThemes project on CodePlex.

Sample from one of the themes:

<!-- Button -->
<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}">
    <Setter Property="IsEnabled" Value="true"/>
    <Setter Property="IsTabStop" Value="true"/>

Applying the standard themes to your project is pretty straight forward if you want to use 100% of the theme:

public partial class ApplicationInstance : Application
{
    protected override void OnStartup(StartupEventArgs e)
    {
        ThemeManager.ApplyTheme(this, "ShinyDarkTeal");
        [...]
    }
}

This works a treat. However, because the default styles are all keyed on the control types, there is no way to “customize” the styles in the themes and add new properties to them without either modifying the original themes (a maintenance nightmare, with no chance of ever merging a new version of WPFThemes) or using named styles (which means you have to set the style explicitly on every element in all your code).

Option 1: Modify original theme:

<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}">
    <Setter Property="IsEnabled" Value="true"/>
    <Setter Property="Height" Value="50" /> <!-- my custom property -->
    <Setter Property="IsTabStop" Value="true"/>

Proper maintenance nightmare.

Option 2: Create named style:

<Style x:Key="MyButton" TargetType="{x:Type Button}" BasedOn="{StaticResource {x:Type Button}}">
    <Setter Property="Height" Value="50" />
    <Setter Property="MinWidth" Value="90" />
</Style>

Ugly as you need to use named keys through your application.

Option 3: Override it at window level, not application level

<Window.Resources>
    <Style TargetType="{x:Type Button}" BasedOn="{StaticResource {x:Type Button}}">
        <Setter Property="Height" Value="50" />
    </Style>
</Window.Resources>

Ugly as you have to maintain it for each window.

Note: You can’t use option 3 at application level as the BasedOn will be applied based on the standard style not the themed one.

None of these options sounded good when all I wanted was to be able to set the default Width or Height of my buttons:

<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}">
    <Setter Property="Height" Value="50" />
    <Setter Property="MinWidth" Value="90" />
</Style>

Wouldn't it be nice if we could not just “use the theme as it's given to us” but “merge the theme” into our code and have it as the base of what we build on top of it.

Merging themes and overwriting via target inheritance

The only other option I found was to load the theme file myself, re-key the type-keyed styles as named styles wherever I define my own style for the same type, and force my custom styles to inherit from the theme styles.

First the code:

CustomStyles.xaml – my custom (master) styles

<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}">
    <Setter Property="Height" Value="50" />
    <Setter Property="MinWidth" Value="90" />
</Style>

The x:Key is {x:Type Button}, so I want this style applied to all my buttons.

Theme.xaml – default theme from WPFThemes

<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}">
    <Setter Property="IsEnabled" Value="true"/>
    <Setter Property="IsTabStop" Value="true"/>

These are the styles from the themes. We don’t want to modify them but we would like to merge them with our Custom Styles.

Merge code:

using System;
using System.Collections;
using System.Windows;
using WPF.Themes;   // ThemeManager from the WPFThemes project

// Both methods live in the Application subclass (call MergeThemeFile from OnStartup).
private void MergeThemeFile()
{
    // Load the theme as a plain dictionary instead of applying it with ThemeManager.ApplyTheme.
    ResourceDictionary themeDictionary = ThemeManager.GetThemeResourceDictionary("BlueGlossyControls");

    string customStylesXaml = @"/myassembly;component/Resources/Styles/CustomStyles.xaml";
    ResourceDictionary customStyles = Application.LoadComponent(new Uri(customStylesXaml, UriKind.Relative)) as ResourceDictionary;

    // Remove the custom styles dictionary merged from App.xaml so only the merged result is loaded.
    DropDictionary(customStylesXaml);

    ResourceDictionary finalDictionary = new ResourceDictionary();

    // We have two dictionaries; make the custom styles the master by basing them on the theme styles:
    // every type-keyed theme style that CustomStyles also defines is re-keyed and used as the BasedOn.
    foreach (DictionaryEntry resourceEntry in themeDictionary)
    {
        if (resourceEntry.Value is Style && resourceEntry.Key is Type)
        {
            Type themeKeyType = (Type)resourceEntry.Key;
            Style themeStyle = (Style)resourceEntry.Value;

            // Resource for a specific type; the indexer returns null (no exception) when CustomStyles has no entry.
            Style localStyle = customStyles[resourceEntry.Key] as Style;
            if (localStyle != null)
            {
                string themeKey = "Theme-" + themeKeyType.FullName;
                finalDictionary[themeKey] = themeStyle;    // keep the theme style as "Theme-[FullName]"
                localStyle.BasedOn = themeStyle;           // make the local style inherit the theme one
                finalDictionary[themeKeyType] = localStyle;
                continue;
            }
        }
        finalDictionary.Add(resourceEntry.Key, resourceEntry.Value);
    }
    // Everything in CustomStyles that the theme does not define goes in unchanged.
    foreach (DictionaryEntry resourceEntry in customStyles)
    {
        if (!finalDictionary.Contains(resourceEntry.Key))
        {
            finalDictionary[resourceEntry.Key] = resourceEntry.Value;
        }
    }
    this.Resources.MergedDictionaries.Add(finalDictionary);
}

private void DropDictionary(string name)
{
    foreach (ResourceDictionary resource in this.Resources.MergedDictionaries)
    {
        // Source is null for dictionaries declared inline, so guard before comparing.
        if (resource.Source != null && resource.Source.ToString() == name)
        {
            this.Resources.MergedDictionaries.Remove(resource);
            break;   // the collection was modified; stop enumerating
        }
    }
}

This code loads the theme file and checks whether any of its type-keyed styles are overridden in CustomStyles.xaml.

If there is a “conflict”, we store the theme style under a named key and set the BasedOn of the custom style to the theme style. If there is no conflict we load the theme style as it is.

This merges the two files like this:

<!-- Original style from the theme, re-keyed from x:Key="{x:Type Button}" to a named key -->
<Style x:Key="Theme-System.Windows.Controls.Button" TargetType="{x:Type Button}">
    <Setter Property="IsEnabled" Value="true"/>
    <Setter Property="IsTabStop" Value="true"/>
</Style>
<!-- Style from CustomStyles, now based on the re-keyed theme style -->
<Style x:Key="{x:Type Button}" TargetType="{x:Type Button}" BasedOn="{StaticResource Theme-System.Windows.Controls.Button}">
    <Setter Property="Height" Value="50" />
    <Setter Property="MinWidth" Value="90" />
</Style>

We then load the new combined style.

This gets the best of both worlds: we can apply a theme while also overwriting/merging parts of it.

Merged styles: WPFThemes Gradients, My Width/Height

Now the next challenge is to be able to override part of the content. I’d like my buttons to have two lines of text. One with the text and one with the shortcut defined via a dependency property. I’d like to keep the theme contents of the button and be able to add to that in a very simply way.

Step by Step Database Encryption

.Net, Secure your code, Security

I'm sure there are a billion articles out there about database encryption, but I didn't really find one that is simply a quick and simple guide.

Step 0: What do we need

The simplest approach is to use: a Master key on the database, a certificate and a symmetric key.

Step 1: Create Master Key

MSDN: The database master key is a symmetric key used to protect the private keys of certificates and asymmetric keys that are present in the database.

CREATE MASTER KEY ENCRYPTION BY PASSWORD = 'Some Really long and complex password'

If you have no idea for a long and complex password, generate one locally with a password manager rather than on a website (this password protects every key in the database). Use a length of 28 or longer, and keep the password together with a backup of the master key and the certificate (BACKUP MASTER KEY and BACKUP CERTIFICATE ... WITH PRIVATE KEY): without them the encrypted data cannot be recovered on another server.

Step 2: Generate a Certificate

MSDN: […] when SQL Server generates a self-signed certificate, the private key is always created. By default, the private key is encrypted using the database master key. If the database master key does not exist and no password is specified, the statement will fail.

CREATE CERTIFICATE MyDatabaseCertificate
   WITH SUBJECT = 'Certificate For My Database',
   EXPIRY_DATE = '10/31/2011';

Step 3: Create the symmetrical key used for the encryption

MSDN: When a symmetric key is created, the symmetric key must be encrypted by using at least one of the following: certificate, password, symmetric key, asymmetric key, or PROVIDER.

CREATE SYMMETRIC KEY MyDatabase_Key WITH ALGORITHM = AES_256
    ENCRYPTION BY CERTIFICATE MyDatabaseCertificate;

Step 4: Give rights to the user(s) that will encrypt and decrypt using the certificate and key

To open the symmetric key, the user doing the encryption/decryption needs CONTROL on the certificate that protects the key (that is what lets them use its private key) and at least VIEW DEFINITION on the symmetric key itself, as OPEN SYMMETRIC KEY requires the caller to hold some permission on the key. Grant exactly that and nothing more.

GRANT VIEW DEFINITION ON SYMMETRIC KEY :: MyDatabase_Key TO "MyDbUser"
GRANT VIEW DEFINITION ON CERTIFICATE :: MyDatabaseCertificate TO "MyDbUser"
GRANT CONTROL ON CERTIFICATE :: MyDatabaseCertificate TO "MyDbUser"

NOTE: the user name is quoted with double quotation marks (or square brackets), not apostrophes, because it is an identifier and not a string.

If you use Integrated Security your user would look like “DOMAIN\UserName”:

GRANT VIEW DEFINITION ON SYMMETRIC KEY :: MyDatabase_Key TO "SERVER\MyWebUser"
GRANT VIEW DEFINITION ON CERTIFICATE :: MyDatabaseCertificate TO "SERVER\MyWebUser"
GRANT CONTROL ON CERTIFICATE :: MyDatabaseCertificate TO "SERVER\MyWebUser"

Step 5: Encrypting and Decrypting Data

To encrypt and decrypt data you need to be able to open the symmetric key. OPEN SYMMETRIC KEY is a statement with side effects, so it cannot be used inside a user-defined function; put it in a stored procedure (as below) or run it in the same batch as the EncryptByKey/DecryptByKey calls. Note that decryption does not name the key: EncryptByKey prepends the GUID of the key to its output and DecryptByKey uses that GUID to find the (already opened) key.

Procedure to encrypt credit card numbers:

CREATE PROCEDURE [dbo].[usp_EncryptCreditCardNumber]
(
    @CreditCardNumber AS VARCHAR(16)
    , @Result VARBINARY(128) OUTPUT
)
AS
BEGIN
    SET NOCOUNT ON

    OPEN SYMMETRIC KEY MyDatabase_Key
    DECRYPTION BY CERTIFICATE MyDatabaseCertificate

    SET @Result = EncryptByKey(Key_GUID('MyDatabase_Key'), @CreditCardNumber)

    CLOSE SYMMETRIC KEY MyDatabase_Key
END

Procedure to decrypt credit card numbers:

CREATE PROCEDURE [dbo].[usp_DecryptCreditCardNumber]
(
    @EncryptedCreditCardNumber VARBINARY(128)
    , @CreditCardNumber AS VARCHAR(16) OUTPUT
)
AS
BEGIN
    SET NOCOUNT ON

    OPEN SYMMETRIC KEY MyDatabase_Key
    DECRYPTION BY CERTIFICATE MyDatabaseCertificate

    -- DecryptByKey returns NULL (no error) if the value was truncated or encrypted with another key
    SET @CreditCardNumber = CONVERT(VARCHAR(16), DecryptByKey(@EncryptedCreditCardNumber))

    CLOSE SYMMETRIC KEY MyDatabase_Key
END

Step 6: Creating the table that will contain the encrypted data

Note: The encrypted column(s) have to be of type VarBinary and long enough to hold the whole output of EncryptByKey, which is considerably longer than the plaintext: in front of the ciphertext it stores the key GUID, a short header and a random IV, and the ciphertext itself is padded up to the next 16-byte AES block (a 16-character card number comes out at 68 bytes with AES_256). Size the column with headroom, VARBINARY(128) here, rather than to the plaintext length: a value that does not fit a variable or column is silently truncated, and DecryptByKey then returns NULL instead of the card number.

So, let's just say you want to encrypt credit card details. You could create a table like:

CREATE TABLE [dbo].[CreditCardDetails](
    [CreditCardDetailsId] [int] IDENTITY(1,1) NOT NULL,
    [CreditCardNumber] [varbinary](128) NULL, -- Encrypted Credit Card
    [CreditCardLast4Digits] [char](4) NULL,
    [CreditCardExpMonth] [tinyint] NULL,
    [CreditCardExpYear] [int] NULL,
    [CreditCardName] [varchar](255) NULL,
    [CreditCardTypeId] [int] NULL,
 CONSTRAINT [PK_CreditCardDetails] PRIMARY KEY CLUSTERED
([CreditCardDetailsId] ASC)
)

You really want to keep the last 4 digits of the card in a separate column so you can present them in different UI items without having to decrypt the real credit card number.

Step 7: Inserting credit card details

Once we have the encrypt and decrypt procedures, the insert and retrieve become simple two-step processes.

Save and encrypt:

CREATE PROC [dbo].[usp_CreditCardDetailsInsert]
    @CreditCardExpMonth tinyint,
    @CreditCardExpYear int,
    @CreditCardLast4Digits nchar(4),
    @CreditCardName varchar(255),
    @CreditCardNumber VARCHAR(16),
    @CreditCardTypeId int
AS
    SET NOCOUNT ON
    SET XACT_ABORT ON

    BEGIN TRAN

    DECLARE @EncryptedCreditCardNumber VARBINARY(128)
    EXECUTE dbo.usp_EncryptCreditCardNumber @CreditCardNumber, @EncryptedCreditCardNumber OUTPUT

    INSERT INTO [dbo].[CreditCardDetails] ([CreditCardExpMonth], [CreditCardExpYear], [CreditCardLast4Digits], [CreditCardName], [CreditCardNumber], [CreditCardTypeId])
    SELECT @CreditCardExpMonth, @CreditCardExpYear, @CreditCardLast4Digits, @CreditCardName, @EncryptedCreditCardNumber, @CreditCardTypeId

    COMMIT
GO

Retrieve and decrypt:

CREATE PROC [dbo].[usp_CreditCardDetailsSelectForPayment]
    @CreditCardDetailsId INT
AS
    SET NOCOUNT ON
    SET XACT_ABORT ON

    -- retrieve the encrypted credit card
    DECLARE @EncryptedCreditCardNumber VARBINARY(128)
    SELECT @EncryptedCreditCardNumber = CreditCardNumber
    FROM dbo.CreditCardDetails
    WHERE  [CreditCardDetailsId] = @CreditCardDetailsId

    DECLARE @CreditCardNumber varchar(16)
    -- decrypt
    EXECUTE [dbo].[usp_DecryptCreditCardNumber] @EncryptedCreditCardNumber, @CreditCardNumber OUTPUT

    -- select the other bits
    SELECT [CreditCardDetailsId], [CreditCardExpMonth], [CreditCardExpYear], [CreditCardLast4Digits], [CreditCardName], @CreditCardNumber AS CreditCardNumber, [CreditCardTypeId]
    FROM   [dbo].[CreditCardDetails]
    WHERE  [CreditCardDetailsId] = @CreditCardDetailsId

GO

PLEASE  make sure that you have another procedure for retrieving the non-critical data like name and last 4 digits of the card for display purposes without having to decrypt the credit card.

The only reason why you would need to decrypt the credit card is to send it to a payment gateway to process a transaction.

WCF Dynamic Client Proxy – Implementing IDisposable

WCF, WCF Dynamic Proxy

As my good friend and Readify colleague Buddhike observed, the generated WCF Dynamic Proxy was not implementing IDisposable. This is a bit scary as I was quite sure I had that implementation done already, so all I can imagine is that for some reason (no source control?) I've been working on an older code base.

So, here is a new implementation that implements IDisposable. The only trick is that you have to cast the received proxy to IDisposable in order to use it in a using statement. Unlike the WCF ClientBase<T> implementation, whose Dispose throws if the channel is faulted, the dynamic proxy never throws from its Dispose, so it's safe to use in a using statement:

IService1 service = WCFClientProxy<IService1>.GetReusableFaultUnwrappingInstance("Service1");
using (service as IDisposable)
{
    service.MyOperation1("a", 0);
}

Please download the new version of WCF Client Proxy 1.3.1.

WCF Dynamic (ClientBase) Proxy part three: Connection Pooling and Automatic Disposing

.Net, WCF, WCF Dynamic Proxy

A while ago I published a small and neat Dynamic Proxy that automatically creates the (WCF) ClientBase<T> implementation for you, so you don't have to generate it from the service interface, hand-code it, or maintain it.

One of its great advantages was that you could ask for a “Reusable” proxy, which was basically a wrapper around the proxy that you didn't have to close/dispose yourself in case of a fault.

As you might know, WCF requires that you dispose of (abort) the proxy once a fault has put its channel into the faulted state, as it cannot be reused. Doing this is a pain in any kind of code, as you have to manage the connection lifetime while all you care about most of the time is talking to the service, not the lifetime of your connection. The WCF Client Proxy was also doing this management for you, allowing you to simply focus on your business and not on opening/closing your connections.

However, there are moments in which you also want to explicitly close your proxy, for example with a using statement. Because the WCF Client Proxy returned you exactly the interface you requested, if that interface did not implement IDisposable you had to resort to a trick and cast the received proxy to IDisposable (the proxy implements it behind the scenes anyway) and use it like this:

IService1 service = WCFClientProxy<IService1>.GetReusableInstance("Service1");
using((IDisposable)service)
{
    service.MyOperation1();
}

This was again a bit ugly, as you have to care about the connection and can't just use it as any other interface: you have to be aware that your interface represents a WCF service that you want to dispose of.

One other scenario several people hit is in websites that talk to external WCF services and use the same service from within the same page several times (for example from different controls). In practice you will open/close the same proxy multiple times during the lifetime of the page.

Connection Pooling

In order to simplify the management of WCF connections during the lifetime of a web page, or even of a WCF operation call, and reduce the overhead of disposing proxies, I've now added a ProxyConnectionPool class to the dynamic proxy. When enabled, it automatically picks up all the created WCF connections and pools them (that is, it returns the same one back to you if you use it from the same thread and it's safe to reuse).

To enable the connection pooling all you have to do is:

ProxyConnectionPool.EnableConnectionPool = true;

Now every time you call GetReusableInstance or another method on WCFClientProxy, the connection you receive might be a pooled one (same-thread pooling only) or a new one that has just been registered with the pool. This should improve your performance, as creating WCF proxies is an expensive process that you want to avoid as much as possible.

Disposing the pool

Once you finish your work on that thread you can simply ask the connection pool to dispose all the WCF connections from the pool using:

ProxyConnectionPool.Current.Dispose();

Automatic disposing

If you use WCF inside a website to call other WCF services, simply register the following module in your web.config so you get automatic disposing of all WCF connections created during each page request (with peace of mind included).

<system.web>
    <httpModules>
        <add name="WcfConnectionPool" type="ACorns.WCF.DynamicClientProxy.Pool.WcfConnectionPoolHandler,ACorns.WCF.DynamicClientProxy"/>
    </httpModules>
</system.web>

This module automatically enables the connection pool for you and makes sure all the WCF proxies created are nicely disposed at the end of each page request. This truly allows you to focus on writing your business code and not bother about connection management of your WCF services. Your code now becomes:

IService1 service = WCFClientProxy<IService1>.GetReusableInstance("Service1");
service.MyOperation1();

Let someone else deal with the fact that you use WCF :)

Licence

I've been asked several times what licence this code is under. Here is my official statement:

This package is provided "AS IS," without express or implied warranty of any kind, and may be used and modified.

This package may be used in corporate applications without any pretence.

However I would appreciate if you would drop me a line to let me know you are using it to corneliu at acorns.com.au or even donate some money by PayPal to the same address :)

Download

Here is the latest version of the WCF Client Proxy 1.3.0

Writing a super fast deep-property reader/writer using delegates

.Net, Visual Studio

For a while now I've been wanting to write a non-reflection-based property reader that allows me to read properties of an object deep in a hierarchy.

So lets say you have the following simple class hierarchy:

public class FirstLevel
{
    public string Leaf { get; set; }
}
public class SecondLevel
{
    public FirstLevel First { get; set; }
}
public class Root
{
    public SecondLevel Prop { get; set; }
}

Then you want to read Leaf on the FirstLevel starting from the Root, and all you have is the path to the property: “Prop.First.Leaf”.

Using reflection this is a simple process: walk the object recursively, find the right PropertyInfo, call GetValue on it and repeat until you reach the property you want. This works but it's very slow. Very, very slow.

Your two alternatives, if you don't want to bear the cost of reflection on every call, are to emit a method that would look something like this:

public static string GetLeaf(Root root)
{
    SecondLevel secondLevel = root.Prop;
    if ( secondLevel != null )
    {
        FirstLevel firstLevel = secondLevel.First;
        if ( firstLevel != null )
        {
            return firstLevel.Leaf;
        }
    }
    return null;
}

Or use dynamically created delegates to map to the get_Property and set_Property methods generated for each property.

 

using System;
using System.Reflection;

namespace ACorns.Utils
{
    public interface IPropertyAccessor
    {
        object GetValue(object target);
        void SetValue(object target, object value);
    }

    public interface IPropertyAccessor<TargetObject, FinalProperty>
    {
        FinalProperty GetValue(TargetObject target);
        void SetValue(TargetObject target, FinalProperty value);
    }

    /// <summary>
    /// Super-dooper, super-fast deep property extractor.
    /// You can use it to get/set properties deep in an object hierarchy without using reflection on each call.
    /// Please cache the returned IPropertyAccessor if you want to reuse it.
    /// Good performance is only achieved with cached IPropertyAccessor(s)!
    ///
    /// Usage: IPropertyAccessor accessor = PropertyExtractor.GetAccessor(typeof(Root), "Prop.First.Leaf", true);
    /// accessor.GetValue(target);
    /// </summary>
    public static class PropertyExtractor
    {
        public static IPropertyAccessor<TargetObject, FinalProperty>
            GetAccessor<TargetObject, FinalProperty>(Type targetType, string propertyNames)
        {
            return GetAccessor<TargetObject, FinalProperty>(targetType, propertyNames, true);
        }
        public static IPropertyAccessor<TargetObject, FinalProperty>
            GetAccessor<TargetObject, FinalProperty>(Type targetType, string propertyNames, bool throwOnNull)
        {
            IPropertyAccessor internalPropertyAccessor = GetAccessor(targetType, propertyNames, throwOnNull);

            Type accessorType = typeof(TypedPropertyAccessor<,>).MakeGenericType(typeof(TargetObject), typeof(FinalProperty));
            IPropertyAccessor<TargetObject, FinalProperty> propertyAccessor =
                (IPropertyAccessor<TargetObject, FinalProperty>)Activator.CreateInstance(accessorType, internalPropertyAccessor);

            return propertyAccessor;
        }
        public static IPropertyAccessor GetAccessor(Type targetType, string propertyNames, bool throwOnNull)
        {
            string[] deepPropertyNames = propertyNames.Split('.');
            IPropertyAccessor internalPropertyAccessor = GetAccessor(targetType, deepPropertyNames, 0, throwOnNull);
            return internalPropertyAccessor;
        }

        private static IPropertyAccessor GetAccessor(Type targetType, string[] deepPropertyNames, int level, bool throwOnNull)
        {
            string property = deepPropertyNames[level];

            PropertyInfo propertyInfo = targetType.GetProperty(property);
            if (propertyInfo == null)
                throw new ArgumentException("Property '" + property + "' not found on type '" + targetType.FullName + "'.", "propertyNames");

            // Create a delegate to a get_ method. The delegate looks like
            // Func<TargetType, PropertyType> func to a property like class TargetType { public PropertyType { get; } }
            Type getterDelegateType = typeof(Func<,>).MakeGenericType(targetType, propertyInfo.PropertyType);
            Delegate getDelegate = Delegate.CreateDelegate(getterDelegateType, propertyInfo.GetGetMethod());

            IPropertyAccessor accessor;

            level++;
            if (level < deepPropertyNames.Length)
            {
                // Recursive detect the down the property
                IPropertyAccessor nextLevelAccessor = GetAccessor(propertyInfo.PropertyType, deepPropertyNames, level, throwOnNull);

                Type accessorType = typeof(PropertyAccessor<,>).MakeGenericType(targetType, propertyInfo.PropertyType);
                accessor = (IPropertyAccessor)Activator.CreateInstance(accessorType, getDelegate, nextLevelAccessor, throwOnNull);
            }
            else
            {
                Type setterDelegateType = typeof(Action<,>).MakeGenericType(targetType, propertyInfo.PropertyType);
                Delegate setDelegate = Delegate.CreateDelegate(setterDelegateType, propertyInfo.GetSetMethod());

                Type accessorType = typeof(LeafPropertyAccessor<,>).MakeGenericType(targetType, propertyInfo.PropertyType);
                accessor = (IPropertyAccessor)Activator.CreateInstance(accessorType, getDelegate, setDelegate);
            }

            return accessor;
        }

        #region TypedPropertyAccessor
        internal sealed class TypedPropertyAccessor<T, U> : IPropertyAccessor<T, U>
        {
            private readonly IPropertyAccessor _next;

            public TypedPropertyAccessor(IPropertyAccessor next)
            {
                _next = next;
            }

            public U GetValue(T target)
            {
                return (U) _next.GetValue(target);
            }

            public void SetValue(T target, U value)
            {
                _next.SetValue(target, value);
            }
        }
        #endregion

        #region Recursive Property Accessors
        internal sealed class PropertyAccessor<T, U> : IPropertyAccessor
        {
            private readonly Func<T,U> _readDelegate;
            private readonly IPropertyAccessor _next;
            private readonly bool _throwOnNull;

            public PropertyAccessor(Func<T, U> readDelegate, IPropertyAccessor next, bool throwOnNull)
            {
                _readDelegate = readDelegate;
                _throwOnNull = throwOnNull;
                _next = next;
            }
            public object GetValue(object target)
            {
                object result = _readDelegate((T)target);
                if (result == null)
                {
                    if (_throwOnNull)
                        throw new NullReferenceException("Property '" + _readDelegate.Method.Name + "' on '" +
                            typeof(T).Name + "' returned null.");
                    else
                        return default(U);
                }
                return _next.GetValue(result);
            }
            public void SetValue(object target, object value)
            {
                object result = _readDelegate((T)target);
                if (result == null)
                {
                    if (_throwOnNull)
                        throw new NullReferenceException("Property '" + _readDelegate.Method.Name + "' on '" +
                            typeof(T).Name + "' returned null.");
                    else
                        return;
                }
                _next.SetValue((U)result, value);
            }
        }
        internal sealed class LeafPropertyAccessor<T, U> : IPropertyAccessor
        {
            private readonly Func<T, U> _readDelegate;
            private readonly Action<T, U> _setDelegate;

            public LeafPropertyAccessor(Func<T, U> readDelegate, Action<T, U> setDelegate)
            {
                _readDelegate = readDelegate;
                _setDelegate = setDelegate;
            }
            public object GetValue(object target)
            {
                object result = _readDelegate((T)target);
                return result;
            }
            public void SetValue(object target, object value)
            {
                _setDelegate((T)target, (U)value);
            }
        }
        #endregion
    }
}

To use it you ask PropertyExtractor for an IPropertyAccessor for a given root type and dotted property path, and then call GetValue (or SetValue) on it:

[TestMethod]
public void ExtractPropertyFromLeafFixture()
{
    Root r = new Root();
    r.Prop = new SecondLevel();
    r.Prop.First = new FirstLevel();
    r.Prop.First.Leaf = "original value";

    IPropertyAccessor accessor = PropertyExtractor.GetAccessor(typeof(Root), "Prop.First.Leaf", false);
    Assert.IsNotNull(accessor);

    object value = accessor.GetValue(r);
    Assert.AreEqual("original value", value.ToString());

    accessor.SetValue(r, "new value");

    value = accessor.GetValue(r);
    Assert.AreEqual("new value", value.ToString());
}

The beauty of this approach is that once the IPropertyAccessor has been created (using Reflection) up front, each Get/Set on it is a direct delegate call to the property plus an interface call to the next level.

The call stack is therefore very short and efficient:

[image: call stack of the accessor chain]

Make sure you cache this accessor if you need it again later, as creating it is expensive.

The performance should be as good as you can get without emitting code (Reflection.Emit).
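The caching advice above is easy to get wrong (for example by forgetting that throwOnNull changes the accessor's behaviour), so here is an added example of a small cache in front of the post's PropertyExtractor.GetAccessor(Type, string, bool). This is not code from the original post; PropertyExtractor and IPropertyAccessor are the post's own types, while AccessorCache and its members are hypothetical names.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the original post: a cache in front of the
// post's PropertyExtractor.GetAccessor(Type, string, bool) so the reflection
// work happens once per (type, path, throwOnNull) and every later request is
// a dictionary lookup. AccessorCache and its members are hypothetical names.
public static class AccessorCache
{
    private static readonly object _sync = new object();
    private static readonly Dictionary<string, IPropertyAccessor> _accessors =
        new Dictionary<string, IPropertyAccessor>(StringComparer.Ordinal);

    // throwOnNull changes the accessor's behaviour, so it is part of the key;
    // otherwise a caller asking for the throwing variant could get the silent one.
    private static string KeyFor(Type targetType, string propertyPath, bool throwOnNull)
    {
        return targetType.AssemblyQualifiedName + "|" + propertyPath + "|" + (throwOnNull ? "throw" : "skip");
    }

    public static IPropertyAccessor Get(Type targetType, string propertyPath, bool throwOnNull)
    {
        if (targetType == null) throw new ArgumentNullException("targetType");
        if (string.IsNullOrEmpty(propertyPath)) throw new ArgumentNullException("propertyPath");

        string key = KeyFor(targetType, propertyPath, throwOnNull);
        lock (_sync)
        {
            IPropertyAccessor accessor;
            if (!_accessors.TryGetValue(key, out accessor))
            {
                // Slow path: reflection plus delegate creation, paid once per key.
                accessor = PropertyExtractor.GetAccessor(targetType, propertyPath, throwOnNull);
                _accessors.Add(key, accessor);
            }
            return accessor;
        }
    }

    // Generic convenience overload for callers that know the root type statically.
    public static IPropertyAccessor Get<T>(string propertyPath, bool throwOnNull)
    {
        return Get(typeof(T), propertyPath, throwOnNull);
    }
}
```

With the post's test fixture, `AccessorCache.Get<Root>("Prop.First.Leaf", false)` builds the accessor on the first call and hands back the same instance on every later call. The lock is held while GetAccessor runs, which serialises construction but guarantees a given key is only ever built once; since the accessors themselves hold no mutable state, sharing them between threads is safe.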

Improve your code: Regex creation is expensive

.Net, Improve Your Code 5 Comments

One more Improve your code post, for an issue I've found in every .Net project I've ever worked on that used Regexes: people instantiating them far too often.

I don't remember a single project where I've seen them used properly (from the code-usage perspective, not from the regular-expression perspective).

Before the recommendation, it's worth noting this critical piece of information from the MSDN documentation:

Thread Safety: The Regex class is immutable (read-only) and is inherently thread safe. Regex objects can be created on any thread and shared between threads [...]

Yes, you can create one Regex and use it as many times as you want without issues.

Issue: Creating Regex objects is very, very expensive

The pattern has to be parsed, a full execution tree has to be built and a lot of code generated under the covers. Then you use it once and it is left hanging in memory for a long time.

Thus, this is very expensive and wrong:

Regex regex = new Regex(@"^\d{13,19}$");

It's even worse when it's done inside a for-loop, for example, or multiple times in a page.

Recommendation

The proper way to initialise your Regex for the best performance is to declare it at class level as static read-only, with the Compiled flag set.

Like this:

private static readonly Regex valueFormatMatch = new Regex(@"(\[*\])", RegexOptions.Compiled);

Why:

  1. Make it static: so you always have access to it. It's thread-safe, so it's fine to have it static.
  2. Make it read-only: so nobody can replace it half way through the run, plus you help the JIT optimiser.
  3. If the expression is complex, flag it as RegexOptions.Compiled: the parse tree is compiled to IL instead of being interpreted, which should yield better matching performance.
    • Note: from personal experience I've noticed that this only works better if you have a complex expression. For simple expressions the version without Compiled seems to be slightly faster.

Running some tests

Just for fun I've put together a small performance test that runs a simple Regex over several strings:

Test 1: Static readonly Regex with compiled flag

private const int _iterations = 10000;
private static readonly Regex valueFormatMatch = new Regex(@"(\[*\])", RegexOptions.Compiled);
private static void Test1()
{
    Stopwatch s1 = new Stopwatch();
    s1.Start();
    for(int i = 0; i < _iterations; i++)
    {
        valueFormatMatch.IsMatch("123:04");
        valueFormatMatch.IsMatch("23:34:56");
        valueFormatMatch.IsMatch("12345678");
    }
    s1.Stop();
    Console.WriteLine("Test1: " + s1.ElapsedMilliseconds );
}

Test 2: Creating the Regex inside the for-loop

private static void Test2()
{
    Stopwatch s1 = new Stopwatch();
    s1.Start();
    for (int i = 0; i < _iterations; i++)
    {
        Regex test = new Regex(@"(\[*\])");
        test.IsMatch("123:04");
        test.IsMatch("23:34:56");
        test.IsMatch("12345678");
    }
    s1.Stop();
    Console.WriteLine("Test2: " + s1.ElapsedMilliseconds);
    GC.Collect(); GC.Collect();
}

Test 3: Creating the Regex inside the for-loop with the Compile flag set

private static void Test3()
{
    Stopwatch s1 = new Stopwatch();
    s1.Start();
    for (int i = 0; i < _iterations; i++)
    {
        Regex test = new Regex(@"(\[*\])", RegexOptions.Compiled);
        test.IsMatch("123:04");
        test.IsMatch("23:34:56");
        test.IsMatch("12345678");
    }
    s1.Stop();
    Console.WriteLine("Test3: " + s1.ElapsedMilliseconds);
    GC.Collect(); GC.Collect();
}

Performance results over 10000 iterations:

  1. Test 1: Static readonly Regex with compiled flag: 10ms
  2. Test 2: Creating the Regex inside the for-loop: 153ms
  3. Test 3: Creating the Regex inside the for-loop with the Compile flag set: 13725ms

So, quite clearly the static-readonly Regex is your best option.

All test 3 proves is that compiling the Regex is very expensive. I like the idea and I apply it, but the Compiled flag isn't really required. Just make sure you don't have Regexes created all over your code and you'll be fine.
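To make the recommendation and the three tests above reproducible in one place, here is an added example harness. It is not code from the original post: it declares the `_iterations` constant the tests rely on, runs each variant through one timing loop, and goes one step beyond the post by also timing the static read-only Regex without the Compiled flag, the case the note under the recommendation says is slightly faster for simple expressions. RegexCreationCostBenchmark and TimeMilliseconds are hypothetical names.

```csharp
using System;
using System.Diagnostics;
using System.Text.RegularExpressions;

// Added example, not code from the original post: one harness that times the
// ways of obtaining a Regex discussed above, including the "static readonly
// without Compiled" variant the post mentions but does not measure.
// RegexCreationCostBenchmark and TimeMilliseconds are hypothetical names.
public static class RegexCreationCostBenchmark
{
    private const int Iterations = 10000;
    private const string Pattern = @"(\[*\])";   // the post's pattern
    private static readonly string[] Inputs = { "123:04", "23:34:56", "12345678" };

    // Recommended form: one immutable, thread-safe instance per pattern, built once.
    private static readonly Regex SharedCompiled = new Regex(Pattern, RegexOptions.Compiled);
    private static readonly Regex SharedInterpreted = new Regex(Pattern);

    // Runs the three matches Iterations times, obtaining the Regex from getRegex on
    // every iteration. For the shared variants the factory returns the cached field;
    // for the per-iteration variants it constructs a new Regex each time, which is
    // exactly the cost being measured.
    public static long TimeMilliseconds(string name, Func<Regex> getRegex)
    {
        Stopwatch sw = Stopwatch.StartNew();
        for (int i = 0; i < Iterations; i++)
        {
            Regex regex = getRegex();
            foreach (string input in Inputs)
                regex.IsMatch(input);
        }
        sw.Stop();
        Console.WriteLine("{0}: {1} ms", name, sw.ElapsedMilliseconds);
        return sw.ElapsedMilliseconds;
    }

    public static void Main()
    {
        TimeMilliseconds("Static readonly, Compiled", () => SharedCompiled);
        TimeMilliseconds("Static readonly, interpreted", () => SharedInterpreted);
        TimeMilliseconds("New Regex per iteration", () => new Regex(Pattern));
        // The post's Test 3: every iteration pays for parsing and IL generation.
        TimeMilliseconds("New Regex per iteration, Compiled",
                         () => new Regex(Pattern, RegexOptions.Compiled));
    }
}
```

Absolute numbers will differ from the post's, but the ordering is what matters: the two shared instances should be close to each other, constructing per iteration should be an order of magnitude slower, and constructing with Compiled per iteration slower still. The static read-only declaration is also the natural place to fix other per-pattern settings; on .NET 4.5 and later, for example, the overload `new Regex(pattern, options, matchTimeout)` lets you bound how long a single match may run.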

Mazda6.Net CarPC: Getting the parts

.Net, CarPC 3 Comments

In the first part of this article I was talking about my new pet project: building a CarPC.

This is the standard in-dash CD/MP3 Player (via www.netcarshow.com) that I’m trying to replace.

First thing on the list is to figure out what I need for this CarPC, where to outsource the parts and how much they cost.

Most of the installations/guides I’ve seen use a computer installed under one of the seats and run cables to the touch screen in the dash. My plan is to try to squeeze the computer inside the dashboard behind the screen to save on space and avoid running cables through the car.

So, first things first, components list:

  1. Motherboard: VIA Mini-ITX M10000 (eBay for about $100). Small and powerful enough to run XP + .Net and a bunch of USB devices. Should be powerful enough to run a navigation software.
  2. Power Source: M3-ATX DC-to-DC 125W Automotive (eBay for about $80USD). Small and sleek and powerful. No need for extra screws or extra cables.
  3. Touch screen: Lilliput 7″ 629 LED Touchscreen (eBay for $250USD): LED screen with high contrast, small enough to fit in the dashboard.
  4. Fascia: Model 1 or Model 2 (eBay for $120USD). I’ll go for Model 1 for now as I think it looks closer to the design of the car. However I won’t purchase this part until I receive the car and have another look.
  5. Case: Double Din Nano-ITX Compatible Case (ByByte for $119USD). I actually wanted the Double Din Mini-ITX Case that would correctly fit my board, but they don't have the model that fits the touchscreen I want to use in stock. Now, the problem is that this case looks smaller than my board, so I'll have to see how I can fit the board in it.
  6. GPS: SiRf III GPS Receiver (eBay for $40): Well, GPS, that’s it.
  7. Bluetooth dongle (eBay for some change): standard, cheap USB dongle.
  8. OBD 2 CAN – OnBoard Diagnostics with CAN support (eBay for $40): Good to convert bunch of parameters reported in real time by the car to some useful data on the screen. Stuff like speed, fuel usage, oil pressure and more parameters are all reported by the car via this nice adaptor. I’m still looking for a cheap one that works with Bluetooth and has support for the extra Mazda specific codes.
  9. Audio Connector: PC2-78-4 (nexia.co.uk for $20): connects the PC to the audio system without cutting any of the car wires. There is no proof this will work with my car, but it seems the closest one that might work.
  10. Steering Wheel controls adapter: I’ll try to use FusioBrain (FusionControlCentre for $52USD) to convert the Steering Wheel resistive commands to key presses in software.
  11. Software: CentraFuse with Australian maps(FluxMedia for $250USD): Looks nice, does most of the stuff I want to have done and it’s written in .Net. Plus it has support for third-party plug-ins.

Total cost around: $1100USD + shipping cost + other smaller bits that I might need. I’m still way under the stock SatNav for $3000.

For now this list of components should suffice. If things go well I'll add stuff like a reverse camera, WiFi, 3G and other cool gadgets.

Mazda6.Net: The CarPC Project

.Net, CarPC 2 Comments

Long time no posts. I simply didn’t find something highly exciting, unique or nice to write about. Plus I was away, holidays, time with family so I’ve neglected my own blog. I even started to get errors from WordPress at the bottom of my pages that I have no idea how to fix. (contact me if you can help me fix this error please)

However these days I just found a new exciting project to keep me busy in my non-existent free time: Build a CarPC or a Carputer.

Why a CarPC?

Simply because the old car suffered a “small dent” being hit on the side @ 60Km/h by a girl running the red light and it’s a complete write-off. Luckily we all got out of the car safely with no injuries.

So we need a new car and we’ve decided to go for the new Mazda 6 Wagon (2008 model).

[Will update the post with a photo once I get the car]

The car has a nice dashboard with pretty standard audio functionality: CD player with MP3 support, radio and a few other audio controls, but nothing fancy. The Luxury edition has an option for BOSE speakers and/or integrated SatNav. It's nice to have an integrated SatNav, but when you realise there's nothing else you can do with it, it feels a bit restrictive.

The device is non-upgrade-able, costs around $3000AUD and I’m quite sure the maps will cost a fortune if you want to install an update.

So my new quest is: can I build a better in-dash CarPC, cheaper and with more functionality?

I know there are several sites out there that are dedicated to building CarPC but I could not find any complete step-by-step guide or even some hints that someone did this on a Mazda 6 2008 model.

My Wish List:

  1. Run .Net :)
  2. Play music (MP3s)
  3. SatNav with 3D view
  4. Hands-free Bluetooth
  5. Reverse Parking Camera
  6. OBD 2 with CAN (On Board Diagnostics) to monitor the running parameters of the car
    • I’d like the car to keep its own fuel usage, km and other statistics all the time
  7. WiFi
    • Sync my car’s music library with the Media Center
    • So I can write a tool to wake up the car (or just the CarPC) at 7AM and download from the RTA the Live Traffic Report and maybe several images from the intersections I normally go through, to help me decide on the best route to work
  8. 3G + Web Browser
  9. Skype
  10. Mail/RSS reader
  11. Voice Control (nice to have)
  12. Be able to control the CarPC from the steering wheel
  13. Make it look as it was a stock item, nicely integrated and part of the car

TechEd done and dusted

.Net, Debugging, Readify, Tools, Visual Studio 5 Comments

Well, it seems like everyone is doing a post TechEd review of their own.

Me … I have to start with the comment that this was the best TechEd I've been to, mostly because of the comments I've received for my sessions.

Some comments were good, some were great, some were funny and some were really eye-openers. (oh, yes, some were dull but they are worthless).

On Sunday I flew to TechEd NZ and, much to my surprise, when I tried to check into my reserved hotel I was informed that I had been upgraded and moved to the hotel on the other side of the road. Well, thank you. This was much appreciated. I was basically in the hotel just above the conference. I took the lift to level 4-5 and exited directly in the middle of the conference. You gotta love that.

On Tuesday I had to do both my talks one after the other and then run straight to the airport. I didn't get any feedback, as TechEd NZ seems to use paper to collect feedback and evaluations, and I've heard no news from them. I hope they were good as I want to go back next year … one week earlier to do a bit of skiing as well …

On Wednesday I had my talk on debugging, which went very well. The room was packed and the demos worked a treat. The only issue I had was the lights, which were pointing straight into my eyes, giving me the feeling of an FBI interview. It was hard to see the people in the room and the raised hands for questions.

The reviews & evals were really great. So great that I jumped straight into the top 10 best sessions and top 5 best speakers. Thanks everyone for filling in the reviews.

I have to write here some of the comments:

  • Best session I’ve been to for several Techeds, congratulations. this is what it is all about….
  • Simply amazed by this session, by far the best one I have seen during Tech-ed so far.
  • Utterly brilliant – this session paid for the entire entrance fee Excellent

Well, there were over 50 such comments so thanks everyone for taking the time and writing them.

Now, some of the funny ones included no comments but a rating of "Too Technical". Well, for what we considered (and was marked as) a 400-level presentation, and what some considered in their comments a 300-level presentation, a "Too Technical" comment can only be taken as a compliment. If you left that comment, then mate, the session was supposed to be technical ;)

Some of the eye-opener comments:

  • I understand there was a lot to cover, but at times the information was a bit rushed, and I found myself unable to keep up with some of the more arcane sections
  • The only thing is that sometimes he’d speak a little too quickly, which combined with the accent made it hard to hear some things
  • Well delivered. He did have a “balky” moment when he mentioned he might shoot himself in the “leg”.(Woops. It was supposed to be “foot”. Sorry for that.)
  • Speaker’s accent was hard to understand at times

Comments from the security talk:

  • Ease up on the hand waving Corneliu :-) When flicking through code please linger a little longer to give people at least 2-3 seconds to process the context and the detail.
  • Speaks very fast
  • The guy was like a ferret on speed. Great knowledge, but flicked between code wayyy too quick. There were very few web developers in the room, and most of it was about web stuff. Can’t remember what was in the description, but this was disappointing.
  • Very web oriented, which was not obvious from the title.

Thanks a lot for these comments.

I know exactly what I need to focus on for next year.

  • Speak slower (and keep that rhythm of talking): I know I was quite conscious at times of this during my debugging talk but I completely lost myself in the security one as I had the feeling I’m running out of time
  • Present less: Have a smaller amount of information to talk about in one hour. Plan to have the session for only 50 minutes so I have time to speak slower. It’s easy to have an ace up the sleeves prepared that can fill in the last 5 minutes if you finish early.
  • Fix my accent: Maybe if I can just speak a bit slower it's easier with my accent as well. I know my diction in English is quite bad and I'm hard to understand at times (let me tell you I speak as bad and hard to understand in my native Romanian as well). I've already engaged an English teacher (my lovely wife) to prepare a course for me to improve my diction and accent.
  • Work on some of the "quotes"/"jokers" that I use in my talks and make sure they are right. I'll have to make sure you shoot yourself in the "foot", not in the "leg". (The original joke I was trying to refer to is How to Shoot Yourself In the Foot)

Well, now, back to my small corner of development:

  1. I have to finish the Deadlock detector as I think I have a fix for the tool not finding deadlocks between a lock() and a slim lock or read/write lock.
  2. I want to publish a Secure Web library for automatic encoding for ASP.Net controls that I was talking about in my security talk.
  3. I need to publish a new site for my games shop
  4. I need to start planning my upcoming trip to Europe

And most importantly I want to start planning for some new RDN talks and for some cool talks for next year’s TechEd.

PS>> If you were in my sessions and are looking for the demos/slides, please log on to the TechEd portal and navigate to the session scheduler; you can find the pptx attached to the description of the sessions.
