
Security Benefits of Golang Concurrency

Getting started with Go: Part 1

This post is a throwback to my old programming and software engineering blog, where I wrote about how I worked through figuring out various technical solutions.

I used Golang for a bit when I worked on the original Capital One cloud team. That was long before current events, not that I would have had much influence in that particular case, similar to some of the other talented security people who still work there. I liked the language when I tried it but then got away from programming in it for a while due to the particular problems I was solving. I’m exploring it again to see what has changed.

Number one reason to use Golang? Built-in Concurrency

Whenever selecting a technology, you should have a reason. The reason should not be “because all the cool kids do it.” In this case, I’m considering using Golang because of the way it handles concurrency. What’s that? I’ll explain in a few simplified pictures.

In this first picture, the program executes the steps sequentially. Each step takes 2 seconds to run. The program takes 8 seconds from the start of execution to finish.

In the second iteration of the program, the steps run concurrently, meaning multiple actions within the application can run simultaneously. The image below is a bit oversimplified because the hardware the program runs on may not be able to truly execute all the steps at once. If a computer has one processor, it can only perform one task at a time. Concurrency is not equivalent to parallelism.

Consider a program that makes API calls using HTTP requests to process several records. The program sends a web request. Then it waits. Instead of remaining idle, the application can do something else if the program executes the steps concurrently. It may perform a second API call while waiting for a response from the first. This task management method helps some applications run faster because they spend less time sitting idle, waiting for each step to complete. Note that I am demonstrating concepts, not perfect math, in this example.

Concurrency Caveats: Security Problems and Tricky Bugs

Concurrency sounds awesome, right? Well, some caveats exist. Your program needs to be one whose steps can run concurrently, rather than an application that must complete tasks in a specific order, like an e-commerce checkout flow.

Additionally, concurrency is the source of various types of tricky problems and security bugs. If you are not careful with concurrency, one step may be processing a value that another step changes partway through the operation. That leads to vulnerabilities such as double-spend, including the classic ATM concurrency programming error, where someone can withdraw the same amount of money twice before the application decrements the bank account balance.

Tangent: By the way, as soon as I saw the double-spend problem with Bitcoin, I said, “No, Thanks.” I worked on programming large financial systems for a bank with billions of dollars of assets under management. That is not acceptable for systems managing your money. Neither is BGP hijacking or lack of support from anyone when someone steals your money. But, I digress.

Concurrency may also lead to deadlocks, where two tasks each need a value (or lock) that the other is holding. Both may get stuck in a waiting state. With this type of problem, you may experience an application hanging for no apparent reason.

Concurrency in Golang: It’s built-in!

Go helps with some of these issues because it has concurrency built-in from the ground up. Like Java’s attempt to reduce the chance your program has a buffer overflow, Golang tries to help you implement programs that leverage concurrency without errors. The language relieves developers of worrying about things like blocking, scheduling, mutexes, and semaphores. Go handles all this for you using the constructs of goroutines and channels.
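The ATM double-spend described above, written in Go as an added example (not code from the original post): a racy Account whose balance check and decrement are separate steps, a SafeAccount that holds a sync.Mutex across both, and a helper that fires N goroutines at the account and collects their results over a channel. The names Account, SafeAccount and withdrawConcurrently are my own.

```go
package main

import "sync"

// Account is the racy "before": check and decrement are separate steps, so two
// goroutines can both pass the check and both withdraw (the ATM double-spend).
type Account struct{ Balance int }

func (a *Account) Withdraw(amount int) bool {
	if a.Balance >= amount { // another goroutine may run between check and decrement
		a.Balance -= amount
		return true
	}
	return false
}

// SafeAccount wraps Account with a mutex held across check-and-decrement,
// so the two steps become one atomic unit and the balance cannot be spent twice.
type SafeAccount struct {
	mu sync.Mutex
	Account
}

func (a *SafeAccount) Withdraw(amount int) bool {
	a.mu.Lock()
	defer a.mu.Unlock()
	return a.Account.Withdraw(amount) // same logic, now serialized
}

// withdrawConcurrently runs n goroutines that each call withdraw(amount) and returns how many succeeded.
func withdrawConcurrently(n, amount int, withdraw func(int) bool) int {
	var wg sync.WaitGroup
	results := make(chan bool, n) // buffered so no sender blocks
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func() {
			defer wg.Done()
			results <- withdraw(amount)
		}()
	}
	wg.Wait()
	close(results)
	succeeded := 0
	for ok := range results {
		if ok {
			succeeded++
		}
	}
	return succeeded
}
```

Goroutines and channels do not remove the data race in Account by themselves; the developer still has to serialize the check-and-decrement, and the race detector (`go run -race` or `go test -race`) is the check that reports when that was forgotten.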

Golang has other benefits, but this is one of the primary reasons I am looking at this language once again and considering using it for various security projects related to research papers for IANS. Here are some of my prior articles for those who are IANS clients:

I love Python for quickly written scripts or programs that don’t require this level of complexity or performance. Yes, I have 20+ years of Java experience, but I’ve written concurrent programs in Java and C#. I’m hoping that Golang will make these things a bit easier. I’m also hoping that some advancements since the early days of Golang have improved package management.

If all goes according to plan, I will show the steps to get started in upcoming articles if you want to follow along. This current interest is just one of my ideas that I’m working on — concurrently. :)

Teri Radichel | © 2nd Sight Lab 2020