Category Archives: Clarion 11

New application security features in Clarion

We’ve added two new linker options that can make your applications more secure against malware exploits: ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention).

ASLR (Address space layout randomization)

ASLR, also often referred to as DYNAMICBASE, modifies the header of an executable to indicate whether the application should be randomly rebased at load time by the OS.
ASLR is transparent to your application. With ASLR, the only difference is that the OS will rebase the executable unconditionally, instead of doing it only when a base image conflict exists. ASLR is supported only on Windows Vista and later operating systems; it is ignored on older OS versions.

Why should you use ASLR? On platforms without ASLR support (versions of Windows prior to Windows Vista), there is a well-known exploit approach in which an attacker finds and manipulates code that exists within a process’s modules (DLLs and EXEs) when those modules have been loaded at predictable locations in the address space of the process. Address space layout randomization (ASLR) randomizes the memory locations used by programs, making it much harder for an attacker to correctly guess locations within a given process, including the base of the executable and the positions of the stack, heap and libraries.

In the next build of C11, the “Dynamic Base Address” option is set on by default at the project level.

If you want to set it from the EXP file, the command is:

DYNAMIC_BASE
on any line by itself (outside of the Exports)

DEP (Data Execution Prevention)

The purpose of DEP is to prevent attackers from being able to execute data as if it were code. This stops an attack that tries to execute code from the stack, heap, and other non-code memory areas. DEP prevents malware from writing code into data pages then executing it.

In the next build of C11, the “Data Execution Protection” option is set on by default at the project level.

If you want to set it from the EXP file, the command is:

DEP
on any line by itself (outside of the Exports)

Summary

The combined use of DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization) has proven to be effective against the types of exploits that are in use today. DEP breaks exploitation techniques that attackers have traditionally relied upon, but DEP without ASLR is not sufficient to prevent arbitrary code execution in most cases. DEP is also needed to make ASLR more effective.

Adding these two malware countermeasures to your applications is especially useful for applications that handle financial data, credit cards, health info, and more.

To set these linker options in Clarion at the Project level:

Open the Project properties page:


then click on the “Compiling” tab and set the checkboxes to ON

ASLR and DEP
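
To confirm that a rebuilt EXE or DLL actually carries both opt-ins, the two bits can be read back from the PE header. The Python below is an added example, not SoftVelocity code: `pe_mitigations` and `sample_image` are names chosen here, the sample header is constructed, and the check also reports the relocations-stripped bit because an image without relocation data cannot be rebased even when the ASLR flag is set.

```python
import struct
import sys

RELOCS_STRIPPED = 0x0001  # COFF Characteristics: IMAGE_FILE_RELOCS_STRIPPED
DYNAMIC_BASE = 0x0040     # DllCharacteristics: ASLR opt-in (DYNAMICBASE)
NX_COMPAT = 0x0100        # DllCharacteristics: DEP opt-in (NXCOMPAT)


def pe_mitigations(image: bytes) -> dict:
    """Read the ASLR/DEP opt-in bits from a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", image, 0x3C)  # e_lfanew
    opt_off = pe_off + 24                  # signature (4) + COFF header (20)
    if image[pe_off:pe_off + 4] != b"PE\0\0" or len(image) < opt_off + 72:
        raise ValueError("PE headers missing or truncated")
    opt_size, coff_flags = struct.unpack_from("<HH", image, pe_off + 20)
    (magic,) = struct.unpack_from("<H", image, opt_off)
    if magic not in (0x10B, 0x20B) or opt_size < 72:   # PE32 / PE32+
        raise ValueError("unsupported optional header")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ headers.
    (dll_flags,) = struct.unpack_from("<H", image, opt_off + 70)
    relocs = not coff_flags & RELOCS_STRIPPED
    flagged = bool(dll_flags & DYNAMIC_BASE)
    return {
        "dynamic_base": flagged,
        "relocs_present": relocs,
        # Without relocation data the loader cannot move the image.
        "aslr_effective": flagged and relocs,
        "dep": bool(dll_flags & NX_COMPAT),
    }


def sample_image(dll_flags: int, coff_flags: int = 0x0102) -> bytes:
    """Constructed, header-only 32-bit PE used as offline sample input."""
    buf = bytearray(0x40 + 24 + 96)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x014C)            # Machine: i386
    struct.pack_into("<HH", buf, 0x54, 96, coff_flags)   # opt size, flags
    struct.pack_into("<H", buf, 0x58, 0x10B)             # PE32 magic
    struct.pack_into("<H", buf, 0x58 + 70, dll_flags)
    return bytes(buf)


if __name__ == "__main__":
    # Pass built EXE/DLL paths as arguments; with none, use the sample.
    images = {p: open(p, "rb").read() for p in sys.argv[1:]}
    for name, data in (images or {"sample": sample_image(0x0140)}).items():
        print(name, pe_mitigations(data))
```

Running it over every EXE and DLL in a release folder catches a module that was built from an older project file or with the options switched off.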

New Clarion language features

Some exciting new features in the Clarion language will be introduced in the next build for C11: Reference variables of Procedure types are supported by the compiler, and corresponding support is added to the linker and RTL.

1. Declaration of a Procedure reference

A reference variable of a procedural type is declared as follows:

Ref &<procedure label>

where <procedure label> is the label of a previously declared Procedure, a parameter of procedural type, or the label of a method in a CLASS or INTERFACE. If there is more than one Procedure or Class/Interface method with the label (for example, a class method is overloaded), or there is a data declaration with the same label in the current scope/context, the compiler returns an error.

A previous MAP structure must contain the corresponding Procedure type declaration to allow references to a Class or Interface method:

  MAP 
    MethodNameType  PROCEDURE (*ClassId, <other parameters>),...,TYPE       
  END

Ref   &MethodNameType

We’re also considering a possible future extension that would allow the <procedure label> to include the Class or Interface identifier as part of the declaration, for example:

Ref &ClassId.MethodName

2. Procedure Reference assignments

The reference assignment to a reference variable of procedural type has the same form as for any other reference assignment:

RefVar &= <source>

For reference assignments to reference variables of procedural types the right-hand side can be any one of the following:

1) NULL
2) an expression where the value can be converted to a LONG type
3) the label of a reference variable of procedural type
4) the label of a parameter of procedural type
5) the label of a Procedure declared in a MAP structure
6) the label of a Class method

For (3), (4) and (5), the profile of the Procedure or procedural type on the right-hand side must be exactly the same as the profile of the procedural type used in the declaration of the reference variable on the left-hand side, meaning it must match the number and types of parameters, the return type (or both sides can have no return type), and the calling convention.

For (6), if the method label on the right side is overloaded, the compiler tries to find the method with the most suitable profile. In this case “suitable” means that the first parameter (class type) on the right side can also be of a type which is a descendant of the class type of the first parameter in the profile of the reference variable’s type. All other parameters, their order, return type, and the calling convention must be exactly the same.

The identifier on the right side can include:

  • the label of an instance of a class type, or the label of an interface
  • the label of a reference variable assigned to a class type
  • the label of a reference variable assigned to an interface type
  • the SELF or PARENT keywords
  • the label of a Class type

For example:

CType    CLASS,TYPE
M          PROCEDURE (LONG),LONG,PASCAL,VIRTUAL
         END

         MAP
PType     PROCEDURE (*CType, LONG),LONG,PASCAL
         END

R1       &PType
R2       &MESSAGE  ! the MESSAGE - built-in function
RC       &CType
AClass   CType

  CODE

  RC &= AClass
  R1 &= NULL
  R1 &= AClass.M
  R1 &= RC.M
  R1 &= CType.M
  R2 &= 0 + SYSTEM {PROP:MessageHook}

3. Reference equality operator

The reference equality operator for the reference variable of a procedural type has the same form as for any other reference variables:

Ref &= <right side>

If the left side of the reference equality operator is a reference variable of procedural type, the <right side> can take any of the forms described for <source> in the “Procedure Reference assignments” section above.

There is one exception to this: if the <right side> is the label of a Class/Interface method and this label is overloaded, the compiler reports the error “Error: Ambiguous reference type” rather than trying to choose the intended matching variation of the method.

4. Usage

A Reference variable of a procedural type can be used in any context where procedures/functions with the same profiles are valid:

  • call statements
  • a parameter of a procedural type
  • the Sort function parameter in QUEUE statements ADD, GET, PUT and SORT
  • as a parameter of the ADDRESS function
  • as a parameter of the BIND statement

Probably the most typical variations of usage for procedural type references are:

  • Calling DLL functions from addresses returned by the Windows API’s GetProcAddress function
  • SYSTEM hook properties are no longer write-only in the upcoming RTL release. The result of getting one of these properties is the RTL internal function implementing the corresponding statement:
    MESSAGE, COLORDIALOG, FONTDIALOG and other standard dialogs,
    OPEN for Windows and Reports, CLOSE for Windows and Reports, changing SYSTEM properties, etc.

    This means your program can retrieve the RTL’s hook function and replace it with your own function, which calls the original RTL code internally.
  • Simulation of virtual functions in cases where the actual function can be changed at run time.

5. Some General info

  • Reference variables of procedural type can be declared as a field in GROUP/QUEUE/CLASS declarations
  • The DIM attribute is currently invalid for declarations of reference variables, and that same rule applies for reference variables of procedural types.
  • The ADDRESS function supports Class type labels in the identifiers of methods passed as parameters, for example, using the declarations from the example above the following expression:

    ADDRESS (CType.M)

    is valid in the upcoming release.

The new language enhancements can be likened to a pointer-to-method, and reference-to-method in C++. But in C++ a special syntax is used to allow the compiler and linker to handle these language constructs properly. No special syntax is required in Clarion.


TYPEd Class Methods

Another powerful language enhancement available in the upcoming release is support for TYPEd Class methods. I’ll be making a separate post on typed Class methods with an example of usage.

CIDC 2019

We are looking forward to the upcoming Clarion International Developers Conference (CIDC). We anticipate announcing some powerful new capabilities! And we’ll be posting from the conference to share with the Clarion community. If you can’t attend in person there is an option for live streaming. For more information visit cidc2019.com

Clarion IP Driver version 11

When we updated the IP Driver for version 11 we made two important changes: we moved from OpenSSL to LibreSSL, and (as of version 11) the IP Server/Driver only supports secure data communications (SSL/TLS). This is covered in both the driver reference manual and the online help file, but it is easy to explain with these screenshots:

IP Server manager

 

 

Here we specify two ports; the port used by the RMadmin program, and the port used by the Clarion desktop client app.

Specify the 2 ports for the IP Server

IP Driver ports

When connecting to the server for admin work (registering data managers, etc.), we connect using the RMadmin program on the ‘Administrator Port’, and in our Clarion client app we specify to connect on the ‘Client Secure Port’. You can choose any ports that are open on your machine; just be sure your firewall allows traffic on the ports you specify.

 

Clarion 11 gold release today!

The first beta release of C11 went out in early September, and today we are making it official: the Clarion 11 gold release is out today! We are sending emails out to all Clarion devs with a current subscription. You will love the improved Template UI, as well as a ton of new features and productivity improvements in the IDE. Please remember to renew your subscription before the end of October. Renew your CSP

Review the latest fixes/changes/features here

Clarion 11 RC1 – update

The Clarion 11 Release Candidate (RC1) was delayed from its delivery on Monday. The two main reasons were a bug report about slower load time for Solutions containing a large number of .APP files (regression), and a report about slow load times in very large .DCT files for the initial selection of a column (old existing issue). In the readme file these correspond with:

CHANGE: A Solution with multiple Applications now gets loaded much faster than earlier Clarion versions. NOTE: Only ONE project with the name the same as the primary App/SLN should exist in the Solution (this would apply for the presence of an item with the same name but with a different file extension)

FIX: DCT Editor was very slow on initial display of the Field/Column information for Columns defined as Derived Columns, if the Table also had Aliases

In debugging the DCT problem, we decided to make it easier to find these types of problems, and to do that we needed a feature. So, now we have this new feature:

FEATURE: Dictionary Editor Options (Tools->Options->Clarion->Dictionary Editor) new option to display the Parent Table next to the Derived columns

Which looks like this (new DCT option):

 

FEATURE: OpenFileViaRedirection Dialog now supports writing/pasting a Folder name instead of a file, and it will then open the regular OpenFile Dialog in that directory with the *.* filter selected.

For the File->Open (New Open via RED file):

There are several other important changes/fixes – and all are listed in the readme file.

Clarion11 going out to 3rd party devs

The huge Unicode/RTL/Compiler/Drivers implementation is progressing nicely, but compatibility issues remain (and will take time to eliminate), so a re-think was in order. We have a ton of fixes, changes, and new features, and we have made the decision to release C11 today to the 3rd party community, so that they can take advantage of the improved Template UI (details below) and modify their templates to make use of it.

We will continue to work on the compatibility issues while delivering a version of  C11 that assures the Clarion community can transition to version 11 with an absolute minimum of effort. Later on, we’ll release an update that can be run in parallel.

The next section highlights some of the improvements to Clarion 11, for the full list refer to the README.TXT file with the current build.

Templates
The Application Generator’s Template engine has been updated to provide for wider Template Dialogs (~2x wider). While older templates (pre-C11) will continue to work exactly as before this change, they might not look as good aesthetically. This new implementation will make working with template options a lot nicer (and easier on the eyes). Here are a few screenshots to give you an idea of how we made minor changes to the core templates (ABC and Clarion chains) to take advantage of the new UI possibilities.

There are numerous improvements in the IDE designed to help streamline your development cycle, and here are some of the notable ones:

App file date/timestamp

The Applications Pad now shows the date/timestamp so you can easily identify where you last worked, or what you need to get updated.

Accessing embeds

Requested very often, access to the Embeds is improved with new buttons on the Procedure Properties tab. You have quick access to both “Filled” and “Source” embeds. Fewer clicks == more productivity.

Full path for the current solution
Another developer request: to make it easier to work with multiple variations of your APPs, the full path to the Solution is shown in the Title bar (previously it was just the name of the Solution).

New shortcut button added to the Solutions Pad

User-defined text for indicating a Read-Only status

Usually any file opened in RO mode (like a DCT file opened when you have an APP that uses it loaded) displays the name of the DCT with a + sign appended to the name. This was possibly a bit too subtle, and some devs lost time/work making mods to the DCT only to find they couldn’t be saved (unless you closed the .SLN/App). To help with that we introduce user-defined text for read-only files. Here’s a screenshot

and here’s a screenshot of how it looks in action

DCT Editor: implemented new ‘Validation Choices’ dialog to add/edit/visualize, pairs of data, instead of entering a string pair separated by a pipe char (|)

Here’s a screenshot:

Tab Order Assistant / Actions and Embeds

We know that a lot of developers love to work from the TOA (Tab Order Assistant); now we’ve added another reason: direct access to both the Template Actions and the Embeds for the selected control.

Just a mention for one more shortcut, here’s one more in the Solutions Pad

Quick access to often used tasks

SQL drivers and Unicode data

Added support for UNICODE strings on the backend to the ODBC, SQLAnywhere, PSQL, and MSSQL drivers:

using PROP:NAME:

  UnicodeFile{PROP:Name, 2} = 'strFld | UNICODE'

and using a Driver String:

  driverString = driverString & '/UNICODE=TRUE'

A Look into what’s coming up next

The docs are done and these are implemented but are pending release to ensure ~100% compatibility.

BSTRING – The BSTRING is equivalent to the OLE API’s BSTR data type.

USTRING – Fixed-length Unicode string

VARIANT – The VARIANT is equivalent to the OLE API’s VARIANT data type.

INT64 – a SIGNED 64bit integer

UINT64 – an UNSIGNED 64bit integer

New implementation for Internationalization support

PUSHASTRINGS / POPASTRINGS – new functions for working with the ASTRING type

New user-defined Date pictures

New user-defined Time pictures

CHR function supports Unicode

VAL function supports Unicode

Pictures (@P, @N, @K, new style @D and @T) can use any displayable Unicode character.

Transition to the EMF format for Reports

A quick note

We’ve been extremely busy wrapping up C11 for Alpha/Beta 3rd party testing, updating documentation, and writing tests for all the new functionality coming to C11. In addition, we are also preparing for a final C10 release, and extending the Clarion chain in C11. In previous versions, the Clarion chain was extended to support ABC classes, but only at the local procedure level. In C11 the Clarion chain supports ABC classes at the global level, and that change will allow for the use of H5 in the Clarion chain.

So please be patient… and know that we are hard at work… for you.