Contributors, Mark your calendars!

11th and 12th June 2018

And the location is Oslo, Norway.

Oslo in June is a beautiful place to be, but the best part is that you will meet all the Qt Contributors!

The Qt Contributors’ Summit is an annual event open to anyone who has contributed toward the Qt project in the past year. Contributions can include code, helping on the forum, maintaining the wiki, or any other form of moving the Qt project forward. We are also happy to have advanced Qt users at the event, as there can never be too much user feedback.

For the past two years the Qt Contributors’ Summit has been run as part of bigger events. In 2016 we co-located with QtCon and last year with Qt World Summit. This year we want to have Qt Contributors’ Summit as it’s own event which focuses again more on the core Qt community.

Qt Contributors’ Summit is traditionally run as an unconference, participants bring their topics to the event and they are presented and discussed. We are thinking of changing the format somewhat, so that the topics can be prepared a bit more in advance and we could also have some hands on work ongoing at the event itself.

As always the event will be free of charge, but we will have a registration page, so we can prepare better.

If you are interested in sponsoring the event, please get in touch with me, we are more than happy to have help in making Qt Contributors’ Summit a great event.

I’m looking forward to seeing many of you in June in Oslo!

The post Qt Contributors’ Summit 2018 appeared first on Qt Blog.

I'm happy to announce that I just released qutebrowser v1.2.0!

qutebrowser is a keyboard driven browser with a vim-like, minimalistic interface. It's written using PyQt and cross-platform.

This release comes with a long changelog, but the most interesting changes are probably initial support for per-domain settings (I've had …

We are happy to announce the release of Qt Creator 4.5.2!

This release includes a workaround for an issue in Qt which makes Qt Creator’s summary progress bar and some other controls disappear (QTCREATORBUG-19716).

Get Qt Creator 4.5.2

The opensource version is available on the Qt download page, and you find commercially licensed packages on the Qt Account Portal. Qt Creator 4.5.2 is also available through an update in the online installer. Please post issues in our bug tracker. You can also find us on IRC on #qt-creator on chat.freenode.net, and on the Qt Creator mailing list.

The post Qt Creator 4.5.2 released appeared first on Qt Blog.

We are happy to announce the release of Qt Creator 4.6 RC!

Since the beta release we have been busy with bug fixing. Please refer to the beta blog post and our change log for an overview of what is new in Qt Creator 4.6. As always this is a final call for feedback from you before we release 4.6.0, so we would be happy to hear from you on our bug tracker, the mailing list, or on IRC.

Get Qt Creator 4.6 RC

The opensource version is available on the Qt download page, and you find commercially licensed packages on the Qt Account Portal. Qt Creator 4.6 RC is also available under Preview>Qt Creator 4.6.0-rc1 in the online installer, as an update to the beta release. Please post issues in our bug tracker. You can also find us on IRC on #qt-creator on chat.freenode.net, and on the Qt Creator mailing list.

The post Qt Creator 4.6 RC released appeared first on Qt Blog.

KNX Introduction

In its more than 25 years of history, KNX has an unrivaled track record of guaranteeing long-term support of automation solutions in any type of building.
Based on the KNX standard, building automation can be realized in a reliable, interoperable and extendable way: devices from over 400 manufacturers work together in a very stable distributed environment without a single point of failure. The current ecosystem is physically easy to install and logically configurable with one single tool, ETS™.

IoT is not an easy solution with cross-vendor support yet

Complexity has increased, reliability and interoperability are however still not guaranteed

• Many solutions are available that cover just one single use case (voice control, internet connected doorbell, lights and room temperature regulator controllable by App, …).
• To try to connect the different services provided by devices in a reliable way is not trivial.
• In many cases, the correct functioning of devices depends on internet connection.
• Customized software integrations can break upon every software update and is very complex to secure. Reliability and stability is not guaranteed over a longer period of time, a must for building automation.
• Integration may depend on cloud services managed by 3^rd party companies, out of control of the end user and with a specific business case in mind.

KNX and IoT

There are numerous good solutions from KNX manufactures to connect KNX to higher-level IoT systems already today. The internet side of these products is however not standardized or is created to match specific use cases.

As announced in 2016, as a first step towards standardizing the internet side of such KNX IoT gateways, KNX Association published the KNX web services specifications to allow aligning gateways to the existing web services protocols oBIX, OPC/UA, and BACnet web services.

Adding advantages from KNX to loT

As a second step in the KNX IoT project, KNX now wishes to make the key KNX advantages of interoperability, reliability, and extendibility also available on the IoT level. To demonstrate the goals, a demonstrator was created with Qt technology.

Qt KNX module

Qt KNX implements the client side of a connection between a client and a KNXnet/IP server. This connection enables sending messages to the KNX bus and controlling the functionalities of the KNX devices. The Qt KNX module is currently available as a Technology Preview as part of Qt for Automation add-ons. More details on the Qt KNX module can be found here: https://resources.qt.io/qt-knx/. Documentation: http://doc.qt.io/QtKNX/qtknx-overview.html/

Qt demonstrator

For the new KNX IoT solution, it is crucial that all device types can seamlessly tap into the communication. The demonstrator includes a representation of all possible involved device types. The goal is to explain the advantages of each type towards the overall solution.

The demonstrated devices include:

• KNX devices on twisted pair and radio frequency.
• NXP development boards with Thread group network stack, integrated with the KNX application layer
• RaspberryPi devices representing capable devices and cloud server
• A Linux desktop

The setup underlines the key points of the KNX IoT solution:

• Semantic interoperability
• A distributed solution containing both Classic and IoT device/services
• Integration of KNX Classic devices
• Integration of Fairhair group network devices based on Thread as example for constrained field bus level network
• High availability and eventual consistency, demonstrating how the distributed solution copes with device and network failures

Demo cases

1. Data is synchronized in real-time. Light color can be changed by any of the components, change is visible on all others
2. The system still works when disabling components, demonstration of how parts recover
3. The system works when the internet connection is down, requests for color changes can still be made from all sides (execution will not be immediate on all sides, but as soon as the broken link in the network is restored)
4. Show data-driven messages
5. Show semantic model
6. Show integration with Google drive

The Qt framework was chosen to easily create this setup for several reasons:

• Single codebase usable for RaspberryPi graphical solution + Android + Linux desktop
• Low effort to create a visually appealing interface, including animations and high framerate for smooth animations and movements within the frontend.
• Network libraries giving a better abstraction for networking
• Qt is also used for the authentication against the Google API
• Qt KNX is used to connect to KNXnet/IP to interact with the devices on Twisted pair and radio frequency

Summary

The KNX IoT solution will lower the barrier to access KNX as part of the Internet of Things. The aim is to reduce the knowledge required and open the current KNX ecosystem to non-KNX IT specialists through ‘out-of-the-box’ operation, while still allowing advanced configuration and adaption by specialists.

The KNX IoT solution is defined in partnership with key KNX manufacturers and standardization bodies (like Fairhair and the Thread group). KNX is also working on proofs of concept to validate the solutions. Qt makes it possible to concentrate on the key points and keep the code clear from system-specific implementations in these proofs of concepts.

Leveraging standards ensures that the value of KNX products is increased and long-term support can be guaranteed in a constantly changing IoT world. KNX has the advantage of a large KNX install base, which allows drawing on a wealth of experience that will help successfully extending the KNX integration into the Internet of Things.

More details on the KNX IoT project can be found here: https://www.knx.org/knx-en/Landing-Pages/KNX-IoT/

“The Qt Company is exhibiting at Light+Building 2018 at Hall 8.0 F98 as part of the KNX member booth and our experts will be on hand to discuss building cost and time efficient building automation applications. “

The post Qt used to demonstrate KNX IoT possibilities at ISE and L+B fairs appeared first on Qt Blog.

We’re excited to announce that Swift 4.0 has reached full release status. The packages can be downloaded from the releases page and a full list of new features can be found in the 4.0 changelog.

We encourage everyone to get the new build and try it out, and give us feedback on our latest release.

With the introduction of the Qt Quick software renderer it became possible to use Qt Quick on devices without a GPU. We investigated how viable this option is on a lower end device, particularly the NXP i.MX6 ULL. It turns out that with some (partially not yet integrated) patches developed by KDAB and The Qt Company, the performance is very competitive. Even smooth video playback (with at least half-size VGA resolution) can be done by using the PXP engine on the i.MX6 ULL.

continue reading

The post Qt Quick without a GPU: i.MX6 ULL appeared first on KDAB.

Cutelyst the Qt/C++ web framework just got a major release update, around one and half year ago Cutelyst v1 got the first release with a stable API/ABI, many improvements where made during this period but now it was time to clean up the mistakes and give room for new features.

Porting applications to v2 is mostly a breeze, since most API changes were done on the Engine class replacing 1 with 2 and recompiling should be enough on most cases, at least this was the case for CMlyst, Stickyst and my personal applications.

Due cleanup Cutelyst Core module got a size reduction, and WSGI module increased a bit due the new HTTP/2 parser. Windows MSVC was finally able to build and test all modules.

WSGI module now defaults to using our custom EPoll event loop (can be switched back to Qt's default one with an environment variable), this allows for a steady performance without degradation when an increased number of simultaneous connections is made.

Validators plugins by Matthias got their share of improvements and a new password quality validator was added, plus manual pages for the tools.

The HTTP/2 parser adds more value to our framework, it's binary nature makes it very easy to implement, in two days most of it was already working but HTTP/2 comes with a dependency, called HPACK which has it's own RFC. HPACK is the header compression mechanism created for HTTP/2 because gzip compression as used in SPDY had security issues when on HTTPS called CRIME .

The problem is that HPACK is not very trivial to implement and it took many hours and made KCalc my best friend when converting hex to binary to decimal and what not...

Cutelyst HTTP/2 parser passes all tests of a tool named h2spec, using h2load it even showed more requests per second than HTTP/1 but it's complicated to benchmark this two different protocols specially with different load tools.

Upgrading from HTTP/1.1 is supported with a switch, as well as enabling H2 on HTTPS using the ALPN negotiation (which is the only option browsers support), H2C or HTTP/2 in clear text is also supported but it's only useful if the client can connect with previous knowledge.

If you know HTTP/2 your question is: "Does it support server push?". No it doesn't at the moment, SERVER_PUSH is a feature that allows the server to send CSS, Javascript without the browser asking for it, so it can avoid the request the browser would do, however this feature isn't magical, it won't make slow websites super fast , it's also hard to do right, and each browser has it's own complicated issues with this feature.

I strongly recommend reading this https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/ .

This does not mean SERVER_PUSH won't be implemented, quite the opposite, due the need to implement it properly I want more time to study the RFC and browsers behavior so that I can provide a good API.

I have also done some last minute performance improvements with the help of KDAB Hotspot/perf, and I must say that the days of profiling with weird/huge perf command line options are gone, awesome tool!

Get it! https://github.com/cutelyst/cutelyst/archive/v2.0.0.tar.gz

If you like it please give us a star on GitHub!

Have fun!

Get your free ticket to Embedded World Nuremberg, courtesy of KDAB. Register here with code B377411.
Meet us on the Qt stand, Hall 4-258.

This year we've a training info point where you can find out about our on-site or scheduled, Introductory or Advanced courses in Qt, Modern C++, Qt 3D, OpenGL, Profiling and Debugging and more.

Or you can Ask the Experts if you have technical questions about any of these technologies, and get our latest publications, including a paper on C++ Modernization.

At Embedded World this year we will show the Qt Quick Software Renderer in action on the very competitively priced NXP i.MX6 ULL platform.

It's challenging to provide a fluid 60fps touch UI and H.264 video decoding on such hardware, with no GPU or hardware video decoding acceleration. Yet it's very much possible, having the full feature set of Qt at your disposal, even with as little as 64MB of RAM and/or Flash memory. We'll be giving you the full story in a blog post soon:

Qt Quick Software Renderer

• NXP i.MX6 ULL (no GPU/VPU/IPU)
• 64MB RAM/Flash
• Fluid 60fps touch UI
• H.264 video decoding using PxP acceleration
• Full Qt feature set available

Other demos on display:

CCI 1200 Agricultural Machinery Terminal

• intelligent control where the driver needs it

Qi - Cellular Tissue Imaging in Qt 3D

• using pictures to help profile and diagnose disease
  

Qt Automotive Suite

• a comprehensive package for automotive IVI systems

KDAB GammaRay

• letting you see your Qt code live at runtime
  

Clazy Static Code Analyzer

• the Qt-oriented code checker and clang plug-in

KDAB Hotspot Profiler for C++

• a GUI making Linux Perf accessible

See more on our demos here.

Get your free tickethere with code B377411 and meet us on the Qt stand, Hall 4-258.continue reading

The post KDAB at Embedded World Nuremberg appeared first on KDAB.

KDAB is sponsoring ACCU, the foremost annual conference in the UK for people interested primarily, but not just, in C++ and C. See the program here.

We're offering registrants to ACCU 10% off any KDAB training in 2018. Sign up!

and Meet us there.

Find out more about KDAB's C++ services, C++ modernization and C++ Training.

continue reading

The post KDAB at ACCU appeared first on KDAB.

It’s time to share who the Qt Champions for 2017 are!

As always, all the nominees were incredible people. It is hard to decide who is most worthy of the Qt Champion title. I asked for help from our lifetime Qt Champion Samuel Gaist, and together we faced the tough decision.

And without further ado, here are the new Qt Champions:

@mrjj and @kshegunov have been granted the Community Builder title. Beside answering questions on the forum @mrjj is always ready to try or build test applications in order to help fellow members to solved their problem. @kshegunov‘s deep C++ knowledge and insightful comments are always appreciated for moving the debate further.

@dheerendra is this year’s Ambassador for all the work he is doing in India that promotes the use of Qt through local meetups, training and also the forum.

@marco_piccolino gets the Content Creator reward. Outside of being the driving force behind the qtmob slack channel, Marco is also the author of the Qt 5 Projects book.

@aha_1980 is the 2017 QA Champion. While being present on the forum he’s also very active on the bug reporting front helping on triaging, improving the reports and fixing these nasty bugs especially on the QtSerialBus module.

The Developer title goes to @orgads. His work on Qt’s internal might not be visible to the outside but his gerrit record speaks loudly. Between his own patches and reviews, his helpfulness and friendly nature is praised by his peers.

Our Maverick Of The Year is @benlau ! Ben provides numerous helper libraries covering interesting aspects like promises handling for QML and C++, custom Android components and more.

Thank you everyone for your involvement in Qt, you make the community a better place for everyone!

And congratulations to all the Qt Champions!

The post Qt Champions 2017 appeared first on Qt Blog.

KDSoap is a tool for creating client applications for web services without the need for any further component such as a dedicated web server.

KDSoap lets you interact with applications which have APIs that can be exported as SOAP objects. The web service then provides a machine-accessible interface to its functionality via HTTP.

Changes in 1.7.0

General

• Qt 5.9.0 support (compilation fix due to qt_qhash_seed being removed, unittest fix due to QNetworkReply error code difference)

Client-side

• Fix unwanted generation of SoapAction header when it should be empty (SOAP-135).
• Abort the connection when destroying a job with a pending call (SOAP-138).

WSDL parser / code generator changes, applying to both client and server side

• Add support for body namespace specification in RPC calls.
• Fix namespace handling in typename comparison for optional element used inside itself (github issue #83).
• Add missing include in generated header, when an operation's return value needs one (ex: QDate) (github issue #110).
• Fix namespace handling in restriction and extension tags
• Fix wrong indentation of "};" for classes inside namespaces

Links

• You can see the changelog here.
• The source code can be found on GitHub here.
• Tarballs and zipballs are available here.
• Prebuilt packages for some popular Linux distributions can be found here  (use the qt5-kdsoap packages unless you are still on Qt4).
• We also provide Homebrew recipes (Qt4 and Qt5 based versions) for the Mac folks.
  See https://github.com/KDAB/homebrew-tap
• If you use KDAB Commercial you'll need to wait a few days for the download area to be updated.

• Find out more and how to download KDSoap here.

continue reading

The post KDSoap 1.7.0 is released appeared first on KDAB.

Expanding your team’s software development capacity is something that most managers will encounter at some point in their careers. There are several ways to do this – three of the most common options are hiring new employees, using a service company, or incorporating onsite contractors. Regardless of which route you choose to go, software certifications are an effective tool to help you identify the right resources. Qt certifications are a case in point.

Originally created by Nokia, the Qt certification program has been running for many years and is available through a number of third-party providers worldwide. It is a well-respected program, known for its fair and impartial grading, and is considered to be an accurate measure of Qt skill level, making it a no-brainer as a hiring/outsourcing criterion for your next Qt project.

The biggest benefit to you as a manager is knowing that Qt certified engineers have solid knowledge of the framework as well as the ability to apply it to real-world situations. A secondary benefit is knowing you’ve got engineers who are dedicated professionals willing and able to learn new skills, and adapt to the dynamic demands of the workplace.

Here’s what the different certifications mean:

• Certified Qt and QML Developer– demonstrates that the holder has a baseline knowledge of creating, building, and debugging Qt and QML applications
• Certified Qt C++ Specialist– confirms that the applicant has a sound working knowledge of UI creation using widgets as well as Qt C++ modules, APIs, and patterns
• Certified Qt Quick Specialist– verifies that the developer has a solid understanding of UI creation using Qt Quick and QML

KDAB certification
We at KDAB consider certifications to be vital. In fact, all KDAB engineers are Certified Qt and QML Developers at a minimum, and many have one or both of the extended certifications. Feel free to call us if ever you find yourself in need of Qt reinforcements! continue reading

The post Certifiably Qt appeared first on KDAB.

We are happy to announce the release of Qt Automotive Suite 2.0, the Qt solution for digital cockpits, developed in collaboration between KDAB, The Qt Company and Luxoft.

The Qt Automotive Suite provides OEMs and Tier1s with powerful frameworks and tools to build a consistent user experience for both the instrument cluster and the center stack. As it's built on top of an open platform, the Qt Automotive Suite makes it possible for the automakers to stay in complete control of the user’s brand experience.

The Qt Automotive suite seamlessly integrates KDAB's runtime introspection tool GammaRay in Qt Creator, with embedded device support of Qt for Device Creation. See the release blogs for GammaRay 2.8 and GammaRay 2.9 for a summary of the new features and improvements.

Another focus area for KDAB has been a revamp of the Qt IVI module, providing a flexible framework to design and create APIs to platform middleware. Using an IDL and code-generation, as well as ready-made simulation backends, enables work before the full hardware or software stack is available. Having tooling support built in makes your APIs runtime instrospectable out of the box, for easy debugging or automated testing. For more details, see KDAB engineer Mike Krus' presentation about the Qt IVI changes.

There are many more improvements in Qt Automotive Suite 2.0, make sure to check out the release blog.

See Qt Automotive Suite 2.0 in action, visit KDAB at the Qt stand in Hall 4-258 at Embedded World 2018. continue reading

The post Qt Automotive Suite 2.0 Released appeared first on KDAB.

Why would anyone want to hack an application or a device? And how would they go about their attack? And, most importantly, how can you protect your software against malicious attacks?

This post is a follow-up to part 1 of the topic. This time we take a fairly detailed look at attackers’ motivations, methods and the ways to deter most attacks from succeeding. This blog post is aimed primarily at anyone who have specific reverse engineering or tampering related risks in their systems, for example related to processing licenses, valuable content or media, proprietary algorithms or financial transactions.

Why would anyone want to hack my software?

“We’re not Facebook or handle ultra-sensitive data – why would anyone want to hack us?” It is easy to think that our application does not attract attackers to take the effort to reverse engineer the software.

However, there are several reasons why attackers might want to target any application. Here are the most common motivations.

Circumventing a licensing check

This is one of the most common targets. The attacker tries to disable the logic that checks for a valid license in order to be able to use the application without limitations. The usual way to achieve this is by modifying the application binary.

Extracting secret keys or passwords

Applications often contain embedded information which is used to encrypt the data stored in the application, enable protected communication for example with a cloud backend, or enable the application to use other resources that require authentication. By carefully analysing the application binary, it is easy to locate and extract the secret keys or passwords, if they are not protected.

Understanding how a proprietary algorithm works

Many applications contain implementations of algorithms that have intellectual property value. These may be developed by the company developing the application, or parts of the application that are licensed from other developers. If the algorithm code is not obfuscated in any way, the pseudo-code of the algorithm can be easily extracted from the application binary.

Finding open vulnerabilities that can be exploited to attack running systems

Many applications use third party modules (code, libraries, other assets) either directly or indirectly. Any such modules can have vulnerabilities. Further, updating such modules, especially in embedded applications, may not be straightforward. Obtaining knowledge of such vulnerabilities can be used to attack other systems that use the same modules.

Changing the application’s operation

Sometimes the attackers aim to change the behavior of the application, but only very slightly, so that the changed application is virtually not distinguishable from the original application. For example, consider an application used for financial transactions, used by consumers or businesses. If an attacker is able to distribute a slightly altered version that is able to manipulate a recipient’s bank account number, it is possible to gain significant monetary benefit in a short time before anyone notices the attack.

Changing the device operation or configuration

Physical devices depend more and more on the device software, such as firmware or special applications. Because of this, the configuration of devices is often done purely with software. For example, a high power variant of an engine may be just a locked configuration in the engine controller software. In this kind of scenario, the attacker aims to perform “feature unlock attack” by targeting to modify the controller software.

Making and distributing an application version that crashes or jams

Sometimes the attacker’s target is not to directly benefit from modifying the application. Instead, the target may be simply to cause harm to the services related to the application. For example, an application that crashes every time a certain operation is performed may cause significant monetary losses or bad reputation for the related services.

How attackers think – Popular hacking methods explained 

To protect your application against various kinds of attacks, it is useful to first think like an attacker. Try to think of the obvious ways to attack specifically against your application and the different motivations an attacker might have.

Even more importantly, think out of the box: what would be the unlikely but still possible attack against your application? Also, put yourself in different user roles and try to identify the ways to attack from the viewpoint of each responsibility actor of your application. The actors typically operate over trust boundaries and that may then reveal execution paths or data flow which initially do not seem likely or possible.

Static binary analysis

Probably the most common way to attack an application is static binary analysis. It is often easy to obtain the actual binary. Tools to analyse the binary are available either free or with a reasonable cost. Tools allow parsing and extracting the various parts of the binary with a single click. There is no need for the attacker to write custom code for every target platform or architecture.

A typical application binary contains multiple types of sections. They can be roughly categorized as sections containing code, sections containing static data such as strings and sections containing runtime data. Out of these, the code and static data sections are the most interesting for the static analysis context.

Static data sections, such as a string section, usually contain the data that can be considered as application assets. It is deceptively easy to think that data embedded as strings is protected from attackers. That is not the case. In the worst case, the string data may contain even passwords or application’s secrets in plain format. If they are un-encrypted or un-obfuscated, extracting the string values is as easy as reading a book.

The code section contains all of the application logic. Disassembler tools can easily resolve the pseudo code structure, call hierarchy, local and global variable references and other similar information. But even an average-sized application will contain lots of binary code. So, the aim of the attacker is not to resolve every line of code. Instead, the aim is to identify the relevant parts of code to be used as the target for the attack.

For example, a few hundred instructions containing a license check logic is an attractive target for an attack. It does not require very special knowledge to break the license check. At the very minimum, modifying one single instruction may be enough.

Capture from Hopper disassembler tool demonstrating the control flow capabilities

Dynamic binary analysis

If an application is using the typical first level of protection, the code obfuscation, static binary analysis may not be enough to reveal the secrets. The typical next step is dynamic binary analysis. This means basically analysing the application operation in runtime: collecting all the possible data from code execution and memory usage and analysing the execution paths that can’t be revealed with static analysis.

There is a wide range of tools available for dynamic analysis. The free or low-cost tools provide the basic capability for disassembling and debugging an application. But there are also high-end tools, such as IDA Pro, which are built with loads of tools for analysing the target binaries.

A crucial element of dynamic binary analysis is to also understand the attack context. The typical attack context is so-called “whitebox attack context”. It means that the attacker has full access to the target application, to the application binary and to the execution environment. In practice this means that the attacker is able to control every aspect of application execution when trying to break it or steal its secrets.

Why is the attack context so important? Because it drives the assumptions what the developer can do about possible attacks and how they affect your application. Once again, it is easy to assume that “as my application is running in environment X, attack type Y is not applicable”. But very often, usually due to the resourcefulness of the attacker, the attack context ends up being the whitebox attack which means that the assumptions done in the design phase are the ones which eventually leave the application vulnerable. For example, developer may think that if an application is running in an embedded device, an attacker has no meaningful access to it. But in reality, attacker could gain access to device firmware, remove the software protection in the firmware, and then attack the application directly.

Another important concept is so-called “code lifting”. Code lifting refers to the scenario where the target application can be lifted for example to a simulator environment where the attacker has full capability to control the code execution or monitor the memory usage – even kernel memory. This is often paired with the white-box attack context. First the attacker gain access to the target application binary, and then moves it to another execution environment.

Methods to protect applications and devices against hacking

In the first blog post, we presented some basic methods for protection of your application, such as using static linking instead of dynamic linking, and making sure that the symbol stripping is enabled when generating the final application binary. But when there is a need for more comprehensive protection, there are additional methods for protecting applications against various kinds of attacks.

These methods can be roughly divided to four categories:

• Obfuscation
• Anti-tampering
• Anti-debugging
• Whitebox cryptography

Obfuscation

The purpose of code obfuscation is to mainly prevent static analysis. Typical ways to perform code obfuscation is adding obfuscation of the strings used in the application, encrypting the static data sections of the binary so that they are decrypted when the application starts, and adding artificial code structures or execution paths which cannot be resolved with static analysis.

An example of code obfuscation would be a case where a code block is paired with a parallel “copy block” and the execution of the two blocks is controlled with a conditional branch with specific characteristics. The branch logic should be deterministic so that the developer can trust that the code is executed correctly, but static analysis can’t deduce the runtime behavior.

Just like static analysis is the first way to perform an attack, it is also the first level of defense. For example, a high-quality disassembler may be able to see partially through the obfuscation patterns. Also, the quality of modern compilers poses a problem. Fake code blocks may be wiped away by code optimization and hence decrease the quality of obfuscation.

Anti-tampering

The purpose of anti-tampering is to protect the application against dynamic analysis. While there are various approaches on how to implement anti-tampering, the basic idea is that the original application binary is modified to include additional code that does runtime checking of the binary. Such code snippets monitor specific areas of the binary to check if the area is modified and perform counteraction if a modification is detected.

Applying anti-tampering is very much application and execution environment specific. For example, there is a tradeoff between how much code modification checks can be used vs. the performance of the application. Also, the target architecture plays a major role: an approach that works well in certain environment may not protect the application in a different environment.

This also means that adding anti-tamper protection is much more tedious that adding basic code obfuscation. While code obfuscation can be usually applied at the compiler frontend level, anti-tampering has a dependency to compiler backend and architecture-specific parts.

Anti-debugging

The purpose of anti-debugging is simply trying to prevent the attacker from performing code lifting and running the application in a simulator or a similar environment with a debugger. Being able to use a debugger is often a big aid for the attacker as it enables the attacker to stop code execution and monitor the application memory space and registers at any point of time.

The usual approach for implementing anti-debugging is trying to detect the debugger process and preventing it from hooking the target application. The big challenge is that the attacker may try to attach the debugger at any point of application execution. It is not enough to only perform such check when the application is starting, for example. Resolving this challenge is not trivial. Detailed knowledge about the debugger behavior is required, and the anti-debugging logic must be built to protect from all possible ways to utilize the debugger.

Whitebox cryptography

Whereas code or string obfuscation tries to obfuscate the static application data, it does not distinguish security critical data from other static data. Hence, any application containing data such as cryptographic keys needs to have a solution for protecting these critical assets. It may prove to be very difficult to protect the keys only, but there is an alternative solution: whitebox cryptography.

The target of whitebox cryptography is to be able to protect the cryptographic keys even in an environment subjected to a whitebox type of an attack. The usual approach to implement whitebox cryptography is to integrate the key for a cryptographic algorithm as part of the algorithm implementation itself. That means, the key becomes an inseparable part of the algorithm implementation.

The benefit here is that instead of using the cryptographic key in an application, it is possible to use whitebox implementation of the algorithm directly, and no keys are exposed to the attacker.  For example, one of the most commonly used cryptographic algorithms is AES algorithm. It has been a target for wide academic research from whitebox cryptography perspective, and it is also an essential algorithm to have in the product feature set for whitebox cryptography vendors.

Example case: INSIDE Secure tools
INSIDE Secure is an example of a state-of-the-art code protection tool vendor. Their Code Protection toolset can be run on a Qt application to both obfuscate the binary and static data including string, and make the Qt application self-protecting against tampering, irrespective of the integrity of the environment.

This makes it very hard to circumvent licensing checks, find out sensitive IPR, or breach the application integrity when processing financially valuable transactions.

Summary

A successful protection of an application is always a sum of its parts. As a developer, if you neglect one area, you will leave your application vulnerable to certain kind of attacks. Consequently, serious application protection is something that a normal developer should not try to implement by himself. There are a number of high quality tools available for just this purpose. Just go and pick the right one for you – and remember that a commercial license of Qt allows using these means of protecting your application or a device.

Can we help you?

Intopalo is a Qt Service Partner that specializes in software security. If you are not sure where to start, we are more than happy to give you a hand and guide you to the right direction. Visit Intopalo website for more information.

The post Protecting a Qt Application or a Device Against Hacking, Part 2 appeared first on Qt Blog.

Many new features were added to Qt 3D in the 5.10 release. One of them is the support for sprite sheets as provided by QSpriteGrid and QSpriteSheet and their respective QML items.

One way of animating things is to switch between many different versions of the same object at different points in time, like the flip books we all enjoyed as kids. If you flip fast enough, you get the illusion of animation.

In the context of OpenGL and Qt 3D, images are simply textures and are very commonly used to add details to 3d models. The naive approach to animating texture would be to use lots of them. However, switching textures has a very high cost so traditionally modellers will use texture atlases, where all the images are arranged into a single texture. This does complicate modelling slightly as the original texture coordinates need to be modified to point to the portion of the atlas that now contains the relevant image.

In effect, sprite sheets are simplified atlases that take care of this for you. They are commonly used in 2d or 2.5d applications to animate effects or characters.

Building Sprite Sheets

Simple sprite sheets are just regular grids of images.

However, as with general atlases, all individual images need not be the same size or be arranged in a grid. In that case, individual sprites need to be specified by their bounding rectangle within the texture.

There's a number of applications that can be used to create them. Blender can output steps in animations to a sprite sheet. TexturePacker can also be used to assemble pre-existing images.

Texture Transforms

In the simplest case, a sprite will be mapped on to planar surfaces, a simple rectangle. When applying textures to a surface, you of course need to provide texture coordinates, mapping points to pixels in the texture. In the case of the PlanarMesh, precomputed texture coordinates will map to textures such as it covers the entirety of the surface.

However, if the source texture is a sprite sheet, then the texture coordinates do not work any more as we want to cover the specific sprite, not the entire sheet.

One thing you do NOT want to do is replace the texture coordinates every time you want to change sprite.

In effect, texture coordinates need to be:

• scaled to cover the range of a sprite cell
• offset to specify the right origin

This transformation can easily be encoded in a 3x3 matrix which is applied to texture coordinates in the vertex shader. In order to support this, QTextureLoader has been extended with a textureTransform parameter which is passed to the shader as a uniform.

Putting it all together

A sprite sheet is conceptually very simple in Qt 3D. It has:

• a list of "areas", one for each sprite
• a current sprite index in that list
• an input texture to pick sprites from
• a 3x3 texture transform matrix which is updated every time the current index changes

So simple animations can be achieved by changing the current sprite index and binding the texture transform to the matching property in the QTextureLoader instance.

Sprite Grids

QSpriteGrid is used when sprites are arranged in regular grid.

Entity {

    PlaneMesh {
        id: mesh
    }

    TextureMaterial {
        id: material
        texture: TextureLoader {
            id: textureLoader
            source: "spritegrid.png"
            mirrored: false
        }
        textureTransform: spriteGrid.textureTransform
    }

    SpriteGrid {
        id: spriteGrid
        rows: 2; columns: 6
        texture: textureLoader
    }

    components: [ mesh, material ]
}

Images in the grid are assumed to be arranged in row major order. So currentIndex must remain between 0 and rows * columns.
The texture property points to the image containing the sprites. The current index, number of rows and columns and the actual size of the texture are all used to compute the texture transform.

Sprite Sheets

QSpriteSheet is used when the sprites are not all the same size and/or are not organised in a grid. You then need specify the extent of each sprite.

Entity {

    PlaneMesh {
        id: mesh
    }

    TextureMaterial {
        id: material
        texture: TextureLoader {
            id: textureLoader
            source: "spritegrid.png"
            mirrored: false
        }
        textureTransform: spriteGrid.textureTransform
    }

    SpriteSheet {
        id: spriteSheet
        texture: textureLoader

        SpriteItem { x:    0; y:   0; width: 250; height: 172 }
        SpriteItem { x:  276; y:   0; width: 250; height: 172 }
        SpriteItem { x:  550; y:   0; width: 250; height: 172 }
        //...
    }

    components: [ mesh, material ]
}

The currentIndex must remain between 0 and the number to QSpriteItem children.

Example

[video width="1014" height="758" mp4="https://www.kdab.com/wp-content/uploads/stories/qt3dexplosion.mp4"][/video]

In this example, we use a sprite grid which contains frames of an explosion. A timer is used to change the current index. While the animation runs, the object is faded out.

Looking straight on, you see a rather nice effect. The illusion becomes clear when you look at it sideways and see the plane on which the texture is mapped.

Notes:

• In the general 3d case, it is common to combine sprite sheets with billboards in order to keep the plane aligned with the screen. This can normally easily be done in the shaders.
• QSpriteSheet doesn't currently support rotated sprites.
• QTextureMaterial does not currently support alpha blending, so transparent portions of the textures will appear black. This can worked around by building a custom material and will be fixed in 5.11.
• One of the problems with putting all the images in one texture is that you get quickly limited by the maximum texture size. For bigger images, a more modern approach may be to use QTexture2DArray. However, in this case all images need to be the same size. But the only limit then would be the maximum texture size and the amount of texture memory available...

 continue reading

The post New in Qt 5.10: Texture Based Animations in Qt 3D appeared first on KDAB.

We are happy to announce the release of Qt IFW 3.0.4.

3.0.4 is a bug fix release, here are some of the fixes:

• Add possibility to skip proxy with –no-proxy -option
• Fix infinite wait if downloadable package is missing
• Avoid admin query popup with –checkupdates -option
• Fixed Mkdir operation in uninstall

The full list of bug fixes can be found from ChangeLog.

Precompiled binaries for the Installer Framework can be downloaded from Qt Online Installer, sources and binaries can be found also in download.qt.io (open source) or in your Qt Account.

The post Qt Installer Framework 3.0.4 Released appeared first on Qt Blog.

KDAB is sponsoring ACCU, the foremost annual conference in the UK for people interested primarily, but not just, in C++ and C. See the program here.

We're offering registrants to ACCU 10% off any KDAB training in 2018. Sign up!

and Meet us there.

Find out more about KDAB's C++ services, C++ modernization and C++ Training.

continue reading

The post KDAB at ACCU appeared first on KDAB.

We are happy to announce the release of Qt Creator 4.6.0!

C++ Support

C++ is changing a lot these days, and to catch up with these developments we upgraded the backend for the Clang based code model from Clang 3.9 to 5.0. This enables support for many C++17 features that were not available in Clang 3.9. Since the ClangCodeModel plugin is not enabled by default, you have to make sure to enable it in Help>About Plugins (Qt Creator>About Plugins on macOS), to benefit from this upgrade.

In the animation above you see our new integration of Clang-Tidy and Clazy warnings into the diagnostic messages in the C++ editor. Since some checks can be time consuming, and other checks can produce false positives to varying degrees, they are not enabled by default. To enable them go to Options>C++>Code Model>Clang Code Model Warnings, create a copy of one of the presets, and choose the checks that you want to be performed.

If you enable the Clang code model, that is now also used for the informational tooltips on symbols in the editor. They now resolve auto to the actual type and show template parameters for template types. They show the first or the \brief paragraph of a documentation comment, too.

We also added separate highlighting of function definitions and fixed some issues with saving header files on Windows while Clang has a grip on them.

Navigation

We added 3 more filters to Locator. Type “b” to jump to a bookmark, filtering on file name and notes. The other two are not directly related to navigation but nevertheless useful.
The filter “t” triggers an item from the main menu. You can either use the display name of the item to locate it, or parts of the menu path leading to it. For example “t sess expe” could be used to trigger the menu item File>Sessions>Experimental Something.
Use “=” to evaluate simple ECMAScript (JavaScript) expressions. You have all functionality from the ECMA-262 specification at your disposal, and for convenience, we also added the functions from the Math object as global functions (so you can write “max(1, 2)” instead of “Math.max(1, 2)”).

We continued the work on the File System navigation pane that we started with 4.5. It now offers breadcrumbs for the file path at the top, and we added actions for adding, removing, and renaming files to its context menu.

Model Editor

Thanks to Jochen, the original contributor, the model editor received a big update in this release. First of all we removed the experimental state and made it available by default. We cleaned up the UI a bit, adding the zoom actions to the editor tool bar, and moving the export actions to the File menu. You can export only selected elements or the whole diagram to images. The editor now supports text alignment and multi-line object names. A wider range of panes now supports drag & drop of items.

There have been many more improvements all over Qt Creator. Please have a look at our changelog for a more detailed overview.

Get Qt Creator 4.6

The opensource version is available on the Qt download page, and you find commercially licensed packages on the Qt Account Portal. Qt Creator 4.6 is also available as an update in the online installer. Please post issues in our bug tracker. You can also find us on IRC on #qt-creator on chat.freenode.net, and on the Qt Creator mailing list.

The post Qt Creator 4.6.0 released appeared first on Qt Blog.

Embedded World, the leading exhibition for the international embedded community, just had its 16th edition and is still growing, with more than 1000 exhibitors and over 32,000 visitors from 78 countries in 2018.

Software was more central to the exhibition than ever before, so it’s no wonder this is KDAB’s 8th year in a row exhibiting.

What we showed

At our booth you could see a wide range of client showcases, as well as our C++ and Qt tools, Hotspot, Clazy and GammaRay. And good news! If your device doesn't have a GPU, it's now easier than ever to build a fluid user-interface with Qt Quick on such hardware, as demonstrated by the i.MX6 ULL demo we premiered during Embedded World.

There was a lot of interest in our services around Qt and our Intro to Qt whitepaper. But there was also a notable increase in demand for C++ modernization, due to the evolution of the C++ language reaching a wider part of the embedded community.

Read more and download the C++ modernization brochure.

Read more and download our Intro to Qt whitepaper.

If you couldn't join us, find out more about our demos here.

Next year at Embedded World

According to the organizers, more than 97% of this year’s visitors already confirmed they will come again in 2019, so don’t miss the next edition and the opportunity to stop at our booth to see the latest C++/Qt/OpenGL innovations.

Save the dates for Embedded World 2019: 26-28 February, in Nuremberg, Germany.

We sure won’t miss it!

 continue reading

The post KDAB at Embedded World 2018 appeared first on KDAB.