Commentary on “How to Get to the President's Cottage at Five in the Morning”

    It would be strange to hunt for errors in programs for a living and walk past this article.

    I want to make a few comments. Their main point is that this does not look like a sinister backdoor. The code reminds me more of a test prototype than of a finished application, so perhaps things are not as scary as the author of the article presents them. Firstly, the code contains an error, and random numbers are used all the time, not just in a narrow time window; in reality such a thing would hardly have slipped through system testing. Secondly, there is such a thing as software certification, and a code fragment like this one is the first candidate to be caught by it.

    My scepticism about the scale of the threat


    As it happens, just a few days ago I was telling my colleagues about an example of a backdoor that used the rand() function. I do not remember how the discussion started, but in the course of it I argued that a primitive search for every use of the random-number functions sometimes makes sense and should not be laughed at. I had read an article or seen a presentation that gave such an example.

    A backdoor was found in the software of one of the banks. After a certain time, one of the functions began to return random values. Apparently its author decided to leave a time bomb in case he was fired from the company or something of the kind. The backdoor was found during a code audit. As I understand it, the code was corrected in time, and the author of this creation got what he deserved.

    As luck would have it, I could not find that article or presentation to link to. I know for certain that I read something of the kind, but I do not remember at all when or where. So I apologize, but I cannot give a link as proof.

    I told my colleagues all this to make the point that even such a simple action as reviewing every place in the program where certain functions are used is not a pointless exercise. Of course, a backdoor can be hidden so cunningly that nobody will find it. Nevertheless, even such a simple method sometimes gives a useful result when we are dealing not with a cunning intelligence service but simply with a short-sighted programmer.

    So, with the recent discussion with colleagues in mind and having read the article “How to Get to the President's Cottage at Five in the Morning”, I realized that I have something to say. In my opinion, all of this is more in keeping with raw, unfinished code than with insidious and terrible designs.

    First: this looks more like a prototype than a finished solution


    To begin with, consider this fragment of code:

    unsigned short Hours, Minutes;
    ....
    bool hungrytest = Hours && Hours > 5 && Hours < 6 &&
                      Minutes > 0 && Minutes < 30;
    ....
    CreatePoint_(post, advangle,
                 hungrytest ? PureDataRFZY_[posrt].r_fr : random(100));
    

    The author of the article is probably not very familiar with C++ or was not attentive enough. In fact, there is no window of vulnerability in the morning from 5:01 to 5:29. If anything, the system is vulnerable around the clock.

    The expression is written incorrectly. Note that the 'Hours' variable has an integer type. This means that whatever value is stored in 'Hours', the condition "Hours > 5 && Hours < 6" is always false: there is no integer strictly between 5 and 6.

    Consequently, the variable 'hungrytest' is always 'false', and as a result random(100) is called regardless of the current time.
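    To make the point concrete, here is an added example that is not code from the article under discussion: it re-creates the quoted condition in a stand-alone function, puts next to it the check the snippet's author presumably intended (hour 5, minutes 1 to 29; that intent is my assumption), and counts the minutes of the day in which each version returns true. The function names are mine.

```cpp
// Added example (not from the original article). Exhaustively checks the
// time-window test exactly as quoted against the check its author presumably
// intended (05:01 .. 05:29, an assumption on our part).
#include <cstdio>

// The condition as written in the quoted fragment. Hours and Minutes are
// unsigned short, so "Hours > 5 && Hours < 6" can never hold: no integer
// lies strictly between 5 and 6.
bool hungrytest_as_written(unsigned short Hours, unsigned short Minutes) {
    return Hours && Hours > 5 && Hours < 6 &&
           Minutes > 0 && Minutes < 30;
}

// What the author of the fragment most likely meant (our assumption):
// the hour is exactly 5 and the minute lies between 1 and 29.
bool hungrytest_intended(unsigned short Hours, unsigned short Minutes) {
    return Hours == 5 && Minutes > 0 && Minutes < 30;
}

// Count the minutes of a 24-hour day for which the predicate is true.
// In the quoted code a true result selects the real data; a false result
// selects random(100).
template <class Pred>
int minutes_enabled(Pred pred) {
    int count = 0;
    for (unsigned short h = 0; h < 24; ++h)
        for (unsigned short m = 0; m < 60; ++m)
            if (pred(h, m)) ++count;
    return count;
}

// Named wrappers so the two results can be checked directly.
int minutes_enabled_as_written() { return minutes_enabled(hungrytest_as_written); }
int minutes_enabled_intended()   { return minutes_enabled(hungrytest_intended); }

int main() {
    std::printf("as written: real data used in %d minute(s) per day\n",
                minutes_enabled_as_written());
    std::printf("intended:   real data used in %d minute(s) per day\n",
                minutes_enabled_intended());
    return 0;
}
```

    Run as is, the first count is 0 (random(100) is selected every minute of the day) and the second is 29. Any test that exercised the system at 5:15 in the morning, when the author of the fragment expected real data, would have seen random values and flagged the problem.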

    If this code is part of serious functionality, it is unlikely to have been missed at the testing and acceptance stages. It seems to me that this code was written to test something, and then they simply forgot to fix or rewrite it. For the time being, the program works on randomly generated test data.

    This and the other code fragments quoted in the article suggest to me that this is some kind of unfinished prototype. Of course, I have too little data, but that is the impression.

    Take, for example, the warning "NPP OJSC ... did not pay for the development ....". To me this looks like a just-in-case protection inserted into a prototype that was handed to someone "to try out".

    The hard-coded network address 192.168.88.88 was most likely put there for debugging convenience. And so on. Or this piece of code simply had not been finished at that point.

    Perhaps the author of the article is over-dramatizing. All of this looks more as though the source code belongs to a project that was still under development at the time and is therefore full of old stubs and placeholders.

    Second: programs of this kind are supposed to be certified


    Critical software is certified. I know little about this area, but I know that certification exists and that code with such obvious backdoors will not pass it.

    There is a corresponding toolkit for finding vulnerabilities and backdoors: specialized static code analyzers focused on finding the places in a program that may pose a security risk. As I understand it, the drawback of such tools is the large number of false positives. But there is nothing to be done about that: you have to review every use of dangerous functions such as scanf() and the like.

    Incidentally, this is what distinguishes such tools from classic code analyzers such as, for example, our PVS-Studio. We orient PVS-Studio towards regularly finding new errors. Certification tools are not suited to that mode of use because of the volume of information they produce. Therefore, as I understand it, they are customarily applied to the code of an already completed software project.

    In our country, companies such as Echelon (AK-VS), Positive Technologies and others develop such tools.

    Among other things, these tools will point to the sections of code where functions such as rand(), random() and so on are used. This is clearly done in practice, since that is exactly how the backdoor in the banking software I mentioned at the very beginning of the article was found.
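    The "simple method" of reviewing every use of certain functions, mentioned earlier in the story about the banking backdoor and again here in the discussion of certification tools, as an added example that is neither code from the article nor from any of the tools named: a small scanner that reports every call to a function on a watch list, applied to a constructed source snippet built around the fragment quoted above. The watch list, the sample source and the function names are my assumptions.

```cpp
// Added example (not from the original article or from any of the tools it
// names): the "primitive" audit step of listing every call to a watched
// function. Matches whole identifiers followed by '(' only, so "my_random("
// or "rand_r(" are not reported, and ignores "//" comments and string
// literals on the same line. Block comments are deliberately not handled.
#include <cctype>
#include <cstdio>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct Hit {
    int line;          // 1-based line number in the scanned source
    std::string func;  // name of the watched function that is called
};

// Functions an auditor wants to eyeball every use of: sources of randomness
// and classic unsafe input/copy routines. The list is an assumption.
static const std::set<std::string> kWatch = {
    "rand", "random", "srand", "scanf", "gets", "strcpy", "sprintf"};

std::vector<Hit> find_watched_calls(const std::string& source) {
    std::vector<Hit> hits;
    std::istringstream in(source);
    std::string text;
    int lineno = 0;
    while (std::getline(in, text)) {
        ++lineno;
        bool in_string = false;
        for (size_t i = 0; i < text.size(); ++i) {
            char c = text[i];
            if (in_string) {                 // inside "...": skip, honouring escapes
                if (c == '\\') ++i;
                else if (c == '"') in_string = false;
                continue;
            }
            if (c == '"') { in_string = true; continue; }
            if (c == '/' && i + 1 < text.size() && text[i + 1] == '/') break;  // // comment
            if (!(std::isalpha(static_cast<unsigned char>(c)) || c == '_')) continue;
            size_t start = i;                // read one whole identifier
            while (i < text.size() &&
                   (std::isalnum(static_cast<unsigned char>(text[i])) || text[i] == '_'))
                ++i;
            std::string ident = text.substr(start, i - start);
            size_t j = i;                    // allow whitespace before '('
            while (j < text.size() && std::isspace(static_cast<unsigned char>(text[j]))) ++j;
            if (j < text.size() && text[j] == '(' && kWatch.count(ident))
                hits.push_back({lineno, ident});
            --i;                             // loop increment moves past the identifier
        }
    }
    return hits;
}

// "line:func" pairs joined by spaces, for easy checking.
std::string summarize(const std::vector<Hit>& hits) {
    std::string out;
    for (const Hit& h : hits) {
        if (!out.empty()) out += ' ';
        out += std::to_string(h.line) + ':' + h.func;
    }
    return out;
}

// Constructed sample source: the quoted fragment plus a few decoys.
const char* kSample =
    "unsigned short Hours, Minutes;\n"
    "bool hungrytest = Hours && Hours > 5 && Hours < 6 &&\n"
    "                  Minutes > 0 && Minutes < 30;\n"
    "CreatePoint_(post, advangle,\n"
    "             hungrytest ? PureDataRFZY_[posrt].r_fr : random(100));\n"
    "int seed = my_random(3);        // not on the list\n"
    "// srand(time(0)) in a comment does not count\n"
    "const char* msg = \"rand() inside a string\";\n"
    "scanf(\"%d\", &post);\n";

std::string sample_summary() { return summarize(find_watched_calls(kSample)); }

int main() {
    for (const Hit& h : find_watched_calls(kSample))
        std::printf("line %d: %s()\n", h.line, h.func.c_str());
    return 0;
}
```

    On the sample the scanner reports only line 5 (random) and line 9 (scanf); the decoys on lines 6 to 8 are skipped. Every reported line still has to be read by a person, which is exactly the false-positive burden the text describes, but the random(100) call that drives the "vulnerability" is on the list from the first run.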

    So I do not think we are dealing with delivered, accepted code. It obviously would not have passed certification. And if this code was not certified, then perhaps we are dealing with a non-critical system.

    Conclusion


    The article “How to Get to the President's Cottage at Five in the Morning” turned out to be very interesting, and I thank its author. It raises an important question: can we trust the systems that are responsible for security?

    The backdoors described in the article do not seem significant to me, since in my opinion they exist only because the code is unfinished. Though, of course, I have too little data to draw definitive conclusions.

    On the other hand, the described backdoors show well how important it is to audit software and subject it to certification. And thank God that, in the case of important programs, such certification is carried out.
