
Commentary to "How to get to the president's dacha at five in the morning"

It would be strange to spend my days searching for errors in programs and then walk past this article without comment.

I want to make a few remarks. Their main point is that the code shown does not look like a set of frightening backdoors. It reminds me more of a test prototype than of a finished application. So perhaps things are not as scary as the author of the article presents them. First, the code contains an error, and as a result random numbers are always used. It is hard to believe that this would have gone unnoticed during system testing. Second, there is such a thing as software certification, and the code fragment in question would be the first candidate for detection.

My skepticism about the magnitude of the threat


It so happened that just a few days ago I told my colleagues about an example of a backdoor in which the rand() function was used. I do not remember how the discussion started, but in the course of it I gave examples showing that a plain search for every use of a random-number function sometimes makes sense, and that there is no need to laugh at it. I had read or seen a presentation in which the corresponding example was given.

A backdoor was found in the software of one of the banks. After a certain amount of time, one of the functions started returning a random value. Apparently the author decided to leave a time bomb in case he was fired from the company, or something like that. During a code audit this backdoor was found. As I understand it, the code was corrected in time, and the author of this creation received what he deserved.
As luck would have it, I could not find that article or presentation to refer to it. I know for certain that I read something like that, but I absolutely do not remember when or where. Therefore, I apologize, but I cannot give a link as proof.

I told all this to my colleagues to make the point that even such a simple action as reviewing every place in a program where certain functions are used is not a meaningless exercise. It is clear that a backdoor can be hidden so cunningly that no one will find it. Nevertheless, even such a simple method sometimes gives a useful result when we are dealing not with a cunning intelligence agency but simply with a short-sighted programmer.

So, remembering the recent discussion with colleagues and reading the article "How to get to the president's dacha at five o'clock in the morning", I realized that I had something to say. In my opinion, all of this is more characteristic of raw, unfinished code than of insidious and terrible designs.

First: it looks more like a prototype than a finished solution


First, consider this code snippet:

unsigned short Hours, Minutes;
....
bool hungrytest = Hours && Hours > 5 && Hours < 6 &&
                  Minutes > 0 && Minutes < 30;
....
CreatePoint_(post, advangle,
             hungrytest ? PureDataRFZY_[posrt].r_fr : random(100));

The author of the article is probably not very familiar with the C++ language, or was not attentive enough. In fact, there is no vulnerability that appears only in the morning from 5:01 to 5:29. If anything, the system is vulnerable around the clock.

The expression is written incorrectly. Note that the variable 'Hours' has an integer type. This means that whatever value is stored in 'Hours', the condition "Hours > 5 && Hours < 6" is always false, because there is no integer strictly between 5 and 6.

Consequently, the variable 'hungrytest' is always assigned the value 'false', and as a result the function random(100) is called regardless of the current time.
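To make the point checkable, here is an added example (my own code, not a fragment of the article or of the analysed project): the condition re-created in compilable C++, an exhaustive sweep over every representable unsigned short value of Hours, and a hypothetical corrected form that uses Hours == 5 as the intended check.

```cpp
#include <iostream>
#include <limits>

// Re-creation of the condition as quoted in the article. Whether random(100)
// is reached depends solely on this predicate.
bool hungry_test_as_written(unsigned short Hours, unsigned short Minutes) {
    return Hours && Hours > 5 && Hours < 6 && Minutes > 0 && Minutes < 30;
}

// Hypothetical corrected form (my assumption about the intent): the only
// integer hour the author could have meant between 5 and 6 is 5 itself.
bool hungry_test_fixed(unsigned short Hours, unsigned short Minutes) {
    return Hours == 5 && Minutes > 0 && Minutes < 30;
}

// Counts how many (Hours, Minutes) pairs satisfy a predicate over the whole
// unsigned short range for Hours and 0..59 for Minutes.
unsigned long count_true(bool (*pred)(unsigned short, unsigned short)) {
    unsigned long hits = 0;
    const unsigned max_hours = std::numeric_limits<unsigned short>::max();
    for (unsigned h = 0; h <= max_hours; ++h)
        for (unsigned m = 0; m < 60; ++m)
            if (pred(static_cast<unsigned short>(h),
                     static_cast<unsigned short>(m)))
                ++hits;
    return hits;
}

// Expected: 0 for the condition as written (never true, so random(100) is
// always used), 29 for the fixed form (minutes 1..29 of hour 5).
unsigned long count_true_as_written() { return count_true(hungry_test_as_written); }
unsigned long count_true_fixed() { return count_true(hungry_test_fixed); }

int main() {
    std::cout << "as written: " << count_true_as_written() << " true cases\n";
    std::cout << "fixed:      " << count_true_fixed() << " true cases\n";
    return 0;
}
```

A compiler with warnings enabled typically flags the original comparison as always false, which is exactly the kind of signal a code audit relies on.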

If this code belonged to serious functionality, it is unlikely that it would be missed during the testing phase and at project acceptance. It seems to me that this code was written to test something, and then someone simply forgot to correct or rewrite it. For now, the program works on test data generated randomly.

This and the other quoted code fragments suggest to me that we are looking at some kind of unfinished prototype. Of course, I have very little data, but that is exactly the impression.

Take, for example, the warning "OAO NPP ... did not pay for the development ....". In my view, this kind of protection is inserted into a prototype just in case, when it is handed to someone "to try".

The hard-coded network address 192.168.88.88 was most likely put there for debugging convenience. And so on. Or that code fragment simply had not been written yet at the time.

Perhaps the author of the article is being overly dramatic. All of this looks more like source code of a project that was still under development at the time, and was therefore full of leftover stubs and placeholders.

Second: such programs are supposed to be certified


Software with serious responsibilities is certified. I have little knowledge of this area, but I know that certification exists, and code with explicit backdoors will not get through it.

To search for vulnerabilities and backdoors there is a corresponding toolkit: specialized static code analyzers focused on finding the places in a program that may pose a security risk. As I understand it, the disadvantage of such tools is a large number of false positives. But there is nothing to be done about that: you have to review every use of dangerous functions such as scanf(), and so on.

This, incidentally, distinguishes such tools from classical code analyzers, such as our PVS-Studio. We position PVS-Studio for regular searching for new bugs. Certification tools are not well suited to that regime because of the sheer volume of information they produce. Therefore, as I understand it, they are usually applied to the code of an already completed software project.

In our country, companies such as Echelon (AK-VS), Positive Technologies and others are engaged in the development of such tools.

Among other things, these tools will point to the sections of code where functions such as rand(), random() and so on are used. This is evidently how the backdoor in the banking software that I mentioned at the very beginning of the article was found.

So I do not think we are dealing with code that has been put into operation. It obviously would not have passed certification. And if this code is not certified, then perhaps we are dealing with a non-critical system.

Conclusion


The article "How to get to the president's dacha at five o'clock in the morning" was very interesting, and I express my gratitude to the author. It raised an interesting topic: can we trust the systems responsible for security?

The backdoors described in the article do not seem significant to me, since in my opinion they exist only because this is unfinished code. Although, of course, I have too little data to draw unambiguous conclusions.

On the other hand, the described backdoors show well how important it is to audit software and subject it to certification. And, thank God, in the case of important programs such certification is carried out.

Source: https://habr.com/ru/post/273451/
