Code as Risk

https://twitter.com/tackline/status/757562488363843584

https://twitter.com/NativeWired/status/828939258475999232

https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
Mike Bland
"Goto Fail, Heartbleed, and Unit Testing Culture"
https://martinfowler.com/articles/testing-culture.html

network code()
{
switch (line) {
case THING1:
doit1();
break;
case THING2:
if (x == STUFF) {
do_first_stuff();
if (y == OTHER_STUFF)
break;
do_later_stuff();
} /* coder meant to break to here... */
initialize_modes_pointer();
break;
default:
processing();
} /* ...but actually broke to here! */
use_modes_pointer(); /* leaving the modes_pointer uninitialized */
}
Peter van der Linden
Expert C Programming

Most of our systems are much
more complicated than can be
considered healthy, and are too
messy and chaotic to be used
in comfort and confidence.
Edsger W Dijkstra

There are standard precautions that can help
reduce risk in complex software systems.
This includes the definition of a good
software architecture based on a clean
separation of concerns, data hiding,
modularity, well-defined interfaces, and
strong fault-protection mechanisms.
Gerard J Holzmann
http://cacm.acm.org/magazines/2014/2/171689-mars-code/fulltext

code, noun
▪ a set of instructions for a computer
▪ a computer program, or a portion thereof
▪ a system of words, figures or symbols used to represent others,
especially for the purposes of secrecy
▪ a set of conventions or principles governing behaviour or activity in
a particular domain
Concise Oxford English Dictionary ∙ Oxford English Dictionary ∙ Merriam-Webster's Collegiate Dictionary

risk, noun
▪ a situation involving exposure to danger
▪ the chance or hazard of commercial loss
▪ product of the consequence and probability of a hazardous event or
phenomenon
▪ exposure to a proposition of which one is uncertain
Concise Oxford English Dictionary ∙ Oxford English Dictionary ∙ Wikipedia ∙ "Defining Risk" by Glen A Holton

https://twitter.com/kcpeppe/status/15473004648

Avoiding complexity
reduces bugs.
Linus Torvalds

Avoiding complexity
reduces vulnerabilities.

Functional
Operational
Developmental

Connection * CreateServerConnection()
{
// Declarations
char buffer[1024];
std::string cfgAddress;
unsigned long address;
std::string cfgPort;
unsigned short port;
Connection * result;
// Get address and check that its OK (throw an exception if its not)
cfgAddress = ConfigurationManager::Instance().GetValue("address");
if (cfgAddress.empty())
{
sprintf(buffer, "Configuration value missing: %s", "address");
Log::Instance().Write(buffer);
throw ConnectionException(buffer);
}
// Convert adress to bytes and check that its OK (throw an exception if its not)
address = inet_addr(cfgAddress.data());
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.data());
}
// Get port and check that its OK (throw an exception if its not)
cfgPort = ConfigurationManager::Instance().GetValue("port");
if (cfgPort.empty())
{
sprintf(buffer, "Configuration value missing: %s", "port");
}
// Convert port too bytes
port = htons(atoi(cfgPort.data()));
// Creation connection and check that its OK (throw an exception if its not)
result = new Connection(address, port);
if (!result || !result->IsOK())
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.data(), cfgPort.data());
}
// Return the connection
return result;
}

{
// Declarations
char buffer[1024];
...
}

{
...
{
}
...
}

{
...
if (address == -1)
{
}
...
}

{
...
{
}
...
}

{
...
...
}

{
...
{
}
...
}

{
...
return result;
}

{
// Declarations
...
...
...
...
...
...
...
}

{
// Declarations
...
// Get address and check that it's OK (throw an exception if it's not)
...
// Convert address to bytes and check that it's OK (throw an exception if it's not)
...
// Get port and check that it's OK (throw an exception if it's not)
...
// Convert port to bytes
...
// Creation connection and check that it's OK (throw an exception if it's not)
...
...
}

{
...
...
...
...
...
...
...
}

{
char buffer[1024];
{
}
if (address == -1)
{
}
{
}
{
}
return result;
}

{
char buffer[1024];
std::string cfgAddress = ConfigurationManager::Instance().GetValue("address");
{
}
unsigned long address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
std::string cfgPort = ConfigurationManager::Instance().GetValue("port");
{
}
unsigned short port = htons(atoi(cfgPort.data()));
Connection * result = new Connection(address, port);
{
}
return result;
}

{
char buffer[1024];
auto cfgAddress = ConfigurationManager::Instance().GetValue("address");
{
}
auto address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
auto cfgPort = ConfigurationManager::Instance().GetValue("port");
{
}
auto port = htons(atoi(cfgPort.data()));
{
}
return result;
}

{
...
{
}
return result;
}

{
...
if (!result->IsOK())
{
}
return result;
}

std::auto_ptr<Connection> CreateServerConnection()
{
...
std::auto_ptr<Connection> result(new Connection(address, port));
{
}
return result;
}

std::unique_ptr<Connection> CreateServerConnection()
{
...
auto result = std::make_unique<Connection>(address, port);
{
}
return result;
}

{
...
{
}
return result.release();
}

{
char buffer[1024];
{
}
auto address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
{
}
auto port = htons(atoi(cfgPort.data()));
{
}
}

{
char buffer[1024];
{
}
auto address = inet_addr(cfgAddress.c_str());
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
}
auto port = htons(atoi(cfgPort.c_str()));
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

{
char buffer[1024];
{
}
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
}
auto port = htons(stoi(cfgPort));
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

{
char buffer[1024];
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "address");
}
if (address == -1)
{
snprintf(buffer, sizeof buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "port");
}
{
snprintf(buffer, sizeof buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

{
char buffer[1024];
...
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "address");
}
...
if (address == -1)
{
snprintf(buffer, sizeof buffer, "Invalid address: %s", cfgAddress.c_str());
}
...
}

{
...
{
std::stringstream buffer;
buffer << "Configuration value missing: " << "address";
Log::Instance().Write(buffer.str());
throw ConnectionException(buffer.str());
}
...
if (address == -1)
{
std::stringstream buffer;
buffer << "Invalid address: " << cfgAddress;
Log::Instance().Write(buffer.str());
throw ConnectionException(buffer.str());
}
...
}

{
...
{
static const char * logMessage = "Configuration value missing: address";
Log::Instance().Write(logMessage);
throw ConnectionException(logMessage);
}
...
if (address == -1)
{
auto logMessage = "Invalid address: " + cfgAddress;
}
...
}

{
{
static const char * logMessage = "Configuration value missing: address";
}
if (address == -1)
{
auto logMessage = "Invalid address: " + cfgAddress;
}
{
static const char * logMessage = "Configuration value missing: port");
}
{
auto logMessage = "Failed to connect: " + cfgAddress + ":" + cfgPort;
}
}

{
{
FailedToConnect("Configuration value missing: address");
}
if (address == -1)
{
FailedToConnect("Invalid address: " + cfgAddress);
}
{
FailedToConnect("Configuration value missing: port");
}
{
FailedToConnect("Failed to connect: " + cfgAddress + ":" + cfgPort);
}
}

{
if (address == -1)
}

std::unique_ptr<Connection> CreateServerConnection()
{
if (address == -1)
return result;
}

std::unique_ptr<Connection> ConnectToServer()
{
if (address == -1)
return result;
}

{
auto cfgAddress = ConfigurationManager::Instance().ValueOf("address");
if (address == -1)
auto cfgPort = ConfigurationManager::Instance().ValueOf("port");
return result;
}

{
auto cfgAddress = Configuration::Instance().ValueOf("address");
if (address == -1)
auto cfgPort = Configuration::Instance().ValueOf("port");
return result;
}

Early Detection of
Configuration Errors to
Reduce Failure Damage
https://www.usenix.org/system/files/conference/osdi16/osdi16-xu.pdf

Our study shows that many of today’s
mature, widely used software systems
are subject to latent configuration
errors in their critically important
configurations.

One root cause is that many (14.0%–
93.2%) of these configurations do not
have any special code for checking
the correctness of their settings at the
system’s initialization time.

std::unique_ptr<Connection> ConnectToServer(
const std::string & cfgAddress, const std::string & cfgPort)
{
if (address == -1)
return result;
}

Be conservative in what you
do, be liberal in what you
accept from others.
Postel's law

Be conservative in what you
do, be conservative in what
you accept from others.

std::unique_ptr<Connection> ConnectToServer(in_addr_t address, in_port_t port)
{
FailedToConnect(address, port);
return result;
}

std::unique_ptr<Connection> ConnectToServer(in_addr_t address, in_port_t port)
{
return std::make_unique<Connection>(address, port);
}

Remember that there
is no code faster than
no code.
Taligent's Guide to Designing Programs

Remember that there
is no code more
secure than no code.

http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

function leftpad (str, len, ch) {
str = String(str);
var i = -1;
if (!ch && ch !== 0) ch = ' ';
len = len - str.length;
while (++i < len) {
str = ch + str;
}
return str;
}

var cache = [
'',
' ',
' ',
' ',
' ',
' ',
' ',
' ',
' ',
' '
];
function leftPad (str, len, ch) {
// convert `str` to `string`
str = str + '';
// `len` is the `pad`'s length now
len = len - str.length;
// doesn't need to pad
if (len <= 0) return str;
// `ch` defaults to `' '`
if (!ch && ch !== 0) ch = ' ';
// convert `ch` to `string`
ch = ch + '';
// cache common use cases
if (ch === ' ' && len < 10) return cache[len] + str;
// `pad` starts with an empty string
var pad = '';
// loop
while (true) {
// add `ch` to `pad` if `len` is odd
if (len & 1) pad += ch;
// divide `len` by 2, ditch the remainder
len >>= 1;
// "double" the `ch` so this operation count grows logarithmically on `len`
// each time `ch` is "doubled", the `len` would need to be "doubled" too
// similar to finding a value in binary search tree, hence O(log(n))
if (len) ch += ch;
// `len` is 0, exit the loop
else break;
}
// pad `str`!
return pad + str;
}

I have yet to see any problem,
however complicated, which,
when you looked at it in the
right way, did not become still
more complicated.
Anderson's Law

https://twitter.com/seldo/status/712414400808755200

function leftpad (str, len, ch) {
somethingWickedThisWayComes()
return _leftpad(str, len, ch);
}

Architectural decisions tend to
concentrate upon identifying and
controlling the seams in a system,
which are described in terms of
interfaces and mechanisms.
Grady Booch

As mankind relies more and more on the
software that controls the computers that
in turn guide society, it becomes crucial
that people control absolutely the
programs and the processes by which they
are produced, throughout the useful life of
the program.
Meir M Lehman
"Programs, Life Cycles, and Laws of Software Evolution"

Goto Fail, Heartbleed,
and Unit Testing Culture
Mike Bland
https://martinfowler.com/articles/testing-culture.html

Code as Risk

Code as Risk

More Related Content

What's hot

Similar to Code as Risk

More from Kevlin Henney

Recently uploaded

Code as Risk