Vlad

'UN'-clean Code: The root that defined the cause

Updated: Apr 14, 2018

Our world revolves around a principle of equality. Nature has its way of maintaining balance. Without equilibrium, there would be turmoil that would wipe out humanity. It is this balance that makes us. It's what makes you, you, and me, me. In mathematics, an 'equation' is the equality of two sides. We look for a variable, possibly unknown, that serves as the missing piece making the two sides equal. In physics, the concepts of time and space are relative and proportional to each other.



Software is a component that drives our industry today. Consumers' tasks get easier and productivity reaches far greater heights. With AI and automation marking our tech today, humanity will rely further on machines as time goes on. Data will be more open as the cloud emerges in the market. Social media will still grow, and a new form might be on its way. The more resources we gain, the more progressive we become. Technology is still an infant.


But growth in this craft means higher risks to data security. Data is software, software is data. Everything flows through data. Data are the cells of every application structure. Transmission, storage, processing: data are transmitted, stored and processed. Tampering with any part of this triad could cause chaos in any computer software.


Secure?

#Secure. For years that word has been with me every single day. What does it really mean, to me? To you? We say that a system is secure if it works the way it is supposed to. 'Perfect' is an overstatement; 'precise' is a better fit. We then say that a system is secure if it behaves precisely the way it is intended. Software is a compilation of instructions, instructions that form a bond between the program and the programmer. That bond is built and strengthened by a language understood by machines. The interaction between these two entities depends on how strong a programmer's code is. Security delves into a system's structure. It always starts with how the system is built.


No such thing as a Perfect System

But is there really such a thing as 'perfect'? Is there really a perfect system? One that can't be compromised, hard as a rock. No lags, no bugs, just smooth as silk. Well, for a start, software is created by humans. Humans are technically not perfect. If humans are not perfect, we can reason that systems are not 'perfect' either. All systems are vulnerable; anyone can break any system, no matter how much protection you apply on your perimeter. There will always be bad guys who infiltrate what a developer has worked hard for, with one main goal in every attacker's mind: outsmart the maker and steal the data and wealth of the consumers.


Is it the developer's fault? Is it the admin's fault for not patching? Is it the cyberOps team's, for blind detection? Whoever it might be, hackers will always hack. They will always be hungry for more weaknesses in your system. Hackers will do whatever it takes. They are a highly sophisticated type of human, a new generation of thief. But the dilemma never ends with what is supposed to be the norm. Systems will always be vulnerable to attack. The code structure, the architecture, the software engineering: these three, when combined, create an enzyme that improves security. A stronger code structure makes it harder for an attacker to exploit the dev's craft.



A Sinful Code


Clean code always comes to the focal point. Well-organized and 'consistent' code directly affects the system's overall complexity. Complexity hides bugs and can lead to security vulnerabilities. Once an attacker knows about these vulnerabilities, he can find ways of breaking into your system. One small flaw can lead to one big hole in your application.


Let's go and check on Ferry. Ferry is an application developer who doesn't much appreciate secure coding. Ferry has all the plans, and the requirements are all intact. He enjoyed the first half of his development, as everything was well planned out. No bugs, just well-compiled, clean code. But as time progressed, his code architecture became as complicated as a jigsaw. His well-architected code became like spaghetti twirled on a fork, ready to be eaten. The codebase has grown in size, and Ferry lacks the consistency of secure and clean coding that would help keep the system readable and maintainable. This has become one of the developer's greatest headaches: the bigger the system, the bigger the chunk of code, the higher the rate of bugs and the more security vulnerabilities arise.


Ferry's shortcomings:

* Did not catch exceptions well: Something went wrong as Ferry tried to run and test his application, and he didn't know how to correct it. He just closed the application and did not handle the exceptions. This can leave an application unstable, and an unstable application can lead to an exploit.


Here's Ferry's defective code in C++:


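    void func_call();   // defined elsewhere; may throw

    void Sample(int count)
    {
        // ...some code here...

        func_call();    // an exception thrown here is never handled

        // ...other instructions...
    }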


Ferry had become more confident in his structure, and so he forgot to implement a try/catch block (in C++). He could have written...


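    #include <exception>
    #include <iostream>

    void func_call();   // defined elsewhere; may throw

    void Sample(int count)
    {
        try {
            // ...some code here...

            func_call();

            // ...other instructions...
        }
        catch (const std::exception& e) {
            // report what went wrong instead of leaving it unhandled
            std::cout << "Error on " << e.what();
        }
    }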

With the revised code above, Ferry would know what happened in his algorithm and could spot the bug. The function first executes the instructions in try, and when something goes wrong the catch construct does its job: it tells Ferry in which part of his program the flaw could be, giving him the chance to correct it. If only Ferry had implemented this, he would have:


1. A more efficient code structure

2. Utilized predictive pipelining

3. Error handling that is a lot easier and cleaner


* Concatenation of strings in a function call to the database


Ferry doesn't care about how his code transmits data from a function to the database, as long as the system flow works and the data is in its place. Let's take a look at the function for privilege escalation.


Ferry's failure here is his string concatenation in the call to sprintf_s. This could lead to manipulation of the SQL statement string. So if size_sq is 50 characters long, the attacker could provide a user_id padded with '*' such that the "AND pwd=" clause is snipped from the SQL statement. Therefore,


update Username set pwd = 'xxx'

where user_id = 'ferry <plus a string of '*' padded to 50 chars>'


This tricks the system into setting the password of the user account ferry, regardless of what the account's current password is.
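The truncation described above, as an added example that is not code from the original post: the unchecked builder silently loses the "AND pwd =" clause, while the checked one refuses a statement that did not fit. Assumptions: std::snprintf stands in for the sprintf_s call the post mentions, and the 100-byte buffer, the function names and the sample values are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <iostream>
#include <string>

// Assumption: a fixed-size statement buffer, as in the pattern the post describes.
constexpr std::size_t kSqlBufSize = 100;

// Formats the password-change statement. Returns the length the complete
// statement needs, which can be larger than what fit into buf.
static int format_update(char* buf, std::size_t size, const std::string& user,
                         const std::string& old_pwd, const std::string& new_pwd) {
    return std::snprintf(buf, size,
        "update Username set pwd = '%s' where user_id = '%s' AND pwd = '%s'",
        new_pwd.c_str(), user.c_str(), old_pwd.c_str());
}

// Defective form: the return value is ignored, so an over-long user_id
// cuts the statement off before the "AND pwd =" check.
std::string build_update_unchecked(const std::string& user,
                                   const std::string& old_pwd,
                                   const std::string& new_pwd) {
    char sql[kSqlBufSize];
    format_update(sql, sizeof sql, user, old_pwd, new_pwd);
    return sql;
}

// Checked form: rejects any statement that did not fit completely.
// Binding user_id and pwd as query parameters removes the concatenation
// altogether; this check only closes the truncation path.
bool build_update_checked(const std::string& user, const std::string& old_pwd,
                          const std::string& new_pwd, std::string& out) {
    char sql[kSqlBufSize];
    int n = format_update(sql, sizeof sql, user, old_pwd, new_pwd);
    if (n < 0 || static_cast<std::size_t>(n) >= sizeof sql) return false;
    out = sql;
    return true;
}

int main() {
    // Constructed input: "ferry" padded with '*' to 50 characters.
    std::string padded = "ferry" + std::string(45, '*');
    std::string sql;
    std::cout << build_update_unchecked(padded, "guess", "xxx") << '\n';
    std::cout << (build_update_checked(padded, "guess", "xxx", sql)
                      ? sql : "rejected: statement truncated") << '\n';
}
```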


Conclusion:


An application is 'gold' when clean code is applied. Yet clean code does not imply a secure system, but it does minimize the risk of attacks. Developers must always keep code security and consistency in mind as they progress toward production. Developed applications are never finished; developers must always keep in mind patches and version changes in the programming language used. Script and database versions are often updated and deprecated due to security issues, something a programmer must keep in their notes. Universities and training facilities must incorporate secure coding into their modules. Clean code is not only a necessity but must be a property.
