Code as Risk

https://twitter.com/tackline/status/757562488363843584

https://twitter.com/NativeWired/status/828939258475999232

https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/

if ((err = ReadyHash(&SSLHashSHA1, &hashCtx)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &clientRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
goto fail;
goto fail;
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
goto fail;
Mike Bland
"Goto Fail, Heartbleed, and Unit Testing Culture"
https://martinfowler.com/articles/testing-culture.html

network code()
{
switch (line) {
case THING1:
doit1();
break;
case THING2:
if (x == STUFF) {
do_first_stuff();
if (y == OTHER_STUFF)
break;
do_later_stuff();
} /* coder meant to break to here... */
initialize_modes_pointer();
break;
default:
processing();
} /* ...but actually broke to here! */
use_modes_pointer(); /* leaving the modes_pointer uninitialized */
}
Peter van der Linden
Expert C Programming

Most of our systems are much
more complicated than can be
considered healthy, and are too
messy and chaotic to be used
in comfort and confidence.
Edsger W Dijkstra

There are standard precautions that can help
reduce risk in complex software systems.
This includes the definition of a good
software architecture based on a clean
separation of concerns, data hiding,
modularity, well-defined interfaces, and
strong fault-protection mechanisms.
Gerard J Holzmann
http://cacm.acm.org/magazines/2014/2/171689-mars-code/fulltext

code, noun
▪ a set of instructions for a computer
▪ a computer program, or a portion thereof
▪ a system of words, figures or symbols used to represent others,
especially for the purposes of secrecy
▪ a set of conventions or principles governing behaviour or activity in
a particular domain
Concise Oxford English Dictionary ∙ Oxford English Dictionary ∙ Merriam-Webster's Collegiate Dictionary

risk, noun
▪ a situation involving exposure to danger
▪ the chance or hazard of commercial loss
▪ product of the consequence and probability of a hazardous event or
phenomenon
▪ exposure to a proposition of which one is uncertain
Concise Oxford English Dictionary ∙ Oxford English Dictionary ∙ Wikipedia ∙ "Defining Risk" by Glen A Holton

https://twitter.com/kcpeppe/status/15473004648

Avoiding complexity
reduces bugs.
Linus Torvalds

Avoiding complexity
reduces vulnerabilities.

Functional
Operational
Developmental

Connection * CreateServerConnection()
{
// Declarations
char buffer[1024];
std::string cfgAddress;
unsigned long address;
std::string cfgPort;
unsigned short port;
Connection * result;
// Get address and check that its OK (throw an exception if its not)
cfgAddress = ConfigurationManager::Instance().GetValue("address");
if (cfgAddress.empty())
{
sprintf(buffer, "Configuration value missing: %s", "address");
Log::Instance().Write(buffer);
throw ConnectionException(buffer);
}
// Convert adress to bytes and check that its OK (throw an exception if its not)
address = inet_addr(cfgAddress.data());
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.data());
}
// Get port and check that its OK (throw an exception if its not)
cfgPort = ConfigurationManager::Instance().GetValue("port");
if (cfgPort.empty())
{
sprintf(buffer, "Configuration value missing: %s", "port");
}
// Convert port too bytes
port = htons(atoi(cfgPort.data()));
// Creation connection and check that its OK (throw an exception if its not)
result = new Connection(address, port);
if (!result || !result->IsOK())
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.data(), cfgPort.data());
}
// Return the connection
return result;
}

{
// Declarations
char buffer[1024];
...
}

{
...
{
}
...
}

{
...
if (address == -1)
{
}
...
}

{
...
{
}
...
}

{
...
...
}

{
...
{
}
...
}

{
...
return result;
}

{
// Declarations
...
...
...
...
...
...
...
}

{
// Declarations
...
// Get address and check that it's OK (throw an exception if it's not)
...
// Convert address to bytes and check that it's OK (throw an exception if it's not)
...
// Get port and check that it's OK (throw an exception if it's not)
...
// Convert port to bytes
...
// Creation connection and check that it's OK (throw an exception if it's not)
...
...
}

{
...
...
...
...
...
...
...
}

{
char buffer[1024];
{
}
if (address == -1)
{
}
{
}
{
}
return result;
}

{
char buffer[1024];
std::string cfgAddress = ConfigurationManager::Instance().GetValue("address");
{
}
unsigned long address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
std::string cfgPort = ConfigurationManager::Instance().GetValue("port");
{
}
unsigned short port = htons(atoi(cfgPort.data()));
Connection * result = new Connection(address, port);
{
}
return result;
}

{
char buffer[1024];
auto cfgAddress = ConfigurationManager::Instance().GetValue("address");
{
}
auto address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
auto cfgPort = ConfigurationManager::Instance().GetValue("port");
{
}
auto port = htons(atoi(cfgPort.data()));
{
}
return result;
}

{
...
{
}
return result;
}

{
...
if (!result->IsOK())
{
}
return result;
}

std::auto_ptr<Connection> CreateServerConnection()
{
...
std::auto_ptr<Connection> result(new Connection(address, port));
{
}
return result;
}

std::unique_ptr<Connection> CreateServerConnection()
{
...
auto result = std::make_unique<Connection>(address, port);
{
}
return result;
}

{
...
{
}
return result.release();
}

{
char buffer[1024];
{
}
auto address = inet_addr(cfgAddress.data());
if (address == -1)
{
}
{
}
auto port = htons(atoi(cfgPort.data()));
{
}
}

{
char buffer[1024];
{
}
auto address = inet_addr(cfgAddress.c_str());
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
}
auto port = htons(atoi(cfgPort.c_str()));
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

{
char buffer[1024];
{
}
if (address == -1)
{
sprintf(buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
}
auto port = htons(stoi(cfgPort));
{
sprintf(buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

https://xkcd.com/327/

{
char buffer[1024];
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "address");
}
if (address == -1)
{
snprintf(buffer, sizeof buffer, "Invalid address: %s", cfgAddress.c_str());
}
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "port");
}
{
snprintf(buffer, sizeof buffer, "Failed to connect: %s:%s", cfgAddress.c_str(), cfgPort.c_str());
}
}

{
char buffer[1024];
...
{
snprintf(buffer, sizeof buffer, "Configuration value missing: %s", "address");
}
...
if (address == -1)
{
snprintf(buffer, sizeof buffer, "Invalid address: %s", cfgAddress.c_str());
}
...
}

{
...
{
std::stringstream buffer;
buffer << "Configuration value missing: " << "address";
Log::Instance().Write(buffer.str());
throw ConnectionException(buffer.str());
}
...
if (address == -1)
{
std::stringstream buffer;
buffer << "Invalid address: " << cfgAddress;
Log::Instance().Write(buffer.str());
throw ConnectionException(buffer.str());
}
...
}

{
...
{
static const char * logMessage = "Configuration value missing: address";
Log::Instance().Write(logMessage);
throw ConnectionException(logMessage);
}
...
if (address == -1)
{
auto logMessage = "Invalid address: " + cfgAddress;
}
...
}

{
{
static const char * logMessage = "Configuration value missing: address";
}
if (address == -1)
{
auto logMessage = "Invalid address: " + cfgAddress;
}
{
static const char * logMessage = "Configuration value missing: port");
}
{
auto logMessage = "Failed to connect: " + cfgAddress + ":" + cfgPort;
}
}

{
{
FailedToConnect("Configuration value missing: address");
}
if (address == -1)
{
FailedToConnect("Invalid address: " + cfgAddress);
}
{
FailedToConnect("Configuration value missing: port");
}
{
FailedToConnect("Failed to connect: " + cfgAddress + ":" + cfgPort);
}
}

{
if (address == -1)
}

std::unique_ptr<Connection> CreateServerConnection()
{
if (address == -1)
return result;
}

std::unique_ptr<Connection> ConnectToServer()
{
if (address == -1)
return result;
}

{
auto cfgAddress = ConfigurationManager::Instance().ValueOf("address");
if (address == -1)
auto cfgPort = ConfigurationManager::Instance().ValueOf("port");
return result;
}

{
auto cfgAddress = Configuration::Instance().ValueOf("address");
if (address == -1)
auto cfgPort = Configuration::Instance().ValueOf("port");
return result;
}

Early Detection of
Configuration Errors to
Reduce Failure Damage
https://www.usenix.org/system/files/conference/osdi16/osdi16-xu.pdf

Our study shows that many of today’s
mature, widely used software systems
are subject to latent configuration
errors in their critically important
configurations.

One root cause is that many (14.0%–
93.2%) of these configurations do not
have any special code for checking
the correctness of their settings at the
system’s initialization time.

std::unique_ptr<Connection> ConnectToServer(
const std::string & cfgAddress, const std::string & cfgPort)
{
if (address == -1)
return result;
}

Be conservative in what you
do, be liberal in what you
accept from others.
Postel's law

Be conservative in what you
do, be conservative in what
you accept from others.

std::unique_ptr<Connection> ConnectToServer(in_addr_t address, in_port_t port)
{
FailedToConnect(address, port);
return result;
}

std::unique_ptr<Connection> ConnectToServer(in_addr_t address, in_port_t port)
{
return std::make_unique<Connection>(address, port);
}

Remember that there
is no code faster than
no code.
Taligent's Guide to Designing Programs

Remember that there
is no code more
secure than no code.

http://www.theregister.co.uk/2016/03/23/npm_left_pad_chaos/

function leftpad (str, len, ch) {
str = String(str);
var i = -1;
if (!ch && ch !== 0) ch = ' ';
len = len - str.length;
while (++i < len) {
str = ch + str;
}
return str;
}

var cache = [
'',
' ',
' ',
' ',
' ',
' ',
' ',
' ',
' ',
' '
];
function leftPad (str, len, ch) {
// convert `str` to `string`
str = str + '';
// `len` is the `pad`'s length now
len = len - str.length;
// doesn't need to pad
if (len <= 0) return str;
// `ch` defaults to `' '`
if (!ch && ch !== 0) ch = ' ';
// convert `ch` to `string`
ch = ch + '';
// cache common use cases
if (ch === ' ' && len < 10) return cache[len] + str;
// `pad` starts with an empty string
var pad = '';
// loop
while (true) {
// add `ch` to `pad` if `len` is odd
if (len & 1) pad += ch;
// divide `len` by 2, ditch the remainder
len >>= 1;
// "double" the `ch` so this operation count grows logarithmically on `len`
// each time `ch` is "doubled", the `len` would need to be "doubled" too
// similar to finding a value in binary search tree, hence O(log(n))
if (len) ch += ch;
// `len` is 0, exit the loop
else break;
}
// pad `str`!
return pad + str;
}

I have yet to see any problem,
however complicated, which,
when you looked at it in the
right way, did not become still
more complicated.
Anderson's Law

https://twitter.com/seldo/status/712414400808755200

function leftpad (str, len, ch) {
somethingWickedThisWayComes()
return _leftpad(str, len, ch);
}

Architectural decisions tend to
concentrate upon identifying and
controlling the seams in a system,
which are described in terms of
interfaces and mechanisms.
Grady Booch

As mankind relies more and more on the
software that controls the computers that
in turn guide society, it becomes crucial
that people control absolutely the
programs and the processes by which they
are produced, throughout the useful life of
the program.
Meir M Lehman
"Programs, Life Cycles, and Laws of Software Evolution"

Goto Fail, Heartbleed,
and Unit Testing Culture
Mike Bland

These bugs are as instructive as they
were devastating:They were rooted
in the same programmer optimism,
overconfidence, and haste that strike
projects of all sizes and domains.
Mike Bland

These bugs arouse my passion because I've
seen and lived the benefits of unit testing,
and this strongly-imprinted experience
compels me to reflect on how unit testing
approaches could prevent defects as high-
impact and high-profile as these SSL bugs.
Mike Bland

function leftpad(content, length, pad) {
content = String(content)
pad = String(pad || pad === 0 ? pad : ' ')[0]
var left = Math.max(length - content.length, 0)
return pad.repeat(left) + content
}

truths = {
"Padding an empty string to a length of 0 results in an empty string":
leftpad("", 0, "X") === "",
"Padding a non-empty string to a shorter length results in the same string":
leftpad("foobar", 3, "X") === "foobar",
"Padding a non-empty string to a negative length results in the same string":
leftpad("foobar", -3, "X") === "foobar",
"Padding a non-empty string to its length results in the same string":
leftpad("foobar", 6, "X") === "foobar",
"Padding to a longer length with a single character fills to the left":
leftpad("foobar", 8, "X") === "XXfoobar",
"Padding to a longer length with surplus characters fills using only first":
leftpad("foobar", 10, "XY") === "XXXXfoobar",
"Padding to a longer length with an empty string fills with space":
leftpad("foobar", 8, "") === " foobar",
"Padding to a longer length with no specified fill fills with space":
leftpad("foobar", 9) === " foobar",
"Padding to a longer length with integer 0 fills with 0":
leftpad("foobar", 7, 0) === "0foobar",
"Padding to a longer length with single-digit integer fills with digit":
"Padding to a longer length with multiple-digit integer fills with first digit":
"Padding to a longer length with negative integer fills with -":
leftpad("foobar", 8, -42) === "--foobar",
"Padding a non-string uses string representation":
leftpad(4.2, 5, 0) === "004.2",
}

toMap = object => new Map(Object.entries(object))
format = (proposition, ok) =>
proposition.fontcolor(ok ? "green" : "red") + "<br>"
present = truths =>
toMap(truths).forEach(
(ok, proposition) => write(format(proposition, ok)))
present(truths)

Padding an empty string to a length of 0 results in an empty string
Padding a non-empty string to a shorter length results in the same string
Padding a non-empty string to a negative length results in the same string
Padding a non-empty string to its length results in the same string
Padding to a longer length with a single character fills to the left
Padding to a longer length with surplus characters fills using only first
Padding to a longer length with an empty string fills with space
Padding to a longer length with no specified fill fills with space
Padding to a longer length with integer 0 fills with 0
Padding to a longer length with single-digit integer fills with digit
Padding to a longer length with multiple-digit integer fills with first digit
Padding to a longer length with negative integer fills with -
Padding a non-string uses string representation

Testing Is the
Engineering
Rigor of Software
Development
Neal Ford

POUT
TDD Test-
Driven
Development

POUT
TDD
DDT
Defect-
Driven
Testing

Simple Testing Can Prevent
Most Critical Failures
An Analysis of Production Failures in
Distributed Data-Intensive Systems
https://www.usenix.org/system/files/conference/osdi14/osdi14-paper-yuan.pdf

Almost all catastrophic failures
are the result of incorrect
handling of non-fatal errors
explicitly signalled in software.

A majority of the production
failures (77%) can be
reproduced by a unit test.

Code as Risk

More Related Content

What's hot (20)

Similar to Code as Risk (20)

More from Kevlin Henney (20)

Recently uploaded (20)

Code as Risk