Actionary

A man is valued by his works, not his words!

Bee Watcher

While chatting with Terry a while ago, he mentioned a story called the Bee Watcher, which I found rather interesting. The story goes like this: a farmer wanted to raise his honey output, so on the advice of a senior consultant he hired a Bee Watcher, whose job was to supervise the bees collecting nectar and thereby increase production. In reality, the bees did not change how they gathered nectar just because a Bee Watcher was there; they went on as before, flying busily from one flower to the next. After a year, output had not risen. The farmer concluded that this was because the Bee Watcher had not watched hard enough, so he hired a Bee Watcher Watcher to supervise the Bee Watcher's work. But with a Bee Watcher Watcher in place, the Bee Watcher kept staring at the busy bees just as diligently as before; he did not open his eyes any wider because of the Bee Watcher Watcher. Another year passed, and honey output still had not risen. Analysing the cause, the farmer concluded that the Bee Watcher Watcher had not been diligent enough in supervising the Bee Watcher supervising the bees, so he hired a Bee Watcher Watcher Watcher to supervise the Bee Watcher Watcher supervising the Bee Watcher supervising the bees. Year after year there were more and more Bee Watcher Watcher ….. Watchers; output never rose, while production cost grew higher every year.


picture from The Bee Watcher - The Art of Dr. Seuss

I like this story a lot, not because of the tongue-twister role names, but because it let me discover the Bee Watchers hiding around us. We define a Process and expect it to greatly improve our development situation, but find the result unsatisfactory. The reason may be that the Process is not being followed properly, so we define more Processes to make sure our Process is better executed. Isn't that a Bee Watcher? Have you spotted one? Please tell me about more Bee Watchers in the Comments; for me that would certainly be a nice harvest. :\

Exception Has Been Normal

My friend Simon told me that he wanted to buy some instant coffee or ice cream in the supermarket, but found that all of them contained one ingredient: non-dairy creamer (植脂末). This ingredient is used to make the drink smoother; it is a replacement for milk, but it is bad for human health. Anyway, it is better than melamine (三聚氰胺). Nowadays it is hard to find instant coffee without non-dairy creamer in China.

Another story I heard: a government department named the “temporary emergency processing center for sewer well covers” (窨井盖临时应急处理中心) is hiring a permanent officer. From the government's point of view, this department will always exist even though its name includes “temporary”, because they always have to handle “temporary” and “emergency” issues. But as far as I know, sewer well covers should be managed by the municipal administration.

The third story is restricting cars to solve traffic jams: if the last digit of your car's license plate is 1 or 9, your car is banned from the road on Monday; 2 or 8 is banned on Tuesday, and so on…. This was a temporary solution to the traffic jam problem, but it is now becoming the final solution, which is normal for an administrative department.

So we can learn from these stories: once a problem happens, a temporary solution comes, which in programming we call a “workaround”. There is no further analysis, so the temporary solution acts as the final solution and the workaround acts as the fix. Once another problem happens, another temporary solution comes, or another “workaround” is used. One workaround is used to solve the problem of another workaround, and yet another workaround is used to solve the problem that one causes….

But why? I often ask myself and my colleagues this question. It might be caused by laziness; yes, that is one reason. But another issue in government administration is that a temporary solution can solve some employment problems, so more officer positions are requested even when they are not needed. In software programming it is the same: more workarounds mean more maintenance is needed, and more engineers are needed. But all of us forget one thing: find the root cause and fix it.

If exception has become normal, and the people around you use workarounds to solve the problems of other workarounds, it means the situation around you has become worse; you need to consider quitting, unless you can solve it. :\

Take Care of Your Integer Variables

We produce telecom equipment that is deployed as infrastructure for telecommunication, the internet and so on, so the product requires high stability and high security. We would not like to see a 911 phone call become unreachable because of our software bug, or a financial exchange get stuck because of a networking problem caused by our software bug.

I recall that one day Erno Jeges (a secure coding expert) told us: you have to care for your code as you care for your baby, otherwise you don't know what your baby will become. So we have to deal with software security carefully: buffer overflows, format strings, integer overflows and so on. I am not an expert in this area, but I notice that at least we have to take care of our integer variables first, since the C/C++ languages handle integers in a very dangerous manner. There is:

  • No overflow exception
  • No run-time detection if a negative integer is converted to an unsigned value
  • No checks whether a larger integer value is put into a shorter variable

That is why one integer multiplied by another integer can hide in our source code and lead the software to a fiery crash. Of course, sometimes we can rely on static analysis tools such as Klocwork or cppcheck, but not every problem can be filtered out by a tool; humans must participate in the process of software creation. For these reasons, a programmer writing in C/C++ must deal carefully with the calculation and conversion of integer variables, and this should be basic knowledge for any C/C++ programmer. That is why I play Longevity Monk from A Chinese Odyssey here.


It's time to start the puzzle game. Please spot the bomb hidden inside the code; let's look at this code snippet:

#include <string.h>

/* Puzzle 1: the bound check does not consider every value len can take. */
int copy(char *src, int len)
{
    char dest[50];
    if (len > 50) {
        return -1;
    }
    memcpy(dest, src, len);
    //TODO: use dest here

    return 0;
}

Could you tell me whether there is any problem, if you stop here and do not plan to read the rest of this post? Of course there is a big problem once a negative value is passed in the parameter len. For example, if we pass len as -1, the check passes and the program reaches memcpy(dest, src, len); -1 is cast to the unsigned value 0xffffffff, which leads to a segmentation fault. This problem is called a signedness bug.

Okay, let's look at another code snippet:

#include <string.h>

/* Puzzle 2: the bound check trusts the sum of two caller-supplied lengths. */
int append(char *str1, char *str2, unsigned int len1, unsigned int len2)
{
    char dest_buf[64];
    if ((len1 + len2) > 64) {
        return -1;
    }
    memcpy(dest_buf, str1, len1);
    memcpy(dest_buf + len1, str2, len2);
    //TODO: dest_buf usage can be added here

    return 0;
}

How about this one, is there any problem? If len1 is a huge number, len1 + len2 can overflow to a small number. For example, len1 = 4294967198 and len2 = 100 give len1 + len2 = 4294967298 (0x100000002), which does not fit in a 32-bit unsigned int and wraps to 2, so the check passes. We call this problem an arithmetic overflow.

One more; this one will be easy to spot with the previous experience:

#include <stdio.h>
#include <string.h>

/* Puzzle 3: len is checked only after being copied into a shorter type. */
int copy(char *src, int len)
{
    unsigned short s;
    char buf[80];
    s = len;
    if (s >= 80) {
        printf("string is too long!\n");
        return -1;
    }
    memcpy(buf, src, len);
    buf[len] = '\0';
    return 0;
}

If len is 65535, s will be 0, so the check passes and memcpy causes a segmentation fault; we call this a width integer overflow (truncation). So here we would like to highlight the ranges of the integer types; we believe a professional programmer can deal with them well.


And now it's time to review your own source code: is there any similar problem? Have you grouped the integer calculations in some centralized place rather than spreading them everywhere in your program? Do you clearly understand whether the variable you are using is 2 bytes, 4 bytes or 8 bytes? Signed or unsigned?

Be careful! :\

(Knowledge I learned from Computer Systems: A Programmer's Perspective, with the mindset emphasized in the secure coding course. If you have forgotten it, I hope this post reminds you to pick your book up.)