
Thread: Android Operating System: One Potential Vulnerability per 4000 Lines of C++ Code

  1. #1


    For many years, Andrey Karpov has been publishing articles on code quality and bug reviews of open source projects. For example, he is the author of such publications as "42 recommendations on programming" and "27 000 Errors in the Tizen Operating System".

    Recently, the open source Android operating system has become of interest to him. He researched the part of the operating system code that is written in the C and C++ languages. After that, he came to the conclusion that always follows such research: human error is always possible. By using the PVS-Studio tool, it becomes possible to detect at least one security defect (potential vulnerability) per 4000 lines of code.

    Android code is of high quality and is well tested. However, no matter how carefully people write and test the code, the probability that an error will go unnoticed is very high. Static and dynamic code analysis tools can cover for developers. In this case, the PVS-Studio SAST static analysis tool for application security was used to find defects.

    Sure, no matter which supporting tools you use, there is no guarantee that errors and vulnerabilities will not remain in the code. However, their number can be significantly reduced even at the code writing stage.

    Let's see the example of one security defect found in the Android code.

    Qt Code:
        static void FwdLockGlue_InitializeRoundKeys() {
            unsigned char keyEncryptionKey[KEY_SIZE];
            ....
            memset(keyEncryptionKey, 0, KEY_SIZE); // Zero out key data.
        }

    An array keyEncryptionKey is created on the stack and stores private information. At the end of the function, the developer wants to fill this array with zeros so that it does not accidentally end up somewhere it should not. The following article tells about the way the information can get somewhere it shouldn't be: "Overwriting memory - why?".

    To fill an array storing private information with zeros, the developer uses the memset function. The comment "Zero out key data" confirms that we understand everything correctly.

    A potential vulnerability lies in the fact that, with very high probability, the compiler will remove the call to memset when building the release version. Since the buffer is not used after the call to memset, the call is superfluous from the compiler's point of view.

    We have before us a classic security defect, classified according to the Common Weakness Enumeration as CWE-14: Compiler Removal of Code to Clear Buffers. The fewer such errors there are, the more difficult it is to find and exploit a vulnerability in the system. In other words, the smaller the number of CWE bugs in the code, the fewer of them can become CVEs under certain circumstances.

    If you are interested in this topic, we suggest reading the full text of the article by Andrey Karpov: We Checked the Android Source Code by PVS-Studio, or Nothing is Perfect

    Enjoy the reading!
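The following is an added example illustrating the CWE-14 pattern described in the post; it is not code from the page, from Andrey Karpov's article, or from the Android source. It places a function with the same shape as the Android snippet (a stack key buffer wiped with a plain memset that nothing reads afterwards) beside a hardened form whose wipe cannot be dropped by dead-store elimination, because every store goes through a volatile-qualified pointer (or, alternatively, through a volatile function pointer to memset, so the optimizer cannot see what is being called). KEY_SIZE = 16, the sample key bytes, and all function names (secure_memzero, round_keys_vulnerable, fold_key, and so on) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_SIZE 16   /* assumed for this example; the Android constant is not shown on the page */

/* Zeroing that survives dead-store elimination: every byte is written through
 * a volatile-qualified pointer, so the compiler must emit each store even
 * though it can prove the buffer is never read again. */
void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) {
        *vp++ = 0;
    }
}

/* Equivalent alternative: route memset through a volatile function pointer.
 * The optimizer cannot know which function will be called, so the call stays. */
static void *(*volatile memset_volatile)(void *, int, size_t) = memset;
void secure_memzero_fnptr(void *p, size_t n) {
    memset_volatile(p, 0, n);
}

/* Constant-time "is this buffer all zero" check. OR-accumulating avoids an
 * early exit that would leak the position of the first non-zero byte. */
int is_zeroed(const unsigned char *p, size_t n) {
    unsigned char acc = 0;
    for (size_t i = 0; i < n; i++) {
        acc |= p[i];
    }
    return acc == 0;
}

/* Hypothetical stand-in for "use the key": fold it into one byte by XOR. */
static unsigned char fold_key(const unsigned char *k, size_t n) {
    unsigned char x = 0;
    for (size_t i = 0; i < n; i++) {
        x ^= k[i];
    }
    return x;
}

/* Constructed sample key (the FIPS-197 example key), used only as test input. */
static const unsigned char SAMPLE_KEY[KEY_SIZE] = {
    0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6,
    0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c
};

/* CWE-14 pattern, shaped like the Android snippet: the final memset writes to
 * a stack buffer that is never read again, so an optimizing compiler is free
 * to drop the call and leave the key bytes behind in the dead stack frame. */
unsigned char round_keys_vulnerable(const unsigned char *key_in) {
    unsigned char keyEncryptionKey[KEY_SIZE];
    memcpy(keyEncryptionKey, key_in, KEY_SIZE);
    unsigned char r = fold_key(keyEncryptionKey, KEY_SIZE);
    memset(keyEncryptionKey, 0, KEY_SIZE); /* dead store: may be optimized away */
    return r;
}

/* Hardened form: identical logic, but the wipe is one the compiler must keep. */
unsigned char round_keys_hardened(const unsigned char *key_in) {
    unsigned char keyEncryptionKey[KEY_SIZE];
    memcpy(keyEncryptionKey, key_in, KEY_SIZE);
    unsigned char r = fold_key(keyEncryptionKey, KEY_SIZE);
    secure_memzero(keyEncryptionKey, KEY_SIZE); /* volatile stores are not elided */
    return r;
}

/* Self-check: both wipe routines must leave a copy of the key all-zero.
 * Returns 1 on success, 0 otherwise. */
int self_check(void) {
    unsigned char a[KEY_SIZE], b[KEY_SIZE];
    memcpy(a, SAMPLE_KEY, KEY_SIZE);
    memcpy(b, SAMPLE_KEY, KEY_SIZE);
    secure_memzero(a, KEY_SIZE);
    secure_memzero_fnptr(b, KEY_SIZE);
    return is_zeroed(a, KEY_SIZE) && is_zeroed(b, KEY_SIZE);
}

int main(void) {
    /* Both variants compute the same result; only the wipe differs. */
    int ok = self_check() &&
             round_keys_vulnerable(SAMPLE_KEY) == round_keys_hardened(SAMPLE_KEY);
    return ok ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. First, whether the plain memset in round_keys_vulnerable is actually removed can only be confirmed by inspecting the generated code (for example, compiling with `gcc -O2 -S` and looking for the store sequence or the memset call), because reading the dead stack frame from C after the function returns is undefined behaviour and no in-language test can observe it. Second, the volatile technique only guarantees the stores to the array happen; copies of the key in registers, spill slots, or other temporaries are outside its reach. Where the platform offers a dedicated primitive, prefer it: explicit_bzero on glibc 2.25+ and the BSDs, memset_s from C11 Annex K on libraries that implement it, and SecureZeroMemory on Windows.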

  2. #2
    Join Date
    Dec 2017

    Re: Android Operating System: One Potential Vulnerability per 4000 Lines of C++ Code

    I'm glad I've found this. It's the missing half I needed. I gather all the bloggers like Andrey to make the greatest news feed from the developers of this skill and level. And I've noticed a tendency. There's an enormous number of bloggers and developers like Andrey from Russia. The one I've found just a few days ago is Sergey Shalom, check out his page. Though he gives a bit different perspective on the subject. The spotlight there is more on an entrepreneurial side of development. Hope it helps!
