With legacy code dealing with get rid of the stubborn vulnerability of the simple way-vulnerability warning-the black bar safety net

2014-09-23T00:00:00
ID MYHACK58:62201453955
Type myhack58
Reporter 佚名
Modified 2014-09-23T00:00:00

Description

It turns out that with legacy code dealing not necessarily need to spend a few days to study the obscure comment. To find and fix _ vulnerability_, developers can use simple testing tools to the problem of unraveling it.

With legacy code dealing will be more difficult, especially if the code is determined by a bit do not know the name of the programmer with a familiar language. But according to Mob Programming R Jason Kerney and Llewellyn Falco of the argument, the legacy application in the bug is that you can relatively quickly find and repair, this procedure only requires a number of fairly straightforward techniques.

“I usually have no chance to understand(legacy)code, so I have to come up with a way in don't understand the case continue to work,”Falco said.

In Orlando held at the Agile2014 of a seminar, Falco and Kerney shows they do not need too much research of the legacy code in the case of finding and patching vulnerabilities capacities. The seminar's theme is legacy code disposal, two-bit programmers to effectively with legacy code dealing than for cut Mango. Mango meat is the important code. The rest of the skin or Core. They give their technology a popular name:“peeled and diced”in.

Peeled and diced law is the principle of narrowing the focus until the To check the code is associated with a specific vulnerability directly related. Falco explained how from the outside to start the layers peeled off until the important code. Kerney showed how in the presence of suspicious code in the cut. This is the case, you can easily see where out of the question, know how to fix.

Use cases

They used a hypothetical financial applications to be demonstrated, the application to existing records the additional information from time to time produce several new records. Substantially is if“Joe”has 3 separate loans, legacy code will be for him to generate 3 separate records, each loan article. The application should have given Joe the original of that record is added to the loan.

Discussion of legacy applications assumptions are made in the Czech Republic outsourced software team to write, now this team has ceased to exist, and therefore nobody can for code explanation. In this contemplated case, there is no way you can easily access the database itself, so there is no way through the library to get to know.

It is difficult to decipher legacy code sample

The only know variable is the code executed when expected should do something, as well as the Code of the actual implementation. Falco and Kerney said, the only use of this information, they can determine the legacy code where the problem is and fix the problem.

Code separation

Stripping the Code of technical requirements Put a hard code and the important code separation. The basic plan is to put a complex method into two parts. The first part contains the hard code, The second part contains is we want to understand the code. Then put the important code analysis is taken out as the second method, other code segments treated.

[1] [2] [3] next