Cruisers Forum
24-10-2019, 03:49   #1
Registered User
Join Date: Mar 2018
Location: SW UK
Boat: Moody 44
Posts: 86
Verified Super Clean Code

Hi,

The first bullet point on the OpenCPN website's about page (https://opencpn.org/OpenCPN/info/about.html) is this: "Verified Super Clean Code".

There are plenty of opinions and books on the subject of "clean code" but I'm not aware that there is a formal standard as such.

What does it mean in the context of OpenCPN? And how is it "verified"?

I'm interested because I've been asked to give a talk on OpenCPN (I'm an enthusiastic user) and I'd like to discuss OpenCPN's fitness for purpose. The main argument in favour is the active nature of OpenCPN's development, the number of satisfied users and the swift fixes to bugs. But I'd also like to explore whatever is behind the verified super clean code claim.

Many thanks,

John
JohnGC is offline
24-10-2019, 05:21   #2
Marine Service Provider
Join Date: Mar 2008
Posts: 7,487
Re: Verified Super Clean Code

John...


In our context, this means that the code has been checked and verified by:
https://www.virustotal.com


From Wikipedia:
"VirusTotal aggregates many antivirus products and online scan engines[4][5] to check for viruses that the user's own antivirus may have missed, or to verify against any false positives.[6] Files up to 550 MB can be uploaded to the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal for dynamic analysis of malware uses Cuckoo sandbox.[7] VirusTotal was selected by PC World as one of the best 100 products of 2007.[8]"


Thanks for supporting OpenCPN.
If you send us details on your talk, perhaps we can make a news item about it for the website...


Dave
bdbcat is offline
24-10-2019, 05:41   #3
Registered User
Join Date: Mar 2018
Location: SW UK
Boat: Moody 44
Posts: 86
Re: Verified Super Clean Code

Hi Dave,

Thanks for the quick reply.

What you say makes sense and I'd been thinking along different lines. To an embedded programmer such as myself, "clean code" is a bit of a catch-all phrase for clearly written, tested, version-controlled and documented code. Often it includes a "style" standard.

For OpenCPN "clean" means free of malware; also a very good thing!

The talk isn't until February 2020; it will only be a 15-minute introduction to OpenCPN plus a hands-on demo table during the tea breaks.

Cheers,

John
JohnGC is offline
24-10-2019, 06:11   #4
Registered User
Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,547
Re: Verified Super Clean Code

Quote: Originally Posted by bdbcat
John...
In our context, this means that the code has been checked and verified by:
https://www.virustotal.com
From Wikipedia:
"VirusTotal aggregates many antivirus products and online scan engines[4][5] to check for viruses that the user's own antivirus may have missed, or to verify against any false positives.[6] Files up to 550 MB can be uploaded to the website, or sent via email (max. 32MB). Anti-virus software vendors can receive copies of files that were flagged by other scans but passed by their own engine, to help improve their software and, by extension, VirusTotal's own capability. Users can also scan suspect URLs and search through the VirusTotal dataset. VirusTotal for dynamic analysis of malware uses Cuckoo sandbox.[7] VirusTotal was selected by PC World as one of the best 100 products of 2007.[8]"
Thanks for supporting OpenCPN.
If you send us details on your talk, perhaps we can make a news item about it for the website...
Dave
This statement is extremely misleading!
OpenCPN might connect by itself to the internet and can be infected with malware without the knowledge of the user. VirusTotal might have been a nice product in 2007 (see above), but now we are in 2019! Wake up, guys, and stop dreaming. Depending on which type of operating system OpenCPN is running on, it is an open hole with several weak points like dead code, memory leaks and other things. Connected to the internet and running OpenCPN, your computer might be captured!
CarCode is offline
24-10-2019, 06:38   #5
Registered User
Join Date: Oct 2011
Boat: Valiant 42
Posts: 6,008
Re: Verified Super Clean Code

Quote: Originally Posted by CarCode
This statement is extremely misleading!
OpenCPN might connect by itself to the internet and can be infected with malware without the knowledge of the user. VirusTotal might have been a nice product in 2007 (see above), but now we are in 2019! Wake up, guys, and stop dreaming. Depending on which type of operating system OpenCPN is running on, it is an open hole with several weak points like dead code, memory leaks and other things. Connected to the internet and running OpenCPN, your computer might be captured!
The code is open source and you can easily read it, therefore you should be able to point to a specific example of such a vulnerability. More importantly, if you find such a vulnerability you can submit a correction to github.

But I already know you have found no such vulnerability because you have not made any attempt to offer a solution to the github source code.
transmitterdan is offline
24-10-2019, 17:51   #6
Registered User
Join Date: Aug 2009
Location: oriental
Boat: crowther trimaran 33
Posts: 4,425
Re: Verified Super Clean Code

I would look for anywhere opencpn downloads code then executes it, such as upgrading the software. Do any plugins do this? It would be possible to use a man-in-the-middle attack here, maybe.
seandepagnier is offline
24-10-2019, 18:25   #7
Registered User
Join Date: Oct 2011
Boat: Valiant 42
Posts: 6,008
Re: Verified Super Clean Code

Quote: Originally Posted by boat_alexandra
I would look for anywhere opencpn downloads code then executes it, such as upgrading the software. Do any plugins do this? It would be possible to use a man-in-the-middle attack here, maybe.
The simplest vector would be a malicious DLL placed in the plugins folder. It would be possible to convince O to load and execute a malicious DLL. But O doesn’t have a plugin downloader/installer.
transmitterdan is offline
25-10-2019, 15:24   #8
Registered User
Join Date: Mar 2011
Posts: 729
Re: Verified Super Clean Code

Given that OpenCPN is an “open” system, meaning that it accepts unverified data from many sources, I don’t think anyone could assert that OpenCPN is “secure”.

In addition to its ability to load a plugin which may or may not be “safe”, it accepts data from freely downloaded charts, icons and NMEA inputs, any of which could be crafted to exploit vulnerabilities such as buffer overflows etc.

I doubt if anyone has developed a threat model, implemented mitigations or adopted secure coding standards, let alone undertaken penetration testing for OpenCPN.
stevead is offline
25-10-2019, 23:46   #9
Registered User
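The NMEA input concern raised in the post above is the kind of untrusted-data boundary a threat model would flag first. As an added illustration (example code written for this page, not OpenCPN's own parser), here is a fail-closed NMEA 0183 sentence validator: it enforces the 82-character line limit, printable ASCII, a mandatory "*hh" checksum and a constructed cap of 32 fields before any field reaches downstream parsing. The `nmea_guard` namespace, the field cap and the sample sentences are assumptions made for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

namespace nmea_guard {
// NMEA 0183 allows 82 characters including the leading '$' and CRLF,
// so 80 remain once the line ending is stripped.
constexpr std::size_t kMaxLen = 80;
// Constructed cap so a hostile sentence cannot drive unbounded work
// downstream; the standard itself sets no field count.
constexpr std::size_t kMaxFields = 32;
inline int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') c -= 'a' - 'A';                // fold to upper case
    return (c >= 'A' && c <= 'F') ? c - 'A' + 10 : -1;
}

// Validate one sentence and split its fields. Fails closed: oversized,
// non-printable, unframed or checksum-mismatched input is rejected
// before any downstream parser touches it. The "*hh" checksum is required.
inline bool validate(std::string s, std::vector<std::string>& fields) {
    fields.clear();
    while (!s.empty() && (s.back() == '\r' || s.back() == '\n')) s.pop_back();
    if (s.size() < 4 || s.size() > kMaxLen) return false;
    if (s[0] != '$' && s[0] != '!') return false;
    for (unsigned char c : s)
        if (c < 0x20 || c > 0x7E) return false;              // printable ASCII only
    const std::size_t star = s.find('*');
    if (star == std::string::npos || star + 3 != s.size()) return false;
    const int hi = hexval(s[star + 1]), lo = hexval(s[star + 2]);
    if (hi < 0 || lo < 0) return false;
    std::uint8_t cs = 0;                                     // XOR of bytes between '$' and '*'
    for (std::size_t i = 1; i < star; ++i) cs ^= static_cast<unsigned char>(s[i]);
    if (cs != static_cast<std::uint8_t>(hi * 16 + lo)) return false;
    for (std::size_t start = 1; start <= star;) {            // split body on ','
        std::size_t comma = s.find(',', start);
        if (comma == std::string::npos || comma > star) comma = star;
        fields.push_back(s.substr(start, comma - start));
        if (fields.size() > kMaxFields) { fields.clear(); return false; }
        start = comma + 1;
    }
    return true;
}
// Convenience wrapper: number of fields, or -1 when the sentence is rejected.
inline int field_count(const std::string& raw) {
    std::vector<std::string> f;
    return validate(raw, f) ? static_cast<int>(f.size()) : -1;
}
}  // namespace nmea_guard
```

A constructed sentence such as `$GPGLL,4916.45,N*3B` passes and yields three fields; the same sentence with a wrong checksum, a missing `*hh` trailer, a missing `$`, a control byte, or more than 80 characters is rejected before splitting.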
Join Date: Jul 2010
Location: Hannover - Germany
Boat: Amel Sharki
Posts: 2,547
Re: Verified Super Clean Code

Quote: Originally Posted by stevead
Given that OpenCPN is an “open” system, meaning that it accepts unverified data from many sources, I don’t think anyone could assert that OpenCPN is “secure”.

In addition to its ability to load a plugin which may or may not be “safe”, it accepts data from freely downloaded charts, icons and NMEA inputs, any of which could be crafted to exploit vulnerabilities such as buffer overflows etc.

I doubt if anyone has developed a threat model, implemented mitigations or adopted secure coding standards, let alone undertaken penetration testing for OpenCPN.
Correct!
The only way to be secure is not to connect to an internet network while running OpenCPN.
CarCode is offline