Exercise from Jumping into C++ triggers trojan alert

**droseman** · 04-24-2014

Hello,

I am working through Alex's excellent book, and while doing one of the practice exercises in the 'if statement' chapter which involved modifying a given password checker program

Code:

#include <iostream>
#include <string>
using namespace std;
int main ()
{
string password;
cout << "Enter your password: " << "\n";
getline( cin, password, '\n' );
if ( password == "xyzzy" )
{
cout << "Access allowed" << "\n";
}
else
{
cout << "Bad password. Denied access!" << "\n";
// returning is a convenient way to stop the program
return 0;
}
// continue onward!
}

When I built my modified code, my Kaspersky AV program quarantined it, claiming that it contained a trojan, is it possible that some content of the code has caused this, since the original did not throw this warning?

Code:

#include<iostream>
#include<string>


int main()
{
    std::string uname;
    std::string password;


    std::cout << "Enter your username: " << "\n";
    std::getline( std::cin, uname, '\n');
    std::cout << "Enter your password: " << "\n";
    std::getline( std::cin, password, '\n');


    if(uname == "david" || password == "xyzzz")
    {
        std::cout << "Access granted Dave!" << "\n";
    }


    else if(uname == "claire" || password == "xyxyx")
    {
        std::cout << "Access granted Claire!" << "\n";
    }
    else
    {
        std::cout << "Access Denied!" << "\n";
        return 0;
    }
}

Thank you
Dave

**grumpy** · 04-24-2014

Well, yeah, it is possible your code caused it.

Security suites scan programs for code and data that is used by malicious software, and checking usernames and passwords against various strings is a pretty common action for such software - with the number of such malicious programs around, it's not terribly surprising that one uses a pattern like you have.

As you have written it (hard-coded checks of particular usernames and passwords) it looks like code that would be used to implement a simple hard-coded back door into a system. That would raise my eyebrows in a code review, even if it didn't trigger security software, since (outside learning exercises, where it is understandable) such code is rarely written for benign purposes.

On your program itself, I'd probably check that the username is correct AND they have entered the correct password in order to grant access, not one or the other.

If you're sure your program is not a problem (and looking at the code, it is not - as it stands, anyway) then configure your AV to overlook it. Bear in mind that it might still be detected as a problem on other machine.

**droseman** · 04-24-2014

Thanks for your speedy and detailed response, I can now see why this exercise might look unusual for an AV program, as you correctly pointed out, this is a learning exercise on the use of if constructions.

I would assume that in more realistic code, there would be some sort of lookup list elsewhere of allowed combinations which were checked using a loop instead of being hard-coded.

Originally Posted by grumpy

On your program itself, I'd probably check that the username is correct AND they have entered the correct password in order to grant access, not one or the other.

That's a very good point, I hadn't realised the flaw in my logic.

Dave

**Elysia** · 04-25-2014

Well, in reality, the password would most likely be stored in encrypted form in a database somewhere. The program would then run a query on the database to find the password for the given user (if such a user exists) and then encrypt the entered password and compare to the one in the database.
Of course, for programs that really require top-notch security, the program would try to ensure that both the path where the username is invalid and valid would take the same amount of clock cycles, and of course, simply say "invalid username or password." That way, a hacker cannot tell if the username is valid or not.
Sensitive information such as passwords, usernames, etc are never stored inside the executable itself. This information is stored away in some secure portion of the system that is more heavily guarded.

**whiteflags** · 04-25-2014

Of course, for programs that really require top-notch security, the program would try to ensure that both the path where the username is invalid and valid would take the same amount of clock cycles, and of course, simply say "invalid username or password." That way, a hacker cannot tell if the username is valid or not.

That sounds like a fancy way of saying that there should be only one code path in authentication. In order to "to ensure that both the path where the username is invalid and valid would take the same amount of clock cycles" doesn't that mean that you always hash the password input regardless of how valid anything else is?

**Elysia** · 04-25-2014

Originally Posted by whiteflags

...doesn't that mean that you always hash the password input regardless of how valid anything else is?

Maybe, but also consider the time it takes to search the database and comparing the passwords, and then whatever else you need to do to actually grant access. Sure, always hashing the password would probably be a good idea, but I don't think it's enough. I don't have any experience or education in such high security fields, so I cannot really say more than that.
And if you want to be even more cautious, you have to ensure that regardless of the path you take, the same amount of energy is consumed. This is important in embedded chips like SIM cards.

Thread: Exercise from Jumping into C++ triggers trojan alert

Thread Tools

Search Thread

Display

Exercise from Jumping into C++ triggers trojan alert

Similar Threads

Uart interrupt triggers after one keystroke

solution：jumping into c++ chapter 7 exercise 1 (turn numbers into English text)

Can't get rid of a Trojan

Trojan?