"All the conclusions above indicate a rather professional team of developers, which appear to be reusing older code written by top "old school" developers. Such techniques are normally seen in professional software and almost never in today's malware. Once again, these indicate that Duqu, just like Stuxnet, is a "one of a kind" piece of malware which stands out like a gem from the large mass of "dumb" malicious programs we normally see."
What Mr. Soumenkov is commenting on is the use of Object Oriented C (OOC) techniques in the Duqu Worm. The Duqu Worm looks for information that could be useful in attacking industrial control systems. What I find odd is that the comment suggests the people working to decode Duqu have no experience in the Embedded Systems space, where OOC techniques are common (they did not recognize the technique and, to their credit, asked the Internet community for help in identifying it). To me it just makes sense that to attack hardware you would have people with hardware experience writing the attack. Why does that make such code 'old-school'? Continuing Mr. Soumenkov's comment:
Having spoken to some of the people who prefer such techniques, they gave two main reasons for it:
- They don't trust C++ compilers; these are usually people who started programming in the old days, when assembler was the top choice. C was a direct evolutionary step over assembler and quickly became a standard. When C++ was published, many old school programmers preferred to stay away from it because of distrust in memory allocation and other obscure language features which cause indirect execution of code (for instance, constructors).
- Extreme portability. Once again, in the old days (10-12 years ago) C++ was not entirely standardized and it was possible to have C++ code that would compile with MSVC but would not compile with (say) Watcom C++. If you wanted to go for extreme portability and target every existing platform out there, you'd go with C.
Both reasons appear to indicate the code was written by a team of experienced, "old-school" developers.
...The event-driven architecture was developed as a part of the Duqu Framework or its OO C extension...
There are these Object Oriented C frameworks, among others I'm sure:
SOO is particularly similar to the OOC framework used in Duqu, but it was created too late to be the one used in Duqu.
So is your Embedded System code 'old-school' because it is Event Driven Object Oriented C, or is your code that way because that makes for efficient embedded code that is easy to maintain and adapt quickly?
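To make concrete what "Object Oriented C" and "event-driven" mean in the quoted analysis, here is an added example of the pattern as it is commonly written for embedded targets. It is illustrative code written for this post, not code from Duqu, from Kaspersky's analysis, or from any of the frameworks named above; the class name `counter`, the event types and the queue size are assumptions chosen for the demonstration. Each object begins with a pointer to a table of function pointers (the hand-rolled equivalent of a C++ vtable), a constructor fills in that pointer and the fields, and a ring-buffer event queue is drained by a dispatch loop that calls every object's virtual handler. The vtable pointer as the first field and the "constructor" that stores it are exactly the "indirect execution of code" features an analyst sees when disassembling such binaries; for a defender or reverser, recognising that first-field pointer is what turns an opaque blob of calls through registers into a readable class hierarchy. No heap is used, and the queue reports when it is full rather than silently overwriting, the failure mode embedded code must handle explicitly.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Event types a handler may receive (assumed for this demo). */
enum event_type { EV_START = 1, EV_TICK = 2, EV_STOP = 3 };

struct event {
    enum event_type type;
    int payload;
};

struct object;

/* "Virtual method table": one struct of function pointers per class. */
struct vtable {
    const char *class_name;
    void (*handle)(struct object *self, const struct event *ev);
    void (*destroy)(struct object *self);
};

/* Base "class": every object starts with a pointer to its vtable. */
struct object {
    const struct vtable *vt;
};

/* Derived "class": base object first, so a cast to struct object is valid. */
struct counter {
    struct object base;
    int ticks;
    int running;
};

static void counter_handle(struct object *self, const struct event *ev) {
    struct counter *c = (struct counter *)self;   /* downcast from the base */
    switch (ev->type) {
    case EV_START: c->running = 1; break;
    case EV_TICK:  if (c->running) c->ticks += ev->payload; break;
    case EV_STOP:  c->running = 0; break;
    }
}

static void counter_destroy(struct object *self) {
    memset(self, 0, sizeof(struct counter));      /* scrub the object's storage */
}

static const struct vtable counter_vt = { "counter", counter_handle, counter_destroy };

/* Constructor: initialises caller-provided storage (no heap, typical for embedded code). */
void counter_init(struct counter *c) {
    c->base.vt = &counter_vt;
    c->ticks = 0;
    c->running = 0;
}

/* Fixed-size ring buffer of pending events; the size is an assumption for the demo. */
#define QUEUE_SIZE 8
struct event_queue {
    struct event items[QUEUE_SIZE];
    size_t head, tail, count;
};

void queue_init(struct event_queue *q) { q->head = q->tail = q->count = 0; }

/* Returns 1 on success, 0 if the queue is full: the caller must decide what to do with the drop. */
int queue_push(struct event_queue *q, struct event ev) {
    if (q->count == QUEUE_SIZE) return 0;
    q->items[q->tail] = ev;
    q->tail = (q->tail + 1) % QUEUE_SIZE;
    q->count++;
    return 1;
}

int queue_pop(struct event_queue *q, struct event *out) {
    if (q->count == 0) return 0;
    *out = q->items[q->head];
    q->head = (q->head + 1) % QUEUE_SIZE;
    q->count--;
    return 1;
}

/* Dispatch loop: drains the queue, calling each object's virtual handler. Returns events handled. */
int dispatch_all(struct event_queue *q, struct object **objs, size_t nobjs) {
    struct event ev;
    int handled = 0;
    while (queue_pop(q, &ev)) {
        for (size_t i = 0; i < nobjs; i++)
            objs[i]->vt->handle(objs[i], &ev);   /* indirect call through the vtable */
        handled++;
    }
    return handled;
}

/* Worked run: start, two ticks, stop, then a tick that must be ignored. Returns the tick total. */
int run_demo(void) {
    struct counter c;
    struct event_queue q;
    struct object *objs[1];
    counter_init(&c);
    queue_init(&q);
    objs[0] = &c.base;
    queue_push(&q, (struct event){ EV_START, 0 });
    queue_push(&q, (struct event){ EV_TICK, 5 });
    queue_push(&q, (struct event){ EV_TICK, 7 });
    queue_push(&q, (struct event){ EV_STOP, 0 });
    queue_push(&q, (struct event){ EV_TICK, 100 });
    dispatch_all(&q, objs, 1);
    int result = c.ticks;
    c.base.vt->destroy(&c.base);                 /* virtual destructor call */
    return result;                               /* 12: the tick after EV_STOP is ignored */
}

/* Overflow path: push one more event than the ring holds. Returns how many were accepted. */
int queue_fill_demo(void) {
    struct event_queue q;
    int accepted = 0;
    queue_init(&q);
    for (int i = 0; i < QUEUE_SIZE + 1; i++)
        accepted += queue_push(&q, (struct event){ EV_TICK, i });
    return accepted;                             /* 8: the ninth push is rejected */
}

int main(void) {
    printf("ticks counted: %d\n", run_demo());
    printf("events accepted before overflow: %d\n", queue_fill_demo());
    return 0;
}
```

Compile with any C99 compiler (`cc -std=c99 ooc_demo.c`). The `counter_handle` and `counter_destroy` functions are `static` and reached only through `counter_vt`, which is the property that makes such code look unusual to someone expecting direct calls: the call targets live in a data table, not in the instruction stream.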