Back to Details

oh-distributed-security-design-review

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

Code Review Skill for OpenHarmony Distributed System Security

Code Review Skill for OpenHarmony Distributed System Security

Overview

Overview

本技能提供OpenHarmony分布式业务安全代码检视的专业指导,包含18条安全设计规则和对应的检视要点。当检视分布式系统代码安全性时,在通用网络安全规则基础上,使用这些规则进行加强检视。
This skill provides professional guidance for security code review of OpenHarmony distributed services, including 18 security design rules and corresponding review points. When reviewing the security of distributed system code, use these rules to enhance the review based on general cybersecurity rules.

Trigger Phrases

Trigger Phrases

  • "检视代码安全实现"
  • "代码安全审查"
  • "安全代码review"
  • "检查这段代码的安全性"
  • "review分布式代码安全"
  • "OpenHarmony安全检视"
  • "Review code security implementation"
  • "Code security audit"
  • "Security code review"
  • "Check the security of this code"
  • "Review distributed code security"
  • "OpenHarmony security review"

Code Review Workflow

Code Review Workflow

Step 1: Understand the Code Context

Step 1: Understand the Code Context

首先理解代码的业务场景和所在模块:
  1. 识别关键模块: 确定代码是否涉及以下模块
    • 分布式设备管理
    • 分布式软总线
    • 其他需要分布式能力的模块
  2. 识别业务类型: 判断是否涉及以下安全敏感业务
    • 设备间认证和授权
    • 用户敏感数据传输
    • 跨设备状态机管理
    • 可信关系管理
    • 硬件资源访问
  3. 确定角色: 识别代码是主体侧(客户端)还是客体侧(服务端)
First, understand the business scenario and module of the code:
  1. Identify key modules: Determine whether the code involves the following modules
    • Distributed device management
    • Distributed soft bus
    • Other modules requiring distributed capabilities
  2. Identify business types: Determine whether it involves the following security-sensitive businesses
    • Inter-device authentication and authorization
    • User sensitive data transmission
    • Cross-device state machine management
    • Trusted relationship management
    • Hardware resource access
  3. Determine roles: Identify whether the code is on the subject side (client) or object side (server)

Step 2: Load Security Rules

Step 2: Load Security Rules

根据代码涉及的业务类型,加载security_rules.md中对应的规则:
快速索引关键词:
  • 跨设备传输 → Rules 3, 8, 15, 17
  • 状态机 → Rule 2
  • 授权/鉴权 → Rules 1, 5, 6, 8, 12
  • PIN码/秘钥 → Rules 3, 8, 9, 10
  • 资源申请 → Rule 4
  • 权限配置 → Rules 7, 13
  • 开关标记 → Rule 14
  • 用户切换 → Rule 16
  • 兼容代码 → Rule 18
Based on the business type involved in the code, load the corresponding rules from security_rules.md:
Quick index keywords:
  • Cross-device transmission → Rules 3, 8, 15, 17
  • State machine → Rule 2
  • Authorization/authentication → Rules 1, 5, 6, 8, 12
  • PIN code/secret key → Rules 3, 8, 9, 10
  • Resource application → Rule 4
  • Permission configuration → Rules 7, 13
  • Switch flag → Rule 14
  • User switching → Rule 16
  • Compatibility code → Rule 18

Step 3: Review Against Security Rules

Step 3: Review Against Security Rules

对每个适用的安全规则,执行以下检视:
  1. 定位相关代码: 使用Grep搜索关键模式
    Grep patterns examples:
- "auth", "authorize", "permission" for authorization checks
- "PIN", "secret", "key" for sensitive data
- "state", "status" for state machine
- "random", "generate" for secret generation
  2. 检查实现细节:
    • 对照规则中的Check points逐项检查
    • 查找潜在的违规模式
    • 识别缺失的安全措施
  3. 记录发现:
    • 标记违规代码位置 (file:line)
    • 说明违反的具体规则
    • 提供修复建议
For each applicable security rule, perform the following reviews:
  1. Locate relevant code: Use Grep to search for key patterns
    Grep patterns examples:
- "auth", "authorize", "permission" for authorization checks
- "PIN", "secret", "key" for sensitive data
- "state", "status" for state machine
- "random", "generate" for secret generation
  2. Check implementation details:
    • Check item by item against the check points in the rules
    • Look for potential violation patterns
    • Identify missing security measures
  3. Record findings:
    • Mark the location of violating code (file:line)
    • Specify the specific rule violated
    • Provide repair suggestions

Step 4: Apply General Security Best Practices

Step 4: Apply General Security Best Practices

除了OpenHarmony特定规则外,还需检查通用安全实践:
  1. 输入验证: 所有外部输入是否经过验证
  2. 错误处理: 敏感操作是否有适当的错误处理
  3. 日志安全: 是否记录了敏感信息
  4. 资源管理: 是否有资源泄漏风险
In addition to OpenHarmony-specific rules, general security practices should also be checked:
  1. Input validation: Whether all external inputs are validated
  2. Error handling: Whether sensitive operations have appropriate error handling
  3. Log security: Whether sensitive information is logged
  4. Resource management: Whether there is a risk of resource leakage

Step 5: Generate Review Report

Step 5: Generate Review Report

生成结构化的安全检视报告,包含:
  1. 执行摘要: 发现的严重安全问题数量和等级
  2. 违规清单: 按严重程度排序的违规项
  3. 规则映射: 每个问题对应的安全规则
  4. 修复建议: 具体的代码修改建议
Generate a structured security review report including:
  1. Executive Summary: Number and severity level of critical security issues found
  2. Violation List: Violations sorted by severity
  3. Rule Mapping: Security rules corresponding to each issue
  4. Repair Suggestions: Specific code modification suggestions

Common Violation Patterns

Common Violation Patterns

Pattern 1: Client-controlled Authorization (违反规则1)

Pattern 1: Client-controlled Authorization (Violates Rule 1)

Bad Example:
cpp
// 客体侧直接使用主体侧传入的标志控制弹框
void handleAuthRequest(bool showPopup) {
    if (!showPopup) {
        // 直接跳过授权弹框
        grantAccess();
    }
}
Correct Approach:
cpp
// 客体侧独立决策是否需要授权
void handleAuthRequest() {
    if (isSystemBusinessAndRegistered()) {
        // 已注册的免授权业务
        grantAccess();
    } else {
        // 默认必须弹框
        showAuthorizationDialog();
    }
}
Bad Example:
cpp
// The object side directly uses the flag passed from the subject side to control the pop-up dialog
void handleAuthRequest(bool showPopup) {
    if (!showPopup) {
        // Skip the authorization pop-up directly
        grantAccess();
    }
}
Correct Approach:
cpp
// The object side independently decides whether authorization is required
void handleAuthRequest() {
    if (isSystemBusinessAndRegistered()) {
        // Registered business exempt from authorization
        grantAccess();
    } else {
        // Pop-up is required by default
        showAuthorizationDialog();
    }
}

Pattern 2: Plaintext Sensitive Data (违反规则3)

Pattern 2: Plaintext Sensitive Data (Violates Rule 3)

Bad Example:
cpp
// 明文传输PIN码
message.pin_code = userPin;
sendToRemote(message);
Correct Approach:
cpp
// 加密后传输
encryptedPin = encryptPin(userPin, sessionKey);
message.encrypted_pin = encryptedPin;
sendToRemote(message);
Bad Example:
cpp
// Transmit PIN code in plaintext
message.pin_code = userPin;
sendToRemote(message);
Correct Approach:
cpp
// Transmit after encryption
encryptedPin = encryptPin(userPin, sessionKey);
message.encrypted_pin = encryptedPin;
sendToRemote(message);

Pattern 3: Custom Trust Verification (违反规则8)

Pattern 3: Custom Trust Verification (Violates Rule 8)

Bad Example:
cpp
// 自行比对账号信息判断可信关系
bool isTrusted() {
    return localAccount == remoteAccount;
}
Correct Approach:
cpp
// 依赖HiChain查询
bool isTrusted() {
    CredentialType type = HiChain.queryCredentialType(remoteDevice);
    return type == CredentialType.SAME_ACCOUNT;
}
Bad Example:
cpp
// Judge trusted relationship by comparing account information directly
bool isTrusted() {
    return localAccount == remoteAccount;
}
Correct Approach:
cpp
// Rely on HiChain query
bool isTrusted() {
    CredentialType type = HiChain.queryCredentialType(remoteDevice);
    return type == CredentialType.SAME_ACCOUNT;
}

Pattern 4: Insecure Switch Defaults (违反规则14)

Pattern 4: Insecure Switch Defaults (Violates Rule 14)

Bad Example:
cpp
// 默认值放通
bool enableSecurityCheck = true;  // 默认启用
Correct Approach:
cpp
// 默认值禁用
bool enableSecurityCheck = false;  // 默认禁用,需显式启用
Bad Example:
cpp
// Default to allow
bool enableSecurityCheck = true;  // Enabled by default
Correct Approach:
cpp
// Default to disable
bool enableSecurityCheck = false;  // Disabled by default, need explicit enabling

Security Rule Categories

Security Rule Categories

1. Authorization & Authentication

1. Authorization & Authentication

  • Rule 1: Object-side Authorization Control
  • Rule 5: Anti-Brute Force Protection
  • Rule 6: Server-side Security Logic
  • Rule 12: Sensitive Data Authorization and Audit
  • Rule 1: Object-side Authorization Control
  • Rule 5: Anti-Brute Force Protection
  • Rule 6: Server-side Security Logic
  • Rule 12: Sensitive Data Authorization and Audit

2. Data Protection

2. Data Protection

  • Rule 3: No Plaintext Sensitive Data Transmission
  • Rule 10: Secure Random Secrets
  • Rule 17: Business-level Key Isolation
  • Rule 3: No Plaintext Sensitive Data Transmission
  • Rule 10: Secure Random Secrets
  • Rule 17: Business-level Key Isolation

3. Trust Management

3. Trust Management

  • Rule 7: Trusted Relationship Lifecycle Minimization
  • Rule 8: Trusted Relationship Verification
  • Rule 9: Trusted Relationship Persistence Timing
  • Rule 15: Device Legitimacy Verification
  • Rule 16: User Isolation for Distributed Trust
  • Rule 7: Trusted Relationship Lifecycle Minimization
  • Rule 8: Trusted Relationship Verification
  • Rule 9: Trusted Relationship Persistence Timing
  • Rule 15: Device Legitimacy Verification
  • Rule 16: User Isolation for Distributed Trust

4. State Machine & Process Control

4. State Machine & Process Control

  • Rule 2: State Machine Context Validation
  • Rule 2: State Machine Context Validation

5. Resource Management

5. Resource Management

  • Rule 4: Resource Access Parameter Validation
  • Rule 11: Resource Cleanup
  • Rule 13: Minimal Permission Configuration
  • Rule 4: Resource Access Parameter Validation
  • Rule 11: Resource Cleanup
  • Rule 13: Minimal Permission Configuration

6. Code Quality

6. Code Quality

  • Rule 14: Secure Switch Default Values
  • Rule 18: Legacy Protocol Cleanup
  • Rule 14: Secure Switch Default Values
  • Rule 18: Legacy Protocol Cleanup

Example Review Session

Example Review Session

User request: "检视这段分布式设备管理代码的安全性"
Review process:
  1. Load security rules → Read security_rules.md
  2. Identify relevant rules → Rules 1, 2, 7, 8, 9, 11 (设备管理相关)
  3. Search code patterns → Grep for authorization, trust, state machine
  4. Check each rule:
    • ✓ Rule 1: 授权流程是否在客体侧独立控制
    • ✗ Rule 2: 发现状态机未校验上下文
    • ✓ Rule 7: 可信关系生命周期管理正确
    • ✗ Rule 8: 发现自定义可信判断逻辑
  5. Generate report → 列出违规点和修复建议
User request: "Review the security of this distributed device management code"
Review process:
  1. Load security rules → Read security_rules.md
  2. Identify relevant rules → Rules 1, 2, 7, 8, 9, 11 (related to device management)
  3. Search code patterns → Grep for authorization, trust, state machine
  4. Check each rule:
    • ✓ Rule 1: Whether the authorization process is independently controlled on the object side
    • ✗ Rule 2: Found that the state machine does not validate the context
    • ✓ Rule 7: Trusted relationship lifecycle management is correct
    • ✗ Rule 8: Found custom trust judgment logic
  5. Generate report → List violations and repair suggestions

Tips

Tips

  1. Start with keywords: 使用security_rules.md中的关键词快速定位可疑代码
  2. Check both sides: 分布式业务需要同时检查主体侧和客体侧代码
  3. Verify complete flows: 跟踪完整的业务流程,不要只检查单个函数
  4. Consider edge cases: 检查错误处理、超时、重试等边界场景
  5. Review logging: 确保日志中不泄露敏感信息
  1. Start with keywords: Use keywords in security_rules.md to quickly locate suspicious code
  2. Check both sides: Distributed services require checking both subject-side and object-side code
  3. Verify complete flows: Track the complete business process, do not only check individual functions
  4. Consider edge cases: Check edge scenarios such as error handling, timeouts, and retries
  5. Review logging: Ensure that sensitive information is not leaked in logs

Resources

Resources

  • Detailed Rules: See security_rules.md for complete rule descriptions and check points
  • Quick Reference: Use keyword mapping at the end of security_rules.md for fast rule lookup
  • Detailed Rules: See security_rules.md for complete rule descriptions and check points
  • Quick Reference: Use keyword mapping at the end of security_rules.md for fast rule lookup