Date: Mon, 13 Sep 2010 15:57:23 -0700
Reply-To: "Sprague, Webb (OFM)" <Webb.Sprague@OFM.WA.GOV>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: "Sprague, Webb (OFM)" <Webb.Sprague@OFM.WA.GOV>
Subject: Re: FW: [SAS-L] Detect if code has been changed in interactive mode
In-Reply-To: A<201009132249.o8DKPMMW031339@willow.cc.uga.edu>
Content-Type: text/plain; charset="us-ascii"
>
> Interesting, how do you get the separated signature file?
Unix command line, something like "md5 --input=source.sas
--output=source.sig". You would have to figure out how to do it on
Windows, but I am sure there are tons of applications.
> Assuming you can generate the MD5 file after you save the
> modified source, it still does not help the interactive mode
> case, where the code is changed but not saved yet, yet it
> can be executed.
If you can't be sure of the authorship of the md5 signature, it is no
use, but that can be kept by a third party and verified independently.
And no, I don't know how to help the interactive case.
>
> On Mon, 13 Sep 2010 15:20:12 -0700, Sprague, Webb (OFM)
> <Webb.Sprague@OFM.WA.GOV> wrote:
>
> >I am not sure if it would help, but often I have seen a source code file
> >(say "source.sas") shipped with an MD5 hash signature in a separate
> >file. (http://en.wikipedia.org/wiki/MD5). If the source code doesn't
> >match the signature you know it is altered, though you are unable to
> >determine how exactly.
> >
> >> -----Original Message-----
> >> From: SAS(r) Discussion [mailto:SAS-L@LISTSERV.UGA.EDU] On Behalf Of
> >> Magnus Mengelbier
> >> Sent: Monday, September 13, 2010 2:22 PM
> >> To: SAS-L@LISTSERV.UGA.EDU
> >> Subject: Re: FW: [SAS-L] Detect if code has been changed in interactive
> >> mode
> >>
> >> Hello Ya
> >>
> >> I have been through this discussion more than a few times. The most
> >> conservative solution is to only allow "official" outputs, e.g. Draft
> >> for review or Final, to be run in batch, which can be determined a few
> >> different ways.
> >>
> >> Experience from SAS Drug Development up until version 3.4, it is
> >> possible to determine if the submitted code is partial or full program.
> >> It is also possible to determine if the code has been modified prior to
> >> execution. The approach relies on how SDD functions in the background
> >> in setting up executions and is easy to implement.
> >>
> >> As far as I am aware, there is no sure method in other SAS applications
> >> that I have experienced to avoid someone running code from a parallel
> >> editor, changed code in the program, etc. I suppose it is possible to
> >> create "a macro" that does a simple check but this can be circumvented
> >> unless you control the entire outputs mechanism (read ODS statement or
> >> similar).
> >>
> >> I know of a few groups that use/used a "publish" macro that moved
> >> generated output to a "secure" location and thus used that as a gate
> >> for ensuring that the output was generated by the governed process and
> >> not hacked together by partial code submits.
> >>
> >> Hope this helps
> >>
> >>
> >> Magnus
> >>
> >> --
> >>
> >> _______________________________________________________________________
> >> Magnus Mengelbier (mmr@limelogic.com)
> >> Limelogic Ltd
> >> www.limelogic.com
> >>
> >> On 13 September 2010 23:07, Huang, Ya <Ya.Huang@amylin.com> wrote:
> >>
> >> > Hi Richard,
> >> >
> >> > Actually, what I'm concerned is that unless a SAS code is run in
> >> > batch, there seems no way to prevent people from running a modified
> >> > SAS code and generate certain report, then claim the report is
> >> > generated by the official version of the SAS code.
> >> >
> >> > Think about this, a validated SAS program is opened up in DM, the
> >> > program name can be obtained from dictionary.extfiles and used in
> >> > footnote to show the report is generated by this program. But
> >> > actually the code is modified before running, which means that the
> >> > actual code that generated the report is not the original version.
> >> > One can run this way and not save the modified code, yet show the
> >> > report is generated by the code.
> >> >
> >> > If there is a way to detect the change status, we can probably put
> >> > something in the footnote to warn people, this report may not be
> >> > from the official source code version.
> >> >
> >> > Ya
> >> >
> >> >
> >> > -----Original Message-----
> >> > From: Richard DeVenezia [mailto:rdevenezia@gmail.com]
> >> > Sent: Monday, September 13, 2010 12:28 PM
> >> > To: Huang, Ya
> >> > Subject: Re: [SAS-L] Detect if code has been changed in interactive
> >> > mode
> >> >
> >> > On Mon, Sep 13, 2010 at 12:53 PM, Ya Huang <ya.huang@amylin.com>
> >> > wrote:
> >> > > Hi there,
> >> > >
> >> > > PC SAS, DM mode, is there a way we can detect the change status,
> >> > > before the code is saved? For example, we open up a piece of source
> >> > > code, change a few lines of it on enhanced editor, then submit for
> >> > > running.
> >> > >
> >> > > Even more tricky part is to detect if the code submitted is the
> >> > > whole code or just some of the lines that highlighted? (the code is
> >> > > not changed)
> >> >
> >> > Ya:
> >> >
> >> > If you are worried about trashing good code with bad via an overwrite
> >> > (been there, done that), consider an operating system solution. Look
> >> > for automatic versioning, also sometimes called journaling or
> >> > generations.
> >> >
> >> > One quick out is to tag those important source codes as read-only.
> >> >
> >> > Richard A. DeVenezia
> >> > http://www.devenezia.com
> >> >
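
Added example, not part of the original thread or written by any of its participants: a sketch of the detached-signature check discussed above, showing why a plain digest stored beside source.sas only helps if the digest itself is kept out of the editor's reach. It uses SHA-256 and HMAC-SHA256 in place of the MD5 mentioned in the thread; the file names, the key and the SAS lines are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def _chunks(path):
    with open(path, "rb") as f:
        yield from iter(lambda: f.read(65536), b"")

def digest(path):
    """Unkeyed SHA-256 of a file: anyone who edits the file can recompute it."""
    h = hashlib.sha256()
    for c in _chunks(path):
        h.update(c)
    return h.hexdigest()

def keyed_tag(path, key):
    """HMAC-SHA256 of a file: only a holder of `key` can produce a valid tag."""
    mac = hmac.new(key, digestmod="sha256")
    for c in _chunks(path):
        mac.update(c)
    return mac.hexdigest()

def matches(sig_path, expected):
    with open(sig_path) as f:
        return hmac.compare_digest(f.read().strip(), expected)

def write(path, text, mode="w"):
    with open(path, mode) as f:
        f.write(text)

def demo():
    """Returns (plain_ok, keyed_ok) at three points in a constructed scenario."""
    key = b"constructed key held by a third party"
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "source.sas")
        plain, keyed = src + ".sig", src + ".hmac"
        check = lambda: (matches(plain, digest(src)),
                         matches(keyed, keyed_tag(src, key)))
        write(src, "proc print data=final; run;\n")   # constructed program
        write(plain, digest(src))
        write(keyed, keyed_tag(src, key))
        results = {"original": check()}
        write(src, "* edited after validation;\n", "a")  # program is changed
        results["modified"] = check()
        # Whoever changed the program also rewrites both signature files,
        # but does not know the third party's key.
        write(plain, digest(src))
        write(keyed, keyed_tag(src, b"guessed key"))
        results["sig_rewritten"] = check()
    return results
```

As noted in the thread, neither check covers code that is changed in the editor and submitted without being saved, since only the file on disk is hashed.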