Secure Coding

We have seen various vulnerabilities that are triggered by bugs in C programs such as overflowing an array or printing a string directly, without the “%s” format string.

It is thus important to write programs that are not vulnerable, but languages such as C are subtle and it is hard to write secure programs without following rules or recommendations.

The SEI CERT C Coding Standard

The SEI CERT C Coding Standard of Carnegie Mellon University is an important resource that provides rules and recommendations from the secure coding community.

  • Rules are meant to provide normative requirements for code;
  • Recommendations are meant to provide guidance to improve the safety, reliability, and security of software systems. A violation of a recommendation does not necessarily indicate the presence of a defect in the code.

Risk Assessment

Each guideline in the CERT C Coding Standard contains a risk assessment section that attempts to provide software developers with an indication of the potential consequences of not addressing a particular rule or recommendation in their code (along with some indication of expected remediation costs).

Each rule and recommendation has an assigned priority. Three values are assigned for each rule on a scale of 1 to 3 for severity, likelihood, and remediation cost.

Severity

How serious are the consequences of the rule being ignored?

  Value   Meaning   Examples of Vulnerability
  1       Low       Denial-of-service attack, abnormal termination
  2       Medium    Data integrity violation, unintentional information disclosure
  3       High      Run arbitrary code

Likelihood

How likely is it that a flaw introduced by violating the rule can lead to an exploitable vulnerability?

  Value   Meaning
  1       Unlikely
  2       Probable
  3       Likely

Remediation Cost

How expensive is it to comply with the rule?

  Value   Meaning   Detection   Correction
  1       High      Manual      Manual
  2       Medium    Automatic   Manual
  3       Low       Automatic   Automatic

Priorities and Levels

The three values are then multiplied together for each rule. This product provides a measure that can be used to prioritize the application of the rules. The products range from 1 to 27, although only the following 10 distinct values are possible: 1, 2, 3, 4, 6, 8, 9, 12, 18, and 27. Rules and recommendations with a priority in the range 1 to 4 are Level 3, those with 6 to 9 are Level 2, and those with 12 to 27 are Level 1.
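As an added illustration (not part of the original notes), the following C program computes the priority and level from the three values of the tables above and enumerates every combination to confirm that exactly the ten products listed here can occur. Note that a higher remediation cost gets the lower value, so an expensive fix lowers the priority. The function names are my own.

```c
#include <stdio.h>

/* Priority = severity * likelihood * remediation cost, each on a 1..3 scale
 * (remediation cost: High = 1, Medium = 2, Low = 3). */
int cert_priority(int severity, int likelihood, int cost) {
    return severity * likelihood * cost;
}

/* Level from priority: 1..4 -> L3, 6..9 -> L2, 12..27 -> L1.
 * Returns 0 for a value that cannot occur as a product (e.g. 5, 7). */
int cert_level(int priority) {
    if (priority >= 12 && priority <= 27) return 1;
    if (priority >= 6 && priority <= 9) return 2;
    if (priority >= 1 && priority <= 4) return 3;
    return 0;
}

/* Enumerate every (severity, likelihood, cost) combination, collect the
 * distinct products in ascending order into out[] (room for 27 ints is
 * enough) and return how many distinct values there are. */
int cert_distinct_priorities(int *out) {
    int seen[28] = {0};
    int count = 0;
    for (int s = 1; s <= 3; s++)
        for (int l = 1; l <= 3; l++)
            for (int c = 1; c <= 3; c++)
                seen[cert_priority(s, l, c)] = 1;
    for (int p = 1; p <= 27; p++)
        if (seen[p]) out[count++] = p;
    return count;
}

int main(void) {
    int values[27];
    int n = cert_distinct_priorities(values);
    printf("%d distinct priorities:", n);
    for (int i = 0; i < n; i++)
        printf(" P%d(L%d)", values[i], cert_level(values[i]));
    printf("\n");
    return 0;
}
```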

The following picture provides possible interpretations of the priorities and levels:

Examples

We show a few examples of rules and recommendations.

Rule 06. Arrays (ARR): “Do not form or use out-of-bounds pointers or array subscripts”. This rule states that you should never let array indexes go out of bounds: it is crucial that indexes are always checked. For example:

This is not compliant, as a negative index would correspond to a memory address before the array. The code must be fixed by also checking that the index is non-negative:
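The following C program is an added example written for these notes (not the code from the original page): it shows a lookup into a fixed-size table that checks only the upper bound next to the version that rejects negative indexes as well, plus a small helper that exercises the boundary cases. The names table_slot_noncompliant, table_slot_compliant and count_rejected are my own.

```c
#include <stddef.h>
#include <stdio.h>

enum { TABLESIZE = 100 };
static int table[TABLESIZE];

/* Noncompliant: only the upper bound is checked. A negative index forms a
 * pointer before the start of table, which is undefined behaviour even if
 * the pointer is never dereferenced. */
int *table_slot_noncompliant(int index) {
    if (index < TABLESIZE) {
        return table + index;
    }
    return NULL;
}

/* Compliant: reject negative indexes too, so the pointer is only formed
 * when it lies inside the array. */
int *table_slot_compliant(int index) {
    if (index >= 0 && index < TABLESIZE) {
        return table + index;
    }
    return NULL;
}

/* Count how many of the given indexes the compliant check rejects. */
int count_rejected(const int *indexes, size_t n) {
    int rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (table_slot_compliant(indexes[i]) == NULL) {
            rejected++;
        }
    }
    return rejected;
}

int main(void) {
    /* Constructed sample: first and last valid index, one past each end. */
    int sample[] = { -1, 0, 99, 100 };
    size_t n = sizeof sample / sizeof sample[0];
    printf("%d of %zu indexes rejected\n", count_rejected(sample, n), n);
    return 0;
}
```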

This particular rule is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Likely       High               P9         L2

Rule 07. Characters and Strings (STR): “Guarantee that storage for strings has sufficient space for character data and the null terminator”. The following example is a classic off-by-one problem:

It might happen that the terminating ‘\0’ is stored outside the array bounds. The code should be fixed as follows:
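As an added example (my own code, not the snippet from the original notes), the program below puts the off-by-one copy loop next to its corrected form and makes the overflow observable without undefined behaviour: the destination is placed in a region with one extra canary byte, and a helper reports whether the copy touched it. The names copy_noncompliant, copy_compliant and canary_overwritten are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Noncompliant: i may reach n when src is at least n characters long, and
 * the terminator is then written to dest[n], one past an n-byte buffer. */
void copy_noncompliant(size_t n, const char *src, char *dest) {
    size_t i;
    for (i = 0; src[i] && i < n; ++i) {
        dest[i] = src[i];
    }
    dest[i] = '\0';
}

/* Compliant: copy at most n - 1 characters so the terminator always lands
 * inside the buffer; longer input is truncated instead of overflowing.
 * The n == 0 guard avoids wrapping n - 1 around to SIZE_MAX. */
void copy_compliant(size_t n, const char *src, char *dest) {
    size_t i;
    if (n == 0) {
        return;
    }
    for (i = 0; src[i] && i < n - 1; ++i) {
        dest[i] = src[i];
    }
    dest[i] = '\0';
}

/* Copy a too-long constructed source into an N-byte region followed by one
 * canary byte that is part of the same allocation, and report whether the
 * canary changed. A clobbered canary is the off-by-one made visible. */
int canary_overwritten(void (*copy)(size_t, const char *, char *)) {
    enum { N = 4 };
    char region[N + 1];
    memset(region, 'X', sizeof region);   /* region[N] is the canary */
    copy(N, "abcdef", region);            /* constructed oversized input */
    return region[N] != 'X';
}

int main(void) {
    printf("noncompliant copy clobbers canary: %d\n",
           canary_overwritten(copy_noncompliant));
    printf("compliant copy clobbers canary:    %d\n",
           canary_overwritten(copy_compliant));
    return 0;
}
```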

This particular rule is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Likely       Medium             P18        L1

Rule 07. Characters and Strings (STR): “Do not pass a non-null-terminated character sequence to a library function that expects a string”. The following example contradicts this rule and another one:

The string initialization leaves no space for the terminating ‘\0’. The initialization itself does not overflow, but the resulting array is not null-terminated, so any library function that expects a string will read past its end. The code should be fixed as follows:
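The following added example (my own code, not the original snippet) compares an array initialized with an explicit bound equal to the literal's length against one whose size the compiler infers from the literal. A bounded check with memchr tells whether a terminator exists inside the array without reading past it, and a %.*s conversion shows how to print a character sequence of known length that is deliberately not terminated. The helper names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Is there a '\0' within the first size bytes? memchr never reads past
 * size, unlike strlen() or a plain %s on an unterminated buffer. */
bool is_null_terminated(const char *buf, size_t size) {
    return memchr(buf, '\0', size) != NULL;
}

/* Noncompliant pattern: the explicit bound of 3 is exactly the length of
 * "abc", so the array holds 'a','b','c' and no terminator. This is legal C,
 * which is why it slips through. */
bool noncompliant_array_is_terminated(void) {
    char c_str[3] = "abc";
    return is_null_terminated(c_str, sizeof c_str);
}

/* Compliant pattern: let the compiler size the array from the literal, so
 * the terminator is included and sizeof c_str is 4. */
bool compliant_array_is_terminated(void) {
    char c_str[] = "abc";
    return is_null_terminated(c_str, sizeof c_str);
}

size_t compliant_array_size(void) {
    char c_str[] = "abc";
    return sizeof c_str;
}

/* Defensive output for a character sequence known not to be terminated:
 * the precision stops printf after size bytes. Returns the count written. */
int print_bounded(FILE *out, const char *buf, size_t size) {
    return fprintf(out, "%.*s\n", (int)size, buf);
}

int main(void) {
    char raw[3] = "abc";   /* constructed unterminated sequence */
    printf("explicit bound terminated: %d\n", noncompliant_array_is_terminated());
    printf("inferred bound terminated: %d (sizeof %zu)\n",
           compliant_array_is_terminated(), compliant_array_size());
    print_bounded(stdout, raw, sizeof raw);
    return 0;
}
```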

This particular rule is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Probable     Medium             P12        L1

Rec. 07. Characters and Strings (STR): “Use the bounds-checking interfaces for string manipulation”. There exist bounds-checking functions for string manipulation such as strlcpy and strlcat.

The following code does not follow the recommendation:

Clearly there could be a buffer overflow if prefix, msg and suffix together are longer than buf. The code can be fixed by adopting the strlcpy and strlcat functions. They return the length of the string they attempted to build, but truncate the result so that it fits the buffer, including the terminating ‘\0’; a return value greater than or equal to the buffer size therefore signals truncation.
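The program below is an added example for these notes, not the original snippet. Because glibc only gained strlcpy and strlcat in version 2.38, it carries local re-implementations (xstrlcpy, xstrlcat) with the BSD contract described above, then shows the unbounded strcpy/strcat version of the error-message builder next to a bounded version that also reports truncation to its caller. All function names are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for strlcpy/strlcat. Both return the length of the string
 * they tried to create, so a return value >= dsize means truncation; dst is
 * always null-terminated when dsize > 0. */
size_t xstrlcpy(char *dst, const char *src, size_t dsize) {
    size_t srclen = strlen(src);
    if (dsize != 0) {
        size_t n = srclen < dsize - 1 ? srclen : dsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

size_t xstrlcat(char *dst, const char *src, size_t dsize) {
    size_t dlen = 0;
    while (dlen < dsize && dst[dlen] != '\0') {
        dlen++;
    }
    if (dlen == dsize) {             /* dst not terminated within dsize */
        return dsize + strlen(src);
    }
    return dlen + xstrlcpy(dst + dlen, src, dsize - dlen);
}

/* Noncompliant: strcpy/strcat do not know how large buf is, so a long msg
 * overflows it. Kept only for comparison with the bounded version. */
void complain_noncompliant(char *buf, const char *msg) {
    strcpy(buf, "Error: ");
    strcat(buf, msg);
    strcat(buf, "\n");
}

/* Compliant: every step is bounded by bufsz and its return value checked,
 * so the caller learns that the message was cut instead of silently logging
 * a truncated line. Returns 0 if everything fit, 1 if truncated. */
int complain_compliant(char *buf, size_t bufsz, const char *msg) {
    int truncated = 0;
    if (xstrlcpy(buf, "Error: ", bufsz) >= bufsz) truncated = 1;
    if (xstrlcat(buf, msg, bufsz) >= bufsz) truncated = 1;
    if (xstrlcat(buf, "\n", bufsz) >= bufsz) truncated = 1;
    return truncated;
}

int main(void) {
    char small[16];   /* deliberately too small for the constructed message */
    int t = complain_compliant(small, sizeof small, "disk full");
    fputs(small, stderr);
    fprintf(stderr, "%s\n", t ? "[truncated]" : "[complete]");
    return 0;
}
```

The buffer in main holds 15 characters plus the terminator, while "Error: disk full\n" needs 17, so the message comes out as "Error: disk ful" and the function reports truncation; with a sufficiently large buffer it returns 0 and the full line.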

This particular recommendation is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Probable     Medium             P12        L1

Rule 09. Input Output (FIO): “Exclude user input from format strings”. User input in a format string can trigger a format string vulnerability.

The following code does not follow the rule:

The code builds a string msg that is finally passed to fprintf as the format string. Since msg depends on user input, this may trigger a format string vulnerability. A compliant version follows:
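As an added example (my own code, not the page's snippet), the following program shows the pattern the text describes: a message assembled from a user name is handed to fprintf as the format, next to the compliant version that keeps the format string constant and writes the finished message with fputs. Both take a FILE * so the result can be checked by writing to a temporary file; the function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Noncompliant: msg contains user-controlled text, yet it is handed to
 * fprintf as the format argument, so any '%' sequence in user is parsed as
 * a conversion. Shown for comparison only. */
void incorrect_password_noncompliant(FILE *out, const char *user) {
    static const char msg_format[] = "%s cannot be authenticated.\n";
    size_t len = strlen(user) + sizeof msg_format;
    char *msg = malloc(len);
    if (msg == NULL) {
        return;
    }
    snprintf(msg, len, msg_format, user);
    fprintf(out, msg);            /* user data used as the format string */
    free(msg);
}

/* Compliant: the format string is a constant and the user-controlled text
 * is only ever consumed by a %s conversion; the finished message is then
 * written as plain data. Returns 0 on success, -1 on failure. */
int incorrect_password_compliant(FILE *out, const char *user) {
    static const char msg_format[] = "%s cannot be authenticated.\n";
    size_t len = strlen(user) + sizeof msg_format;
    char *msg = malloc(len);
    if (msg == NULL) {
        return -1;
    }
    int n = snprintf(msg, len, msg_format, user);
    if (n < 0 || (size_t)n >= len) {
        free(msg);
        return -1;
    }
    int rc = (fputs(msg, out) == EOF) ? -1 : 0;   /* msg is data here */
    free(msg);
    return rc;
}

int main(void) {
    /* Constructed user name that contains conversion specifiers; with the
     * compliant function they appear literally in the output. */
    incorrect_password_compliant(stdout, "mallory %x %n");
    return 0;
}
```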

This particular rule is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Likely       Medium             P18        L1

Rule 10. Environment (ENV): “Do not call system()”. Use of the system() function can result in exploitable vulnerabilities, for example:

  • When passing an unsanitized or improperly sanitized command string originating from a tainted source
  • If a command is specified without a path name and the command processor path name resolution mechanism is accessible to an attacker
  • If a relative path to an executable is specified and control over the current working directory is accessible to an attacker
  • If the specified executable program can be spoofed by an attacker

Example:

An attacker could manipulate the value of the HOME environment variable such that this program can remove any file named .config anywhere on the system. A compliant version follows:
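The following program is an added example written for these notes, not the original snippet. It places the shell-based removal of ~/.config beside a version that never starts a shell: the home directory is taken from the password database for the real user id rather than from HOME, the path is built with a length-checked snprintf, and the file is removed with unlink(). It assumes a POSIX system (pwd.h, unistd.h); the function names are my own.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Noncompliant: system() starts a shell, and the shell expands "~" from the
 * HOME environment variable, so whoever controls HOME chooses which .config
 * file is removed. Shown for comparison only. */
void remove_config_noncompliant(void) {
    system("rm ~/.config");
}

/* Build "<home>/.config" into out. Returns 0 on success, -1 if the result
 * would not fit (snprintf reports the length it wanted). */
int build_config_path(char *out, size_t outsz, const char *home) {
    int n = snprintf(out, outsz, "%s/.config", home);
    if (n < 0 || (size_t)n >= outsz) {
        return -1;
    }
    return 0;
}

/* Remove <home>/.config directly: no shell, no word splitting, no
 * environment lookup. Returns 0 on success, -1 on failure. */
int remove_config_in(const char *home) {
    char path[4096];
    if (build_config_path(path, sizeof path, home) != 0) {
        return -1;
    }
    return unlink(path) == 0 ? 0 : -1;
}

/* Compliant replacement for remove_config_noncompliant: the home directory
 * comes from the password database entry of the real user id. */
int remove_config_compliant(void) {
    struct passwd *pwd = getpwuid(getuid());
    if (pwd == NULL || pwd->pw_dir == NULL) {
        return -1;
    }
    return remove_config_in(pwd->pw_dir);
}

int main(void) {
    char path[64];
    /* Constructed home directory, only to show the path that would be used. */
    if (build_config_path(path, sizeof path, "/home/alice") == 0) {
        printf("would unlink %s\n", path);
    }
    return 0;
}
```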

This particular rule is evaluated as follows:

  Severity   Likelihood   Remediation Cost   Priority   Level
  High       Probable     Medium             P12        L1

Exercise

Analyse the compliance of the following program with the rules and recommendations above, and rewrite it to make it compliant: