WHITE PAPER How To Write Secure Code In C - Perforce


WHITE PAPER
How to Write Secure Code in C

Introduction

Software security is a top concern today. You can’t risk any security vulnerabilities — particularly if you’re developing software for embedded systems. And that means your code needs to be secure and free of coding errors.

www.perforce.com Copyright Perforce Software, Inc. All trademarks and registered trademarks are the property of their respective owners.

When you think about software security, you probably think about passwords and access control. Or viruses, spoofing, and phishing attacks. These are common security concerns. And security features, such as data encryption and authentication protocols, mitigate these vulnerabilities.

But even if you’ve implemented these security features, software can remain vulnerable.

To ensure secure software, you need to start at the source — the code level. Otherwise, coding errors will compromise your program.

Coding Errors Compromise Security

The Software Engineering Institute (SEI) estimates that up to 90% of reported security incidents result from exploiting vulnerabilities in software code or design. And these vulnerabilities allow hackers to access private data or take unauthorized control of a system.

So, a simple coding error can lead to a hacking threat. A hacker could take control of your computer, your home automation device, your home entertainment device, or your car. Worse still, a hacker could even take control of a nuclear power plant.

EXAMPLE OF A SECURITY VULNERABILITY: BUFFER OVERFLOW IN C

To illustrate how this might happen, let’s look at just one example. Buffer overflow is a common security vulnerability in C programming.

What Is Buffer Overflow?

Buffer overflow occurs when data is written outside the boundary of the allocated memory. For example:

    char buff[10];
    buff[10] = 'a';

Here, an array of 10 bytes (index 0 to 9) is declared. But the program then attempts to write a character one byte beyond the array’s boundary. If the memory neighboring the array is used later in the program, then it will lead to unexpected behavior.

This is bad enough. And it can get worse. A buffer overflow can allow a hacker to take control of a system.

How Buffer Overflow Invites Hackers

Hackers can use buffer overflow errors to cause a program to crash, corrupt the data, or simply steal information.

When a program runs, it uses an area of memory referred to as the ‘stack’. Variables within the scope of the currently executing function will be stored on the stack. The address of the function call will also be stored to allow return statements to return to the correct location.

When the function returns to the calling function, the program execution continues from where it left off. So, if the return address on the stack is modified to point to some alternative malicious instructions, then those instructions will be executed when the function returns.

If the program is receiving data — and there is no check in place to ensure that the input buffer cannot overflow — then it will be possible to design an input, or ‘payload’, that contains malicious code. This overflows the input buffer and overwrites the return address on the stack with the address of the malicious code.

PREVENTING SECURITY VULNERABILITIES IS CRITICAL

Preventing security vulnerabilities — such as buffer overflow — is critical. And this can be done by making sure the code itself is written without exploitable gaps.

After all, putting stronger locks on your front door is no use if the windows are left open. So, to improve security, you’ll need to ensure secure code.

4 Ways to Ensure Secure Code in C

Writing secure code is important. And when it comes to C programming, there are four key sources of information to help you ensure secure code.

1. CWE

You can identify security weaknesses from the Common Weakness Enumeration (CWE).

What Is CWE?

CWE is a community-developed list of common software security weaknesses in C. It’s maintained by the MITRE Corporation. This list can be used as a baseline for weakness identification, mitigation, and prevention.

CWE’s List of Software Security Weaknesses

The CWE list prioritizes weaknesses. The top 25 entries are prioritized using input from more than two dozen different organizations. They evaluate each weakness based on frequency and importance. Many of the weaknesses (in C programs) listed in CWE relate to buffer overflow.

The top 25 list also adds a small set of the most effective ‘Monster Mitigations’. This helps developers reduce or eliminate entire groups of the top 25 weaknesses. It also helps with many of the other 800 weaknesses that are documented in the CWE list.

CWE focuses on stopping vulnerabilities at the source. This is done by educating designers, programmers, and testers on how to eliminate common mistakes — before software is even shipped.

2. CERT C

You can apply the CERT C coding standard to your code.

What Is CERT C?

The CERT C coding standard is published by the CERT Division at the Software Engineering Institute (SEI). SEI is a research and development center operated by Carnegie Mellon University. It’s primarily funded by the U.S. Department of Defense and the Department of Homeland Security.

CERT C Security Rules

Secure coding experts continually develop the CERT C guidelines on a wiki. Each guideline consists of:

- A title
- A description
- An example of non-compliant code
- Examples of compliant solutions

The guidelines cover coding and implementation errors, as well as low-level design errors. The aim

is to eliminate insecure coding practices and undefined behaviors that can lead to vulnerabilities.

CERT C defines a vulnerability as:

“A set of conditions that allows an attacker to violate an explicit or implicit security policy.”

The defect may be minor. This means it doesn’t affect the performance or results produced by the software. But it nevertheless may be exploited by an attack. And that results in a significant security breach.

RECOMMENDED READING

Secure Coding in C and C++ by Robert Seacord. An essential resource for all C developers.

3. ISO/IEC TS 17961:2013 “C SECURE”

You can apply the ISO/IEC TS 17961:2013 “C Secure” coding rules.

What Is ISO/IEC TS 17961:2013?

ISO/IEC TS 17961:2013 establishes a set of coding rules. These rules enable static code analyzers to diagnose insecure code beyond the requirements of the language standard.

C Secure Coding Rules

ISO/IEC TS 17961:2013 includes rules for secure coding in C. It also includes examples for each rule.

The purpose of C Secure is to specify secure coding rules that can be automatically enforced. These can be used to detect security flaws in C programming. To be considered a security flaw, a software bug must be triggerable by the actions of a malicious user or attacker.

Analyzers that implement these rules must be able to effectively discover secure coding errors — without generating excessive false positives.

4. MISRA C

You can also use MISRA to ensure secure coding in C.

What Is MISRA?

MISRA provides best practice guidelines for the development of safety-related systems. Its C coding standards have been widely adopted across many industries.

MISRA C Security Rules

MISRA C:2012 Amendment 1 was published in 2016. It provides additional security guidelines for C programming, including new rules and directives. It also includes examples of compliant and non-compliant code.

These guidelines can be used to prevent coding errors that lead to safety issues and security vulnerabilities.

Why MISRA C Security Rules Are Ideal for Embedded Systems

MISRA C security rules are ideal for embedded systems. That’s because MISRA C security is on par with that of other secure coding standards for C. Plus, MISRA C is trusted across embedded systems industries. And it’s a go-to coding standard in the automotive industry.

EXAMPLE OF A MISRA C SECURITY RULE

MISRA C security rules can prevent coding errors and security weaknesses, such as buffer overflow. Here’s an example of a MISRA C security rule:

MISRA C Rule 18.1
“A pointer resulting from arithmetic on a pointer operand shall address an element of the same array as that pointer operand.”

This rule does the same thing as the following CERT C rule.

ARR30-C
“Do not form or use out-of-bounds pointers or array subscripts.”

And both relate to multiple CWE weaknesses in C, one of which is:

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
“The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.”

Following either the MISRA C rule or the CERT rule will ensure secure code — and avoid common weaknesses in CWE. This is because writing to an out-of-range pointer (or pointer operand) could result in a buffer overflow — and vulnerable code. Reading from an out-of-range pointer (or pointer operand) could accidentally reveal information to hackers.

So, by ensuring these rules are followed, you’ll avoid serious coding errors. You can enforce MISRA and CERT rules by using a static code analyzer, such as Helix QAC.

COMPARING MISRA C AND OTHER STANDARDS

This is why the MISRA C coding standard is also ideal for environments where software security has more emphasis than safety.

In fact, MISRA has published two addenda to the MISRA C:2012 standard to help developers map MISRA rules to the C Secure and CERT C standards.
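The buffer overflow from the first example (writing buff[10] into a 10-byte array) and the out-of-bounds pointer rules just quoted (MISRA C Rule 18.1, CERT ARR30-C, CWE-119) shown in working code, on both the write side and the read side. This is an added example, not code from the white paper or from Perforce; the struct message type, BUF_SIZE, store_checked, find_byte, demo and the sample payloads are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 10U   /* the paper's 10-byte buffer: valid indices are 0..9 */

struct message {
    uint8_t buf[BUF_SIZE];
    size_t len;        /* valid bytes in buf; kept <= BUF_SIZE by store_checked */
};

/* Write side (MISRA C 18.1 / CERT ARR30-C): the unchecked pattern the paper
 * warns about, memcpy(m->buf, src, len) with len > BUF_SIZE, writes past the
 * array. Here input that does not fit is rejected and buf is left untouched. */
bool store_checked(struct message *m, const uint8_t *src, size_t len)
{
    if (src == NULL || len > BUF_SIZE) {
        return false;           /* oversize input is an error, not an overflow */
    }
    memcpy(m->buf, src, len);   /* every byte lands inside buf[0..BUF_SIZE-1] */
    m->len = len;
    return true;
}

/* Read side: the pointer walks from buf to one-past-the-last valid byte and is
 * never dereferenced at end, so no neighbouring memory can be read and leaked.
 * Returns the index of the first needle byte, or -1 when it is absent. */
int find_byte(const struct message *m, uint8_t needle)
{
    const uint8_t *end = m->buf + m->len;   /* one-past-end: may be formed, not read */
    for (const uint8_t *p = m->buf; p < end; ++p) {
        if (*p == needle) {
            return (int)(p - m->buf);
        }
    }
    return -1;
}

/* Constructed inputs: one payload that exactly fits and one 2 bytes too long. */
static const uint8_t fits[BUF_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};
static const uint8_t too_big[BUF_SIZE + 2] = {0};
/* Returns 1 when the oversize payload is rejected (len stays 0), the fitting one
 * is stored, byte 7 is found at index 6 and byte 42 is reported absent. */
int demo(void)
{
    struct message m = { {0}, 0 };
    bool rejected = !store_checked(&m, too_big, sizeof too_big) && m.len == 0;
    bool accepted = store_checked(&m, fits, sizeof fits) && m.len == BUF_SIZE;
    return (rejected && accepted && find_byte(&m, 7) == 6 && find_byte(&m, 42) == -1) ? 1 : 0;
}
```

A static analyzer enforcing Rule 18.1 or ARR30-C flags the unchecked memcpy pattern; the checked version gives it a provable bound to verify.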

Comparing MISRA C and C Secure

MISRA C:2012 – Addendum 2 shows how each MISRA rule maps to the C Secure rules in ISO/IEC TS 17961:2013.

Every rule in C Secure is covered by a rule or directive in MISRA C. And any static code analyzer (such as Helix QAC) that fully supports MISRA C will also comply with the C Secure standard. So, you can use the standards interchangeably for security.

Comparing MISRA C and CERT C

MISRA C:2012 – Addendum 3 shows how each rule maps to the CERT C rules.

CERT C is designed for C11. MISRA C:2012 was designed for C99. There are 15 C11-specific rules in CERT C that are out of scope for MISRA C:2012. Of the CERT C rules (within the scope of MISRA C:2012), there are only four that aren’t covered. So, MISRA C covers a large share of security rules from CERT C.

Note: Violations of all four of these rules can be detected automatically using Helix QAC.

Write Secure Code With Helix QAC

You can enforce MISRA rules (in C or C++) automatically with Helix QAC. This significantly reduces the amount of time you need to spend performing manual code inspections. So, you’ll free up development resources and deliver your program on time — while improving the quality of your software.

See how Helix QAC applies MISRA rules by visiting perforce.com/helix-qac-demo.

About Perforce

Perforce is a leading provider of enterprise scale software solutions to technology developers and development operations (“DevOps”) teams requiring productivity, visibility, and scale during all phases of the development lifecycle. Enterprises across the globe rely on its agile planning and ALM tools, developer collaboration, static code analysis, version control and repository management solutions as the foundation for successful DevOps at scale. Perforce is trusted by the world’s most innovative brands, including NVIDIA, Pixar, Scania, Ubisoft, and VMware. Perforce has offices in Minneapolis, MN, Alameda, CA, Mason, OH, Boston, MA, the United Kingdom, Finland, Sweden, Germany, India, and Australia, and sales partners around the globe. For more information, please visit www.perforce.com

