uspto standards coding secure c++
8/12/2019 Uspto Standards Coding Secure c++
1/44
Created by OCIO Security and SDMG Standards Division

Change/Version Number | Date of Change | Sections Changed | Description        | Person Entering Change
                      | 6 Dec 2007     | All              | Initial Submission | Pam Woodall and Bob Brown
Table of Contents

DRAFT ..... 1
Secure C++ Coding ..... 1
Standards & Guidelines ..... 1
Table of Contents ..... 2
1 Introduction ..... 5
1.1 Secure C++ Coding Practices ..... 5
1.2 String Manipulation ..... 6
1.2.1 C++ std::string ..... 6
1.2.2 fgets() and gets_s() ..... 8
1.2.3 memcpy_s() and memmove_s() ..... 10
1.2.4 Runtime Protection ..... 12
1.2.5 Compiler-Generated Runtime Checks ..... 13
1.2.6 Non-Executable Stacks ..... 13
1.2.7 Stackgap ..... 13
1.2.8 Runtime Bounds Checkers ..... 14
1.2.9 Canaries ..... 15
1.2.10 Stack Smashing Protector (ProPolice) ..... 15
1.2.11 (title not recoverable from this copy) ..... 17
1.2.12 SafeStr ..... 17
1.2.13 strcpy_s() and strcat_s() ..... 19
1.2.14 strcpy() and strcat() ..... 21
1.2.15 OpenBSD's strlcpy() and strlcat() ..... 22
1.2.16 strncpy_s() and strncat_s() ..... 23
1.2.17 strncpy() and strncat() ..... 26
1.2.18 Strsafe.h ..... 27
2 Dynamic Memory Management ..... 30
2.1 Guard Pages ..... 31
2.2 Heap Integrity Detection ..... 32
2.3 Null Pointers ..... 33
2.4 Phkmalloc ..... 34
2.5 Randomization ..... 36

Reference lists (numbered as in the source table of contents):
1.1 References ..... 40
2.1 References ..... 40
3.1 References ..... 40
4.1 References ..... 40
Pearson Education, Inc. Copyright ..... 40
Pearson Education, Inc. Copyright ..... 42
5.1 References ..... 43
5.2 References ..... 43
5.3 References ..... 43
5.4 References ..... 43
5.5 References ..... 43
5.6 References ..... 43
5.7 References ..... 43
5.8 References ..... 44
5.9 References ..... 44
5.10 References ..... 44
5.11 References ..... 44
5.12 References ..... 44
5.13 References ..... 44

Reference entries (endnotes recovered from the table of contents pages; several are cut short in this copy):

[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01 Programming languages - C. International Organization for Standardization, 1999.
[ISO/IEC 98] Joint Technical Committee ISO/IEC JTC 1; International Organization for Standardization; and International Electrotechnical Commission. Programming [...]
[ISO/IEC 04] ISO/IEC. ISO/IEC WDTR 24731 Specification for Secure C [...]
[Viega 03] Viega, John & Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003 (ISBN: 0-596-00394-3).
[...] , 2000. Berkeley, CA: USENIX Association, 2000.
[Bulba 00] Bulba & Kil3r. "Bypassing StackGuard and StackShield." Phrack, Volume 0xa, Issue 0x38, 05.01.2000, 0x05[0x10]. http://www.phrack.org/phrack/56/p56-0x05 (2000).
[Cowan 98] Cowan, C.; Pu, C.; Maier, D.; Hinton, H.; Walpole, J.; Bakke, P.; Beattie, S.; Grier, A.; Wagle, P.; & Zhang, Q. "Stackguard: Automatic adaptive detection and prevention of buffer-overflow attacks," 63-78. Proceedings of the Seventh USENIX Security Symposium. San Antonio, TX, January 26-29, 1998. Berkeley, CA: USENIX Association, 1998.
[Cowan 00] Cowan, Crispin; Wagle, Perry; Pu, Calton; Beattie, Steve; & Walpole, Jonathan. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade," 119-129. Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'00). Hilton Head Island, SC, January 25-27, 2000.
[...] http://www.openbsd.org/papers/csw03/mgp00001.html
[Etoh 04] Etoh, Hiroaki & Yoda, K. Protecting from stack-smashing attacks. http://www.research.ibm.com/trl/projects/security/ssp/main.html (2004).
[Jones 97] Jones, Richard W. M. & Kelley, Paul H. J. "Backwards-compatible bounds checking for arrays and pointers in C programs," 13-26. Proceedings of the Third International Workshop on Automatic Debugging (AADEBUG'97).
[Wilander 03] Wilander, J. & Kamkar, M. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention," 149-162. Proceedings of the 10th Network and Distributed System Security Symposium. San Diego, California, February 6-7, 2003. Reston, VA: Internet Society, 2003. http://www.ida.liu.se/~johwi/research_publications/paper_ndss2003_john_wilander.pdf

DRAFT C++ Coding Standards, Version 0.1
Secure Coding and Design Standards, March 18, 2014
1 Introduction

Application code defects are a primary cause of commonly exploited software vulnerabilities. A number of security experts have analyzed thousands of vulnerability reports, and determined that most application vulnerabilities stem from a relatively small number of common coding errors. By identifying insecure coding practices and developing secure alternatives, developers can take practical steps to reduce or eliminate vulnerabilities in the SD
warning is superfluous can improve the security of your deployed software system. Compilers can also provide options that influence runtime settings, such as the /GS flag in Microsoft Visual Studio. Understanding available compiler options and making informed decisions about which options to use and which to omit can help eliminate vulnerabilities and mitigate against runtime exploitation of undiscovered or unresolved vulnerabilities. An example of the use of compiler checks to mitigate against integer vulnerabilities is described in Compiler Checks. Examples of using other static and dynamic analysis tools to discover and mitigate vulnerabilities are described in Runtime Analysis Tools and Heap Integrity Detection.

Mitigation strategies are described, including security, performance, availability, ease of use, and other known quality attributes. We do not attempt to describe the conditions under which one mitigation strategy is preferred to another. Instead, we assume that you (the customer of the information) know what your requirements and constraints are and can make an appropriate selection based on your analysis of this information and the information contained in the referenced resources.
1.2 String Manipulation

1.2.1 C++ std::string

Daniel Plakosh, Software Engineering Institute [vita]

C++ programmers have the option of using the standard std::string class defined in ISO/IEC 14882. The std::string generally protects against buffer overflow.

Development Context
String manipulation

Technology Context
C++, UNIX, Win32

Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk
Standard C string manipulation functions are prone to programmer mistakes that can result in buffer overflow vulnerabilities.

Description
reached and the remainder of characters in the input stream are consumed by the next call to the extractor operator.

C++ programmers have the option of using the standard std::string class defined in ISO/IEC 14882 [ISO/IEC 98]. The std::string class is the char instantiation of the std::basic_string template class, and it uses a dynamic approach to strings in that memory is allocated as required, meaning that in all cases, size() <= capacity(). The std::string class is convenient because the language supports the class directly. Also, many existing libraries already use this class, which simplifies integration.

Figure 3 shows another solution to extracting characters from cin into a string, using std::string instead of a character array. This program is simple, elegant, handles buffer overflows and string truncation, and behaves in a predictable fashion.

Figure 3. Extracting characters from cin into a std::string object

    #include <iostream>
    #include <string>
    using namespace std;

    int main() {
      string str;
      cin >> str;                        // reads one whitespace-delimited token; str grows as needed
      cout << "str 1: " << str << endl;
    }

The std::string generally protects against buffer overflow, but there are still situations in which programming errors can lead to buffer overflows. While C++ generally throws an out_of_range exception when an operation references memory outside the bounds of the string, the subscript operator [] (which does not perform bounds checking) does not [Viega 03].

Another problem occurs when converting std::string objects to C-style strings. If you use string::c_str() to do the conversion, you get a properly null-terminated C-style string. However, if you use string::data(), which writes the string directly into an array (returning a pointer to the array), you get a buffer that is not null terminated. The only difference between c_str() and data() is that c_str() adds a trailing null byte.

Finally, many existing C++ programs and libraries have their own string classes. To use these libraries, you may have to use these string types or constantly convert back and forth. Such libraries are of varying quality when it comes to security. It is generally best to use the standard library (when possible) or to understand the semantics of the selected library. Generally speaking, libraries should be evaluated based on how easy or complex they are to use, the type of errors that can be made, how easy these errors are to make, and what the potential consequences may be.[i]
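The three hazards just described (unchecked operator[], whitespace-delimited extraction into a growing std::string, and handing a std::string to a C API) can be exercised together. The following program is an added example written for this page; it is not code from the original standard or from the SEI article it reproduces. It runs Figure 3's extraction over a constructed std::istringstream instead of cin, uses at() where the text warns that [] does no bounds check, and copies into a fixed C buffer with explicit truncation. One caveat to the text above: since C++11, std::string::data() also returns a null-terminated buffer, but c_str() remains the clearer choice when a C API expects one.

```cpp
#include <cstddef>
#include <cstring>
#include <sstream>
#include <stdexcept>
#include <string>

// Bounds-checked character access. std::string::at() throws
// std::out_of_range when i >= size(); operator[] performs no such check,
// and reading str[i] for i > size() is undefined behaviour.
bool checked_char(const std::string& s, std::size_t i, char& out) {
    try {
        out = s.at(i);
        return true;
    } catch (const std::out_of_range&) {
        return false;
    }
}

// The extraction of Figure 3, run over an arbitrary istream instead of cin
// so it can be exercised on constructed input. Each operator>> call stops
// at whitespace and lets the std::string grow as needed, so no input length
// can overflow a fixed buffer. Returns the number of tokens extracted and
// accumulates their total length in total_len.
std::size_t count_tokens(std::istream& in, std::size_t& total_len) {
    std::string str;
    std::size_t n = 0;
    total_len = 0;
    while (in >> str) {
        ++n;
        total_len += str.size();
    }
    return n;
}

// Handing a std::string to a C API that expects a NUL-terminated buffer.
// c_str() is guaranteed NUL-terminated; when the bytes must be copied into
// a caller-owned fixed buffer, the copy itself must stay within cap and add
// the terminator. Returns the number of characters copied (terminator
// excluded), truncating rather than overflowing.
std::size_t copy_to_c_buffer(const std::string& s, char* buf, std::size_t cap) {
    if (buf == nullptr || cap == 0) return 0;
    std::size_t n = s.size() < cap - 1 ? s.size() : cap - 1;
    std::memcpy(buf, s.c_str(), n);
    buf[n] = '\0';
    return n;
}

// Constructed sample input (not from the page).
const char* const SAMPLE_TOKENS = "hello world  foo\n";

int main() {
    std::istringstream in(SAMPLE_TOKENS);
    std::size_t total = 0;
    std::size_t n = count_tokens(in, total);                 // 3 tokens, 13 characters
    char c = '\0';
    bool ok = checked_char("abc", 5, c);                     // false: at(5) throws
    char buf[4];
    std::size_t copied = copy_to_c_buffer("hello", buf, sizeof buf);  // "hel", 3
    return (n == 3 && total == 13 && !ok && copied == 3) ? 0 : 1;
}
```

The istringstream stands in for cin only so the example runs offline; the extraction loop is identical to reading from standard input.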
1.2.2 fgets() and gets_s()
Robert C. Seacord, Software Engineering Institute [vita]

The gets() function is a common source of buffer overflow vulnerabilities and should never be used. The fgets() and gets_s() functions each offer a more secure solution.

Development Context
Reading strings from standard input

Technology Context
C, UNIX, Win32

Attacks
Attacker executes arbitrary code on machine with permissions of compromised process.

Risk
The gets() function is a common source of buffer overflow vulnerabilities and should never be used. Programs running with elevated privileges, including programs that are outward facing, can be used for privilege escalation or to launch a remote shell.

Description
There are two alternative functions that can be used: fgets() and gets_s(). Figure 1 shows how all three functions are used.

The fgets() function is defined in C99 [ISO/IEC 99] and has similar behavior to gets(). The fgets() function accepts two additional arguments: the number of characters to read and an input stream. By specifying stdin as the stream, fgets() can be used to simulate the behavior of gets(), as shown in lines 6-10 of Figure 1. The fgets() function, however, retains the new-line character, which means that the function cannot be used as a direct replacement for gets().

The fgets() function reads at most one less than the number of characters specified from the stream into an array. No additional characters are read after a new-line character or after end-of-file. A null character is written immediately after the last character read into the array. The C standard does not define how fgets() behaves if the number of characters to read is specified as zero or if the pointer to the character array to be written to is a null.

The gets_s() function is defined by ISO/IEC WDTR 24731 to provide a compatible version of gets() that is less prone to buffer overflow. This function is closer to a direct replacement for the gets() function in that it reads only from the stream pointed to by stdin. The gets_s() function, however, accepts an additional argument of rsize_t. If this argument is equal to zero or greater than RSIZE_MAX or if the pointer to the character array to be written to is a null, then there is diagnosed undefined behavior, and no input is performed and the character array is not modified. Otherwise, the function reads, at most, one less than the number of characters specified, and a null character is written immediately after the last character read into the array.
1.2.3 memcpy_s() and memmove_s()
Development Context
Copying characters from one memory location to another.

Technology Context
C++, C, UNIX, Win32

Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk
The memcpy() and memmove() functions are a source of buffer overflow vulnerabilities.

Description
Substituting the memcpy_s() and memmove_s() functions for the memcpy() and memmove() functions can help guard against software vulnerabilities. The memcpy_s() and memmove_s() functions defined in ISO/IEC WDTR 24731 are similar to the corresponding memcpy() and memmove() functions but provide some additional safeguards. These functions have an additional argument that specifies the maximum size of the destination, and they also include a return value that indicates whether the operation was successful. A return value of zero indicates that the operation succeeded. A non-zero return value indicates that the operation failed because it was diagnosed to have an undefined behavior due to an invalid input argument.

The memcpy_s() and memmove_s() functions will be diagnosed to have an undefined behavior if either the source or destination pointer is null, if the specified number of characters to copy or move is greater than the maximum size of the destination buffer, or the number of characters to copy or move or the maximum size of the destination buffer is greater than RSIZE_MAX.[1] Additionally, the memcpy_s() function will be diagnosed to have an undefined behavior if the memory regions of the objects overlap.

If the operation is diagnosed to have an undefined behavior, zeros will be stored in the first characters of the destination if the destination pointer is not equal to null and the size of the destination buffer is less than or equal to RSIZE_MAX.

The memcpy_s() function has better performance than the memmove_s() but has additional risks. There is no security related reason to prefer memcpy_s() to memmove_s().

The memcpy_s() and memmove_s() functions are used to copy characters from one memory location to another. The wmemcpy_s() and wmemmove_s() functions are used to copy wide characters.[iii]
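Most compilers still ship no memcpy_s()/memmove_s(), so it is worth seeing the rules above as code. The following is an added example written for this page, not the WDTR 24731 text or any vendor's implementation: safe_memcpy() and safe_memmove() apply every constraint listed above (null pointers, count larger than the destination, count or destination size above the RSIZE_MAX bound, and for the copy variant overlapping objects), return non-zero on a violation, and zero-fill the destination when they do. EXAMPLE_RSIZE_MAX is a constructed stand-in for the platform's RSIZE_MAX, and the overlap test compares addresses as integers, which is the usual implementation practice rather than something the page specifies.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Constructed stand-in for RSIZE_MAX; a real implementation takes it from <stdint.h>.
const std::size_t EXAMPLE_RSIZE_MAX = static_cast<std::size_t>(1) << 30;

// True when [a, a+na) and [b, b+nb) share any byte. Addresses are compared
// as integers because relational comparison of pointers into unrelated
// objects is not portable C++.
static bool regions_overlap(const void* a, std::size_t na, const void* b, std::size_t nb) {
    std::uintptr_t lo1 = reinterpret_cast<std::uintptr_t>(a), hi1 = lo1 + na;
    std::uintptr_t lo2 = reinterpret_cast<std::uintptr_t>(b), hi2 = lo2 + nb;
    return lo1 < hi2 && lo2 < hi1;
}

// On a violation: zero the first destmax bytes when dest is non-null and
// destmax is within range, so no partial or stale data is left behind.
static int violation(void* dest, std::size_t destmax) {
    if (dest != nullptr && destmax <= EXAMPLE_RSIZE_MAX) std::memset(dest, 0, destmax);
    return -1;
}

// memcpy_s-style copy. Returns 0 on success, non-zero on a constraint violation.
int safe_memcpy(void* dest, std::size_t destmax, const void* src, std::size_t n) {
    if (dest == nullptr || src == nullptr || n > destmax ||
        n > EXAMPLE_RSIZE_MAX || destmax > EXAMPLE_RSIZE_MAX ||
        regions_overlap(dest, n, src, n))
        return violation(dest, destmax);
    std::memcpy(dest, src, n);
    return 0;
}

// memmove_s-style move: the same checks minus the overlap rule; memmove
// handles overlapping regions correctly.
int safe_memmove(void* dest, std::size_t destmax, const void* src, std::size_t n) {
    if (dest == nullptr || src == nullptr || n > destmax ||
        n > EXAMPLE_RSIZE_MAX || destmax > EXAMPLE_RSIZE_MAX)
        return violation(dest, destmax);
    std::memmove(dest, src, n);
    return 0;
}

// Exercises the cases on constructed buffers and returns a bitmask:
// bit0 exact-fit copy ok, bit1 oversize copy rejected and destination zeroed,
// bit2 overlapping copy rejected, bit3 overlapping move accepted and correct.
unsigned demo_memcpy_s() {
    unsigned bits = 0;
    char dst[8];
    const char src[] = "abcdefg";                       // 7 chars + NUL = 8 bytes
    if (safe_memcpy(dst, sizeof dst, src, sizeof src) == 0 && std::strcmp(dst, "abcdefg") == 0)
        bits |= 1;
    char big[16] = "0123456789abcde";
    if (safe_memcpy(dst, sizeof dst, big, sizeof big) != 0 && dst[0] == '\0' && dst[7] == '\0')
        bits |= 2;
    char buf[16] = "0123456789abcde";
    if (safe_memcpy(buf + 2, 10, buf, 10) != 0)         // objects overlap: copy refuses
        bits |= 4;
    char buf2[16] = "0123456789abcde";
    if (safe_memmove(buf2 + 2, 10, buf2, 10) == 0 && std::memcmp(buf2, "0101234567", 10) == 0)
        bits |= 8;
    return bits;
}

int main() {
    return demo_memcpy_s() == 15u ? 0 : 1;
}
```

The overlapping case is the one the text singles out: safe_memcpy() reports it as a violation, while safe_memmove() completes it, which is why the page says there is no security reason to prefer the copy variant.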
1.2.4 Runtime Protection

Daniel Plakosh, Software Engineering Institute [vita]

There are a number of runtime solutions that can detect stack corruption and buffer overruns or guard against attacks. These solutions typically terminate the program when an anomaly is detected, preventing the execution of arbitrary code.

Development Context
Program runtime checks and protection techniques that can be used to detect stack corruption and buffer overruns or guard against attacks

Technology Context
C, UNIX, WIN32

Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk
Programming errors can result in buffer overflow vulnerabilities.

Description
There are a number of runtime solutions that can detect stack corruption and buffer overruns or guard against attacks. These solutions typically terminate the program when an anomaly is detected, preventing the execution of arbitrary code. They are not effective at stopping denial-of-service (DoS) attacks unless the program also includes restart processing that is initiated when the program terminates, which would limit the effectiveness of the attack.

Runtime protection strategies should not be used as a substitute for eliminating the source of the vulnerability, as these solutions are often ineffective. There are often many ways to exploit a vulnerability, and many runtime protection schemes only eliminate a subset of these. Runtime protection strategies may be employed as part of a defense-in-depth strategy to mitigate undetected vulnerabilities but should not be solely relied on as a software assurance strategy.

Several runtime solutions are described next.
1.2.5 Compiler-Generated Runtime Checks

Microsoft Visual C++ provides native runtime checks to catch common runtime errors such as stack pointer corruption and overruns of local arrays. The /GS option enables canaries and performs some stack reorganization to prevent common exploits. Visual C++ also provides a runtime_checks pragma that disables or restores the /RTC settings.[1]

Stack Pointer Corruption. Stack pointer verification detects stack pointer corruption. Stack pointer corruption can be caused by a calling convention mismatch. For example, using a function pointer, you call a function in a D
This technique gives a disadvantage to the attacker while wasting at most 1 page of real memory. This mitigation can be easily added to
developed by Wilander and Kamkar for evaluating dynamic buffer overflow detectors [Wilander 03], even when optimized to check only for overflows in strings.

CRED has been merged into the latest Jones and Kelly checker for GCC 3.3.1, which is currently maintained by Herman ten Brugge.

1.2.9 Canaries

Canaries are another mechanism used to eliminate stack smashing attacks. Instead of performing generalized bounds checking, canaries are used to protect the return address on the stack from sequential writes through memory (for example, resulting from a strcpy()). Canaries consist of a hard-to-insert or hard-to-spoof value written to an address below the section of the stack being protected. A sequential write would therefore need to overwrite this value on the way to the protected region. The canary is initialized immediately after the return address is saved and checked immediately before the return address is accessed.

A hard-to-insert or terminator canary consists of four different string terminators (CR, [...] 2-bit secret random number that changes each time the program is executed. This approach works well as long as the canary remains a secret.

Canaries are implemented in StackGuard [Cowan 98]. Various StackGuard versions have been used with GCC for Immunix OS 6.2, 7.0, and 7+. Red Hat 7.3 will merge StackGuard 3 into the GCC 3.x mainline compiler. Canaries have also been used in ProPolice and Microsoft's Visual C++ .NET.

Canaries are useful only against exploits that overflow a buffer on the stack and attempt to overwrite the stack pointer or other protected region. Canaries do not protect against exploits that modify variables, data pointers, or function pointers. Canaries do not prevent buffer overflows from occurring in any location, including the stack segment.

In fact, neither the terminator nor random canary offers complete protection against exploits that overwrite the return address. Exploits that write four bytes directly to the location of the return address on the stack can defeat terminator and random canaries [Bulba 00]. To solve these direct access exploits, StackGuard added Random XOR canaries [Wagle 03] that XOR the return address with the canary. Again, this works well as long as the canary remains a secret.
1.2.10 Stack Smashing Protector (ProPolice)

A popular mitigation approach derived from StackGuard is the GCC Stack Smashing Protector (SSP), also known as ProPolice [Etoh 04]. SSP is a GCC extension for protecting applications written in C from the most common forms of stack buffer overflow exploits and is implemented as an intermediate language translator of GCC. SSP provides buffer overflow detection and the variable reordering to avoid the corruption of pointers. Specifically, SSP
- reorders local variables to place buffers after pointers to avoid the corruption of pointers that could be used to further corrupt arbitrary memory locations
- copies pointers in function arguments to an area preceding local variable buffers to prevent the corruption of pointers that could be used to further corrupt arbitrary memory locations
- omits instrumentation code from functions that contain character arrays to decrease the performance overhead

The SSP feature is enabled using gcc options. The -fstack-protector and -fno-stack-protector options respectively enable and disable stack smashing protection. The -fstack-protector-all and -fno-stack-protector-all options enable and disable the protection of every function, not just the functions with character arrays.

SSP works by introducing a guard variable to prevent changes to the arguments, return address, and previous frame pointer. Given the source code of a function, a preprocessing step inserts code fragments into appropriate locations as follows:

Declaration of local variables:
    volatile int guard;

Entry point:
    guard = guard_value;

Exit point:
    if (guard != guard_value) {
        /* output error log */
        /* halt execution */
    }

A random number is used as the guard value at the initialization time of the application, preventing discovery by a non-privileged user. SSP also provides a safer stack structure, as shown in Figure 2.

Figure 2. SSP safe frame structure
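The Canaries section above and the SSP guard fragments just shown describe the same check from two angles: a value placed between the local buffer and the saved return address, compared in the epilogue. The following is an added example (a model written for this page, not StackGuard, SSP, or compiler output): a plain struct stands in for the frame layout, frame_init()/frame_check() play the prologue and epilogue, and two scenarios from the text are run against both a plain random canary and the Random XOR variant. CANARY_SECRET and SAVED_RET are constructed constants; a real canary is drawn from a random source per process, and real frames are laid out by the compiler.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

// Model of a protected frame as StackGuard/SSP lay it out: the local buffer
// sits below the canary, which sits below the saved return address, so a
// sequential write running off the end of the buffer must cross the canary
// before it can reach the return address. Constructed for illustration.
struct Frame {
    char           buf[16];
    std::uintptr_t canary;   // random canary, or (secret ^ ret) for the XOR variant
    std::uintptr_t ret;      // saved return address
};

// Constructed values: a real canary is random per process, and the return
// address is whatever the caller pushed.
const std::uintptr_t CANARY_SECRET = 0x5A3C9E71u;
const std::uintptr_t SAVED_RET     = 0x00401234u;

// Prologue: store the canary (plain, or XORed with the return address).
void frame_init(Frame& f, bool xor_canary) {
    std::memset(f.buf, 0, sizeof f.buf);
    f.ret = SAVED_RET;
    f.canary = xor_canary ? (CANARY_SECRET ^ f.ret) : CANARY_SECRET;
}

// Epilogue check, the `if (guard != guard_value)` of the SSP fragment above:
// true if the frame is intact, false if corruption was detected.
bool frame_check(const Frame& f, bool xor_canary) {
    std::uintptr_t expect = xor_canary ? (CANARY_SECRET ^ f.ret) : CANARY_SECRET;
    return f.canary == expect;
}

// A strcpy()-style sequential write of n bytes starting at the buffer,
// clamped to the struct so the model itself stays well-defined.
void sequential_write(Frame& f, const unsigned char* data, std::size_t n) {
    if (n > sizeof f) n = sizeof f;
    std::memcpy(&f, data, n);
}

// Scenario A: a write that overruns the 16-byte buffer by 8 bytes. Both
// canary kinds detect it, because the write passes through the canary.
bool detects_sequential_overrun(bool xor_canary) {
    Frame f;
    frame_init(f, xor_canary);
    unsigned char data[24];
    std::memset(data, 'A', sizeof data);
    sequential_write(f, data, sizeof data);
    return !frame_check(f, xor_canary);
}

// Scenario B: only the saved return address changes; buffer and canary are
// untouched (the direct-write case the text attributes to [Bulba 00]). The
// plain canary still matches, so the check passes and nothing is detected;
// the XOR canary no longer equals secret ^ ret, so the change is detected.
bool detects_direct_ret_overwrite(bool xor_canary) {
    Frame f;
    frame_init(f, xor_canary);
    f.ret = 0x00402000u;   // constructed replacement address
    return !frame_check(f, xor_canary);
}

int main() {
    std::printf("sequential overrun detected: plain=%d xor=%d\n",
                detects_sequential_overrun(false), detects_sequential_overrun(true));
    std::printf("direct ret overwrite detected: plain=%d xor=%d\n",
                detects_direct_ret_overwrite(false), detects_direct_ret_overwrite(true));
    return 0;
}
```

The model also makes the text's limitations concrete: frame_check() says nothing about f.buf itself or about any pointer variable a compiler might have placed below the buffer, which is why SSP additionally reorders locals and why the page says canaries do not prevent the overflow, only its use against the return address.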
This structure establishes the following constraints:
The C String
The SafeStr API can help track trusted and untrusted data in the style of Perl's taint mode. A developer can use this mechanism to mark strings originating from untrusted sources as such. Strings that have been checked for potentially malicious input could subsequently be marked as trusted. When modifying a string, the trusted property of that string is set to untrusted if any of the operands are untrusted. When creating a new string from operations on other strings, the new string is marked as trusted only if all the strings that influence its value are trusted.

The trust property will not properly propagate if the SafeStr API is circumvented. The SafeStr API does not currently provide any routines that check the trusted flag. However, you can explicitly check the flag yourself as shown in Figure 1.

Figure 1. Trusted and untrusted data in SafeStr

    #include <stdio.h>
    #include <stdlib.h>
    #include <safestr.h>   /* SafeStr library header (assumed name) */

    int safer_system(safestr_t cmd) {
      /* Refuse to run a command built from data that was never marked trusted. */
      if (!safestr_istrusted(cmd)) {
        printf("Untrusted data in safer_system!\n");
        abort();
      }
      return system((char *)cmd);
    }

Error handling in SafeStr is performed using [2]

Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.

Risk
The strcpy() and strcat() functions are a source of buffer overflow vulnerabilities.

Description
The strcpy_s() and strcat_s() functions are defined in ISO/IEC WDTR 24731 as a close replacement for strcpy() and strcat(). These functions have an additional argument that specifies the maximum size of the destination and also include a return value that indicates whether the operation was successful.

The strcpy_s() function is similar to strcpy() if a constraint violation does not occur. In this case, the strcpy_s() function copies characters from the source string to the destination character array up to and including the terminating null character and then returns zero to indicate success.

The strcpy_s() function only succeeds when the source string can be fully copied to the destination without overflowing the destination buffer. If either the source or destination pointers are null or if the maximum length of the destination buffer is equal to zero, greater than RSIZE_MAX,[1] or less than or equal to the length of the source string, then a constraint violation occurs and the operation returns a non-zero value. Additionally, the strcpy_s() function will result in a constraint violation if the memory regions of the objects overlap. If a constraint violation occurs, a zero is stored in the first character of the destination if the destination pointer is not equal to null and the size of the destination buffer is greater than zero and less than or equal to RSIZE_MAX.

The strcat_s() function appends the characters of the source string, up to and including the null character, to the end of the destination string. The initial character from the source string overwrites the null character at the end of the destination string.

The strcat_s() function returns zero on success. A constraint violation will occur and the operation will return a non-zero value if
- either (a) the source or destination pointer is null or the maximum length of the destination buffer is equal to zero or greater than RSIZE_MAX or (b) the destination string is already full or there is not enough room to fully append the source string
- the memory regions of the objects overlap

If a constraint violation occurs, a zero is stored in the first character of the destination if the destination pointer is not equal to null and the size of the destination buffer is greater than zero and less than or equal to RSIZE_MAX.

The strcpy_s() and strcat_s() functions can still result in a buffer overflow if the maximum length of the destination buffer is incorrectly specified.[vi]
strcpy() and strcat()
Daniel Plakosh, Software Engineering Institute [vita]
The strcpy() and strcat() functions have been villainized as a major source of buffer overflows, and there are many mitigation strategies that provide more secure variants of these functions. However, not all applications of strcpy() are flawed.
Development Context
Copying and concatenating character strings
Technology Context
C, UNIX, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
The strcpy() and strcat() functions are a source of buffer overflow vulnerabilities.
Description
The strcpy() and strcat() functions have been villainized as a major source of buffer overflows, and there are many mitigation strategies (such as strcpy_s() and strcat_s()) that provide more secure variants of these functions. However, not all applications of strcpy() are flawed. For example, assuming source has been properly validated, it is often possible to dynamically allocate the required space as follows:
dest = (char *)malloc(strlen(source) + 1);
if (dest) {
  strcpy(dest, source);
} else {
  /* Handle memory allocation error */
}
There are also other cases where it is clear that there is no potential for writing beyond the array bounds.
To help prevent writing outside the bounds of the array, the strlcpy() and strlcat() functions accept the full size of the destination string as a size parameter. For statically allocated buffers, this value is easily computed at compile time using the sizeof() operator.
Both functions guarantee that the destination string is null terminated for all nonzero-length buffers to prevent null-termination errors.
The strlcpy() and strlcat() functions return the total length of the string created. For strlcpy() that is simply the length of the source; for strlcat() it is the length of the destination (before concatenation) plus the length of the source. To check for truncation, the programmer need only verify that the return value is less than the size parameter. If the resulting string is truncated, the programmer now knows the number of bytes needed to store the entire string and may reallocate and recopy. This helps prevent errors resulting from an unintentional loss of data.
Neither strlcpy() nor strlcat() zero-fills its destination strings (other than the compulsory null byte to terminate the string). This results in performance close to that of strcpy() and much better than strncpy() [ISO/IEC 99]. Table 1 shows the elapsed time required to copy the string "this is just a test" 1000 times into a 1024-byte buffer [Miller 99].
Table 1. Performance in seconds
CPU     Function    Time (sec.)
m68k    strcpy()    0.137
m68k    strncpy()   0.464
m68k    strlcpy()   0.140
alpha   strcpy()    0.018
alpha   strncpy()   0.100
alpha   strlcpy()   0.020
Unfortunately, strlcpy() and strlcat() are not universally available in the standard libraries of UNIX systems. Both functions are defined in string.h for many UNIX variants, including OpenBSD and Solaris, but not for GNU
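Because the functions are not available everywhere, the following added example (not code from the standard, from Miller's paper or from this document's sources) re-implements the strlcpy()/strlcat() contract described above and then applies the truncation check the text recommends: compare the return value with the size and, on truncation, grow the buffer to exactly the reported length. The names my_strlcpy, my_strlcat and copy_with_growth are this example's own, and the assumed contract is the OpenBSD one.

```c
#include <stdlib.h>
#include <string.h>

/* Re-implementation of the strlcpy() semantics described above (assumed to
 * match the OpenBSD contract): size is the full destination size, the
 * destination is null terminated whenever size > 0, and the return value is
 * strlen(src), i.e. the length the result would have had without truncation. */
size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Same contract for strlcat(): size is the full destination size, and the
 * return value is the length of dst before the call plus strlen(src). */
size_t my_strlcat(char *dst, const char *src, size_t size)
{
    size_t dstlen = 0;
    while (dstlen < size && dst[dstlen] != '\0')   /* bounded strlen of dst */
        dstlen++;
    if (dstlen == size)          /* dst not terminated within size: nothing appended */
        return size + strlen(src);
    return dstlen + my_strlcpy(dst + dstlen, src, size - dstlen);
}

/* The truncation check from the text: copy into a buffer of `initial` bytes;
 * if the return value is not less than the size, the copy was truncated and
 * the return value is exactly the length needed, so reallocate to that length
 * plus one for the null byte and copy again. Returns the buffer (caller frees)
 * or NULL on allocation failure; *out_size receives the final buffer size. */
char *copy_with_growth(const char *src, size_t initial, size_t *out_size)
{
    if (initial == 0)
        initial = 1;                 /* room for at least the null byte */
    char *buf = malloc(initial);
    if (buf == NULL)
        return NULL;
    size_t needed = my_strlcpy(buf, src, initial);
    if (needed >= initial) {         /* truncated: grow to the reported length */
        char *bigger = realloc(buf, needed + 1);
        if (bigger == NULL) {
            free(buf);
            return NULL;
        }
        buf = bigger;
        initial = needed + 1;
        my_strlcpy(buf, src, initial);   /* now guaranteed to fit */
    }
    if (out_size != NULL)
        *out_size = initial;
    return buf;
}
```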
Daniel Plakosh, Software Engineering Institute [vita]
The strncpy() and strncat() functions are a source of buffer overflow vulnerabilities. The strncpy_s() and strncat_s() functions are defined in ISO/IEC TR 24731 as drop-in replacements for strncpy() and strncat().
Development Context
Copying and concatenating character strings
Technology Context
C, UNIX, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
The strncpy() and strncat() functions are a source of buffer overflow vulnerabilities.
Description
The strncpy_s() and strncat_s() functions are defined in ISO/IEC WDTR 24731 as drop-in replacements for strncpy() and strncat().
The strncpy_s() function copies not more than a specified number of successive characters (characters that follow a null character are not copied) from a source string to a destination character array. If no null character was copied, the last character of the destination character array is set to a null character.
The strncpy_s() function returns zero to indicate success. If a constraint violation occurs, strncpy_s() returns a nonzero value and sets the destination string to the null string if the destination pointer is not equal to null and the size of the destination buffer is greater than zero and less than or equal to RSIZE_MAX.
A constraint violation occurs if
- either (a) the source or destination pointer is null or (b) the maximum size of the destination string is zero or greater than RSIZE_MAX
- the specified number of characters to be copied exceeds RSIZE_MAX
- the memory regions of the objects overlap
A strncpy_s() operation can actually succeed when the number of characters specified to be copied exceeds the maximum length of the destination string, as long as the actual source string is shorter than the maximum length of the destination string. If the number of characters to copy is greater than or equal to the maximum size of the destination string and the source string is longer than the destination buffer, the operation will fail.
Figure 1. Sample use of strncpy_s() function
1. char src1[100] = "hello";
2. char src2[7] = {'g', 'o', 'o', 'd', 'b', 'y', 'e'};
3. char dst1[6], dst2[5], dst3[5];
4. int r1, r2, r3;
5. r1 = strncpy_s(dst1, 6, src1, 100);
6. r2 = strncpy_s(dst2, 5, src2, 7);
7. r3 = strncpy_s(dst3, 5, src2, 4);
Users of these functions are less likely to introduce a security flaw because the size of the destination buffer and the maximum number of characters to append must be specified. The strncat_s() function also ensures null termination of the destination string. For example, the first call to strncpy_s() on line 5 of the sample program shown in Figure 1 assigns the value zero to r1 and the sequence hello\0 to dst1. The second call on line 6 assigns a nonzero value to r2 and the sequence \0 to dst2. The third call on line 7 assigns the value zero to r3 and the sequence good\0 to dst3. If strncpy() had been used instead of strncpy_s(), a buffer overflow would have occurred during the execution of line 6.
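To make the three outcomes just described checkable, here is an added illustrative implementation of the strncpy_s() contract as the text states it (null and RSIZE_MAX checks, the rule for n versus the destination size, overlap detection, and zeroing of dst[0] on a constraint violation), followed by a re-run of the three calls from Figure 1. It is not the TR 24731 reference code; illus_strncpy_s, ILLUS_RSIZE_MAX and figure1_matches are this example's own names, and ILLUS_RSIZE_MAX is an assumed stand-in for RSIZE_MAX.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for RSIZE_MAX (assumption: half the address space, a common choice). */
#define ILLUS_RSIZE_MAX (SIZE_MAX >> 1)

/* Illustrative strncpy_s(): copies at most n characters of src into dst, which
 * holds dstmax bytes. Returns 0 on success, nonzero on a constraint violation,
 * in which case dst[0] is set to '\0' whenever dst is usable. */
int illus_strncpy_s(char *dst, size_t dstmax, const char *src, size_t n)
{
    size_t limit, srclen = 0;

    /* With no usable destination there is nothing to zero: just report failure. */
    if (dst == NULL || dstmax == 0 || dstmax > ILLUS_RSIZE_MAX)
        return -1;
    if (src == NULL || n > ILLUS_RSIZE_MAX)
        goto violation;

    /* Measure src, but never read beyond what could possibly be copied. */
    limit = n < dstmax ? n : dstmax;
    while (srclen < limit && src[srclen] != '\0')
        srclen++;

    /* n >= dstmax is allowed only if the whole source, null included, fits. */
    if (n >= dstmax && srclen >= dstmax)
        goto violation;

    /* Overlap check on the byte ranges actually touched. */
    {
        uintptr_t d0 = (uintptr_t)dst, d1 = d0 + dstmax;
        uintptr_t s0 = (uintptr_t)src;
        uintptr_t s1 = s0 + srclen + (srclen < limit ? 1 : 0);  /* +1 if the null was read */
        if (d0 < s1 && s0 < d1)
            goto violation;
    }

    memcpy(dst, src, srclen);
    dst[srclen] = '\0';      /* srclen < dstmax holds on every path that reaches here */
    return 0;

violation:
    dst[0] = '\0';
    return -1;
}

/* Re-runs the three calls of Figure 1 and checks the outcomes the text gives:
 * r1 == 0 with "hello"; r2 != 0 with ""; r3 == 0 with "good". Returns 1 if all match. */
int figure1_matches(void)
{
    char src1[100] = "hello";
    char src2[7] = {'g', 'o', 'o', 'd', 'b', 'y', 'e'};   /* no terminating null */
    char dst1[6], dst2[5], dst3[5];
    int r1 = illus_strncpy_s(dst1, 6, src1, 100);
    int r2 = illus_strncpy_s(dst2, 5, src2, 7);
    int r3 = illus_strncpy_s(dst3, 5, src2, 4);
    return r1 == 0 && strcmp(dst1, "hello") == 0
        && r2 != 0 && dst2[0] == '\0'
        && r3 == 0 && strcmp(dst3, "good") == 0;
}
```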
The strncat_s() function appends not more than a specified number of successive characters (characters that follow a null character are not copied) from a source string to a destination character array. The initial character from the source string overwrites the null character at the end of the destination array. If no null character was copied from the source string, a null character is written at the end of the appended string.
The strncat_s() function fails and returns a nonzero value (indicating an undefined behavior) if any of the following occurs:
- either (a) the source or destination pointer is null or (b) the maximum length of the destination buffer is equal to zero or greater than RSIZE_MAX, or the memory regions of the objects overlap
- the destination string is already full
- there is not enough room to fully append the source string
If a constraint violation occurs, the destination string will be set to null if the destination pointer is not equal to null and the size of the destination buffer is greater than zero and less than or equal to RSIZE_MAX.
The strncpy_s() and strncat_s() functions are still capable of overflowing a buffer if the maximum length of the destination buffer and the number of characters to copy are incorrectly specified. (ix)
strncpy() and strncat()
Daniel Plakosh, Software Engineering Institute [vita]
The standard C library includes functions that are designed to prevent buffer overflows, particularly strncpy() and strncat(). These universally available functions discard data larger than the specified length, regardless of whether it fits into the buffer. These functions are deprecated for new Windows code because they are frequently used incorrectly.
Development Context
Copying and concatenating character strings
Technology Context
C, UNIX, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Improper use of the strncpy() and strncat() functions can result in buffer overflow vulnerabilities.
Description
The standard C library includes functions that are designed to prevent buffer overflows, particularly strncpy() and strncat(). These universally available functions discard data larger than the specified length, regardless of whether it fits into the buffer. These functions are deprecated for new Windows code because they are frequently used incorrectly.
The strncpy() library function performs a similar function to strcpy() but allows a maximum size to be specified:
strncpy(dest, source, dest_size - 1);
dest[dest_size - 1] = '\0';
The strcat() function concatenates a string to the end of a buffer.
String manipulation
Technology Context
C/C++, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Standard C string manipulation functions are prone to programmer mistakes that can result in buffer overflow vulnerabilities.
Description
Microsoft provides a set of safer string handling functions for the C programming language called Strsafe.h [MSDN 05]. There is also ntstrsafe.h for kernel mode code. These functions are intended to replace their built-in C/C++ counterparts, as well as any legacy Microsoft-specific string handling functions.
These functions support both ANSI and Unicode characters, always return a status code, and require that the programmer always specifies the size of the destination buffer. Separate functions are provided that allow the programmer to specify the size of the destination buffer using either character or byte counts.
The Microsoft Strsafe library functions guarantee that all strings are null terminated (even if they are truncated) and that a write does not occur past the end of the destination buffer. This is all true, and these functions are safe as long as the programmer inputs the actual starting address of the destination buffer and the correct length. Thus care still must be taken when using these functions.
Figure 1 shows an example program that performs a secure string copy on line 8 and a secure string concatenation on line 11.
Figure 1. Microsoft Strsafe example
1. #include <Strsafe.h>
2. int _tmain(int argc, _TCHAR* argv[])
3. {
4.   char MyString[128];
5.   HRESULT Res;
9.     exit(-1);
10.  }
11.  Res = StringCbCat(MyString, sizeof(MyString), argv[0]);
12.  if (Res != S_OK) {
13.    printf("StringCbCat Failed: %s\n", MyString);
14.    exit(-1);
15.  }
16.  printf("%s\n", MyString);
17.  return 0;
18. }
It is also important to remember that the Strsafe functions, such as StringCchCopy() and StringCchCat(), do not have the same semantics as the Microsoft CRT functions strncpy_s() and strncat_s(). When strncat_s() detects an error it sets the destination string to a null string, while StringCchCat() fills the destination with as much data as possible and then null terminates the string. (xi)
Vstr
Daniel Plakosh, Software Engineering Institute [vita]
Vstr is a string library optimized to work with readv()/writev() for input/output. For example, you can readv() data to the end of the string and writev() data from the beginning of the string without allocating or moving memory. This also allows the library to work with data containing multiple zero bytes.
Development Context
String input and output
Technology Context
C, UNIX
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
C-style string input and output functions are prone to programmer mistakes that can result in buffer overflow vulnerabilities.
Description
Vstr is a string library optimized to work with readv()/writev() for input/output [Antill 05]. For example, you can readv() data to the end of the string and writev() data from the beginning of the string without allocating or moving memory. This also allows the library to work with data containing multiple zero bytes.
Figure 1 shows a simple example of a program that uses Vstr to print out "Hello World". The library is initialized on line 8 of this example. The call to the vstr_dup_cstr_buf() function on line 9 creates a vstr from a C-style string literal. The string is then output to the user using the vstr_sc_write_fd() function on line 12. This call to the vstr_sc_write_fd() function writes the contents of the s1 vstr to STDOUT.
Guard Pages
Daniel Plakosh, Software Engineering Institute [vita]
Automatic allocation of additional inaccessible memory during memory allocation operations is a technique for mitigating against exploitation of heap buffer overflows. These guard pages are unmapped pages placed between all memory allocations of one page or larger. The guard page causes a segmentation fault upon any access.
Development Context
Dynamic memory management
Technology Context
C++, C, UNIX, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Standard C dynamic memory management functions such as malloc(), calloc(), realloc(), and free() [ISO/IEC 99] are prone to programmer mistakes that can lead to vulnerabilities resulting from buffer overflow in the heap, writing to already freed memory, and freeing the same memory multiple times (e.g., double-free vulnerabil
ities).
Description
Automatic allocation of additional inaccessible memory during memory allocation operations is a technique for mitigating against exploitation of heap buffer overflows. These guard pages are unmapped pages placed between all allocations of memory that are the size of one page or larger. The guard page causes a segmentation fault upon any access. As a result, any attempt by an attacker to overwrite adjacent memory in the course of exploiting a buffer overflow causes the vulnerable program to terminate rather than continue execution of the attacker-supplied code. Guard pages are implemented by a number of systems and tools, including OpenBSD, Electric Fence, and Application Verifier (each of which is discussed further in this content area).
Guard pages have a high degree of overhead because they fragment the kernel's memory map and can increase the amount of virtual space considerably. Their effectiveness depends on the size and pattern of allocations; they are often more effective as a debugging facility than an operational security measure. (xiii)
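The mechanism can be observed directly on a POSIX system with mmap() and mprotect(). The added example below (not from this document's sources, and a minimal model rather than a drop-in allocator) places a buffer flush against a PROT_NONE page and reports whether a write that runs past the buffer's end is stopped by the guard page instead of silently corrupting memory. guarded_alloc and overflow_is_caught are this example's own names; it assumes Linux or another POSIX system where the faulting access raises SIGSEGV or SIGBUS.

```c
#define _DEFAULT_SOURCE 1
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS MAP_ANON
#endif

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

static void on_fault(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);   /* unwind out of the faulting write */
}

/* Maps enough pages for len bytes plus one trailing guard page that is made
 * inaccessible with PROT_NONE. The buffer is placed so that its last byte sits
 * right before the guard page: even a one-byte overrun faults. *base and
 * *total describe the whole mapping so the caller can munmap() it. */
static char *guarded_alloc(size_t len, void **base, size_t *total)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (len + page - 1) / page;
    *total = (data_pages + 1) * page;
    char *m = mmap(NULL, *total, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (m == MAP_FAILED)
        return NULL;
    if (mprotect(m + data_pages * page, page, PROT_NONE) != 0) {
        munmap(m, *total);
        return NULL;
    }
    *base = m;
    return m + data_pages * page - len;
}

/* Writes count bytes into a guarded buffer of len bytes. Returns 1 if the
 * write hit the guard page (the fault was caught), 0 if it completed without
 * touching the guard page, -1 if the mapping could not be set up. */
int overflow_is_caught(size_t len, size_t count)
{
    void *base = NULL;
    size_t total = 0;
    volatile char *buf = guarded_alloc(len, &base, &total);
    if (buf == NULL)
        return -1;

    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);   /* some platforms report the trap as SIGBUS */

    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0) {
        for (size_t i = 0; i < count; i++)
            buf[i] = 'A';               /* byte number len lands on the guard page */
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    munmap(base, total);
    return fault_seen;
}
```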
Heap Integrity Detection
Daniel Plakosh, Software Engineering Institute [vita]
This article describes a system to protect the glibc heap by making modifications to the chunk structure and management functions.
Development Context
Dynamic memory management
Technology Context
C, glibc, GCC, dlmalloc
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Standard C dynamic memory management functions such as malloc(), calloc(), realloc(), and free() [ISO/IEC 99] are prone to programmer mistakes that can lead to vulnerabilities resulting from buffer overflow in the heap, writing to already freed memory, and freeing the same memory multiple times (e.g., double-free vulnerabilities).
Description
Robertson and colleagues devised a system to protect the glibc heap by making modifications to the chunk structure and management functions [Robertson 03].
Figure 1. Modified memory chunk structure
1. struct malloc_chunk {
2. INTERNAL... INTERNAL...
checksum seed value is stored in the __heap_magic static variable. This variable is initialized during process startup with a random value, which is then protected against further writes by mprotect().
The heap protection system also augments the heap management functions with code to manage and check each chunk's canary. The canary in a newly allocated chunk is initialized to a checksum that includes its memory location and size fields and is seeded with the global value of __heap_magic. When a chunk is returned by a call to free(), the chunk's canary is checked against the checksum calculated when the chunk was allocated. If the checksums do not match, an exception is raised and the process is aborted. (xiv)
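A reduced model of that scheme, added here as an example (it is not Robertson et al.'s glibc modification): chunks are carved from a small static arena, each header carries a canary computed from the chunk's address, its size field and a process-wide seed, and the canary is verified before a chunk is released. canary_malloc, canary_free, canary_heap_init and overflow_detected are this example's own names; the seed is a constructed constant where the real scheme uses a random value protected with mprotect().

```c
#include <stdalign.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Process-wide checksum seed (stands in for __heap_magic). */
static uint64_t heap_magic;

/* Chunk header: the size field and the canary that protects it. */
struct chunk_hdr {
    uint64_t size;
    uint64_t canary;
};

/* Small static arena so that consecutive allocations are adjacent and an
 * overrun of one chunk lands in the next chunk's header, as on a real heap. */
static _Alignas(16) unsigned char arena[4096];
static size_t arena_used;

/* 64-bit mixing function used as the checksum (splitmix64 finalizer). */
static uint64_t mix64(uint64_t x)
{
    x ^= x >> 30; x *= 0xbf58476d1ce4e5b9ULL;
    x ^= x >> 27; x *= 0x94d049bb133111ebULL;
    x ^= x >> 31;
    return x;
}

/* Canary = checksum over (address, size) seeded with heap_magic. */
static uint64_t compute_canary(const struct chunk_hdr *h)
{
    return mix64((uint64_t)(uintptr_t)h ^ mix64(h->size ^ heap_magic));
}

void canary_heap_init(uint64_t seed)
{
    heap_magic = seed;
    arena_used = 0;
}

void *canary_malloc(size_t n)
{
    size_t need = (sizeof(struct chunk_hdr) + n + 15) & ~(size_t)15;
    if (need > sizeof arena - arena_used)
        return NULL;
    struct chunk_hdr *h = (struct chunk_hdr *)(arena + arena_used);
    arena_used += need;
    h->size = n;
    h->canary = compute_canary(h);
    return h + 1;
}

/* Verifies the canary before release. Returns 0 when intact, -1 when the
 * header was modified (heap overflow) or the chunk was already freed; the
 * real scheme raises an exception and aborts at this point. */
int canary_free(void *p)
{
    if (p == NULL)
        return 0;
    struct chunk_hdr *h = (struct chunk_hdr *)p - 1;
    if (h->canary != compute_canary(h))
        return -1;
    h->canary = 0;   /* invalidate so a second free of the same chunk is caught too */
    return 0;
}

/* Constructed scenario: a 16-byte chunk is overrun by 8 bytes, which rewrites
 * the size field of the following chunk's header. Returns 1 if freeing the
 * corrupted chunk is rejected while freeing the intact one succeeds. */
int overflow_detected(void)
{
    canary_heap_init(0x243f6a8885a308d3ULL);   /* constructed seed */
    char *a = canary_malloc(16);
    char *b = canary_malloc(16);
    if (a == NULL || b == NULL)
        return 0;
    memset(a, 'A', 24);   /* 8 bytes past the end of a: into b's header */
    int b_rejected = canary_free(b) == -1;
    int a_ok = canary_free(a) == 0;
    return b_rejected && a_ok;
}
```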
Null Pointers
Daniel Plakosh, Software Engineering Institute [vita]
One obvious technique to reduce vulnerabilities in C and C++ programs is to set the pointer to null after the call to free() has completed.
Development Context
Dynamic memory management
Technology Context
C, UNIX, Win32
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Standard C dynamic memory management functions such as malloc(), calloc(), realloc(), and free() [ISO/IEC 99] are prone to programmer mistakes that can lead to vulnerabilities resulting from buffer overflow in the heap, writing to already freed memory, and freeing the same memory multiple times (e.g., double-free vulnerabilities).
Description
One obvious technique to reduce vulnerabilities in C and C++ programs is to set the pointer to null after the call to free() has completed. Dangling pointers (pointers to already freed memory) can result in writing to freed memory and double-free vulnerabilities. Any attempt to dereference the pointer will
result in a fault, which increases the likelihood that the error will be detected during implementation and test. Also, if the pointer is set to null, the memory can be freed multiple times without consequence.
While setting the pointer to null should significantly reduce vulnerabilities resulting from writing to freed memory and double-free vulnerabilities, it cannot prevent them when multiple pointers all reference the same data structure. Unfortunately, memory management in C and C++ must be performed with great care. (xv)
Phkmalloc
Robert C. Seacord, Software Engineering Institute [vita]
Phkmalloc is an alternative dynamic memory management function that was written by Poul-Henning Kamp for FreeBSD in 1995-1996 and subsequently adapted by a number of operating systems, including NetBSD, OpenBSD, and several
determine whether a pointer passed to free() or realloc() is valid without dereferencing it. Phkmalloc cannot detect if a wrong (but valid) pointer is passed, but can detect all pointers that were not returned by malloc() or realloc(). Because phkmalloc can determine whether a pointer is allocated or free, it detects all double-free errors. For unprivileged processes, these errors are treated as warnings, meaning that the process can survive without any danger to the malloc data structures. However, enabling the 'A' or 'abort' option causes these warnings to be treated as errors. An error is terminal and results in a call to abort(). Some configurable options for phkmalloc that have security implications are shown in Table 1.
Table 1. Phkmalloc options
Flag    Description
A       'Abort'. malloc() will core dump the process rather than tolerate failure. The core file will represent the time of failure rather than when the NU
- the symbolic link /etc/malloc.conf
- the environment variable MA2
Attacks
Attacker executes arbitrary code on machine with permissions of compromised process or changes the behavior of the program.
Risk
Standard C dynamic memory management functions such as malloc(), calloc(), and free() [ISO/IEC 99] are prone to programmer mistakes that can lead to vulnerabilities resulting from buffer overflow in the heap, writing to already freed memory, and freeing the same memory multiple times (e.g., double-free vulnerabilities).
Description
Randomization works on the principle that it is harder to hit a moving target. Addresses of memory allocated by malloc() are fairly predictable. Randomizing the addresses of blocks of memory returned by the memory manager can make it more difficult to exploit a heap-based vulnerability.
Randomizing memory addresses can occur in multiple locations. For both the Windows and UNIX operating systems, the memory manager requests memory pages from the operating system, which are
then broken up into small chunks and managed as required by the application process. It is possible to randomize both the pages returned by the operating system and the addresses of chunks returned by the memory manager.
The OpenBSD kernel, for example, uses mmap() to allocate or map additional memory pages. The mmap() function will return a random address each time an allocation is performed, as long as the MAP_FIXED flag is not specified. The malloc() function can also be configured to return random chunks.
The result is that each time a program is run, it exhibits different address space behavior, thereby making it harder for an attacker to guess the location of memory structures that must be overwritten to exploit a vulnerability.
Because randomization can make debugging difficult, it can usually be enabled or disabled at runtime. Also, randomization adds an unpredictable, but often significant, performance overhead. (xvii)
C++ inherits a host of opportunities for type violations from C and adds a few of its own.
- Bjarne Stroustrup, A rationale for semantically enhanced library languages
00. Preprocessor (PRE) - https://www.securecoding.cert.org/confluence/display/cplusplus/00.+Preprocessor+(PRE)
01. Declarations (DCL) - https://www.securecoding.cert.org/confluence/display/cplusplus/01.+Declarations+(DCL)
02. Expressions (EXP) - https://www.securecoding.cert.org/confluence/display/cplusplus/02.+Expressions+(EXP)
03. Integers (INT) - https://www.securecoding.cert.org/confluence/display/cplusplus/03.+Integers+(INT)
04. Floating Point Arithmetic (FLP) - https://www.securecoding.cert.org/confluence/display/cplusplus/04.+Floating+Point+Arithmetic+(FLP)
05. Arrays (ARR) - https://www.securecoding.cert.org/confluence/display/cplusplus/05.+Arrays+(ARR)
06. Dangling Pointers (DAN) - https://www.securecoding.cert.org/confluence/display/cplusplus/06.+Dangling+Pointers+(DAN)
07. Errors and Exceptions (ERR)
08. Resource Management (RES)
09. Object Orientation (OBJ)
10. Basic String Class (BSC)
11. Null-Terminated Byte Strings (STR)
12. Vectors (VEC)
13. STL (STL)
(i) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[ISO/IEC 98] Joint Technical Committee ISO/IEC JTC 1, International Organization for Standardization and International Electrotechnical Commission. Programming Languages - C++. Geneva, Switzerland: ISO/IEC, 1998.
[Viega 03] Viega, John & Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.
Pearson Education, Inc. Copyright
This material is excerpted from Secure Coding in C and C++, by Robert C. Seacord, copyright 2006 by Pearson Education, Inc., published as a CERT book in the SEI Series in Software Engineering. All rights reserved. It is reprinted with permission and may not be further reproduced or distributed without the prior written consent of Pearson Education, Inc.
(ii) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[ISO/IEC 04] ISO/IEC. ISO/IEC TR 24731 Specification for Secure C Library Functions. International Organization for Standardization, 2004.
Pearson Education, Inc. Copyright
This material is excerpted from Secure Coding in C and C++, by Robert C. Seacord, copyright 2006 by Pearson Education, Inc., published as a CERT book in the SEI Series in Software Engineering. All rights reserved. It is reprinted with permission and may not be further reproduced or distributed without the prior written consent of Pearson Education, Inc.
(iii) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[ISO/IEC 04] ISO/IEC. ISO/IEC TR 24731 Specification for Secure C Library Functions. International Organization for Standardization, 2004.
Pearson Education, Inc. Copyright
This material is excerpted from Secure Coding in C and C++, by Robert C. Seacord, copyright 2006 by Pearson Education, Inc., published as a CERT book in the SEI Series in Software Engineering. All rights reserved. It is reprinted with permission and may not be further reproduced or distributed without the prior written consent of Pearson Education, Inc.
(iv) References
... the GCC Developers Summit. Ottawa, Ontario, Canada, May 25-27, 2003.
[Wilander 03] Wilander, J. & Kamkar, M. A Comparison of Publicly Available Tools for Dynamic
(xi) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[MSDN 05] Microsoft Corp. Using the Strsafe.h Functions, 2005.
(xii) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[Antill 05] Antill, James. Vstr documentation -- overview. http://www.and.org/vstr (2005).
(xiii) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
(xiv) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[Robertson 03] Robertson, William; Kruegel, Christopher; Mutz, Darren; & Valeur, Fredrik. Run-time Detection of Heap-based Overflows, 51-60. Proceedings of the 17th Large Installation Systems Administration Conference. San Diego, CA, October 26-31, 2003. Berkeley, CA: USENIX Association, 2003.
(xv) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
(xvi) References
[ISO/IEC 99] ISO/IEC. ISO/IEC 9899 Second edition 1999-12-01, Programming languages - C. International Organization for Standardization, 1999.
[Smashing 05] BSD Heap Smashing. http://thc.org/root/docs/exploit_writing/BSD-heap-smashing.txt (2005).
[Kamp 98] Kamp, Poul-Henning. "Malloc(3) revisited," 13-18. USENIX 1998 Annual Technical Conference: Invited Talks and Freenix Track. New Orleans,