Synopsys Static Analysis Support for SEI CERT C Coding Standard

Size: px

Start display at page:

Download "Synopsys Static Analysis Support for SEI CERT C Coding Standard"

Sheryl Chandler
6 years ago
Views:

Synopsys Static Analysis Support for SEI CERT C Coding Standard Fully ensure the safety, reliability, and security of software written in C The SEI CERT C Coding Standard is a list of rules for

1 Synopsys Static Analysis Support for SEI CERT C Coding Standard Fully ensure the safety, reliability, and security of software written in C The SEI CERT C Coding Standard is a list of rules for writing secure code in the C programming language. It is an important milestone in introducing best practices for ensuring the safety, reliability, security, and integrity of software written in C. Notably, the standard is designed to be enforceable by software code analyzers using static analysis techniques. This greatly reduces the cost of compliance by way of automation. Adhering to coding standards is a crucial step in establishing best coding practices. This is particularly important in safety-critical, high-impact industries, such as automotive, medical, and networking. Software defects in products coming from these industries manifest themselves physically and tangibly often with lifethreatening consequences. Synopsys provides a comprehensive solution for the SEI CERT C Coding Standard. Synopsys Static Analysis (Coverity) implements the Rules category within the CERT C standard, as well as methods for managing violations and reporting on them. SEI CERT C Coding Standard (201 Edition) The SEI CERT C Coding Standard was developed specifically for the following versions of the C language: ISO/IEC 9899:2011: Information Technology Programming Languages C, rd ed. ISO/IEC 9899:2011/Cor 1:2012: Information Technology Programming Languages C Technical Corrigendum 1 These versions are commonly referred to as the C11 standard. The CERT C rules may also be applied to earlier versions of the C language, such as C99. The 201 edition of the CERT C standard contains 99 coding rules and reflects the C rules available on the CERT Secure Coding wiki as of March 0, 201. The CERT Secure Coding wiki is found here: SEI+CERT+C+Coding+Standard The SEI CERT C Coding Standard (201 Edition) may be obtained here: The CERT C wiki also documents 18 recommendations and two platform-specific annexes (POSIX and Windows). The recommendations and annexes are not part of the core secure coding standard. synopsys.com

2 coverage PRE Rules Section % coverage Supported All All DCL 8 8 EXP INT FLP ARR STR MEM FIO 1 1 ENV SIG 4 4 ERR CON MSC Supported rules Rule ARR0-C ARR2-C ARR-C ARR-C ARR8-C ARR9-C CON0-C CON1-C CON2-C CON-C CON4-C CON-C CON-C Do not form or use out-of-bounds pointers or array subscripts Ensure size arguments for variable length arrays are in a valid range Do not subtract or compare two pointers that do not refer to the same array Do not add or subtract an integer to a pointer to a non-array object Guarantee that library functions do not form invalid pointers Do not add or subtract a scaled integer to a pointer Clean up thread-specific storage Do not destroy a mutex while it is locked Prevent data races when accessing bit-fields from multiple threads Avoid race conditions when using library functions Declare objects shared between threads with appropriate storage durations Avoid deadlock by locking in a predefined order Wrap functions that can spuriously wake up in a loop

3 CON-C CON8-C CON9-C CON40-C CON41-C DCL0-C DCL1-C DCL-C DCL-C DCL8-C DCL9-C DCL40-C DCL41-C ENV0-C ENV1-C ENV2-C ENV-C ENV4-C ERR0-C ERR2-C ERR-C EXP0-C EXP2-C EXP-C EXP4-C EXP-C EXP-C EXP-C EXP9-C EXP40-C EXP42-C EXP4-C EXP44-C EXP4-C Do not call signal() in a multithreaded program Preserve thread safety and liveness when using condition variables Do not join or detach a thread that was previously joined or detached Do not refer to an atomic variable twice in an expression Wrap functions that can fail spuriously in a loop Declare objects with appropriate storage durations Declare identifiers before using them Do not declare an identifier with conflicting linkage classifications Do not declare or define a reserved identifier Use the correct syntax when declaring a flexible array member Avoid information leakage when passing a structure across a trust boundary Do not create incompatible declarations of the same function or object Do not declare variables inside a switch statement before the first case label Do not modify the object referenced by the return value of certain functions Do not rely on an environment pointer following an operation that may invalidate it All exit handlers must return normally Do not call system() Do not store pointers returned by certain functions Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure Do not rely on indeterminate values of errno Detect and handle standard library errors Do not depend on the order of evaluation for side effects Do not access a volatile object through a nonvolatile reference Do not read uninitialized memory Do not dereference null pointers Do not modify objects with temporary lifetime Do not cast pointers into more strictly aligned pointer types Call functions with the correct number and type of arguments Do not access a variable through a pointer of an incompatible type Do not modify constant objects Do not compare padding data Avoid undefined behavior when using restrict-qualified pointers Do not rely on side effects in operands to sizeof, _Alignof, or _Generic Do not perform assignments in selection statements

4 EXP4-C FIO0-C FIO2-C FIO4-C FIO-C FIO8-C FIO9-C FIO40-C FIO41-C FIO42-C FIO44-C FIO4-C FIO4-C FIO4-C FLP0-C FLP2-C FLP4-C FLP-C FLP-C INT0-C INT1-C INT2-C INT-C INT4-C INT-C INT-C MEM0-C MEM1-C MEM-C MEM4-C MEM-C MEM-C MSC0-C MSC2-C Do not use a bitwise operator with a Boolean-like operand Exclude user input from format strings Do not perform operations on devices that are only appropriate for files Distinguish between characters read from a file and EOF or WEOF Do not assume that fgets() or fgetws() returns a nonempty string when successful Do not copy a FILE object Do not alternately input and output from a stream without an intervening flush or positioning call Reset strings on fgets() or fgetws() failure Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects Close files when they are no longer needed Only use values for fsetpos() that are returned from fgetpos() Avoid TOCTOU race conditions while accessing files Do not access a closed file Use valid format strings Do not use floating-point variables as loop counters Prevent or detect domain and range errors in math functions Ensure that floating-point conversions are within range of the new type Preserve precision when converting integral values to floating-point type Do not use object representations to compare floating-point values Ensure that unsigned integer operations do not wrap Ensure that integer conversions do not result in lost or misinterpreted data Ensure that operations on signed integers do not result in overflow Ensure that division and remainder operations do not result in divide-by-zero errors Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand Use correct integer precisions Converting a pointer to integer or integer to pointer Do not access freed memory Free dynamically allocated memory when no longer needed Allocate and copy structures containing a flexible array member dynamically Only free memory allocated dynamically Allocate sufficient memory for an object Do not modify the alignment of objects by calling realloc() Do not use the rand() function for generating pseudorandom numbers Properly seed pseudorandom number generators

5 MSC-C MSC-C MSC8-C MSC9-C MSC40-C PRE0-C PRE1-C PRE2-C SIG0-C SIG1-C SIG4-C SIG-C STR0-C STR1-C STR2-C STR4-C STR-C STR8-C Do not pass invalid data to the asctime() function Ensure that control never reaches the end of a non-void function Do not treat a predefined identifier as an object if it might only be implemented as a macro Do not call va_arg() on a va_list that has an indeterminate value Do not violate constraints Do not create a universal character name through concatenation Avoid side effects in arguments to unsafe macros Do not use preprocessor directives in invocations of function-like macros Call only asynchronous-safe functions within signal handlers Do not access shared objects in signal handlers Do not call signal() from within interruptible signal handlers Do not return from a computational exception signal handler Do not attempt to modify string literals Guarantee that storage for strings has sufficient space for character data and the null terminator Do not pass a non-null-terminated character sequence to a library function that expects a string Cast characters to unsigned char before converting to larger integer sizes Arguments to character-handling functions must be representable as an unsigned char Do not confuse narrow and wide character strings and functions The Synopsys difference Synopsys offers the most comprehensive solution for building integrity security and quality into your SDLC and supply chain. We ve united leading testing technologies, automated analysis, and experts to create a robust portfolio of products and services. This portfolio enables companies to develop customized programs for detecting and remediating defects and vulnerabilities early in the development process, minimizing risk and maximizing productivity. Synopsys, a recognized leader in application security testing, is uniquely positioned to adapt and apply best practices to new technologies and trends such as IoT, DevOps, CI/CD, and the Cloud. We don t stop when the test is over. We offer onboarding and deployment assistance, targeted remediation guidance, and a variety of training solutions that empower you to optimize your investment. Whether you re just starting your journey or well on your way, our platform will help ensure the integrity of the applications that power your business. For more information go to Synopsys, Inc. 18 Berry Street, Suite 00 San Francisco, CA 9410 USA U.S. Sales: International Sales: sig-info@synopsys.com 2018 Synopsys, Inc. All rights reserved. Synopsys is a trademark of Synopsys, Inc. in the United States and other countries. A list of Synopsys trademarks is available at All other names mentioned herein are trademarks or registered trademarks of their respective owners. 01/10/18.DS_CERT_

CERT C Rules implemented in the LDRA tool suite

CERT C Rules implemented in the LDRA tool suite This section lists a snapshot of the CERT C Coding Standard guidelines in 2014 that are automatically checked by version 9.5.1 of the LDRA tool suite. Guidelines