CERT C Rules implemented in the LDRA tool suite

Size: px

Start display at page:

Download "CERT C Rules implemented in the LDRA tool suite"

Edwin Greene
5 years ago
Views:

1 CERT C Rules implemented in the LDRA tool suite This section lists a snapshot of the CERT C Coding Standard guidelines in 2014 that are automatically checked by version of the LDRA tool suite. Guidelines Definition Total Implemented by LDRA 75 Enhanced Enforcement of rule by LDRA 47 Partially implemented by LDRA 78 Not yet implemented by LDRA 22 Deemed to be not statically analyzable by a tool 42 Total 264 CERT C PRE Guideline PRE00-C PRE01-C PRE02-C PRE03-C PRE04-C PRE05-C PRE06-C PRE07-C PRE08-C PRE09-C PRE10-C PRE11-C PRE12-C PRE13-C PRE30-C PRE31-C PRE32-C Prefer inline or static functions to function-like macros Use parentheses within macros around parameter names Macro replacement lists should be parenthesized Prefer typedefs to defines for encoding types Do not reuse a standard header file name Understand macro replacement when concatenating tokens or performing stringification Enclose header file in an inclusion guard Avoid using repeated question marks Guarantee that header filenames are unique Do not replace secure functions with less secure functions Wrap multistatement macros in a do-while loop Do not conclude macro definitions with a semicolon Do not define unsafe macros Use the Standard predefined macros to test for versions and features. Do not create a universal character name through concatenation Avoid side effects in arguments to unsafe macros Do not use preprocessor directives in invocations of function-like macros CERT C DCL Guideline DCL00-C DCL01-C DCL02-C DCL03-C DCL04-C DCL05-C Const-qualify immutable objects Do not reuse variable names in subscopes Use visually distinct identifiers Use a static assertion to test the value of a constant expression Do not declare more than one variable per declaration Use typedefs of non-pointer types only

2 DCL06-C DCL07-C DCL08-C DCL09-C DCL10-C DCL11-C DCL12-C DCL13-C DCL15-C DCL16-C DCL17-C DCL18-C DCL19C DCL20-C DCL21-C DLC22-C DCL23-C DCL30-C DCL31-C DCL36-C DCL37-C DCL38-C DCL39-C DCL40-C DCL41-C Use meaningful symbolic constants to represent literal values in program logic Include the appropriate type information in function declarators Properly encode relationships in constant definitions Declare functions that return an errno with a return type of errno_t Maintain the contract between the writer and caller of variadic functions Understand the type issues associated with variadic functions Implement abstract data types using opaque types Declare function parameters that are pointers to values not changed by the function as const Declare objects that do not need external linkage with storage-class specifier static Use "L," not "l," to indicate a long value Beware of miscompiled volatile-qualified variables Do not begin integer constants with 0 when specifying a decimal value Minimize the scope of variables and functions Explicitly specify void when a function accepts no arguments Understand the storage of compound literals Use volatile for data that cannot be cached Guarantee that mutually visible identifiers are unique Declare objects with appropriate storage durations Declare identifiers before using them Do not declare an identifier with conflicting linkage classifications Do not declare or define a reserved identifier Use the correct syntax when declaring flexible array members Avoid information leak in structure padding Do not create incompatible declarations of the same function or object Do not declare variables inside a switch statement before the first case label CERT C EXP Guideline EXP00-C EXP02-C EXP03-C EXP05-C EXP07-C EXP08-C EXP09-C Use parentheses for precedence of operation Be aware of the short-circuit behavior of the logical AND and OR operators Do not assume the size of a structure is the sum of the of the sizes of its members Do not cast away a const qualification Do not diminish the benefits of constants by assuming their values in expressions Ensure pointer arithmetic is used correctly Use sizeof to determine the size of a type or variable

3 EXP10-C EXP11-C EXP12-C EXP13-C EXP15-C EXP16-C EXP19-C EXP20-C EXP30-C EXP32-C EXP33-C EXP34-C EXP35-C EXP36-C EXP37-C EXP39-C EXP40-C EXP42-C EXP43-C EXP44-C EXP45-C EXP46-C Do not depend on the order of evaluation of subexpressions or the order in which side effects take place Do not make assumptions regarding the layout of structures with bitfields Do not ignore values returned by functions Treat relational and equality operators as if they were nonassociative Do not place a semicolon on the same line as an if, for, or while statement Do not compare function pointers to constant values Use braces for the body of an if, for, or while statement Perform explicit tests to determine success, true and false, and equality Do not depend on order of evaluation between sequence points Do not access a volatile object through a nonvolatile reference Do not read uninitialized memory Do not dereference null pointers Do not modify objects with temporary lifetime Do not cast pointers into more strictly aligned pointer types Call functions with the correct number and type of arguments Do not access a variable through a pointer of an incompatible type Do not modify constant objects Do not compare padding data Avoid undefined behaviors when using restrict-qualified pointers Do not rely on side effects in operands to sizeof, _Alignof, or _Generic Do not perform assignments in selection statements Do not use a bitwise operator with a Boolean-like operand CERT C INT Guideline INT00-C INT01-C INT02-C INT04-C INT05-C INT06-C INT07-C INT08-C INT09-C INT10-C Understand the data model used by your implementation(s) Use rsize_t or size_t for all integer values representing the size of an object Understand integer conversion rules Enforce limits on integer values originating from untrusted sources Do not use input functions to convert character data if they cannot handle all possible inputs Use strtol() or a related function to convert a string token to an integer Use only explicitly signed or unsigned char type for numeric values Verify that all integer values are in range Ensure enumeration constants map to unique values Do not assume a positive remainder when using the % operator

4 INT12-C INT13-C INT14-C INT15-C INT16-C INT17-C INT18-C INT30-C INT31-C INT32-C INT33-C INT34-C INT35-C INT36-C Do not make assumptions about the type of a plain int bit-field when used in an expression Use bitwise operators only on unsigned operands Avoid performing bitwise and arithmetic operations on the same data Use intmax_t or uintmax_t for formatted I/O on programmer-defined integer types Do not make assumptions about representation of signed integers Define integer constants in an implementation-independent manner Evaluate integer expressions in a larger size before comparing or assigning to that size Ensure that unsigned integer operations do not wrap Ensure that integer conversions do not result in lost or misinterpreted data Ensure that integer operations on signed integers do not result in an overflow Ensure that division and modulo operations do not result in divideby-zero errors Do not shift a negative number of bits or more bits than exist in the operand Use correct integer precisions Converting a pointer to integer or integer to pointer CERT C FLP Guideline FLP00-C FLP01-C FLP02-C FLP03-C FLP04-C FLP05C FLP06-C FLP07-C FLP30-C FLP32-C FLP34-C FLP36-C FLP37-C Understand the limitations of floating-point numbers Take care in rearranging floating point expressions Avoid using floating-point numbers when precise computation is needed Detect and handle floating-point errors Check floating-point inputs for exceptional values Don't use denormalized numbers Convert integers to floating point for floating-point operations Cast the return value of a function that returns a floating-point type Do not use floating-point variables as loop counters Prevent or detect domain and range errors in math functions Ensure that floating-point conversions are within range of the new type Preserve precision when converting integral values to floating-point type Do not use object representations to compare floating-point values CERT C ARR Guideline ARR00-C ARR01-C ARR02-C ARR30-C Understand how arrays work Do not apply the size of operator to a pointer when taking the size of an array Explicitly specify array bounds, even if implicitly defined by an initializer Do not form or use out-of-bounds pointers or array subscripts

5 ARR31-C ARR32-C ARR36-C ARR37-C ARR38-C ARR39-C Use consistent array notation across all source files Ensure size arguments for variable length arrays are in a valid range Do not subtract or compare two pointers that do not refer to the same array Do not add or subtract an integer to a pointer to a non-array object Guarantee that library functions do not form invalid pointers Do not add or subtract a scaled integer to a pointer CERT C STR Guideline STR00-C STR01-C STR02-C STR03-C STR04-C STR05-C STR06-C STR07-C STR09-C STR10-C STR11-C STR30-C STR31-C STR32-C STR34-C STR37-C STR38-C Represent characters using an appropriate type Adopt and implement a consistent plan for managing strings Sanitize data passed to complex subsystems Do not inadvertently truncate a null-terminated byte string Use plain char for characters in the basic character set Use pointers to const when referring to string literals Do not assume that strtok() leaves the parse string unchanged Use the bounds-checking interfaces for string manipulation Don't assume numeric values for expressions with type plain character Do not concatenate different type of string literals Do not specify the bound of a character array initialized with a string literal Do not attempt to modify string literals Guarantee that storage for strings has sufficient space for character data and the null terminator Do not pass a non-null-terminated character sequence to a library function that expects a string Cast characters to unsigned types before converting to larger integer sizes Arguments to character-handling functions must be representable as an unsigned char Do not confuse narrow and wide character strings and functions CERT C MEM Guideline MEM00-C MEM01-C MEM02-C MEM03-C MEM04-C MEM05-C MEM06-C Allocate and free memory in the same module at the same level of abstraction Store a new value in pointers immediately after free() Immediately cast the result of a memory allocation function call into a pointer to the allocated type Clear sensitive information stored in reusable resources returned for reuse Do not perform zero-length allocations Avoid large stack allocations Ensure that sensitive data is not written out to disk

6 MEM07-C MEM10-C MEM11-C MEM12-C MEM30-C MEM31-C MEM33-C MEM34-C MEM35-C MEM36-C Ensure that the arguments to calloc(), when multiplied, do not wrap Define and use a pointer validation function Do not assume infinite heap space Consider using a goto chain when leaving a function on error when using and releasing resources Do not access freed memory Free dynamically allocated memory exactly once Allocate and copy structures containing a flexible array member dynamically Only free memory allocated dynamically Allocate sufficient memory for an object Do not modify the alignment of objects by calling realloc() CERT C FIO Guideline FIO01-C FIO02-C FIO03-C FIO05-C FIO06-C FIO08-C FIO09-C FIO10-C FIO11-C FIO13-C FIO14-C FIO15-C FIO17-C FIO18-C FIO19-C FIO20-C FIO21-C FIO22-C FIO23-C FIO30-C FIO31-C FIO32-C FIO37-C FIO38-C Be careful using functions that use file names for identification Canonicalize path names originating from untrusted sources Do not make assumptions about fopen() and file creation Identify files using multiple file attributes Create files with appropriate access permissions Take care when calling remove() on an open file Be careful with binary data when transferring data across systems Take care when using the rename() function Take care when specifying the mode parameter of fopen() Never push back anything other than one read character Understand the difference between text mode and binary mode with file streams Ensure that file operations are performed in a secure directory Do not rely on an ending null character when using fread() Never expect fwrite() to terminate the writing process at a null character Do not use fseek() and ftell() to compute the size of a regular file Avoid unintentional truncation when using fgets() or fgetws() Do not create temporary files in shared directories Close files before spawning processes Do not exit with unflushed data in stdout or stderr Exclude user input from format strings Do not open a file that is already open Do not perform operations on devices that are only appropriate for files Do not assume that fgets() or fgetws() returns a nonempty string when successful Do not copy a FILE object

7 FIO39-C FIO40-C FIO41-C FIO42-C FIO44-C FIO45-C FIO46-C FIO47-C Do not alternately input and output from a stream without an intervening flush or positioning call Reset strings on fgets() or fgetws() failure Do not call getc(), putc(), getwc(), or putwc() with stream arguments that have side effects Close files when they are no longer needed Only use values for fsetpos() that are returned from fgetpos() Avoid TOCTOU race conditions while accessing files Do not access a closed file Use valid format strings CERT C ENV Guideline ENV01-C ENV02-C ENV03-C ENV30-C ENV31-C ENV32-C ENV33-C ENV34-C Do not make assumptions about the size of an environment variable Beware of multiple environment variables with the same effective name Sanitize the environment before external programs Do not modify the object referenced by the return value of certain functions Do not rely on an environment pointer following an operation that may invalidate it All exit handlers must return normally Do not call system() Do not store pointers returned by certain functions CERT C SIG Guideline SIG00-C SIG01-C SIG02-C SIG30-C SIG31-C SIG34-C SIG35-C Mask signals handled by noninterruptable signal handlers Understand implementation-specific details regarding signal handler persistence Avoid using signals to implement normal functionality Call only asynchronous-safe functions within signal handlers Do not access shared objects in signal handlers Do not call signal() from within interruptable signal handlers Do not return from a computational exception signal handler CERT C ERR Guideline ERR00-C ERR01-C ERR02-C ERR03-C ERR04-C ERR05-C Adopt and implement a consistent and comprehensive error handling policy Use ferror() rather than errno to check for FILE stream errors Avoid in-band error indicators Use runtime-constraint handlers when calling functions defined by TR31-1 Choose an appropriate termination strategy Application-independent code should provide error detection without dictating error handling

8 ERR06-C ERR07-C ERR30-C ERR32-C ERR33-C Understand the termination behavior of assert() and abort() Prefer functions that support error checking over equivalent functions that don't Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure Do not rely on indeterminate values of errno Detect and handle standard library errors CERT C MSC Guideline MSC00-C MSC01-C MSC04-C MSC05-C MSC06-C MSC09-C MSC10-C MSC11-C MSC12-C MSC13-C MSC14-C MSC15-C MSC17-C MSC18-C MSC19-C MSC20-C MSC21-C MSC22-C MSC23-C MSC24-C MSC30-C MSC32-C MSC33-C MSC37-C MSC38-C MSC39-C MSC40-C Compile cleanly at high warning levels Strive for logical completeness Use comments consistently and in a readable fashion Do not manipulate time_t typed values directly Beware of compiler optimizations Character Encoding - Use Subset of ASCII for Safety Character Encoding - UTF8 Related Issues Incorporate diagnostic tests using assertions Detect and remove code that has no effect or is never executed Detect and remove unused values Do not introduce unnecessary platform dependencies Do not depend on undefined behavior Finish every set of statements associated with a case label with a break statement Be careful while handling sensitive data, such as passwords, in program code For functions that return an array, prefer returning an empty array over a null value Do not use a switch statement to transfer control into a complex block Use robust loop termination conditions Use the setjmp(), longjmp() facility securely Beware of vendor-specific library and language differences Do not use deprecated or obsolescent functions Do not use the rand function for generating pseudorandom numbers Properly seed pseudorandom number generators Do not pass invalid data to the asctime() function Ensure that control never reaches the end of a non-void function Do not treat a predefined identifier as an object if it might only be implemented as a macro Do not call va_arg() on a va_list that has an indeterminate value Do not violate constraints

9 CERT C POS Guideline POS01-C POS02-C POS04-C POS05-C POS30-C POS33-C POS34-C POS35-C POS36-C POS37-C POS38-C POS39-C POS44-C POS47-C POS48-C POS49-C POS50-C POS51-C POS52-C POS53-C POS54-C Check for the existence of links when dealing with files Follow the principle of least privilege Avoid using PTHREAD_MUTEX_NORMAL type mutex locks Limit access to files by creating a jail Use the readlink() function properly Do not use vfork() Do not call putenv() with a pointer to an automatic variable as the argument Avoid race conditions while checking for the existence of a symbolic link Observe correct revocation order while relinquishing privileges Ensure that privilege relinquishment is successful Beware of race conditions when using fork and file descriptors Use the correct byte ordering when transferring data between systems Do not use signals to terminate threads Do not use threads that can be canceled asynchronously Do not unlock or destroy another POSIX thread's mutex When data must be accessed by multiple threads, provide a mutex and guarantee no adjacent data is also accessed Declare objects shared between POSIX threads with appropriate storage durations Avoid deadlock with POSIX threads by locking in predefined order Do not perform operations that can block while holding a POSIX lock Do not use more than one mutex for concurrent waiting operations on a condition variable Detect and handle POSIX library errors Disclaimer: The information on this page was provided directly by the vendor and has not been validated by CERT.

Synopsys Static Analysis Support for SEI CERT C Coding Standard

Synopsys Static Analysis Support for SEI CERT C Coding Standard Fully ensure the safety, reliability, and security of software written in C The SEI CERT C Coding Standard is a list of rules for writing