
C安全编码标准(实现C安全编程的权威指南).pdf (C Secure Coding Standard: The Authoritative Guide to Secure C Programming)

Uploaded by missingyou_kk, 2010-11-07

Summary: This document is "C Secure Coding Standard (The Authoritative Guide to Secure C Programming) pdf" and is applicable to the IT/computer field.

Legal Notice
This page last changed on Sep , by rcs

CERT C Programming Language Secure Coding Standard
Document No. N, September

Legal Notice
This document represents a preliminary draft of the CERT C Programming Language Secure Coding Standard. This project was initiated following the Berlin meeting of WG to produce a secure coding standard based on the C standard. Although this is an incomplete work, we would greatly appreciate your comments and feedback at this time to further the development and refinement of the material. Please provide comments that are commensurate with the existing detail in the document. For example, if a rule or recommendation is simply a stub, you may wish to comment if you think having a rule or recommendation in that area is unwarranted.

This work is sponsored by the U.S. Department of Defense. The Software Engineering Institute is a federally funded research and development center sponsored by the U.S. Department of Defense.

Copyright Carnegie Mellon University

NO WARRANTY
THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

Use of any trademarks in this report is not intended in any way to infringe on the rights of the trademark holder.

Internal use. Permission to reproduce this document and to prepare derivative works from this document for internal use is granted, provided the copyright and "No Warranty" statements are included with all reproductions and derivative works.

External use. Requests for permission to reproduce this document or prepare derivative works of this document for external and commercial use should be addressed to the SEI Licensing Agent.

This work was created in the performance of Federal Government Contract Number FC with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. The Government of the United States has a royalty-free government-purpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to have or permit others to do so, for government purposes pursuant to the copyright license under the clause at .

Document generated by Confluence on Sep ,

Acknowledgements
This page last changed on Aug , by rcs

Thanks to everyone who contributed to making this effort a success.

Contributors: Juan Alvarado, Hal Burch, Stephen C. Dewhurst, Chad Dougherty, Mark Dowd, William Fithen, Jeffrey Gennari, Shaun Hedrick, Fred Long, John McDonald, Justin Pincar, Thomas Plum, Dan Saks, Robert C. Seacord
Reviewers: Jerry Leichter, Scott Meyers, Ron Natalie, Dan Plakosh, Michel Schinz, Eric Sosman, Andrey Tarasevich, Henry S. Warren, and Ivan Vecerina
Editors: Jodi Blake, Pamela Curtis
Developers and Administrators: Rudolph Maceyko, Jason McCormick, Joe McManus, Brad Rubbo
Special Thanks: Jeff Carpenter, Jason Rafail, Frank Redner

CERT C Programming Language Secure Coding Standard
This page last changed on Jun , by jpincar

Introduction
Preprocessor (PRE)
Declarations and Initialization (DCL)
Expressions (EXP)
Integers (INT)
Floating Point (FLP)
Arrays (ARR)
Strings (STR)
Memory Management (MEM)
Input Output (FIO)
Temporary Files (TMP)
Environment (ENV)
Signals (SIG)
Miscellaneous (MSC)
POSIX
The Void
AA. C References
BB. Definitions

Introduction
This page last changed on Mar , by pdc@sei.cmu.edu

An essential element of secure coding in the C programming language is well documented and enforceable coding standards. Coding standards encourage programmers to follow a uniform set of rules and guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes).

Scope
Rules Versus Recommendations
Development Process
Usage
System Qualities
Priority and Levels
Identifiers

Development Process
This page last changed on Mar , by pdc@sei.cmu.edu

The development of a secure coding standard for any programming language is a difficult undertaking that requires significant community involvement. The following development process has been used to create this standard:

1. Rules and recommendations for a coding standard are solicited from the communities involved in the development and application of each programming language, including the formal or de facto standard bodies responsible for the documented standard.
2. These rules and recommendations are edited by senior members of the CERT technical staff for content and style and placed on the CERT Secure Coding Standards web site for comment and review.
3. The user community may then comment on the publicly posted content using threaded discussions and other communication tools. Once a consensus develops that the rule or recommendation is appropriate and correct, the final rule is incorporated into the coding standard.
4. Drafts of the CERT C Programming Language Secure Coding Standard are reviewed by the ISO/IEC JTC SC WG international standardization working group for the C programming language and other industry groups as appropriate.

Identifiers
This page last changed on Mar , by pdc@sei.cmu.edu

Each rule and recommendation is given a unique identifier within a standard. These identifiers consist of three parts:

• A three-letter mnemonic representing the section of the standard
• A two-digit numeric value in the range of to
• The letter "A" or "C" to indicate whether the coding practice is an advisory recommendation or a compulsory rule

The three-letter mnemonic can be used to group similar coding practices and to indicate to which category a coding practice belongs. The numeric value is used to give each coding practice a unique identifier. Numeric values in the range of to are reserved for recommendations, while values in the range of to are reserved for rules. The letter "A" or "C" in the identifier is not required to uniquely identify each coding practice. It is used only to provide a clear indication of whether the coding practice is an advisory recommendation or a compulsory rule.

Priority and Levels
This page last changed on Mar , by pdc@sei.cmu.edu

Each rule and recommendation in a secure coding standard has an assigned priority. Priorities are assigned using a metric based on Failure Mode, Effects, and Criticality Analysis (FMECA) [IEC ]. Three values are assigned for each rule, on a scale of to, for

• severity: how serious are the consequences of the rule being ignored
    low (denial-of-service attack, abnormal termination)
    medium (data integrity violation, unintentional information disclosure)
    high (run arbitrary code)
• likelihood: how likely is it that a flaw introduced by ignoring the rule could lead to an exploitable vulnerability
    unlikely
    probable
    likely
• remediation cost: how expensive is it to comply with the rule
    high (manual detection and correction)
    medium (automatic detection, manual correction)
    low (automatic detection and correction)

The three values are then multiplied together for each rule. This product provides a measure that can be used in prioritizing the application of the rules. These products range from to . Rules and recommendations with a priority in the range of to are level rules, to are level , and to are level . As a result, it is possible to claim level , level , or complete compliance (level ) with a standard by implementing all rules in a level, as shown in the following illustration:

[Illustration: compliance levels; not reproduced in this extract]

Recommendations are not compulsory and are provided for information purposes only.

The metric is designed primarily for remediation projects. It is assumed that new development efforts will conform with the entire standard.

Rules Versus Recommendations
This page last changed on Aug , by rcs

This secure coding standard consists of rules and recommendations. Coding practices are defined to be rules when all of the following conditions are met:

1. Violation of the coding practice will result in a security flaw that may result in an exploitable vulnerability.
2. There is an enumerable set of exceptional conditions (or no such conditions) in which violating the coding practice is necessary to ensure the correct behavior for the program.
3. Conformance to the coding practice can be verified.

Rules must be followed to claim compliance with this standard unless an exceptional condition exists. If an exceptional condition is claimed, the exception must correspond to a predefined exceptional condition and the application of this exception must be documented in the source code.

Recommendations are guidelines or suggestions. Coding practices are defined to be recommendations when all of the following conditions are met:

1. Application of the coding practice is likely to improve system security.
2. One or more of the requirements necessary for a coding practice to be considered a rule cannot be met.

Compliance with recommendations is not necessary to claim compliance with this standard. It is possible, however, to claim compliance with recommendations (especially in cases in which compliance can be verified). The set of recommendations that a particular development effort adopts depends on the security requirements of the final software product. Projects with high security requirements can dedicate more resources to security and are thus likely to adopt a larger set of recommendations.

Implementation of the secure coding rules defined in this standard is necessary (but not sufficient) to ensure the security of software systems developed in the C programming language.

The following graph shows the number and breakdown of rules and recommendations for the CERT C Programming Language Secure Coding standard:

[Graph: number and breakdown of rules and recommendations; not reproduced in this extract]

Scope
This page last changed on Mar , by pdc@sei.cmu.edu

The CERT C Programming Language Secure Coding Standard was developed specifically for version of the C programming language defined by

• ISO/IEC Programming Languages, C, Second Edition [ISO/IEC ]
• Technical corrigenda TC and TC
• ISO/IEC TR Extensions to the C Library, Part I: Bounds-checking interfaces [ISO/IEC TR ]
• ISO/IEC WDTR Specification for Safer C Library Functions, Part II: Dynamic Allocation Functions

Most of the material included in this standard can also be applied to earlier versions of the C programming language.

Rules and recommendations included in this standard are designed to be operating system and platform independent. However, the best available solutions to these problems are often platform specific. In most cases, we have attempted to provide appropriate compliant solutions for POSIX-compliant and Windows operating systems. In many cases, compliant solutions have also been provided for specific platforms such as Linux or OpenBSD. Occasionally, we also point out implementation-specific behaviors when these behaviors are of interest.

System Qualities
This page last changed on Mar , by pdc@sei.cmu.edu

Security is one of many system attributes that must be considered in the selection and application of a coding standard. Other attributes of interest include safety, portability, reliability, availability, maintainability, readability, and performance.

Many of these attributes are interrelated in interesting ways. For example, readability is an attribute of maintainability; both are important for limiting the introduction of defects during maintenance that could result in security flaws or reliability issues. Reliability and availability require proper resource management, which also contributes to the safety and security of the system. System attributes such as performance and security are often in conflict, requiring tradeoffs to be considered.

The purpose of the secure coding standard is to promote software security. However, because of the relationship between security and other system attributes, the coding standards may provide recommendations that deal primarily with some other system attribute that also has a significant impact on security. The dual nature of these recommendations will be noted in the standard.

Usage
This page last changed on Mar , by pdc@sei.cmu.edu

These rules may be extended with organization-specific rules. However, the rules contained in a standard must be obeyed to claim compliance with the standard.

Training may be developed to educate software professionals regarding the appropriate application of secure coding standards. After passing an examination, these trained programmers may also be certified as secure coding professionals.

Once a secure coding standard has been established, tools can be developed or modified to determine compliance with the standard.

One of the conditions for a coding practice to be considered a rule is that conformance can be verified. Verification can be performed manually or automated. Manual verification can be labor intensive and error prone. Tool verification is also problematic in that the ability of a static analysis tool to detect all violations of a rule must be proven for each product release because of possible regression errors. Even with these challenges, automated validation may be the only economically scalable solution to validate conformance with the coding standard.

Software analysis tools may be certified as being able to verify compliance with the secure coding standard. Compliant software systems may be certified as compliant by a properly authorized certification body by the application of certified tools.

Preprocessor (PRE)
This page last changed on Aug , by shaunh

Recommendations
PRE A. Prefer inline functions to macros
PRE A. Use parentheses within macros around variable names
PRE A. Macro expansion should always be parenthesized for function-like macros
PRE A. Avoid invoking a macro when trying to invoke a function
PRE A. Do not reuse a standard header file name

Rules
PRE C. Do not create a universal character name through concatenation

Risk Assessment Summary

Recommendation   Severity   Likelihood   Remediation Cost   Priority   Level
PRE A            (low)      (unlikely)   (medium)           P          L
PRE A            (low)      (unlikely)   (low)              P          L
PRE A            (low)      (unlikely)   (low)              P          L
PRE A            (low)      (unlikely)   (high)             P          L
PRE A            (low)      (unlikely)   (low)              P          L

Rule             Severity   Likelihood   Remediation Cost   Priority   Level
PRE C            (low)      (unlikely)   (high)             P          L

PRE A. Prefer inline functions to macros
This page last changed on Sep , by fwl

Macros are dangerous because their use resembles that of real functions, but they have different semantics. The C standard adds inline functions to the C programming language. Inline functions should be used in preference to macros when they can be used interchangeably. Making a function an inline function suggests that calls to the function be as fast as possible by using, for example, an alternative to the usual function call mechanism, such as inline substitution. See also PRE A. Use parentheses within macros around variable names and PRE A. Macro expansion should always be parenthesized for function-like macros.

Inline substitution is not textual substitution, nor does it create a new function. For example, the expansion of a macro used within the body of the function uses the definition it had at the point the function body appears, and not where the function is called; and identifiers refer to the declarations in scope where the body occurs.

Non-Compliant Code Example

In this example the macro CUBE() has undefined behavior when passed an expression that contains side effects.

    #define CUBE(X) ((X) * (X) * (X))
    int i = ;
    int a = CUBE(++i);

For this example, the initialization for a expands to

    int a = (++i * ++i * ++i);

which is undefined (see EXP C. Do not depend on order of evaluation between sequence points).

Compliant Solution

When the macro definition is replaced by an inline function, the side effect is only executed once before the function is called.

    inline int cube(int i) {
      return i * i * i;
    }
    /* ... */
    int i = ;
    int a = cube(++i);

Non-Compliant Code Example

In this non-compliant example, the programmer has written a macro called EXEC_BUMP() to call a specified function and increment a global counter. When the expansion of a macro is used within the body of a function, as in this example, identifiers refer to the declarations in scope where the body occurs. As a result, when the macro is called in the aFunc() function, it inadvertently increments a local counter with the same name as the global variable. Note that this example violates DCL A. Do not reuse variable names in subscopes.

    size_t count = ;
    #define EXEC_BUMP(func) (func(), ++count)

    void g(void) {
      printf("Called g, count = %d\n", count);
    }

    void aFunc(void) {
      size_t count = ;
      while (count++ < ) {
        EXEC_BUMP(g);
      }
    }

The result is that invoking aFunc() prints out the following line times:

    Called g, count =

This example is a modified version of gotcha/execbump.cpp [Dewhurst ].

Compliant Solution

In this compliant solution, the EXEC_BUMP() macro is replaced by the inline function exec_bump(). Invoking aFunc() now (correctly) prints the value of count ranging from to .

    size_t count = ;

    void g(void) {
      printf("Called g, count = %d\n", count);
    }

    typedef void (*exec_func)(void);

    inline void exec_bump(exec_func f) {
      f();
      ++count;
    }

    void aFunc(void) {
      size_t count = ;
      while (count++ < ) {
        exec_bump(g);
      }
    }

The use of the inline function binds the identifier count to the global variable when the function body is compiled. The name cannot be rebound to a different variable (with the same name) when the function is called.

Non-Compliant Code Example

In this example, a macro called SWAP() is called to swap two values (a and b) if a is greater than b.

    #define SWAP(x, y) \
      (x) ^= (y);      \
      (y) ^= (x);      \
      (x) ^= (y)
    /* ... */
    if (a > b) SWAP(a, b);

However, when the expansion of the macro occurs, only the first line of the macro ((x) ^= (y)) will fall within the scope of the condit
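The three macro pitfalls described in PRE A above (repeated argument evaluation in CUBE(), scope binding of count in EXEC_BUMP(), and the unguarded statements of a multi-statement SWAP() under an unbraced if) can be observed directly once each is rewritten so that the outcome is well defined. The following is an added example and is not code from the CERT standard: because CUBE(++i) is undefined behavior and cannot be demonstrated deterministically, it substitutes a function call with a side effect, next_value(), whose repeated evaluation is well defined (function calls are indeterminately sequenced, not unsequenced). The helper names next_value(), bump_via_macro(), bump_via_inline(), swap_if_greater_macro(), swap_if_greater_inline(), swap_ints() and struct pair, the loop bound 5 and the return value 2 are constructed for this example.

```c
/* Added example (not from the CERT standard): macro vs. inline function
   behaviour for CUBE(), EXEC_BUMP() and SWAP(), written so that every
   outcome is well defined and returned from a function. */
#include <stddef.h>
#include <stdio.h>

/* --- CUBE(): the macro evaluates its argument three times -------------- */
#define CUBE(X) ((X) * (X) * (X))

static inline int cube(int i) { return i * i * i; }

static int next_calls;                /* how often next_value() has run */
static int next_value(void) {         /* constructed side-effecting argument */
    ++next_calls;
    return 2;
}

/* Returns how many times the argument expression ran; 3 for the macro. */
int cube_macro_evaluations(void) {
    next_calls = 0;
    int a = CUBE(next_value());       /* next_value() * next_value() * next_value() */
    return a == 8 ? next_calls : -1;
}

/* Same input through the inline function: the argument runs once. */
int cube_inline_evaluations(void) {
    next_calls = 0;
    int a = cube(next_value());       /* evaluated once, value passed in */
    return a == 8 ? next_calls : -1;
}

/* --- EXEC_BUMP(): `count` in the expansion binds where it is expanded --- */
static size_t count = 0;
#define EXEC_BUMP(func) (func(), ++count)

typedef void (*exec_func)(void);
static void g(void) { }               /* the function being invoked */

static inline void exec_bump(exec_func f) {
    f();
    ++count;                          /* bound to the file-scope count at definition */
}

/* A local `count` deliberately shadows the global (violating DCL A) to
   reproduce the page's example. Returns the global after the loop:
   the macro bumped the local instead, so the global stays 0. */
size_t bump_via_macro(void) {
    count = 0;
    {
        size_t count = 0;             /* shadows the global */
        while (count++ < 5) {
            EXEC_BUMP(g);             /* ++count here is the local */
        }
    }
    return count;                     /* 0 */
}

/* Inline version: the global is bumped once per iteration, so it is 5. */
size_t bump_via_inline(void) {
    count = 0;
    {
        size_t count = 0;
        while (count++ < 5) {
            exec_bump(g);
        }
    }
    return count;                     /* 5 */
}

/* --- SWAP(): only the first of the three statements is guarded by if ---- */
#define SWAP(x, y) \
    (x) ^= (y);    \
    (y) ^= (x);    \
    (x) ^= (y)

struct pair { int a, b; };

/* For a <= b no swap should happen, yet (b ^= a) and (a ^= b) still run. */
struct pair swap_if_greater_macro(int a, int b) {
    if (a > b) SWAP(a, b);            /* expands to three statements */
    return (struct pair){ a, b };
}

static inline void swap_ints(int *x, int *y) { int t = *x; *x = *y; *y = t; }

struct pair swap_if_greater_inline(int a, int b) {
    if (a > b) swap_ints(&a, &b);     /* one call, fully guarded */
    return (struct pair){ a, b };
}

int main(void) {
    struct pair m = swap_if_greater_macro(1, 3), f = swap_if_greater_inline(1, 3);
    printf("CUBE arg evaluations: macro=%d inline=%d\n",
           cube_macro_evaluations(), cube_inline_evaluations());
    printf("global count: macro=%zu inline=%zu\n", bump_via_macro(), bump_via_inline());
    printf("swap(1,3): macro=(%d,%d) inline=(%d,%d)\n", m.a, m.b, f.a, f.b);
    return 0;
}
```

With a = 1 and b = 3 the macro version leaves (3, 2): the guarded `a ^= b` is skipped, but `b ^= a` and `a ^= b` execute unconditionally, corrupting both values; the inline version leaves (1, 3) untouched. For a = 5 and b = 2 both versions agree on (2, 5), which is why the defect only shows up on the branch not taken.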
