Comment: added parasoft

...

Failing to exclude user input from format specifiers may allow an attacker to crash a vulnerable process, view the contents of the stack, view memory content, or write to an arbitrary memory location and consequently execute arbitrary code with the permissions of the vulnerable process.

| Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
| FIO30-C | High | Likely | Medium | P18 | L1 |
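The risk described above comes from letting user text occupy the format-string position. The following is an added example, not code from this page or from the CERT standard; `log_msg`, `log_bad_login`, `last_logged` and `count_directives` are hypothetical names, and the `format` attribute assumes GCC or Clang. It shows a logging wrapper that keeps the format constant and stays visible to `-Wformat-security`, plus a check that flags format directives in untrusted input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[128]; /* stand-in for a real log sink (assumption) */

/* Hypothetical wrapper. The format attribute makes GCC check callers, so
 * -Wformat-security flags log_msg(user) just as it flags printf(user). */
__attribute__((format(printf, 1, 2))) int log_msg(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
    return n;
}

/* Noncompliant call, kept as a comment so it never executes:
 *     log_msg(user);     user text is interpreted as the format string
 * Compliant: the format is a literal and user text is only an argument. */
int log_bad_login(const char *user)
{
    return log_msg("login failed for: %s", user);
}

const char *last_logged(void) { return last_line; }

/* Count '%' characters that would start a directive if this text were used
 * as a format ("%%" is a literal percent). Nonzero is worth flagging. */
size_t count_directives(const char *s)
{
    size_t n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    const char *user = "%x.%x.%n"; /* constructed hostile input */
    log_bad_login(user);
    printf("%s (directives in input: %zu)\n", last_logged(), count_directives(user));
    return 0;
}
```

Without the `format` attribute, the compiler has no way to know that the wrapper's first parameter is a format string, so the warning would not fire on its callers.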

Automated Detection

| Tool | Version | Checker | Description |
|---|---|---|---|
| CodeSonar | | IO.INJ.FMT; MISC.FMT | Format string injection; Format string |
| Compass/ROSE | | | |
| Coverity | | TAINTED_STRING | Implemented |
| GCC | | | Can detect violations of this rule when the -Wformat-security flag is used |
| Klocwork | | SV.FMTSTR.GENERIC; SV.TAINTED.FMTSTR | |
| LDRA tool suite | | 86 D | Partially Implemented |
| Parasoft C/C++test | 10.3 | SECURITY-05; SECURITY-08; SECURITY-36 | |
| Polyspace Bug Finder | R2016a | Tainted string format | Input format argument is from an unsecure source |
| Splint | | | |


Related Vulnerabilities

Two examples of format-string vulnerabilities resulting from a violation of this rule are found in Ettercap and Samba.

...

Key here (explains table format and definitions)

| Taxonomy | Taxonomy item | Relationship |
|---|---|---|
| CERT Oracle Secure Coding Standard for Java | IDS06-J. Exclude unsanitized user input from format strings | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CERT Perl Secure Coding Standard | IDS30-PL. Exclude user input from format strings | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TR 24772:2013 | Injection [RST] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| ISO/IEC TS 17961:2013 | Including tainted or out-of-domain input in a format string [usrfmt] | Prior to 2018-01-12: CERT: Unspecified Relationship |
| CWE 2.11 | CWE-134, Uncontrolled Format String | 2017-05-16: CERT: Exact |
| CWE 2.11 | CWE-20, Improper Input Validation | 2017-05-17: CERT: Rule subset of CWE |

Bibliography

[IEEE Std 1003.1:2013] XSH, System Interfaces, syslog
[Seacord 2013b] Chapter 6, "Formatted Output"
[Viega 2005] Section 5.2.23, "Format String Problem"

...


...