...
```
% strings a.out
...
AUATL
[]A\A]A^A_
correct code
Authentication error
Authentication successful
...
%
```
Compliant Solution (C23, memset_explicit())
This compliant solution requires the user to supply the authentication code, and securely erases it when done, using memset_explicit().
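As an added example that is not part of the CERT page, the program below keeps the reference code out of the binary (it is taken at run time from an AUTH_CODE environment variable, an assumed convention) and the candidate comes from stdin; the two are compared without an early exit and both buffers are erased before returning, with C23 memset_explicit() when built with -DUSE_MEMSET_EXPLICIT (an assumed build flag) and otherwise with memset() called through a volatile function pointer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* C23 memset_explicit() when built with -DUSE_MEMSET_EXPLICIT (assumed flag);
 * otherwise memset() through a volatile pointer, a store the optimizer keeps. */
#ifdef USE_MEMSET_EXPLICIT
#define secure_erase(p, n) memset_explicit((p), 0, (n))
#else
static void *(*volatile volatile_memset)(void *, int, size_t) = memset;
static void secure_erase(void *p, size_t n) { volatile_memset(p, 0, n); }
#endif

/* Compare a user-supplied code with a reference obtained at run time (never a
 * literal) without an early exit, then erase both NUL-terminated buffers in
 * full. Returns 1 on match, 0 otherwise. */
int verify_code(char *supplied, size_t supplied_size,
                char *reference, size_t reference_size) {
  size_t n = strlen(supplied), rl = strlen(reference);
  unsigned char diff = (unsigned char)(n != rl);
  for (size_t i = 0; i < n && n == rl; i++)
    diff |= (unsigned char)(supplied[i] ^ reference[i]);
  secure_erase(supplied, supplied_size);
  secure_erase(reference, reference_size);
  return diff == 0;
}

/* Returns 1 if every byte of p[0..n) is zero (confirms the erase took effect). */
int buffer_is_zero(const char *p, size_t n) {
  unsigned char acc = 0;
  for (size_t i = 0; i < n; i++) acc |= (unsigned char)p[i];
  return acc == 0;
}

/* Self-check on constructed values; returns 1 if match, mismatch and erasure all behave. */
int self_check(void) {
  char sup[16] = "s3cret-code", ref[16] = "s3cret-code";
  char bad[16] = "s3cret-cod3", ref2[16] = "s3cret-code";
  int ok = verify_code(sup, sizeof sup, ref, sizeof ref);
  int bad_ok = verify_code(bad, sizeof bad, ref2, sizeof ref2);
  return ok == 1 && bad_ok == 0 && buffer_is_zero(sup, sizeof sup) &&
         buffer_is_zero(ref, sizeof ref) && buffer_is_zero(bad, sizeof bad);
}
int main(void) { /* reference from AUTH_CODE env var (assumed), candidate from stdin */
  char ref[64], sup[64]; const char *env = getenv("AUTH_CODE");
  if (!env || strlen(env) >= sizeof ref || !fgets(sup, sizeof sup, stdin)) return EXIT_FAILURE;
  strcpy(ref, env); sup[strcspn(sup, "\n")] = '\0';
  int ok = verify_code(sup, sizeof sup, ref, sizeof ref);
  puts(ok ? "Authentication successful" : "Authentication error");
  return ok ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

Running strings on the resulting binary shows the two status messages but no reference code, and the comparison buffers are cleared before verify_code() returns.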
...
| Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
| MSC41-C | High | Probable | No | No | P9P6 | L2 |
Automated Detection
| Tool | Version | Checker | Description |
|---|---|---|---|
| Astrée | | | Supported |
| CodeSonar | | HARDCODED.AUTH, HARDCODED.DNS, HARDCODED.KEY, HARDCODED.SALT, HARDCODED.SEED | Hardcoded Authentication, Hardcoded DNS Name, Hardcoded Crypto Key, Hardcoded Crypto Salt, Hardcoded Seed in PRNG |
| Helix QAC | | DF3556, DF3557, DF3558, C++3842 | |
| Klocwork | | HCC | |
| Parasoft C/C++test | | CERT_C-MSC41-a | Do not hard code string literals |
| PC-lint Plus | | 2460 | Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument semantic; several Windows API functions are marked as such, and the ‘-sem’ option can apply it to other functions as appropriate |
| Polyspace Bug Finder | | CERT C: Rule MSC41-C | Checks for hard-coded sensitive data (rule partially covered) |
| RuleChecker | | | Supported |
| Security Reviewer - Static Reviewer | | RTOS_14 | Fully implemented |
Related Guidelines
| Source | Guideline |
|---|---|
| Java | MSC03-J. Never hard code sensitive information |
| | Hard-coded Password [XYP] |
| | CWE-259, Use of Hard-Coded Password |
...