...
Some compiler optimization modes may remove code sections if the optimizer determines that doing so will not alter the observable behavior of the program. In this noncompliant code example, optimization may remove the call to memset() (which the programmer intended to clear sensitive memory) because the buffer is never read after the write: the clearing is a dead store, and dead-store elimination is a standard optimization. Check compiler documentation for information about this compiler-specific behavior and which optimization levels cause it to occur.
...
The #pragma directives in this compliant solution instruct the compiler not to optimize the enclosed code. This #pragma directive is supported on some versions of Microsoft Visual Studio and may be supported on other compilers; compilers that do not recognize it silently ignore it, so the protection is absent without any error. Check compiler documentation to ensure its availability and its optimization guarantees.
...
This compliant solution uses the volatile type qualifier to inform the compiler that the memory must actually be overwritten and that the stores performed by the memset_s() function must not be optimized out. Unfortunately, this compliant solution may not be as efficient as possible, because every access through the volatile-qualified pointer must be performed as an individual byte store and cannot be combined or vectorized. Many compilers replace calls to memset() with equivalent inline assembly instructions that are much more efficient than the library memset() implementation. Implementing a memset_s() function as shown in the example prevents the compiler from using those optimal instructions and may result in less efficient code. Check compiler documentation and the assembly output from the compiler.
...
However, note that what constitutes an access to a volatile-qualified object is implementation-defined, so both function calls and accesses through volatile-qualified lvalues can still be optimized out while maintaining strict conformance to the standard. Without a C1X (published as C11) conforming implementation that provides the Annex K memset_s() function, whose calls must be evaluated strictly according to the rules of the abstract machine, this compliant solution may still not work in some cases.
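The following is an added example, not code from the CERT page, that puts the noncompliant pattern and the volatile-based compliant solution side by side in one compilable unit. The key-derivation step (derive_key()) is a constructed stand-in, not a real KDF, and the clearing routine is named secure_memset() rather than memset_s() so that it does not collide with the Annex K function, which has a different signature. The Microsoft #pragma optimize form is shown guarded by _MSC_VER so the file also builds elsewhere.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 32

/* Constructed stand-in for a key-derivation step (a small LCG seeded by the
 * caller). Illustration only; not a cryptographic KDF. */
static void derive_key(unsigned char *key, size_t len, uint32_t seed) {
    for (size_t i = 0; i < len; i++) {
        seed = seed * 1103515245u + 12345u;
        key[i] = (unsigned char)(seed >> 16);
    }
}

/* Stand-in for "using" the key: any computation that reads every byte. */
static uint32_t sum_key(const unsigned char *key, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) {
        sum += key[i];
    }
    return sum;
}

/* Noncompliant pattern: key is a local that is never read after the
 * memset(), so at -O2 the optimizer may treat the call as a dead store and
 * drop it, leaving the key bytes on the stack after the function returns. */
uint32_t key_sum_noncompliant(uint32_t seed) {
    unsigned char key[KEY_LEN];
    derive_key(key, sizeof key, seed);
    uint32_t sum = sum_key(key, sizeof key);
    memset(key, 0, sizeof key);   /* may be removed by the optimizer */
    return sum;
}

/* Compliant replacement for memset() on sensitive data. Each store goes
 * through a volatile-qualified pointer, so the compiler must emit every
 * byte write instead of folding the loop into a memset() it then discards. */
void *secure_memset(void *v, int c, size_t n) {
    volatile unsigned char *p = (volatile unsigned char *)v;
    while (n--) {
        *p++ = (unsigned char)c;
    }
    return v;
}

/* Same computation, but the key is cleared with secure_memset(). */
uint32_t key_sum_compliant(uint32_t seed) {
    unsigned char key[KEY_LEN];
    derive_key(key, sizeof key, seed);
    uint32_t sum = sum_key(key, sizeof key);
    secure_memset(key, 0, sizeof key);
    return sum;
}

/* Microsoft-specific alternative: disable optimization for this function only.
 * Other compilers do not recognize the pragma, hence the guard. */
#ifdef _MSC_VER
#pragma optimize("", off)
#endif
uint32_t key_sum_pragma(uint32_t seed) {
    unsigned char key[KEY_LEN];
    derive_key(key, sizeof key, seed);
    uint32_t sum = sum_key(key, sizeof key);
    memset(key, 0, sizeof key);   /* kept only where the pragma is honored */
    return sum;
}
#ifdef _MSC_VER
#pragma optimize("", on)
#endif

/* Helper for checks: 1 if every byte in buf equals c, else 0. */
int all_bytes_are(const unsigned char *buf, size_t n, unsigned char c) {
    for (size_t i = 0; i < n; i++) {
        if (buf[i] != c) {
            return 0;
        }
    }
    return 1;
}

/* Self-check on a constructed buffer: clears a prefix, verifies the prefix
 * is zero and the tail untouched, and that a zero-length call is a no-op.
 * Returns 1 on success, 0 on failure. */
int secure_memset_selfcheck(void) {
    unsigned char buf[17];
    memset(buf, 0xAA, sizeof buf);
    if (secure_memset(buf, 0, 7) != buf) return 0;
    if (!all_bytes_are(buf, 7, 0x00)) return 0;
    if (!all_bytes_are(buf + 7, sizeof buf - 7, 0xAA)) return 0;
    secure_memset(buf, 0x5A, 0);
    return all_bytes_are(buf + 7, sizeof buf - 7, 0xAA);
}

int main(void) {
    printf("noncompliant sum: %u\n", (unsigned)key_sum_noncompliant(42u));
    printf("compliant sum:    %u\n", (unsigned)key_sum_compliant(42u));
    printf("selfcheck:        %d\n", secure_memset_selfcheck());
    return 0;
}
```

The three functions return the same value; the difference is only visible in the generated code. To perform the check the text recommends, compile with `cc -O2 -S -o - file.c` and compare the functions: in key_sum_noncompliant() look for whether the memset() call (or the inline stores that replace it) survives, and in key_sum_compliant() confirm that the 32 byte stores are present. Where the platform provides a clearing function with a documented guarantee, such as Annex K memset_s() or SecureZeroMemory() on Windows, prefer it over a hand-rolled routine.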
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: MSC06-CPP. Be aware of compiler optimization when dealing with sensitive data
Bibliography
[ISO/IEC 9899:1999] Section 6.7.3, "Type qualifiers"
[Jones 2009] Section K.3.7.4.1, "The memset_s function"
[US-CERT] "MEMSET", https://buildsecurityin.us-cert.gov/daisy/bsi-rules/home/g1/771.html
[MITRE 2007] CWE ID 14, "Compiler Removal of Code to Clear Buffers", http://cwe.mitre.org/data/definitions/14.html
[MSDN] "SecureZeroMemory", http://msdn.microsoft.com/en-us/library/aa366877.aspx
[MSDN] "Optimize (C/C++)", http://msdn.microsoft.com/en-us/library/chh3fb0k(VS.80).aspx
[Wheeler 2003] Section 11.4, "Specially Protect Secrets (Passwords and Keys) in User Memory", http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/protect-secrets.html
...