Hard coding sensitive information, such as passwords or encryption keys can expose the information to attackers. Anyone who has access to the executable or dynamic library files can examine them for strings or other critical data, revealing the sensitive information. Leaking data protected by International Traffic in Arms Regulations (ITAR) or the Health Insurance Portability and Accountability Act (HIPAA) can also have legal consequences. Consequently, programs must not hard code sensitive information.
...
| Code Block | ||
|---|---|---|
| ||
% strings a.out ... AUATL []A\A]A^A_ correct code Authentication error Authentication successful ... % |
Compliant Solution (C23, memset_explicit())
This compliant solution requires the user to supply the authentication code, and securely erases it when done, using memset_sexplicit(), an optional function provided by C11's Annex K.
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main() {
#define CODE_LEN 50
char code[CODE_LEN];
printf("Please enter your authentication code:\n");
fgets(code, sizeof(code), stdin);
int flag = authenticate(code);
memset_s(code, sizeofexplicit(code), 0, sizeof(code));
if (!flag) {
printf("Access denied\n");
return -1;
}
printf("Access granted\n");
// ...Work with system...
return 0;
}
|
...
Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data.
Rule | Severity | Likelihood | Detectable | RepairableRemediation Cost | Priority | Level |
|---|---|---|---|---|---|---|
MSC41-C | High | Probable | No | NoMedium | P12P6 | L1L2 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported | |||||||
| CodeSonar |
| HARDCODED.AUTH HARDCODED.DNS HARDCODED.KEY HARDCODED.SALT HARDCODED.SEED | Hardcoded Authentication Hardcoded DNS Name Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG | ||||||
| Helix QAC |
|
DF3556, DF3557, DF3558 C++3842 | |||||||||
| Klocwork |
| HCC | |||||||
| Parasoft C/C++test |
| CERT_C-MSC41-a | Do not hard code string literals | ||||||
| PC-lint Plus |
| 2460 | Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate | ||||||
| Polyspace Bug Finder |
| CERT C: Rule MSC41-C | Checks for hard coded sensitive data (rule partially covered) | ||||||
| RuleChecker |
| Supported | |||||||
| Security Reviewer - Static Reviewer |
| RTOS_14 | Fully implemented |
Related Guidelines
| java | MSC03-J. Never hard code sensitive information |
Hard-coded Password [XYP] | |
CWE-259, Use of Hard-Coded Password |
...
MSC40-C. Do not violate constraints Rule 48. Miscellaneous (MSC) Rule 50. POSIX (POS)