...
| Code Block | ||
|---|---|---|
| ||
% strings a.out ... AUATL []A\A]A^A_ correct code Authentication error Authentication successful ... % |
Compliant Solution (C23, memset_explicit())
This compliant solution requires the user to supply the authentication code, and securely erases it when done, using memset_sexplicit(), an optional function provided by C11's Annex K.
| Code Block | ||||
|---|---|---|---|---|
| ||||
/* Returns nonzero if authenticated */
int authenticate(const char* code);
int main() {
#define CODE_LEN 50
char code[CODE_LEN];
printf("Please enter your authentication code:\n");
fgets(code, sizeof(code), stdin);
int flag = authenticate(code);
memset_sexplicit(code, sizeof(code), 0, sizeof(code));
if (!flag) {
printf("Access denied\n");
return -1;
}
printf("Access granted\n");
// ...Work with system...
return 0;
}
|
...
Rule | Severity | Likelihood | Detectable | Repairable | Priority | Level |
|---|---|---|---|---|---|---|
MSC41-C | High | Probable | No | No | P9P6 | L2 |
Automated Detection
| Tool | Version | Checker | Description | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Astrée |
| Supported | |||||||
| CodeSonar |
| HARDCODED.AUTH HARDCODED.DNS HARDCODED.KEY HARDCODED.SALT HARDCODED.SEED | Hardcoded Authentication Hardcoded DNS Name Hardcoded Crypto Key Hardcoded Crypto Salt Hardcoded Seed in PRNG | ||||||
| Helix QAC |
| C3122DF3556, DF3557, DF3558 C++3842 | |||||||
| Klocwork |
| HCC | |||||||
| Parasoft C/C++test |
| CERT_C-MSC41-a | Do not hard code string literals | ||||||
| PC-lint Plus |
| 2460 | Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate | ||||||
| Polyspace Bug Finder |
| CERT C: Rule MSC41-C | Checks for hard coded sensitive data (rule partially covered) | ||||||
| RuleChecker |
| Supported |
...