SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 26

changes.mady.by.user David Svoboda

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Code Block
languagebash
% strings a.out
...
AUATL
[]A\A]A^A_
correct code
Authentication error
Authentication successful
...
%

Compliant Solution (C23, memset_explicit())

This compliant solution requires the user to supply the authentication code, and securely erases it when done, using memset_sexplicit(), an optional function provided by C11's Annex K.

Code Block
bgColor#ccccff
languagecpp
/* Returns nonzero if authenticated */
int authenticate(const char* code);

int main() {
#define CODE_LEN 50
  char code[CODE_LEN];
  printf("Please enter your authentication code:\n");
  fgets(code, sizeof(code), stdin);
  int flag = authenticate(code);
  memset_sexplicit(code, sizeof(code), 0, sizeof(code));
  if (!flag) {
    printf("Access denied\n");
    return -1;
  }
  printf("Access granted\n");
  // ...Work with system...
  return 0;
}

...

Rule

Severity

Likelihood

Detectable

Repairable

Priority

Level

MSC41-C

High

Probable

No

No

P9P6

L2

Automated Detection

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V


Supported
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
HARDCODED.AUTH
HARDCODED.DNS
HARDCODED.KEY
HARDCODED.SALT
HARDCODED.SEED
Hardcoded Authentication
Hardcoded DNS Name
Hardcoded Crypto Key
Hardcoded Crypto Salt
Hardcoded Seed in PRNG
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3122

DF3556, DF3557, DF3558

C++3842


Klocwork
Include Page
Klocwork_V
Klocwork_V

HCC
HCC.PWD
HCC.USER
CXX.SV.PWD.PLAIN
CXX.SV.PWD.PLAIN.LENGTH
CXX.SV.PWD.PLAIN.ZERO


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-MSC41-a

Do not hard code string literals

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2460

Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MSC41-CChecks for hard coded sensitive data (rule partially covered)
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V


Supported
Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

RTOS_14Fully implemented

Related Guidelines

javaMSC03-J. Never hard code sensitive information

ISO/IEC TR 24772:2010

Hard-coded Password [XYP]

MITRE CWE

CWE-259, Use of Hard-Coded Password
CWE-798, Use of Hard-Coded Credentials

...