SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 55

changes.mady.by.user Jon O'Donnell

Saved on

compared with

New Version Current

changes.mady.by.user Francesco Mariani

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Recommendation

Severity

Likelihood

Detectable

RepairableRemediation Cost

Priority

Level

MSC18-C

Medium

Probable

No

MediumNo

P8P4

L2L3

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Automated Detection

Constant cipher key

Constant block cipher initialization vector

Predictable cipher key

Predictable block cipher initialization vector

ToolVersionCheckerDescription
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

HARDCODED.AUTH

HARDCODED.KEY

HARDCODED.SALT

MISC.PWD.PLAIN

MISC.PWD.PLAINTRAN

Hardcoded Authentication

Hardcoded Crypto Key

Hardcoded Crypto Salt

Plaintext Storage of Password

Plaintext Transmission of Password

Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3556
C3557
C3558


PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

586

Partially supported: reports functions that read passwords from the user or that take a password as an argument instead of prompting the user as well as insecure password erasure

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MSC18-C


Checks for:

  • Constant or predictable block cipher initialization vector
  • Constant or predictable cipher key
  • Sensitive heap memory not cleared before release
  • Uncleared sensitive data in stack
  • Unsafe standard encryption function

Sensitive data not cleared or released by memory routine

Variable in stack is not cleared and contains sensitive data

Function is not reentrant or uses a risky encryption algorithm

Encryption or decryption key is constant instead of randomized or  generated from a weak random number generator

Initialization vector is constant instead of randomized

Encryption or decryption key is generated from a weak random number generator

Initialization vector is generated from a weak random number generator

Rec. partially covered.

Security Reviewer - Static Reviewer

Include Page
Security Reviewer - Static Reviewer_V
Security Reviewer - Static Reviewer_V

CsFPC

Fully implemented

Related Guidelines

CERT Oracle Secure Coding Standard for JavaMSC03-J. Never hard code sensitive information
cCERT C Secure Coding StandardMSC41-C. Never hard code sensitive information
MITRE CWECWE-259, Use of Hard-coded Password
CWE-261, Weak Cryptography for Passwords
CWE-311, Missing encryption of sensitive data
CWE-319, Cleartext Transmission of Sensitive Information
CWE-321, Use of Hard-coded Cryptographic Key
CWE-326, Inadequate encryption strength
CWE-798, Use of hard-coded credentials

...