CERT® Secure Coding eNewsletter

Spring Edition 2016

News
Language Standards Updates
Upcoming Events
Our People
Secure Coding Resources

Welcome to the Spring 2016 edition of the CERT Secure Coding Standards newsletter!

We have some exciting news about CERT Secure Coding standards. We just released the freely downloadable online snapshot publication (PDF) of the SEI CERT C Coding Standard, (2016 Edition). This edition reflects two years of research and insight gained since the previously released edition. Being freely available, this online edition enables developers to share it widely and use it in training, documentation, tool development, professional guides, and other environments. We plan to release other standards in this format as well.

The newly published standard joins the SEI CERT Secure Coding in C and C++ Professional Certificate that we launched several months ago. Along with the SEI CERT C++ Coding Standard, this certificate helps software developers and source code analysts develop more secure code by improving their ability to avoid unintentional behaviors in the C and C++ languages.

Save the date! We are planning to hold a Secure Coding Symposium on September 8, 2016 in the Arlington, VA area. Registration will open in the next several weeks. We are inviting speakers from government, industry, and academia to talk about future trends that will affect secure coding. If you have ideas for a speaker or a topic you think is particularly relevant, please send us a note at info@sei.cmu.edu. If you're interested in attending the symposium, let us know at info@sei.cmu.edu, and we'll be sure to contact you when registration opens.

We released Clang 3.8! This latest version of Clang contains nine additional checks for the CERT C and C++ Coding standards. You can download pre-built binaries and tagged sources.

To better focus attention on the CERT C++ Coding Standard, we hid the Recommendations section from the main landing page and reordered them to be within The Void in the wiki page tree view. While reviewing the Recommendations, we determined their content wasn't of sufficient quality to justify such prominent placement in the coding standard. We intend to update that content at a later date, at which point, we'll return it to the C++ landing page.

I'd love to hear how you are using the newsletters or will use the newly released SEI CERT C Coding Standard (2016 Edition). Send me a note at info@sei.cmu.edu.

Thank you all for your continued interest and engagement in the SEI CERT Secure Coding Initiative. Have a great summer!

- Bob Schiela

Language Standards Updates

CERT C Coding Standard

Editors: Martin Sebor (Red Hat, Inc.) and Aaron Ballman (SEI/CERT)

Added

EXP47-C. Do not call va_arg with an argument of the incorrect type

Changed

Due to the release of Clang 3.8, all automated detection sections that previously listed a check as "Clang 3.8 (pre-release)" are now listed as "Clang 3.8" instead.
DCL39-C. Avoid information leakage when passing a structure across a trust boundary
now covers leaking information via bit-field storage unit padding, along with a new NCCE/CS pair. Was previously titled DCL39-C. Avoid information leakage in structure padding,
CON34-C. Declare objects shared between threads with appropriate storage durations
The first CS relied on implementation-defined behavior, so it has been changed back to an NCCE with a citation of why the behavior is implementation defined.
CON00-C. Avoid race conditions with multiple threads
now has a new set of code examples that illustrate CVE-2015-8550 / XSA-155.
ERR34-C. Detect errors when converting a string to a number
is now a rule which was formerly recommendation INT06-C. Unlike the recommendation, this rule applies strictly to C integer-parsing functions like atoi(); it does not address custom integer parsers.
MSC37-C. Ensure that control never reaches the end of a non-void function
Added an exception for code paths that involve calling a function marked _Noreturn; matches MSC54-CPP-EX2.
ARR38-C. Guarantee that library functions do not form invalid pointers
Added information about CVE-2016-2208 as a related vulnerability.
FLP30-C. Do not use floating-point variables as loop counters
Added a citation to [Goldberg 1991] for background on why floats are bad for precise compuations. Also, updated a Compliant Solution to reduce compounded rounding errors.
CON40-C. Do not refer to an atomic variable twice in an expressionClarified the final compliant solution to show that the function parameter need not be atomic. This provides a performance benefit without losing any other properties.

New Clang Checkers

ERR34-C. Detect errors when converting a string to a number

CERT C++ Secure Coding Standard

Editors: Martin Sebor (Red Hat, Inc.) and Aaron Ballman (SEI/CERT)

Added

DCL60-CPP. Avoid information leakage when passing a class object across a trust boundary
ERR62-CPP. Detect errors when converting a string to a number
CON52-CPP. Prevent data races when accessing bit-fields from multiple threads
Ported from CON32-C with examples that illustrate the C++ style.
CON53-CPP. Avoid deadlock by locking in a predefined order
Ported from CON35-C with appropriate C++ updates
CON54-CPP. Wrap functions that can spuriously wake up in a loop
Ported from CON36-C with appropriate C++ updates
CON55-CPP. Preserve thread safety and liveness when using condition variables
Ported from CON38-C with appropriate C++ updates

Changed

Due to the release of Clang 3.8, all automated detection sections that previously listed a check as "Clang 3.8 (pre-release)" are now listed as "Clang 3.8" instead.
ERR56-CPP. Guarantee exception safety
Substantially edited for clarity, completing the rule. Removed the work-in-progress warning.
EXP58-CPP. Pass an object of the correct type to va_start
Added further information about default argument promotions, added another NCCE/CS pair, and performed some minor wordsmithing. Changed the title to be more vague because the scope of the rule was expanded; was previously called EXP58-CPP. Do not pass a reference or nontrivially copyable type to va_start. Updated the wording of the rule to refer to DCL50-CPP, which prohibits defining a variadic function, except when it's an extern "C" function.
CON51-CPP. Ensure actively held locks are released on exceptional conditions
Previously only mentioned one type of lock object; added the two others that are appropriate. Clarifies that lock objects are not required, but are preferred.
CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container
Clarified that references and pointers should be treated the same, despite the C++ Standard giving more latitude for pointers under certain circumstances.
CTR58-CPP. Predicate function objects should not be mutable
No longer requires predicate function objects to implement pure function call semantics, which barred reasonable practices such as IO and accessing other global state.
CTR57-CPP. Provide a valid ordering predicate
Corrected the description of the asymetical property of a strict weak ordering.
DCL53-CPP. Do not write syntactically ambiguous declarations
Added another NCCE/CS pair based on real-world code examples.

Removed

The Recommendations section has been removed from the landing page and temporarily moved into The Void within the wiki page tree view. It will be returned to the landing page at a later date, after the content has been appropriately reviewed and updated.
DCL55-CPP. Overloaded postfix increment and decrement operators should return a const object
Was converted from a rule to a recommendation. Is now DCL21-CPP. Overloaded postfix increment and decrement operators should return a const object.

New Clang Checkers

The Clang -Wvarargs warning flag was extended to catch additional cases of undefined behavior from EXP58-CPP. Pass an object of the correct type to va_start; namely, it now diagnoses arguments that undergo default argument promotion, and use of the register keyword in C.
ERR62-CPP. Detect errors when converting a string to a number
The clang-tidy checker flags use of unsafe C Standard Library functions even when used from C++ (such as calling std::atoi()), but it does not provide additional C++ checking.

CERT Oracle Secure Coding Standard for Java

Editors: Brad Senetza (Oracle) and David Svoboda (SEI/CERT)

Changed

SER12-J. Prevent deserialization of untrusted classes No longer suggests that the Java default SecurityManager can be used to prevent malicious deserialization.
IDS03-J. Do not log unsanitized user input The compliant solution separates the sanitization out into a sanitizeUser()method. There is also a second compliant solution that embeds sanitization into the Logger.
IDS08-J. Sanitize untrusted data included in a regular expression now has a compliant solution that uses Pattern.quote() to sanitize input to a regex.
MSC61-J. Do not use insecure or weak cryptographic algorithms's compliant solution has been overhauled to use a secure mode-of-operation for block ciphers.
MSC62-J. Store passwords using a hash function's compliant solution has been overhauled to use PBKDF2 and thwart timing attacks.
MSC02-J. Generate strong random numbers has a new CS that showcases SecureRandom.getInstanceStrong(), which was introduced in Java 8. It also no longer explicitly specifies a RNG algorithm, which allows the Java core library to select a suitable one.
The first compliant solution in MSC03-J. Never hard code sensitive information now performs a standards-compliant read of data from a file.
In OBJ11-J. Be wary of letting constructors throw exceptions the "initializer flag" compliant solution how has some rationale on why the initializer flag is volatile.
ERR00-J. Do not suppress or ignore checked exceptions has a more precise illustration of the ExceptionReporter class.

No Java rules were added or removed.

CERT Secure Coding Standard for Android

Editors: Fred Long (Aberystwyth University) and Lori Flynn (SEI/CERT)

No Android rules were added, removed, deprecated, or substantively changed.

CERT Perl Secure Coding Standard

Editor: David Svoboda (SEI/CERT)

No Perl rules were added, removed, deprecated, or substantively changed.

Upcoming Events

Aaron Ballman and Mark Sherman will present "Construction and Implementation of CERT Secure Coding Rules Improving Automation of Secure Coding" at the Safe and Secure Systems and Software Symposium (S5) on July 12-14, 2016 in Dayton OH.

Mark Sherman will present "Risks in the Software Supply Chain," at Abstractions on August 18-20, 2016 in Pittsburgh, PA.

Recent Events

Lori Flynn was co-chair of MobileSoft 2016 (IEEE/ACM International Conference on Mobile Software Engineering and Systems), which took place May 16-17 and was co-located with ICSE in Austin, TX.

On April 11, Mark Sherman and Bob Schiela, along with Chris Valasek (Uber ATC) and Chris Alberts, Hasan Yasar, and Chris King (all from SEI CERT), delivered the Lessons Learned from the Jeep Hack: How to Reduce Software Vulnerabilities in Cyber-Physical Systems webinar. If you missed it, you can watch a recorded version.

Our People

In the eNewsletter, we highlight staff members behind our secure coding research. This month we feature David Svoboda.

David Svoboda is a software security engineer at at the CERT Division of the SEI. He co-authored or contributed to four books, including The CERT C Coding Standard and The CERT Oracle Secure Coding Standard for Java. He also maintains the SEI CERT Coding Standard wikis and has taught Secure Coding in C and C++ all over the world to various groups in the military, government, and banking industries. David is also involved in several ISO standards groups: the JTC1/SC22/WG14 group for standardizing C, and the JTC1/SC22/WG21 group for standardizing C++.

David has been the primary developer on a diverse set of software development projects at Carnegie Mellon University since 1991. His projects have ranged from hierarchical chip modeling and social organization simulation to automated machine translation (AMT). His KANTOO AMT software, developed in 1996, is still in production use at Caterpillar.

Secure Coding Resources

Read Vehicle Cybersecurity: The Jeep Hack and Beyond blog post

Read Who Needs to Exploit Vulnerabilities When You Have Macros? blog post

Watch Lessons Learned from the Jeep Hack: How to Reduce Software Vulnerabilities in Cyber-Physical Systems webinar.

Subscribe to Our eNewsletter

Join the SEI CERT Secure Coding Community