473,608 Members | 2,412 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

Re: CERT C Secure Coding Standard - last call for reviewers

I hadn't read this before, but I just came back from the
Embedded Systems Conference, where three vendors were selling
checking tools to find bugs in real-time C code. Sometimes
they can detect array bounds errors by static analysis. But
the approaches used aren't airtight.

Reading the "CERT C Secure Coding Standard" is interesting,
but a program compliant with the rules can still have memory
access violations. That's the trouble with viewing this as
a stylistic problem.

We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this area,
but unless there's serious political interest, it's not something
I would spend time on.

John Nagle
Animats
Jun 27 '08 #1
2 1421
John Nagle wrote:
>
I hadn't read this before, but I just came back from the Embedded
Systems Conference, where three vendors were selling checking
tools to find bugs in real-time C code. Sometimes they can
detect array bounds errors by static analysis. But the
approaches used aren't airtight.
.... snip ...
>
We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this
area, but unless there's serious political interest, it's not
something I would spend time on.
It's not feasible, because the requirements would either destroy
previously valid code, or slow the execution down to a crawl, or
both. Ada or Pascal will give you what you want (but watch out for
non-compliant Pascals, such as that used by Borland or in Delphi).

--
[mail]: Chuck F (cbfalconer at maineline dot net)
[page]: <http://cbfalconer.home .att.net>
Try the download section.
** Posted from http://www.teranews.com **
Jun 27 '08 #2
John Nagle wrote:
I hadn't read this before, but I just came back from the
Embedded Systems Conference, where three vendors were selling
checking tools to find bugs in real-time C code. Sometimes
they can detect array bounds errors by static analysis. But
the approaches used aren't airtight.
Obviously they cannot be airtight and still permit all correct,
strictly conforming programs.
Reading the "CERT C Secure Coding Standard" is interesting,
but a program compliant with the rules can still have memory
access violations. That's the trouble with viewing this as
a stylistic problem.
Trying to address errors of (programmer) thought with automation
is futile. The best that such coding standards can hope to
achieve is to catch a large fraction of the mistakes that might
otherwise find their way into delivered products.
We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this area,
but unless there's serious political interest, it's not something
I would spend time on.
I would suggest that so long as C remains compatible with past
(correct) C source code, extensions won't guarantee anything.
Note that there have already been other guidelines (e.g. MISRA)
and "safer" libraries (one is described in a TR from WG14).

I am sure there is academic and perhaps commercial interest in
development of a *new* programming language that has safety
"built in" to a significantly greater extent. (Some PLs claim
that they are already that way.) Maybe your effort would be
better employed working on those.
Jun 27 '08 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
2816
passing cert location + password to a custom JSSESocketFactory
by: Lewis Sellers | last post by:
I have a custom JSSESocketFactory class that can take a PKCS12 certificate and password and use it to talk through axis to a secure web service. That works.... The problem is it needs to work on a shared hosting environment where each customer will have thier own certificates, the certificate is used used to verify their identity. I've been staring at the JSSE but am at somewhat of a loss as how to pass the cert location/password TO the...
Java
144
6814
Coding standards
by: Natt Serrasalmus | last post by:
After years of operating without any coding standards whatsoever, the company that I recently started working for has decided that it might be a good idea to have some. I'm involved in this initiative. Typically I find that coding standards are written by some guy in the company who has a way of coding that he likes and then tries to force everybody else to write code the way he likes it, not for any rational reason, but simply for the...
C / C++
1
1266
integrate with SSL Cert
by: Grey | last post by:
i have set up a web application. I want to know that how to integrate it with SSL cert?? If I got the cert already, how can I set the web server in order to be SSL enable web ?? Million Thanks..
ASP.NET
3
1479
asp.net client cert issue
by: Param R. | last post by:
Hi all, I have an aspx page that needs to call a remote website that is protected by client cert authentication. I have installed the client cert and set permissions for IIS_WPG as per http://support.microsoft.com/default.aspx?scid=kb;en-us;817854. I then exported the cert to a DER encoded file. Now here is my code:- Dim h as httpwebrequest h = Ctype(WebRequest.Create(strurl), httpwebrequest)
ASP.NET
7
4939
CERT C Programming Language Secure Coding Standard
by: Robert Seacord | last post by:
The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. We have already developed significant content for the C programming language that is available at: https://www.securecoding.cert.org/ by clicking on the "CERT C Programming Language Secure Coding Standard"
C / C++
19
3960
CSharp Coding Standards
by: auratius | last post by:
http://www.auratius.co.za/CSharpCodingStandards.html Complete CSharp Coding Standards 1. Naming Conventions and Styles 2. Coding Practices 3. Project Settings and Project Structure 4. Framework-Specific Guidelines Naming Conventions and Styles
C# / C Sharp
0
1477
Capturing a Client Cert and Passing it to a Secure Web Service
by: hepsubah | last post by:
I'm trying to capture a client cert in my ASP.NET application, and use that cert as the client cert for a call to secure web service. I've used the following code, but am getting a 403 error on the invocation of the service. All the service is supposed to do is return the subject of the passed cert (I'll do more with it later) ...
ASP.NET
2
1817
Client Cert Delegation to Web Service
by: hepsubah | last post by:
I have some secure ASP.NET Web Services (which could become WCF services) used to generate a secure ASP.NET page. Is there any way to delegate (impersonate?) the client cert from the user accessing the page to the secure service ? Thanks in advance Doug
.NET Framework
9
2091
C++ coding standards
by: dom.k.black | last post by:
Can anyone recommend a good existing C++ coding standard - parctical, pragmatic and sensible? A company I joined recently are moving from C to C++, they are very much into coding standards. But I have a horibble feeling they might get a C programmer to write the C++ standard. Would be nice to be able to suggest an existing standard.
C / C++
0
8067
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
General
0
8010
Changing the language in Windows 10
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
Windows Server
0
8501
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
C / C++
0
8483
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
Online Marketing
1
8157
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
Windows Server
0
6820
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
Career Advice
1
6015
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
Microsoft Access / VBA
0
5479
Couldn’t get equations in html when convert word .docx file to html file in C#.
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
C# / C Sharp
0
3967
Trying to create a lan-to-lan vpn between two differents networks
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
Networking - Hardware / Configuration

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us