473,495 Members | 2,058 Online
Bytes | Software Development & Data Engineering Community
Create Post

Home Posts Topics Members FAQ

Re: CERT C Secure Coding Standard - last call for reviewers

I hadn't read this before, but I just came back from the
Embedded Systems Conference, where three vendors were selling
checking tools to find bugs in real-time C code. Sometimes
they can detect array bounds errors by static analysis. But
the approaches used aren't airtight.

Reading the "CERT C Secure Coding Standard" is interesting,
but a program compliant with the rules can still have memory
access violations. That's the trouble with viewing this as
a stylistic problem.

We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this area,
but unless there's serious political interest, it's not something
I would spend time on.

John Nagle
Animats
Jun 27 '08 #1
2 1412
John Nagle wrote:
>
I hadn't read this before, but I just came back from the Embedded
Systems Conference, where three vendors were selling checking
tools to find bugs in real-time C code. Sometimes they can
detect array bounds errors by static analysis. But the
approaches used aren't airtight.
.... snip ...
>
We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this
area, but unless there's serious political interest, it's not
something I would spend time on.
It's not feasible, because the requirements would either destroy
previously valid code, or slow the execution down to a crawl, or
both. Ada or Pascal will give you what you want (but watch out for
non-compliant Pascals, such as that used by Borland or in Delphi).

--
[mail]: Chuck F (cbfalconer at maineline dot net)
[page]: <http://cbfalconer.home.att.net>
Try the download section.
** Posted from http://www.teranews.com **
Jun 27 '08 #2
John Nagle wrote:
I hadn't read this before, but I just came back from the
Embedded Systems Conference, where three vendors were selling
checking tools to find bugs in real-time C code. Sometimes
they can detect array bounds errors by static analysis. But
the approaches used aren't airtight.
Obviously they cannot be airtight and still permit all correct,
strictly conforming programs.
Reading the "CERT C Secure Coding Standard" is interesting,
but a program compliant with the rules can still have memory
access violations. That's the trouble with viewing this as
a stylistic problem.
Trying to address errors of (programmer) thought with automation
is futile. The best that such coding standards can hope to
achieve is to catch a large fraction of the mistakes that might
otherwise find their way into delivered products.
We could do much better, but would have to extend the C language
to do so. Is there any interest in that? C99 has a few halting
steps in the right direction, like the use of "static" in array
arguments in function declarations to indicate the minimum size
of the array passed. I've been writing up something in this area,
but unless there's serious political interest, it's not something
I would spend time on.
I would suggest that so long as C remains compatible with past
(correct) C source code, extensions won't guarantee anything.
Note that there have already been other guidelines (e.g. MISRA)
and "safer" libraries (one is described in a TR from WG14).

I am sure there is academic and perhaps commercial interest in
development of a *new* programming language that has safety
"built in" to a significantly greater extent. (Some PLs claim
that they are already that way.) Maybe your effort would be
better employed working on those.
Jun 27 '08 #3
Create Post

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics
1
2811
passing cert location + password to a custom JSSESocketFactory
by: Lewis Sellers | last post by:
I have a custom JSSESocketFactory class that can take a PKCS12 certificate and password and use it to talk through axis to a secure web service. That works.... The problem is it needs to work on...
Java
144
6728
Coding standards
by: Natt Serrasalmus | last post by:
After years of operating without any coding standards whatsoever, the company that I recently started working for has decided that it might be a good idea to have some. I'm involved in this...
C / C++
1
1256
integrate with SSL Cert
by: Grey | last post by:
i have set up a web application. I want to know that how to integrate it with SSL cert?? If I got the cert already, how can I set the web server in order to be SSL enable web ?? Million Thanks..
ASP.NET
3
1475
asp.net client cert issue
by: Param R. | last post by:
Hi all, I have an aspx page that needs to call a remote website that is protected by client cert authentication. I have installed the client cert and set permissions for IIS_WPG as per...
ASP.NET
7
4922
CERT C Programming Language Secure Coding Standard
by: Robert Seacord | last post by:
The CERT/CC has just deployed a new web site dedicated to developing secure coding standards for the C programming language, C++, and eventually other programming language. We have already...
C / C++
19
3936
CSharp Coding Standards
by: auratius | last post by:
http://www.auratius.co.za/CSharpCodingStandards.html Complete CSharp Coding Standards 1. Naming Conventions and Styles 2. Coding Practices 3. Project Settings and Project Structure 4....
C# / C Sharp
0
1466
Capturing a Client Cert and Passing it to a Secure Web Service
by: hepsubah | last post by:
I'm trying to capture a client cert in my ASP.NET application, and use that cert as the client cert for a call to secure web service. I've used the following code, but am getting a 403 error on...
ASP.NET
2
1810
Client Cert Delegation to Web Service
by: hepsubah | last post by:
I have some secure ASP.NET Web Services (which could become WCF services) used to generate a secure ASP.NET page. Is there any way to delegate (impersonate?) the client cert from the user...
.NET Framework
9
2070
C++ coding standards
by: dom.k.black | last post by:
Can anyone recommend a good existing C++ coding standard - parctical, pragmatic and sensible? A company I joined recently are moving from C to C++, they are very much into coding standards. But...
C / C++
0
7120
marktang
What is ONU?
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
General
0
7160
Oralloy
Problem With Comparison Operator <=> in G++
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers,...
C / C++
0
7196
jinu1996
Maximizing Business Potential: The Nexus of Website Design and Digital Marketing
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
Online Marketing
1
6878
The easy way to turn off automatic updates for Windows 10/11
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
Windows Server
0
5456
agi2029
AI Job Threat for Devs
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
Career Advice
1
4897
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new...
Microsoft Access / VBA
0
3078
Windows Forms - .Net 8.0
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
Visual Basic .NET
0
1405
transfer the data from one system to another through ip address
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated ...
C# / C Sharp
1
649
muto222
How to add payments to a PHP MySQL app.
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.
PHP

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.

BYTES.COM © 2024
About Bytes
Terms Of Use
Privacy Policy
Sitemap
Advertise on Bytes
How to Post and Respond on Bytes
How to Promote and Link on Bytes
How to increase your Ranking on Bytes
Become a Recognized Expert on Bytes
Feedback Welcomed! Contact Us