Secure Coding Initiative - Cert

Secure Coding InitiativeRobert C. Seacord© 2010 Carnegie Mellon University

NO WARRANTYTHIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERINGINSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NOWARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING,BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLONUNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOMFROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.Use of any trademarks in this presentation is not intended in any way to infringe on the rights of thetrademark holder.This Presentation may be reproduced in its entirety, without modification, and freely distributed in written orelectronic form without requesting formal permission. Permission is required for any other use. Requestsfor permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally fundedresearch and development center. The Government of the United States has a royalty-free governmentpurposelicense to use, duplicate, or disclose the work, in whole or in part and in any manner, and to haveor permit others to do so, for government purposes pursuant to the copyright license under the clause at252.227-7013.2

Presenter BioRobert Seacord began programming(professionally) for IBM in 1982 and hasbeen programming in C since 1985.Robert leads the Secure Coding Initiativeat the CERT, located at CarnegieMellon’s Software Engineering Institute(SEI). He is author of The CERT CSecure Coding Standard (Addison-Wesley, 2009), Secure Coding in C andC++ (Addison-Wesley, 2005), BuildingSystems from Commercial Components(Addison-Wesley, 2002) andModernizing Legacy Systems (Addison-Wesley, 2003).3

Secure Coding InitiativeInitiative GoalsWork with software developers andsoftware development organizationsto eliminate vulnerabilities resultingfrom coding errors before they aredeployed.Overall ThrustsAdvance the state of the practice insecure codingIdentify common programmingerrors that lead to softwarevulnerabilitiesEstablish standard secure codingpracticesEducate software developersCurrent CapabilitiesSecure coding standardswww.securecoding.cert.orgSource code analysis andconformance testingTraining coursesInvolved in international standardsdevelopment.4

Secure Coding in the SDLC5

Increasing VulnerabilitiesReacting to vulnerabilities inexisting systems is not working6

CERT Secure Coding InitiativeReduce the number of vulnerabilities to a level wherethey can be handled by computer security incidentresponse teams (CSIRTs)Decrease remediation costs by eliminatingvulnerabilities before software is deployed7

Fun With Integerschar x, y;x = -128;y = -x;Lesson: Process is irrelevantwithout a strong fundamentalknowledge of the language andenvironmentif (x == y) puts("1");if ((x - y) == 0) puts("2");if ((x + y) == 2 * x) puts("3");if (((char)(-x) + x) != 0) puts("4");if (x != -y) puts("5");8

Secure Coding RoadmapBreadth of impactSecure DesignPatternsUniversity courses• CMU• Purdue• University of Florida• Santa Clara University• St. John Fisher CollegeSEI SecureCoding CourseInfluence InternationalStandard BodiesAdoption by Analyzer ToolsLicensed to:• Computer Associates• Siemens• SANSTool Test SuiteApplicationConformanceTestingAdoption by software developers• Lockheed Martin Aeronautics• General Atomics2003 Time 20109

Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch10

CERT Secure Coding StandardsEstablish coding guidelines for commonly usedprogramming languages that can be used to improvethe security of software systems under developmentBased on documented standard language versionsas defined by official or de facto standardsorganizationsSecure coding standards are under development for:• C programming language (ISO/IEC 9899:1999)• C++ programming language (ISO/IEC 14882-2003)• Java Platform Standard Edition 611

Secure Coding Web Site (Wiki)www.securecoding.cert.orgRules are solicited from thecommunityPublished as candidate rulesand recommendations on theCERT Wiki.Threaded discussions usedfor public vettingCandidate coding practices aremoved into a secure codingstandard when consensus isreached12

Noncompliant Examples & Compliant SolutionsNoncompliant Code ExampleIn this noncompliant code example, the char pointer p isinitialized to the address of a string literal. Attempting to modifythe string literal results in undefined behavior.char *p = "string literal"; p[0] = 'S';Compliant SolutionAs an array initializer, a string literal specifies the initial valuesof characters in an array as well as the size of the array. Thiscode creates a copy of the string literal in the space allocatedto the character array a. The string stored in a can be safelymodified.char a[] = "string literal"; a[0] = 'S';13

CERT C Secure Coding Standard Rules (89)CERT C Secure Coding StandardRecommendations (132)0 5 10 15 20Preprocessor (PRE)Declarations andInitialization (DCL)Expressions (EXP)0 2 4 6 8 10 12 14 16279Preprocessor (PRE)Declarations and Initialization (DCL)Expressions (EXP)111215Integers (INT)6Integers (INT)16Floating Point (FLP)5Floating Point (FLP)4Arrays (ARR)9Arrays (ARR)3Characters and Strings(STR)8Characters and Strings (STR)9Memory Management(MEM)6Memory Management (MEM)11Input Output (FIO)15Input Output (FIO)17Environment (ENV)4Environment (ENV)5Signals (SIG)5Signals (SIG)3Error Handling (ERR)3Error Handling (ERR)7Miscellaneous (MSC)2Miscellaneous (MSC)16POSIX (POS)8POSIX (POS)314

CERT Mitigation InformationVulnerability Note VU#649732This vulnerability occurred as aresult of failing to comply with ruleFIO30-C of the CERT CProgramming Language SecureCoding Standard.US CERT Technical AlertsCERT Secure Coding StandardExamples of vulnerabilitiesresulting from the violationof this recommendation canbe found on the CERTwebsite .15

Secure Coding Standard ApplicationsEstablish secure coding practices within anorganization• may be extended with organization-specific rules• cannot replace or remove existing rulesTrain software professionalsCertify programmers in securecodingEstablish requirements forsoftware analysis toolsCertify software systems16

Industry AdoptionSoftware developers that require code to conform toThe CERT C Secure Coding Standard:Software tools that (partially) enforce The CERT CSecure Coding Standard:17

Industry AdoptionLDRA ships new TBsecure complete withCERT C Secure Coding programming checkerScreenshot from the LDRA tool suite shows the selection of theCERT C secure coding standard from the C standards models18

Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch19

Enforcing Coding StandardsIncreasingly, application source code reviews are dictated.The Payment Card Industry (PCI) DataSecurity Standard requires thatcompanies with stored credit card or otherconsumer financial data• install application firewalls around allInternet-facing applications or• have all the applications' code reviewed forsecurity flaws.This requirement could be met by amanual review of application source codeor the proper use of automatedapplication source code analyzer tools.20

CERT SCALe (Source Code Analysis Lab)Satisfy demand for source code assessments forboth government and industry organizations.Assess source codeagainst one or moresecure coding standards.Provided a detailedreport of findings.Assist customers indeveloping conformingsystems.21

Conformance TestingClient contacts SCALeSCALe communicatesrequirementClient provides buildablesoftwareThe use of secure coding standardsdefines a proscriptive set of rules andrecommendations to which the sourcecode can be evaluated for compliance.SCALe selects tool setSCALe analyzes sourcecode and generates initialreportClient repairs softwareSCALe issues conformancetests results and certificateINT30-C.INT31-C.INT32-C.INT33-C.Provably nonconformingDocumented deviationConformingProvably Conforming22

Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch23

Secure TSP221 Guidelinesstaticanalysistools, unittests, andfuzz testingSecurityManagerDeploySourceCode24

Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining CoursesResearch25

Secure Coding in C/C++ CourseFour day course provides practical guidance on secureprogramming• provides a detailed explanation of common programming errors• describes how errors can lead to vulnerable code• evaluates available mitigation strategies• http://www.sei.cmu.edu/products/courses/p63.htmlUseful to anyone involved in developing secure C and C++programs regardless of the applicationDirect offerings in Pittsburgh, Arlington, and other citiesPartnered with industry• Licensed to Computer Associates to train 9000+ internal softwaredevelopers• Licensed to SANS to provide public training26

CMU CS 15-392 Secure ProgrammingOffered as an undergraduate elective in the School ofComputer Science in S07, S08 and S09• More of a vocational course than an “enduringknowledge” course.• Students are interested in taking a class that goesbeyond “policy”Secure Software Engineering graduate courseoffered at INI in F08, F09Working with NSF to sponsor a workshop in Mauritiusto help universities throughout the world teach securecoding27

Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining CoursesResearch28

As-if Infinitely Ranged (AIR) IntegersAIR integers is a model for automating the elimination of integer overflowand truncation in C and C++ code.• integer operations either succeed or trap• uses the runtime-constraint handling mechanisms defined by ISO/IEC TR24731-1• generates constraint violations for— signed overflow for addition, subtraction, multiplication, negation, and left shifts— unsigned wrapping for addition, subtraction, and multiplication— truncation resulting from coercion (not included in benchmarks)SPECINT2006 macro-benchmarksOptimization Level Control Ratio Analyzable Ratio % Slowdown-O0 4.92 4.60 6.96-O1 7.21 6.77 6.50-O2 7.38 6.99 5.5829

CERT C and C++Develop a holistic solution to the problem that includes• An analyzability annex for the C1X standard• As-if infinitely ranged (“AIR”) integers• Safe Secure C/C++ methods (SSCC)• C and C++ Secure Coding GuidelinesThis solution eliminates the vulnerabilities:• Writing outside the bounds of an object (e.g., buffer overflow)• Reading outside the bounds of an object• Arbitrary reads/writes (e.g., wild-pointer stores)• Integer overflow and truncationPrototype using Compass/ROSE and GCC30

ROSESource filediagnosticsPrototypeDesignCompilerCompilerFrontendRun-timepointer-checkinglibraryInternalrepresentation(IR)Pre-linker Linker Safe/SecureExecutableAdvice fileModifiedCompilerBackendObject code31

For More InformationVisit CERT ® web sites:http://www.cert.org/secure-coding/https://www.securecoding.cert.org/Contact PresenterRobert C. Seacordrcs@cert.org(412) 268-7608Contact CERT:Software Engineering InstituteCarnegie Mellon University4500 Fifth AvenuePittsburgh PA 15213-3890USA32