Transcription
Secure Coding InitiativeRobert C. Seacord 2010 Carnegie Mellon University
NO WARRANTYTHIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERINGINSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NOWARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING,BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY,EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLONUNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOMFROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.Use of any trademarks in this presentation is not intended in any way to infringe on the rights of thetrademark holder.This Presentation may be reproduced in its entirety, without modification, and freely distributed in written orelectronic form without requesting formal permission. Permission is required for any other use. Requestsfor permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.This work was created in the performance of Federal Government Contract Number FA8721-05-C-0003with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally fundedresearch and development center. The Government of the United States has a royalty-free governmentpurpose license to use, duplicate, or disclose the work, in whole or in part and in any manner, and to haveor permit others to do so, for government purposes pursuant to the copyright license under the clause at252.227-7013.2
Presenter BioRobert Seacord began programming(professionally) for IBM in 1982 and hasbeen programming in C since 1985.Robert leads the Secure Coding Initiativeat the CERT, located at CarnegieMellon’s Software Engineering Institute(SEI). He is author of The CERT CSecure Coding Standard (AddisonWesley, 2009), Secure Coding in C andC (Addison-Wesley, 2005), BuildingSystems from Commercial Components(Addison-Wesley, 2002) andModernizing Legacy Systems (AddisonWesley, 2003).3
Secure Coding InitiativeInitiative GoalsCurrent CapabilitiesWork with software developers andsoftware development organizationsto eliminate vulnerabilities resultingfrom coding errors before they aredeployed.Secure coding standardswww.securecoding.cert.orgSource code analysis andconformance testingTraining coursesInvolved in international standardsdevelopment.Overall ThrustsAdvance the state of the practice insecure codingIdentify common programmingerrors that lead to softwarevulnerabilitiesEstablish standard secure codingpracticesEducate software developers4
Secure Coding in the SDLC5
Increasing VulnerabilitiesReacting to vulnerabilities inexisting systems is not working6
CERT Secure Coding InitiativeReduce the number of vulnerabilities to a level wherethey can be handled by computer security incidentresponse teams (CSIRTs)Decrease remediation costs by eliminatingvulnerabilities before software is deployed7
Fun With Integerschar x, y;x -128;y -x;Lesson: Process is irrelevantwithout a strong fundamentalknowledge of the language andenvironmentif (x y) puts("1");if ((x - y) 0) puts("2");if ((x y) 2 * x) puts("3");if (((char)(-x) x) ! 0) puts("4");if (x ! -y) puts("5");8
Secure Coding RoadmapSEI SecureCoding CourseBreadth of impactSecure DesignPatternsUniversity courses CMU Purdue University of Florida Santa Clara University St. John Fisher CollegeLicensed to: Computer Associates Siemens SANSInfluence InternationalStandard BodiesTool Test SuiteAdoption by Analyzer ToolsApplicationConformanceTestingAdoption by software developers Lockheed Martin Aeronautics General Atomics2003Time20109
Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch10
CERT Secure Coding StandardsEstablish coding guidelines for commonly usedprogramming languages that can be used to improvethe security of software systems under developmentBased on documented standard language versionsas defined by official or de facto standardsorganizationsSecure coding standards are under development for: C programming language (ISO/IEC 9899:1999) C programming language (ISO/IEC 14882-2003) Java Platform Standard Edition 611
Secure Coding Web Site (Wiki)www.securecoding.cert.orgRules are solicited from thecommunityPublished as candidate rulesand recommendations on theCERT Wiki.Threaded discussions usedfor public vettingCandidate coding practices aremoved into a secure codingstandard when consensus isreached12
Noncompliant Examples & Compliant SolutionsNoncompliant Code ExampleIn this noncompliant code example, the char pointer p isinitialized to the address of a string literal. Attempting to modifythe string literal results in undefined behavior.char *p "string literal"; p[0] 'S';Compliant SolutionAs an array initializer, a string literal specifies the initial valuesof characters in an array as well as the size of the array. Thiscode creates a copy of the string literal in the space allocatedto the character array a. The string stored in a can be safelymodified.char a[] "string literal"; a[0] 'S';13
CERT C Secure Coding Standard Rules (89)CERT C Secure Coding StandardRecommendations (132)002468101214510112Declarations and Initialization (DCL)Declarations andInitialization (DCL)157Expressions (EXP)Expressions (EXP)129Integers (INT)Integers (INT)6Floating Point (FLP)Arrays (ARR)9Characters and Strings(STR)Input Output (FIO)154Signals (SIG)911Input Output (FIO)17Environment (ENV)5Error Handling (ERR)3Memory Management (MEM)6Environment (ENV)4Characters and Strings (STR)8Memory Management(MEM)16Floating Point (FLP)5Arrays (ARR)Miscellaneous (MSC)Signals (SIG)353Error Handling (ERR)72Miscellaneous (MSC)POSIX (POS)2016Preprocessor (PRE)Preprocessor (PRE)15168POSIX (POS)314
CERT Mitigation InformationVulnerability Note VU#649732This vulnerability occurred as aresult of failing to comply with ruleFIO30-C of the CERT CProgramming Language SecureCoding Standard.US CERT Technical AlertsCERT Secure Coding StandardExamples of vulnerabilitiesresulting from the violationof this recommendation canbe found on the CERTwebsite .15
Secure Coding Standard ApplicationsEstablish secure coding practices within anorganization may be extended with organization-specific rules cannot replace or remove existing rulesTrain software professionalsCertify programmers in securecodingEstablish requirements forsoftware analysis toolsCertify software systems16
Industry AdoptionSoftware developers that require code to conform toThe CERT C Secure Coding Standard:Software tools that (partially) enforce The CERT CSecure Coding Standard:17
Industry AdoptionLDRA ships new TBsecure complete withCERT C Secure Coding programming checkerScreenshot from the LDRA tool suite shows the selection of theCERT C secure coding standard from the C standards models18
Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch19
Enforcing Coding StandardsIncreasingly, application source code reviews are dictated.The Payment Card Industry (PCI) DataSecurity Standard requires thatcompanies with stored credit card or otherconsumer financial data install application firewalls around allInternet-facing applications or have all the applications' code reviewed forsecurity flaws.This requirement could be met by amanual review of application source codeor the proper use of automatedapplication source code analyzer tools.20
CERT SCALe (Source Code Analysis Lab)Satisfy demand for source code assessments forboth government and industry organizations.Assess source codeagainst one or moresecure coding standards.Provided a detailedreport of findings.Assist customers indeveloping conformingsystems.21
Conformance TestingClient contacts SCALeSCALe communicatesrequirementClient provides buildablesoftwareThe use of secure coding standardsdefines a proscriptive set of rules andrecommendations to which the sourcecode can be evaluated for compliance.SCALe selects tool setSCALe analyzes sourcecode and generates initialreportINT30-C.Provably nonconformingINT31-C.Documented deviationINT32-C.ConformingINT33-C.Provably ConformingClient repairs softwareSCALe issues conformancetests results and certificate22
Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining coursesResearch23
Secure TSPstaticanalysistools, unittests, andfuzz testing221 GuidelinesSecurityManagerDeploySourceCode24
Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining CoursesResearch25
Secure Coding in C/C CourseFour day course provides practical guidance on secureprogramming provides a detailed explanation of common programming errors describes how errors can lead to vulnerable code evaluates available mitigation strategies eful to anyone involved in developing secure C and C programs regardless of the applicationDirect offerings in Pittsburgh, Arlington, and other citiesPartnered with industry Licensed to Computer Associates to train 9000 internal softwaredevelopers Licensed to SANS to provide public training26
CMU CS 15-392 Secure ProgrammingOffered as an undergraduate elective in the School ofComputer Science in S07, S08 and S09 More of a vocational course than an “enduringknowledge” course. Students are interested in taking a class that goesbeyond “policy”Secure Software Engineering graduate courseoffered at INI in F08, F09Working with NSF to sponsor a workshop in Mauritiusto help universities throughout the world teach securecoding27
Products and ServicesCERT Secure Coding StandardsCERT SCALe (Source Code Analysis Laboratory)TSP SecureTraining CoursesResearch28
As-if Infinitely Ranged (AIR) IntegersAIR integers is a model for automating the elimination of integer overflowand truncation in C and C code. integer operations either succeed or trap uses the runtime-constraint handling mechanisms defined by ISO/IEC TR24731-1 generates constraint violations for—signed overflow for addition, subtraction, multiplication, negation, and left shifts—unsigned wrapping for addition, subtraction, and multiplication—truncation resulting from coercion (not included in benchmarks)SPECINT2006 macro-benchmarksOptimization LevelControl RatioAnalyzable Ratio% .5829
CERT C and C Develop a holistic solution to the problem that includes An analyzability annex for the C1X standard As-if infinitely ranged (“AIR”) integers Safe Secure C/C methods (SSCC) C and C Secure Coding GuidelinesThis solution eliminates the vulnerabilities: Writing outside the bounds of an object (e.g., buffer overflow) Reading outside the bounds of an object Arbitrary reads/writes (e.g., wild-pointer stores) Integer overflow and truncationPrototype using Compass/ROSE and GCC30
ROSEdiagnosticsPrototypeDesignSource rFrontendInternalrepresentation(IR)Advice cureExecutableObject code31
For More InformationVisit CERT web w.securecoding.cert.org/Contact PresenterRobert C. Seacordrcs@cert.org(412) 268-7608Contact CERT:Software Engineering InstituteCarnegie Mellon University4500 Fifth AvenuePittsburgh PA 15213-3890USA32
CERT Secure Coding Initiative Reduce the number of vulnerabilities to a level where they can be handled by computer security incident response teams (CSIRTs) Decrease remediation costs by eliminating vulnerabilities before software is deployed. 8 Fun With Integers char x, y; x -128;
