Transcription
Secure CodingStandards2008 February 5thR b tCRobertC. SSeacordd 2009 Carnegie Mellon University
AgendagSoftware SecurityyCERT Secure Coding InitiativeCERT Secure Coding StandardsFuture Directions and Key Points2
Increasingg VulnerabilitiesReactingg to vulnerabilities inexisting systems is not working3
ApplicationppSecurityy4
Most Vulnerabilities caused byProgramming ErrorsAccording to a study of vulnerabilities in the NationalVulnerabilty Database (NVD) in 2004 by Heffley/Meunier: 64% of the vulnerabilities are due to programming errors 36% of vulnerabilities are due to configuration or design problems.Most of these pprogramminggg errors are repeatedpbasicmistakes. 20% buffer overflows 11% directory traversal attacks 9% format stringg vulnerabilities 4% symlink attacks 4% cross-site scriptingp g vulnerabilities3% shell metacharacter 5
AgendagSoftware SecurityyCERT Secure Coding InitiativeCERT Secure Coding StandardsFuture Directions and Key Points6
Secure Codingg InitiativeInitiative GoalsCurrent CapabilitiesWork with software developers andsoftware development organizationsto eliminate vulnerabilities resultingfrom coding errors before they aredeployed.Secure coding standardswww.securecoding.cert.orgSource code analysis andcertificationTraining coursesInvolved in international standardsdevelopment.Overall ThrustsAdvance the state of the practice insecure codingdiIdentify common programmingerrors that lead to softwarevulnerabilitiesEstablishstab s stastandardda d secusecuree codcodinggpracticesEducate software developers7
EXPLORECREATEAPPLYAMPLIFYSUSTAINCERT C Secure Coding Standard Open Group Adoption WG23 Language Annex Software Certification Wiki content Tool CertificationCERT C Secure Coding StandardThe CERT Sun Microsystems Secure Coding Standard for JavaC Language Security Annex and Prototype8
C Languageg g Securityy Annex and PrototypeypC language standard is undergoing a major revision “C1X” Originally about security, emphasis has shifted 180 degrees towardssupport for multithreading and performance optimizations that may actuallyhurt security.This work would develop a An informative “Analyzability”yy annex to the C standard that defines asecurity “profile”— some enhancements would be implemented by simply recompiling— others may require source code modificationa prototype implementation using gccAnnex could be implemented by compiler vendors who want to provide a secure implementation do not have to compete head to head with other compilers only concernedwith performance.9
C Languageg g Securityy Annex and PrototypeypThis project could have a greater positive impact on softwaresecurity than anything I can imagine given that success of the C securityy annex would motivate C vendors to provide the same semantics for C C and C account for 26%26% of the market (according tothe TIOBE index) 65% of vulnerabilities in the USUS-CERTCERT vulnerabilitydatabase involve these languages standardizationt d di ti willill resultlt ini bbroadd adoptiond ti bby compilerilvendors10
AgendagSoftware SecurityyCERT Secure Coding InitiativeCERT Secure Coding StandardsFuture Directions and Key Points11
CERT Secure Codingg StandardsIdentify coding practices that can be used to improvethe security of software systems under developmentCoding practices are classified as either rules orrecommendations Rules need to be followed to claim compliance. Recommendations are guidelines or suggestions.Development of Secure Coding Standards is acommunity effort12
ScopepThe secure coding standards proposed by CERT are basedon documented standard language versions as defined byofficial or de facto standards organizations.Secure coding standards are under development for: Cpprogramminggg languageg g ((ISO/IEC 9899:1999)) C programming language (ISO/IEC 14882-2003 )Applicable technical corrigenda and documented languageextensions such as the ISO/IEC TR 24731 extensions to the Clibrary are also included.13
Secure Codingg Wikiwww.securecoding.cert.orgRules are solicited from thecommunityPublished as candidate rulesandd recommendationsd tion thethCERT Wiki.Threaded discussions usedfor public vettingCandidate coding practices aremoved into a secure codinggstandard when consensus isreached14
RulesCodinggppractices are defined as rules when1.Violation of the coding practice is likely to result ina security flaw that may result in an exploitablevulnerability.2.There is a denumerable set of conditions forwhich violating the coding practice is necessary toensure correct behavior.3.ConformanceCftot theth codingdi practiceti can bbedetermined through automated analysis, formalmethods, or manual inspection techniques.15
RecommendationsCodinggppractices are defined as recommendationswhen11.Application of the coding practice is likely toimprove system security.2.One or more of the requirements necessary for acodinggppractice to be considered a rule cannot bemet.16
The CERT C Secure Codingg StandardDevelopedp with communityyinvolvement, including over320 registered participantson the wiki.Version 1.0 published byAddison-Wesley inSeptember, 2008. 134 Recommendations 89 Rules17
Noncompliant Examples & Compliant SolutionsNoncompliant Code ExampleIn this noncompliant code example, the char pointer p isg literal. Attemptingp g to modifyyinitialized to the address of a stringthe string literal results in undefined behavior.char *pp "stringstring literal";literal ; p[0] 'S';S ;Compliant SolutionA an array initializer,Asi iti lia stringt i litliterall specifiesifi theth initiali iti l valueslof characters in an array as well as the size of the array. Thiscoded createst a copy off theth stringt i literallit l ini theth space allocatedllt dto the character array a. The string stored in a can be safelymodified.modifiedchar a[] "string literal"; a[0] 'S';18
Distribution of C Recommendations0510Preprocessor (PRE)1511Declarations and Initialization (DCL)16Expressions (EXP)13Integers (INT)16Fl ti PointFloatingP i t (FLP)Arrays (ARR)2043Characters and Strings (STR)9Memory Management (MEM)11Input Output (FIO)17Environment (ENV)Signals (SIG)53Error Handling (ERR)7Miscellaneous (MSC)POSIX (POS)16319
Distribution of C Rules0Preprocessor (PRE)246810167Expressions (EXP)9Integers (INT)6Floating Point (FLP)5Arrays (ARR)9Characters and Strings (STR)8Memoryy Managementg((MEM))6Input Output (FIO)15Environment (ENV)4SiSignalsl (SIG)5Error Handling (ERR)POSIX (POS)142Declarations and Initialization (DCL)Miscellaneous (MSC)1232820
POSIXMany of the core guidelines demonstrate compliant solutionsthat rely for POSIX-compliant systems.g Standard also contains anThe CERT C Secure Codingappendix with guidelines (3 recommendations and 8 rules) forusingg functions that are defined as ppart of the POSIX familyy ofstandards but are not included in ISO/IEC 9899-1999.These rules and recommendations are not part of the corestandard because they do not apply in all C languageapplicationsppand because theyy representpan incompletepset.The intent of providing these guidelines is to demonstrate howrules and recommendations for other standards or specificimplementations may be integrated with the core C99recommendations.21
Contributors and ReviewersContributorsA b b Ahmad,ArbobAh d JJuan AlAlvarado,d DDave AAronson, AbhishekAbhi h k Arya,ABJ Bayha,B h LeviL iBBroderick,d i k HHallBurch, Steven Christey, Ciera Christopher, Geoff Clare, Joe Damato, Stephen C. Dewhurst,Susan Ditmore, Chad Dougherty, Mark Dowd, Xiaoyi Fei, William Fithen, Hallvard Furuseth,Jeffrey Gennari,Gennari Douglas A.A Gwyn,Gwyn Shaun HedrickHedrick, Christina Johns,Johns David Keaton,Keaton TakuyaKondo, Masaki Kubo, Richard Lane, Stephanie Wan-Ruey Lee, Jonathan Leffler, Fred Long,Gregory K. Look, Nat Lyle, Larry Maccherone, John McDonald, Dhruv Mohindra, BhaswanthNalabothula Justin Pincar,Nalabothula,Pincar Randy MeyersMeyers, David M.M Pickett,Pickett Thomas Plum,Plum Dan Saks,Saks RobertC. Seacord, David Svoboda, Chris Taschner, Ben Tucker, Fred J. Tydeman, Nick Stoughton,Wietse Venema, Alex Volkovitsky, Grant Watters, and Gary Yuan.ReviewersKevin Bagust, Greg Beeley, Arjun Bijanki, John Bode, Stewart Brodie, G Bulmer, Kyle Comer,Sean Connelly, Ale Contenti, Tom Danielsen, Török Edwin, Brian Ewins, Justin Ferguson,St h Friedl,StephenF i dl SamiumS iGGromoff,ff KowsikKik Guruswamy,GP t Gutmann,PeterG tRi h d Heathfield,RichardH thfi ldDarryl Hill, Paul Hsieh, Ivan Jager, Steven G. Johnson, Anders Kaseorg, Jerry Leichter,Nicholas Marriott, Scott Meyers, Eric Miller, Ron Natalie, Heikki Orsila, Dan Plakosh, P.J.Plauger Michel Schinz,Plauger,Schinz Eric Sosman,Sosman Chris Tapp,Tapp Andrey Tarasevich,Tarasevich Josh TriplettTriplett, PavelVasilyev, Ivan Vecerina, Zeljko Vrba, David Wagner, Henry S. Warren, Colin Watson, ZhenyuWu, Drew Yao, and Christopher Yeleighton.22
Priorities and LevelsHigh severityseverity,likely,inexpensive torepairi flflawsL1 P12-P27L2 P6-P9L3 P1-P4Med severity,probable, medcost to repairflawsLow severity,unlikelyunlikely,expensive torepair flaws23
FIO30-C. Exclude user input from format stringsg24
CERT MitigationgInformationVulnerabilityu e ab ty Noteote VU#649732U#6 9 3This vulnerability occurred as aresult of failing to comply with ruleFIO30-C of the CERT CProgramming Language SecureCoding StandardStandard.CERT Secure Coding StandardUS CERT Technical AlertsExamples of vulnerabilitiesresulting from the violationof this recommendation canbe found on the CERTwebsite .25
Secure Codingg Standard ApplicationsppEstablish secure codinggppractices within anorganization may be extended with organizationorganization-specificspecific rules cannot replace or remove existing rulesTrain software professionalsCertify programmers in securecodingEstablish requirements forytoolssoftware analysisSoftware Certification26
Major Software Vendor LDRA AdoptsCERT C Secure Coding StandardLDRA shipsp new TBsecure completepwithCERT C Secure Coding programming checkerScreenshot from the LDRA tool suite shows the selection of the CERT C secure coding standard from the C standards models27
LDRA Press ReleaseBoston,, MA – October 26,, 2008. LDRA (Booth(1017), provider of the most complete automatedsoftware verification,verification source code analysis and testtools covering the full development lifecycle, hasreleased its new TBsecure plug-inplug in complete with theCarnegie Mellon Software Engineering Institute (SEI)CERT C secure codingdi standard.t d dTBsecure identifies security vulnerabilities andenables implementation of the just released CERT CSecure Coding Standard version 11.0.028
Software Validation & VerificationImplementingpg checkers for various software analysisytools to verify compliance with CERT secure codingstandards LDRA Fortify SCA Lawrence Livermore National Laboratory (LLNL)Compass / ROSE Coverityy Prevent29
CMU/SEI-2008-TR-014“Evaluation of CERT Secure Coding Rules through Integrationwith Source Code Analysis Tools”y to evaluate the effectiveness of secure codinggppractices,,Studyincluding the use of static analysis tools coupled with securecodingg rule sets the CERT C Programming Language Secure Coding Standard CERT C Programminggg Languageg g Secure Codingg StandardThis study was a joint effort between the CERT Secure CodingInitiative and JPCERT/CC.The objectives of the study were to evaluate the efficacy of theCERT Secure Coding Standards and source code analysistools in improving the quality and security of commercialsoftware projects.projects30
Studyy DesigngTwo static analysis tools were selected for their extensibility aswell as overall effectiveness: Fortify Source Code Analysis (SCA) from Fortify Software and Compass/ROSE from Lawrence Livermore National Laboratory.Checkers were developedp for each tool to check code forviolations of the CERT C and C Secure Coding Standards.These tools were provided to Software Research Associates,AssociatesInc. (SRA), a Japanese software development firm.SRA evaluated the extended versions of Fortify SCA andCompass/ROSE on two existing projects: a toll collection systemsystem-relatedrelated GUI application written in C a Video Service Communication Protocol written in the Cprogramming languagelanguage.31
Studyy ConclusionsThe project successfully extended source code analysis toolsto discover a number of software defects in both projectsevaluated, demonstrating the effectiveness of both the CERTSecure Coding Standards and the static analysis toolsevaluated in improving software quality.The project was also successful in identifying ways in whichboth the CERT Secure Coding Standards and the staticanalysis tools could be further improved.32
CERT SCALe ((Source Code AnalysisyLab))The use of secure coding standards defines a proscriptive setof rules and recommendations to which the source code canbe evaluated for compliance.INT30-C.Provably nonconformingINT31-C.CDocumented deviationINT32-C.ConformingINT33-C.Provably ConformingEnable buyers and developers of software to ensure thatsoftware is correct, secure, and fault resistant, even whensource code and design information is not fully available.33
Secure Codingg in C/C TraininggSecure Codingg in C and C pprovides ppracticalguidance on secure programming provides a detailed explanation of common programmingerrors describesdib hhow errors can lleadd tto vulnerablelbl coded evaluates available mitigation strategiesUseful to anyone involved in developing secure Cand C programs regardless of the application34
Software Assurance EducationCMU CS 15392 Secure Programminggg offered as anundergraduate elective in the School of ComputerScience in S07S07, S08S08, S09 More of a vocational course than an “enduringknowledge course.knowledge”course Students are interested in taking a class that goesbbeyondd ““policy”li ”CMU INI Graduate Class in Secure SoftwareEngineering14735Courses based on this material currently beingoffered at several universities35
Software Assurance EducationThe SEI is organizinggg a small ggroupp of universitiesaround the theme of secure coding.The SEI to host a workshop that brings professorstogether to design parallel efforts topromulgate secure coding to their students and2. measure the impact of #1 on student abilities to developsoftware that is not vulnerable to known attacks.1.36
AgendagSoftware SecurityyCERT Secure Coding InitiativeCERT Secure Coding StandardsFuture Directions and Key Points37
CERT C and ISO/IEC WG14The idea for a CERT C Secure Coding standard arose at theISO/IEC WG14 (the international standardization workinggroup for the programming language C) meeting in Berlin inMarch 2006.guideline has been twice reviewed byy WG14, atThe CERT C gthe London and Kona meetings.During the Delft 2008 meeting, PL22.11 discussed if it shouldsubmit the CERT Secure Coding Standard to WG14 as acandidate for ppublication as a Typeyp 2 or Typeyp 3 technicalreport.The next revision of the C Secure Coding Guideline is beingprepared in proper format for approval as an ISO C TechnicalReport and should be available by the end of this month.38
ISO/IEC C Secure Codingg GuidelineGoal is to ppublish as a Typeyp II technical report.pTarget audience would include source code analysistool vendors.vendorsggguidelines would focus on rulesThe secure codingand “analyzable” recommendations.The CERT C Secure Coding Standard is being usedas a base document.Cut down to eliminate non-normative text such as compliant solutions risk analysis39
Publication as an Openp StandardPublishing secure coding guidelines as an open standard willallow the content to be controlled through an open standardsprocess.Particularly important In the case where government or otherindustryy bodies beging to requireqconformance with thisdocument. The corollaryy is that not publishingpg as an openp standard mayy notprevent the US government or other software consumers fromrequiring conformance to the existing document. For example, procurement language under development by theState of New York and other state governments already is beingadjusted to use the CWE/SANS TOP 25 Programming Errors whichis mapped to CERT Secure Coding Standards.40
ationC tifi nalCertification,,ApplicationCertificationAdoption bysource codedanalysisvendors anddevelopersAdoption bysource codeyanalysisvendors anddevelopersAmpplifyAppplyCERT SunMicrosystemsSecure CodingStandard forJJavaApplyA yCrreateeCERT C Secure CodingStandardTraining,P ionApplyCreaC ateCERT CSSecureCodingC diStandardCreaateRoadmappAdoption bysource codeanalysisvendors andddevelopersl41
Future DirectionsContinue to developp and enhance existingg securecoding standards and associated checkersDevelop secure coding standards for otherlanguages and programming environments Web Development Language independent Ada, SPARKDDevelopl secure codingdi ddesigni patternstt42
Keyy PointsEverydayy y software defects cause the majorityj y ofsoftware vulnerabilities.Software developers are not always properly trainedand equipped to program securely.The result is numerous delivered defects, some ofwhich can lead to vulnerabilities.Understanding the sources of vulnerabilities andllearningi tto program securelyl isi iimperativeti ttoprotecting the Internet and ourselves from attack.43
Questions44
For More InformationVisit CERT web cert org/secure coding/https://www.securecoding.cert.org/Contact PresenterRobert C. Seacord rcs@cert.orgContact CERT Coordination Center:Software Engineering InstituteCarnegie Mellon University4500 Fifth AvenuePittsburgh PA 15213-3890USAHotline: 1 412 268 7090CERT/CC personnel answer 24x7, 365days per yearFax: 1 412 268 6989Mailto: cert@cert.org@g45
the CERT C Programming Language Secure Coding Standard CERT C Proggggg gramming Language Secure Coding Standard This study was a joint effort between the CERT Secure Coding Initiative and JPCERT/CC.Initiative and JPCERT/CC. The objectives of the study were to evaluate the efficacy of the CERT Secure Coding Standards and source code .
