Secure Coding Webinar3

Upcoming Course:

Secure Coding in C and C++


November 3-6, 2009
Arlington, VA
Register at:
http://www.sei.cmu.edu/products/courses/p63.html

1
13th International Software Product Line
Conference 2009 (SPLC)

http://www.sei.cmu.edu/splc2009/index.html

Organizations Need
Software Product Lines
Now More Than Ever!
Effectively using software product lines
improves time to market, cost,
productivity, and quality. They also
enable rapid market entry and flexible
response. And, using software product
lines simplifies software maintenance
and enhancement.

2
Research, Technology, and System Solutions Program:
Working with the SEI

If you need to improve
    the structure and behavior of your software-reliant systems (regardless of scale)
    your ability to predict that behavior

The SEI can
    harness the appropriate technology to help you solve specific problems
    help you launch initiatives
    help you improve your capabilities
    conduct applied research that meets your needs
    partner with you to create leading edge techniques, methods, and tools

For more information contact [email protected]


3
CERT's Podcast Series:
Security for Business Leaders.

http://www.cert.org/podcast/

4
SEPG is the premier, global conference series
on software and systems process management

http://www.sei.cmu.edu/sepg/index.html

Call for Abstracts and Reviewers open for


SEPG North America 2010!

5
Get Certified!
SEI Certifications:
Proof of your skill from a world leader in
software engineering.
http://www.sei.cmu.edu/certification/

6
Want a Closer Connection to the SEI?

Become an SEI Member!


http://www.sei.cmu.edu/membership/

7
Do you have the knowledge you need?

SEI Education & Training


http://www.sei.cmu.edu/products/courses/

8
SEI Webinar Series:
Secure Coding
August 18th

Robert C. Seacord

2009 Carnegie Mellon University


Presenter Bio
Robert Seacord began programming (professionally) for IBM in 1982 and has been programming in C since 1985. Robert leads the Secure Coding Initiative at CERT, located at Carnegie Mellon's Software Engineering Institute (SEI). He is the author of The CERT C Secure Coding Standard (Addison-Wesley, 2009), Secure Coding in C and C++ (Addison-Wesley, 2005), Building Systems from Commercial Components (Addison-Wesley, 2002) and Modernizing Legacy Systems (Addison-Wesley, 2003).

10
How did you hear about this webinar?
Invitation
SEI Website
SEI member Bulletin
LinkedIn or Twitter
Programming Language Special Interest Group

11
Secure Coding Initiative

Initiative Goals
Work with software developers and software development organizations to eliminate vulnerabilities resulting from coding errors before they are deployed.

Overall Thrusts
    Advance the state of the practice in secure coding
    Identify common programming errors that lead to software vulnerabilities
    Establish standard secure coding practices
    Educate software developers

Current Capabilities
    Secure coding standards (www.securecoding.cert.org)
    Source code analysis and conformance testing
    Training courses
    Involved in international standards development

12
Secure Coding in the SDLC

13
Increasing Vulnerabilities
Reacting to vulnerabilities in
existing systems is not working

14
CERT Secure Coding Initiative
Reduce the number of vulnerabilities to a level where
they can be handled by computer security incident
response teams (CSIRTs)
Decrease remediation costs by eliminating
vulnerabilities before software is deployed

15
Poll
What programming language is primarily used by
your department / group / organization?
a) C
b) C++
c) Java
d) Scripting
e) Other

16
Fun With Integers
Lesson: Process is irrelevant without a strong fundamental knowledge of the language and environment.

char x, y;
x = -128;
y = -x;

if (x == y) puts("1");
if ((x - y) == 0) puts("2");
if ((x + y) == 2 * x) puts("3");
if (((char)(-x) + x) != 0) puts("4");
if (x != -y) puts("5");
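An added example, not code from the slides, that runs the five tests above with signed char (so the result does not depend on whether the platform's char is signed) and pairs them with a defensive negation that refuses the one value whose negation cannot be represented. On a two's-complement compiler all five puts() calls fire: -x is evaluated in int as +128, and storing it back into an 8-bit signed type yields -128 again (the conversion is implementation-defined in C99). The function names are chosen here.

```c
#include <stdio.h>
#include <limits.h>

/* The slide's five tests, with `signed char` instead of `char`.
 * Returns a bit mask of which puts() calls would fire (bit 0 = "1"). */
unsigned which_tests_fire(void) {
    signed char x = -128;   /* SCHAR_MIN */
    /* Integer promotion: -x is computed as the int 128, which does not fit
     * in signed char. The conversion back is implementation-defined; on
     * two's-complement compilers (gcc, clang) y becomes -128 again. */
    signed char y = -x;
    unsigned fired = 0;
    if (x == y)                         fired |= 1u << 0;  /* "1" */
    if ((x - y) == 0)                   fired |= 1u << 1;  /* "2" */
    if ((x + y) == 2 * x)               fired |= 1u << 2;  /* "3" */
    if (((signed char)(-x) + x) != 0)   fired |= 1u << 3;  /* "4" */
    if (x != -y)                        fired |= 1u << 4;  /* "5" */
    return fired;
}

/* The value -x really has before it is truncated back into a signed char. */
int promoted_negation(signed char x) { return -x; }

/* Defensive negation: -SCHAR_MIN equals SCHAR_MAX + 1, so the only input
 * that cannot be negated is SCHAR_MIN. Returns 1 on success, 0 on refusal. */
int safe_negate(signed char x, signed char *out) {
    if (x == SCHAR_MIN) return 0;
    *out = (signed char)-x;
    return 1;
}

int main(void) {
    unsigned fired = which_tests_fire();
    for (int i = 0; i < 5; i++)
        if (fired & (1u << i)) printf("%d\n", i + 1);
    signed char r;
    printf("-x as int: %d\n", promoted_negation(-128));
    printf("safe_negate(-128): %s\n", safe_negate(-128, &r) ? "ok" : "rejected");
    return 0;
}
```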

17
Secure Coding Roadmap (timeline figure: 2003 to 2010 on the horizontal axis, breadth of impact on the vertical axis)
    SEI Secure Coding Course, licensed to: Computer Associates, Siemens, SANS
    University courses: CMU, Purdue, University of Florida, Santa Clara University, St. John Fisher College
    Secure Design Patterns
    Influence International Standard Bodies
    Tool Test Suite
    Adoption by Analyzer Tools
    Application Conformance Testing
    Adoption by software developers: Lockheed Martin Aeronautics, General Atomics

18
Products and Services
CERT Secure Coding Standards
CERT SCALe (Source Code Analysis Laboratory)
TSP Secure
Training courses
Research

19
CERT Secure Coding Standards
Establish coding guidelines for commonly used
programming languages that can be used to improve
the security of software systems under development
Based on documented standard language versions
as defined by official or de facto standards
organizations
Secure coding standards are under development for:
C programming language (ISO/IEC 9899:1999)
C++ programming language (ISO/IEC 14882-2003)
Java Platform Standard Edition 6

20
Secure Coding Web Site (Wiki)
www.securecoding.cert.org
    Rules are solicited from the community
    Published as candidate rules and recommendations on the CERT Wiki
    Threaded discussions used for public vetting
    Candidate coding practices are moved into a secure coding standard when consensus is reached

21
Noncompliant Examples & Compliant Solutions

Noncompliant Code Example
In this noncompliant code example, the char pointer p is initialized to the address of a string literal. Attempting to modify the string literal results in undefined behavior.

char *p = "string literal";
p[0] = 'S';

Compliant Solution
As an array initializer, a string literal specifies the initial values of characters in an array as well as the size of the array. This code creates a copy of the string literal in the space allocated to the character array a. The string stored in a can be safely modified.

char a[] = "string literal";
a[0] = 'S';
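An added example, not the slide's code, that uses the compliant array form inside a bounds-checked copy and shows the defensive declaration for the pointer form: with a const-qualified pointer, the noncompliant write p[0] = 'S' is rejected by the compiler instead of becoming undefined behavior at run time. The names capitalize_copy and literal_view are chosen here.

```c
#include <stdio.h>
#include <string.h>

/* Compliant form: the literal initializes a writable array, so the copy
 * can be modified in place. The modified string (with its NUL) is copied
 * to out; returns the number of bytes written, or 0 if out is too small. */
size_t capitalize_copy(char *out, size_t out_len) {
    char a[] = "string literal";   /* sizeof a == 15: 14 chars plus NUL */
    a[0] = 'S';                      /* modifies the array, not the literal */
    if (out_len < sizeof a) return 0;
    memcpy(out, a, sizeof a);
    return sizeof a;
}

/* Pointer form, declared defensively: the const qualifier makes any
 * attempt to write through p (e.g. p[0] = 'S') a compile-time error. */
const char *literal_view(void) {
    const char *p = "string literal";
    return p;
}

int main(void) {
    char buf[32];
    size_t n = capitalize_copy(buf, sizeof buf);
    printf("%s (%zu bytes including NUL)\n", buf, n);
    printf("%s\n", literal_view());
    return 0;
}
```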

22
CERT C Secure Coding Standard: Rules (89) and Recommendations (132) by section

Section                                 Rules   Recommendations
Preprocessor (PRE)                          2        11
Declarations and Initialization (DCL)       7        15
Expressions (EXP)                           9        12
Integers (INT)                              6        16
Floating Point (FLP)                        5         4
Arrays (ARR)                                9         3
Characters and Strings (STR)                8         9
Memory Management (MEM)                     6        11
Input Output (FIO)                         15        17
Environment (ENV)                           4         5
Signals (SIG)                               5         3
Error Handling (ERR)                        3         7
Miscellaneous (MSC)                         2        16
POSIX (POS)                                 8         3
Total                                      89       132

23
CERT Mitigation Information

Vulnerability Note VU#649732:
This vulnerability occurred as a result of failing to comply with rule FIO30-C of the CERT C Programming Language Secure Coding Standard.

US-CERT Technical Alerts:
Examples of vulnerabilities resulting from the violation of this recommendation can be found on the CERT Secure Coding Standard website.

24
Secure Coding Standard Applications
Establish secure coding practices within an
organization
may be extended with organization-specific rules
cannot replace or remove existing rules
Train software professionals
Certify programmers in secure
coding
Establish requirements for
software analysis tools
Certify software systems

25
Industry Adoption
Software developers that require code to conform to The CERT C Secure Coding Standard:

Software tools that (partially) enforce The CERT C Secure Coding Standard:

26
Industry Adoption
LDRA ships new TBsecure complete with
CERT C Secure Coding programming checker

Screenshot from the LDRA tool suite shows the selection of the
CERT C secure coding standard from the C standards models

27
Products and Services
CERT Secure Coding Standards
CERT SCALe (Source Code Analysis Laboratory)
TSP Secure
Training courses
Research

28
Enforcing Coding Standards
Increasingly, application source code reviews are dictated.
The Payment Card Industry (PCI) Data
Security Standard requires that
companies with stored credit card or other
consumer financial data
install application firewalls around all
Internet-facing applications or
have all the applications' code reviewed for
security flaws.
This requirement could be met by a
manual review of application source code
or the proper use of automated
application source code analyzer tools.

29
CERT SCALe (Source Code Analysis Lab)
Satisfy demand for source code assessments for both government and industry organizations.
    Assess source code against one or more secure coding standards.
    Provide a detailed report of findings.
    Assist customers in developing conforming systems.

30
Conformance Testing
The use of secure coding standards defines a proscriptive set of rules and recommendations to which the source code can be evaluated for compliance.

Process (flow diagram):
    Client contacts SCALe
    SCALe communicates requirement
    Client provides buildable software
    SCALe selects tool set
    SCALe analyzes source code and generates initial report
    Client repairs software
    SCALe issues conformance test results and certificate

Example per-rule outcomes in a report:
    INT30-C. Provably nonconforming
    INT31-C. Documented deviation
    INT32-C. Conforming
    INT33-C. Provably conforming

31
Products and Services
CERT Secure Coding Standards
CERT SCALe (Source Code Analysis Laboratory)
TSP Secure
Training courses
Research

32
Secure TSP (diagram; recoverable labels): 221 Guidelines; static analysis tools, unit tests, and fuzz testing; Security Manager; Source Code; Deploy
33
Products and Services
CERT Secure Coding Standards
CERT SCALe (Source Code Analysis Laboratory)
TSP Secure
Training Courses
Research

34
Secure Coding in C/C++ Course
Four day course provides practical guidance on secure
programming
provides a detailed explanation of common programming errors
describes how errors can lead to vulnerable code
evaluates available mitigation strategies
http://www.sei.cmu.edu/products/courses/p63.html
Useful to anyone involved in developing secure C and C++
programs regardless of the application
Direct offerings in Pittsburgh, Arlington, and other cities
Partnered with industry
Licensed to Computer Associates to train 9000+ internal software
developers
Licensed to SANS to provide public training

35
CMU CS 15-392 Secure Programming
Offered as an undergraduate elective in the School of
Computer Science in S07, S08 and S09
More of a vocational course than an enduring
knowledge course.
Students are interested in taking a class that goes
beyond policy
Secure Software Engineering graduate course
offered at INI in F08, F09
Working with NSF to sponsor a workshop in Mauritius
to help universities throughout the world teach secure
coding

36
Products and Services
CERT Secure Coding Standards
CERT SCALe (Source Code Analysis Laboratory)
TSP Secure
Training Courses
Research

37
As-if Infinitely Ranged (AIR) Integers
AIR integers is a model for automating the elimination of integer overflow and truncation in C and C++ code.
    integer operations either succeed or trap
    uses the runtime-constraint handling mechanisms defined by ISO/IEC TR 24731-1
    generates constraint violations for:
        signed overflow for addition, subtraction, multiplication, negation, and left shifts
        unsigned wrapping for addition, subtraction, and multiplication
        truncation resulting from coercion (not included in benchmarks)

SPECINT2006 macro-benchmarks
Optimization Level Control Ratio Analyzable Ratio % Slowdown
-O0 4.92 4.60 6.96
-O1 7.21 6.77 6.50
-O2 7.38 6.99 5.58
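An added example, not the AIR prototype or any CERT code, sketching the "succeed or trap" rule for signed int addition and multiplication with a replaceable handler modelled on the runtime-constraint handlers of ISO/IEC TR 24731-1. Both checks run before the operation, because signed overflow is undefined behavior in C and cannot be detected after the fact; the multiplication test follows the four sign cases of CERT rule INT32-C. All names are chosen here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <limits.h>

typedef void (*constraint_handler_t)(const char *msg);

/* Default: report and trap, which is the AIR behaviour for a violation. */
static void abort_handler(const char *msg) {
    fprintf(stderr, "runtime-constraint violation: %s\n", msg);
    abort();
}
/* Non-fatal handler that only counts violations, for inspection. */
static int violations;
void record_handler(const char *msg) { (void)msg; violations++; }
int violation_count(void) { return violations; }

static constraint_handler_t handler = abort_handler;
constraint_handler_t set_constraint_handler(constraint_handler_t h) {
    constraint_handler_t old = handler; handler = h; return old;
}

/* Returns 1 and stores a + b, or invokes the handler and returns 0. */
int air_add(int a, int b, int *res) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        handler("signed addition overflow"); return 0;
    }
    *res = a + b; return 1;
}

/* Returns 1 and stores a * b, or invokes the handler and returns 0. */
int air_mul(int a, int b, int *res) {
    if (a > 0) {
        if (b > 0) { if (a > INT_MAX / b) goto trap; }
        else       { if (b < INT_MIN / a) goto trap; }
    } else {
        if (b > 0) { if (a < INT_MIN / b) goto trap; }
        else       { if (a != 0 && b < INT_MAX / a) goto trap; }
    }
    *res = a * b; return 1;
trap:
    handler("signed multiplication overflow"); return 0;
}

int main(void) {
    int r;
    set_constraint_handler(record_handler);   /* count instead of aborting */
    printf("INT_MAX + 1: %s\n", air_add(INT_MAX, 1, &r) ? "ok" : "trapped");
    printf("46340 * 46340: %s\n", air_mul(46340, 46340, &r) ? "ok" : "trapped");
    printf("violations: %d\n", violation_count());
    return 0;
}
```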

38
CERT C and C++
Develop a holistic solution to the problem that includes
An analyzability annex for the C1X standard
As-if infinitely ranged (AIR) integers
Safe Secure C/C++ methods (SSCC)
C and C++ Secure Coding Guidelines
This solution eliminates the vulnerabilities:
Writing outside the bounds of an object (e.g., buffer overflow)
Reading outside the bounds of an object
Arbitrary reads/writes (e.g., wild-pointer stores)
Integer overflow and truncation
Prototype using Compass/ROSE and GCC

39
Prototype Design (diagram; recoverable labels): Source file; Compiler Frontend; Internal representation (IR); Advice file; Modified Compiler Backend; Object code; Pre-linker; Linker; Run-time pointer-checking library; Safe/Secure Executable; ROSE diagnostics

40
Poll
Would you like to receive email announcements
about secure coding in the future?
a) Yes
b) No

41
For More Information
Visit CERT web sites:
http://www.cert.org/secure-coding/
https://www.securecoding.cert.org/

Contact Presenter
Robert C. Seacord
[email protected]
(412) 268-7608

Contact CERT:
Software Engineering Institute
Carnegie Mellon University
4500 Fifth Avenue
Pittsburgh PA 15213-3890
USA

42
