Difference between revisions of "StarlingX/Security/Banned C Functions"
(→Guidance) |
(→Guidance) |
||
Line 4: | Line 4: | ||
Prohibiting the use of banned functions is a good way to remove a significant number of potential code vulnerabilities from C and C++ code. This list is the compiled library of known bad functions that should be removed to reduce vulnerabilities. It is derived from experience with real-world security bugs and focuses primarily on functions that can lead to buffer overruns (reference: [https://msdn.microsoft.com/en-us/library/bb288454.aspx msdn]). | Prohibiting the use of banned functions is a good way to remove a significant number of potential code vulnerabilities from C and C++ code. This list is the compiled library of known bad functions that should be removed to reduce vulnerabilities. It is derived from experience with real-world security bugs and focuses primarily on functions that can lead to buffer overruns (reference: [https://msdn.microsoft.com/en-us/library/bb288454.aspx msdn]). | ||
− | Specifically, for | + | Specifically, for Starling X, the main guidelines are that: |
* Only functions in the standard C runtime library—libc—are mandated | * Only functions in the standard C runtime library—libc—are mandated | ||
* Unbounded functions are banned unless specifically noted | * Unbounded functions are banned unless specifically noted | ||
Line 35: | Line 35: | ||
|- | |- | ||
|vsnprintf | |vsnprintf | ||
− | | style="color: white; background-color:#ff8000;" | banned except with approval from core. requires detailed inspection to avoid va_list pitfalls | + | | style="color: white; background-color:#ff8000;" | banned except with approval from core. requires detailed inspection to avoid va_list pitfalls. vsnprint() is typically used for custom logging functionality. Given the flexibility of this function, it is easy to mismatch data types pushed on the stack for a va-list function and types pulled from the stack by the function. The core needs to ensure that the format matches the variables passed to avoid mismatches. |
|- | |- | ||
|strtok | |strtok |
Revision as of 21:01, 10 December 2018
DRAFT
Guidance
Prohibiting the use of banned functions is a good way to remove a significant number of potential code vulnerabilities from C and C++ code. This list is the compiled library of known bad functions that should be removed to reduce vulnerabilities. It is derived from experience with real-world security bugs and focuses primarily on functions that can lead to buffer overruns (reference: msdn).
Specifically, for Starling X, the main guidelines are that:
- Only functions in the standard C runtime library—libc—are mandated
- Unbounded functions are banned unless specifically noted
- Stack allocation functions are banned unless specifically approved by the project core
There is no requirement to retrofit existing upstream code to meet these guidelines. A summary of the policy is provided below.
Func | Status |
strcpy, wcscpy | unbounded, banned; use strncpy |
strncpy | inspect for unterminated/truncated output |
strcat, wcscat | unbounded, banned; use strncat |
strncat | inspect for truncated output |
sprintf, vsprintf | unbounded, banned; use snprintf, vsnprintf |
snprintf | inspect for result fitting in buffer: snprintf(buf, size, ...) < size |
vsnprintf | banned except with approval from core. requires detailed inspection to avoid va_list pitfalls. vsnprint() is typically used for custom logging functionality. Given the flexibility of this function, it is easy to mismatch data types pushed on the stack for a va-list function and types pulled from the stack by the function. The core needs to ensure that the format matches the variables passed to avoid mismatches. |
strtok | unbounded, banned; use strtok_r or strsep |
strtok_r, strsep | Inspect for terminated input buffer |
sscanf, vsscanf | unbounded, banned |
gets | unbounded, banned, use fgets() instead |
ato* | banned, use equivalent strto* functions |
*toa | Non-standard, inspect for output buffer length; prefer snprintf |
strlen, wcslen | banned except static strings; use strnlen with max length constant |
memcpy, memmove | allowed |
alloca | banned except with approval of core. requires detailed inspection to avoid stack overflow |
Color Coding
Allowed w/Inspection | Banned | Banned w/Exceptions |