Difference between revisions of "StarlingX/Security/Banned C Functions"
(→Guidance) |
(→Guidance) |
||
| Line 13: | Line 13: | ||
|- | |- | ||
|strcpy, wcscpy | |strcpy, wcscpy | ||
| − | |unbounded, banned; use strncpy | + | |<pre style="color: red">unbounded, banned; use strncpy</pre> |
|- | |- | ||
|strncpy | |strncpy | ||
| Line 19: | Line 19: | ||
|- | |- | ||
|strcat, wcscat | |strcat, wcscat | ||
| − | |unbounded, banned; use strncat | + | |<pre style="color: red">unbounded, banned; use strncat</pre> |
|- | |- | ||
|strncat | |strncat | ||
| Line 25: | Line 25: | ||
|- | |- | ||
|sprintf, vsprintf | |sprintf, vsprintf | ||
| − | |unbounded, banned; use snprintf, vsnprintf | + | |<pre style="color: red">unbounded, banned; use snprintf, vsnprintf</pre> |
|- | |- | ||
|snprintf | |snprintf | ||
| Line 31: | Line 31: | ||
|- | |- | ||
|vsnprintf | |vsnprintf | ||
| − | |banned except with approval from core. requires detailed inspection to avoid va_list pitfalls | + | |<pre style="color: orange">banned except with approval from core. requires detailed inspection to avoid va_list pitfalls</pre> |
|- | |- | ||
|strtok | |strtok | ||
| − | |unbounded, banned; use strtok_r or strsep | + | |<pre style="color: red">unbounded, banned; use strtok_r or strsep</pre> |
|- | |- | ||
|strtok_r, strsep | |strtok_r, strsep | ||
| Line 40: | Line 40: | ||
|- | |- | ||
|sscanf, vsscanf | |sscanf, vsscanf | ||
| − | |unbounded, banned | + | |<pre style="color: red">unbounded, banned</pre> |
|- | |- | ||
|gets | |gets | ||
| − | |unbounded, banned, use fgets() instead | + | |<pre style="color: red">unbounded, banned, use fgets() instead</pre> |
|- | |- | ||
|ato* | |ato* | ||
| − | |banned, use equivalent strto* functions | + | |<pre style="color: red">banned, use equivalent strto* functions</pre> |
|- | |- | ||
|*toa | |*toa | ||
| Line 52: | Line 52: | ||
|- | |- | ||
|strlen, wcslen | |strlen, wcslen | ||
| − | |banned except static strings; use strnlen with max length constant | + | |<pre style="color: orange">banned except static strings; use strnlen with max length constant</pre> |
|- | |- | ||
|memcpy, memmove | |memcpy, memmove | ||
| Line 58: | Line 58: | ||
|- | |- | ||
|alloca | |alloca | ||
| − | |banned except with approval of core. requires detailed inspection to avoid stack overflow | + | |<pre style="color: orange">banned except with approval of core. requires detailed inspection to avoid stack overflow</pre> |
|} | |} | ||
Revision as of 21:41, 16 November 2018
Guidance
Prohibiting the use of banned functions is a good way to remove a significant number of potential code vulnerabilities from C and C++ code. This list is the compiled library of known bad functions that should be removed to reduce vulnerabilities. It is derived from experience with real-world security bugs and focuses primarily on functions that can lead to buffer overruns (reference: msdn). Specifically, for starling X, the main guidelines are that:
- Only functions in the standard C runtime library—libc—are mandated
- Unbounded functions are banned unless specifically noted
- Stack allocation functions are banned unless specifically approved by the project core
There is no requirement to retrofit existing upstream code to meet these guidelines. A summary of the policy is provided below.
| Func | Status |
| strcpy, wcscpy | unbounded, banned; use strncpy |
| strncpy | inspect for unterminated/truncated output |
| strcat, wcscat | unbounded, banned; use strncat |
| strncat | inspect for truncated output |
| sprintf, vsprintf | unbounded, banned; use snprintf, vsnprintf |
| snprintf | inspect for result fitting in buffer: snprintf(buf, size, ...) < size |
| vsnprintf | banned except with approval from core. requires detailed inspection to avoid va_list pitfalls |
| strtok | unbounded, banned; use strtok_r or strsep |
| strtok_r, strsep | Inspect for terminated input buffer |
| sscanf, vsscanf | unbounded, banned |
| gets | unbounded, banned, use fgets() instead |
| ato* | banned, use equivalent strto* functions |
| *toa | Non-standard, inspect for output buffer length; prefer snprintf |
| strlen, wcslen | banned except static strings; use strnlen with max length constant |
| memcpy, memmove | allowed |
| alloca | banned except with approval of core. requires detailed inspection to avoid stack overflow |
Color Coding
| Allowed w/Inspection | Banned |
Banned w/Exceptions |
