Jump to: navigation, search

Difference between revisions of "StarlingX/Security/Banned C Functions"

(Guidance)
(Guidance)
Line 25: Line 25:
 
|-
 
|-
 
|sprintf, vsprintf
 
|sprintf, vsprintf
| style="color: red" | unbounded, banned; use snprintf, vsnprintf
+
| style="color: white; background-color:#ff0000" | unbounded, banned; use snprintf, vsnprintf
 
|-
 
|-
 
|snprintf
 
|snprintf
Line 34: Line 34:
 
|-
 
|-
 
|strtok
 
|strtok
| style="color: red" | unbounded, banned; use strtok_r or strsep
+
| style="color: white; background-color:#ff0000" | unbounded, banned; use strtok_r or strsep
 
|-
 
|-
 
|strtok_r, strsep
 
|strtok_r, strsep
Line 40: Line 40:
 
|-
 
|-
 
|sscanf, vsscanf
 
|sscanf, vsscanf
| style="color: red" | unbounded, banned
+
| style="color: white; background-color:#ff0000" | unbounded, banned
 
|-
 
|-
 
|gets
 
|gets
| style="color: red" | unbounded, banned, use fgets() instead
+
| style="color: white; background-color:#ff0000" | unbounded, banned, use fgets() instead
 
|-
 
|-
 
|ato*
 
|ato*
| style="color: red" | banned, use equivalent strto* functions
+
| style="color: white; background-color:#ff0000" | banned, use equivalent strto* functions
 
|-
 
|-
 
|*toa
 
|*toa
Line 65: Line 65:
 
|+
 
|+
 
|Allowed w/Inspection
 
|Allowed w/Inspection
| style="color: red" | Banned
+
| style="color: white; background-color:#ff0000" | Banned
 
| style="color: orange" | Banned w/Exceptions
 
| style="color: orange" | Banned w/Exceptions
 
|}
 
|}

Revision as of 21:56, 16 November 2018

Guidance

Prohibiting the use of banned functions is a good way to remove a significant number of potential code vulnerabilities from C and C++ code. This list is the compiled library of known bad functions that should be removed to reduce vulnerabilities. It is derived from experience with real-world security bugs and focuses primarily on functions that can lead to buffer overruns (reference: msdn). Specifically, for starling X, the main guidelines are that:

  • Only functions in the standard C runtime library—libc—are mandated
  • Unbounded functions are banned unless specifically noted
  • Stack allocation functions are banned unless specifically approved by the project core

There is no requirement to retrofit existing upstream code to meet these guidelines. A summary of the policy is provided below.

Func Status
strcpy, wcscpy unbounded, banned; use strncpy
strncpy inspect for unterminated/truncated output
strcat, wcscat unbounded, banned; use strncat
strncat inspect for truncated output
sprintf, vsprintf unbounded, banned; use snprintf, vsnprintf
snprintf inspect for result fitting in buffer: snprintf(buf, size, ...) < size
vsnprintf banned except with approval from core. requires detailed inspection to avoid va_list pitfalls
strtok unbounded, banned; use strtok_r or strsep
strtok_r, strsep Inspect for terminated input buffer
sscanf, vsscanf unbounded, banned
gets unbounded, banned, use fgets() instead
ato* banned, use equivalent strto* functions
*toa Non-standard, inspect for output buffer length; prefer snprintf
strlen, wcslen banned except static strings; use strnlen with max length constant
memcpy, memmove allowed
alloca banned except with approval of core. requires detailed inspection to avoid stack overflow

Color Coding

Allowed w/Inspection Banned Banned w/Exceptions