In a world where software is everywhere and any security hole can be exploited at any time to gain unauthorized access to important systems, most organizations make some effort to ensure the software they produce is safe and secure.
Usually this is done in the form of black-box testing or penetration testing, which is valuable, but an even better way is of course to produce software that is more secure and reliable in the first place. To do so, it helps to leverage industry coding standards, but there is a veritable jungle of information to tackle, including security coding standards (e.g. CERT, OWASP, CWE) and numerous domain-specific standards (e.g. MISRA, AUTOSAR, and a whole family of IEC 61508-based standards). It can be challenging to determine the set of coding standards that should be applied to a specific project, and even more challenging to do so in the middle of software development, when already-existing software suddenly needs to be tuned to comply with such a standard.
8. CQE (Common Quality Enumeration)
• Community initiative
• Managed by The MITRE Corporation
• CWE-like industry standard for software quality
• Still a draft (v. 0.9)
• 112 Quality Issues
CQE-9221: Excessive Code Complexity
The code is too complex, as calculated using a well-defined, quantitative measure.
Parent of:
• CQE-9222 Excessive Cyclomatic Complexity
• CQE-9223 Excessive Halstead Complexity
• CQE-9225 Excessively Deep Nesting
• CQE-9226 Excessive Attack Surface
CQE, CWE, and the CQE logo are trademarks of The MITRE Corporation.
9. The Jungle of the Secure Coding Standards
[Figure: a cloud of standard names: CVE, CQE, MISRA, ISO 26262, CERT, DO-178C, AUTOSAR, CWE, IEC 61508]
10. Functional Safety Standards
• DO-178C / ED-12C: Aviation
• IEC 61508: General purpose
• ISO 26262: Automotive
• IEC 62279 / EN 50128: Railway
• IEC 62061: Machinery
• ...
• IEC 62304: Medical
11. IEC 61508 and Static analysis
• Table A.9 – Software verification
• Table B.1 – Design and coding standards
• Table B.8 – Static Analysis

Table A.9 – Software verification
  Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
  3. Static analysis                                           R      HR     HR     HR

Table B.8 – Static Analysis
  Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
  3. Control Flow Analysis                                     R      HR     HR     HR
  4. Data Flow Analysis                                        R      HR     HR     HR
  9. Static analysis of run time error behaviour               R      R      R      HR

Table B.1 – Design and coding standards
  Technique / measure                                        SIL 1  SIL 2  SIL 3  SIL 4
  1. Use of coding standard to reduce likelihood of errors     HR     HR     HR     HR
  2. No dynamic objects                                        R      HR     HR     HR
  8. No automatic type conversion                              R      HR     HR     HR

(R = recommended, HR = highly recommended for the given Safety Integrity Level)
12. The Jungle of the Secure Coding Standards
13. Coding Standards
Commonly used C and C++ standards:
• MISRA C
• MISRA C++
• JSF AV C++ Coding Standard
• SEI CERT C Coding Standard
• SEI CERT C++ Coding Standard
• AUTOSAR C++14 Guidelines
14. MISRA C / C++
• MISRA C:
  • MISRA C:1998 (Guidelines for the use of the C language in vehicle based software)
  • MISRA C:2004 (Guidelines for the use of the C language in critical systems)
  • MISRA C:2012 (Guidelines for the use of the C language in critical systems)
  • MISRA C:2012 Amendment 1 (Additional security guidelines for MISRA C:2012)
• MISRA C++:
  • MISRA C++:2008 (Guidelines for the use of the C++ language in critical systems)
  • Covers C++03
  • Focused on safety-related aspects
15. MISRA C / C++
MISRA C:2012 rule examples:
• Rule 2.1: A project shall not contain unreachable code
• Rule 2.2: There shall be no dead code
• Rule 11.1: Conversions shall not be performed between a pointer to a function and any other type
• Rule 19.2: The union keyword should not be used
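Two of the rules above (11.1 and 19.2) are easiest to understand with the violating pattern next to a compliant alternative. The following is an added example written for this page, not MISRA's own example code; it is written in C-compatible style but compiled as C++ so it shares the page's example language. The function names (bits_via_union, bits_via_memcpy, dispatch) and the op_code enum are assumptions made for illustration.

```cpp
// Added example: MISRA C:2012 Rules 19.2 and 11.1, each shown as the
// violating pattern beside a compliant alternative. Written in C-compatible
// style but compiled as C++; not MISRA's own example code.
#include <cstdint>
#include <cstring>

// --- Rule 19.2: "The union keyword should not be used" ---------------------

// Non-compliant: type punning through a union. Reading a member other than
// the one last written is implementation-defined in C and undefined in C++.
// Compiled here to show the pattern, but deliberately never called.
std::uint32_t bits_via_union(float f) {
    union { float as_float; std::uint32_t as_bits; } pun;
    pun.as_float = f;
    return pun.as_bits;
}

// Compliant: copy the object representation with memcpy. Same intent
// (inspect the bits of a float), no union, and the behaviour is well defined
// because the two sizes are checked to match at compile time.
static_assert(sizeof(float) == sizeof(std::uint32_t), "float must be 32 bits");

std::uint32_t bits_via_memcpy(float f) {
    std::uint32_t bits;
    std::memcpy(&bits, &f, sizeof bits);
    return bits;
}

// --- Rule 11.1: no conversion between a function pointer and any other type

typedef std::int32_t (*binary_op)(std::int32_t, std::int32_t);

std::int32_t add_op(std::int32_t a, std::int32_t b) { return a + b; }
std::int32_t sub_op(std::int32_t a, std::int32_t b) { return a - b; }

// Non-compliant pattern (left as a comment, not compiled): parking a
// function pointer in a void* and casting it back.
//   void *slot = (void *)add_op;        /* violates Rule 11.1 */
//   binary_op op = (binary_op)slot;     /* violates Rule 11.1 */

// Compliant: keep the pointer typed as binary_op end to end. A table of
// binary_op entries indexed by an enum carries the same dispatch intent
// without any conversion, and the bound check keeps the index in range.
enum op_code { OP_ADD = 0, OP_SUB = 1, OP_COUNT };

std::int32_t dispatch(enum op_code code, std::int32_t a, std::int32_t b) {
    static const binary_op table[OP_COUNT] = { add_op, sub_op };
    const int idx = static_cast<int>(code);
    if (idx < 0 || idx >= static_cast<int>(OP_COUNT)) {
        return 0;   /* unknown operation: fail closed */
    }
    return table[idx](a, b);
}
```

bits_via_memcpy(1.0f) yields 0x3F800000 and dispatch(OP_ADD, 2, 3) yields 5; the point of the compliant forms is that a static analysis tool checking Rules 11.1 and 19.2 has nothing to flag, while the intent of the code is unchanged.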
16. JSF++ AV Coding Standard (C++)
• Created by Lockheed Martin
• Coding Standards for the System Development and Demonstration Program
• Part of the Joint Strike Fighter program (aka F-35)
• Released in 2005
• Covers C++03
• Focused on safety-related aspects
17. SEI CERT C / C++ Coding Standard
• CERT C:
  • The CERT C Secure Coding Standard (2008)
  • The CERT C Coding Standard (2013)
  • SEI CERT C Coding Standard (2016)
  • Actively maintained / updated using Confluence
• CERT C++:
  • SEI CERT C++ Coding Standard (2016)
  • Actively maintained / updated using Confluence
  • Covers C++14
• Focused on security-related aspects
18. SEI CERT C / C++ Coding Standard
CERT C++ rule examples:
• CON50-CPP: Do not destroy a mutex while it is locked
• DCL50-CPP: Do not define a C-style variadic function
• EXP51-CPP: Do not delete an array through a pointer of the incorrect type
• FIO50-CPP: Do not alternately input and output from a file stream without an intervening positioning call
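As an added example (not CERT's own code), the following shows EXP51-CPP and DCL50-CPP from the list above, each with the non-compliant pattern beside a compliant one. The Base/Derived types, the g_destroyed counter and the function names release_correctly, sum_unchecked and sum_checked are assumptions made for illustration; the destructor counter exists only so a caller can confirm that every array element was destroyed exactly once.

```cpp
// Added example: CERT C++ rules EXP51-CPP and DCL50-CPP, each shown as the
// non-compliant pattern beside a compliant one. Not CERT's own example code.
#include <cstdarg>
#include <cstddef>
#include <type_traits>

// --- EXP51-CPP: do not delete an array through a pointer of the wrong type --

static std::size_t g_destroyed = 0;   // counts Derived destructors that ran

struct Base {
    virtual ~Base() = default;
    int b = 0;
};

struct Derived : Base {
    ~Derived() override { ++g_destroyed; }
    int d = 0;                         // makes sizeof(Derived) != sizeof(Base)
};

// Non-compliant (shown, never executed): delete[] through Base* walks the
// array in sizeof(Base) steps, so it runs destructors on the wrong addresses
// and hands a mismatched pointer to the deallocation function.
//   Base* p = new Derived[n];
//   delete[] p;                       // undefined behaviour

// Compliant: keep the static type of the pointer equal to the element type.
// Returns how many Derived destructors ran for this allocation.
std::size_t release_correctly(std::size_t n) {
    const std::size_t before = g_destroyed;
    Derived* p = new Derived[n];
    delete[] p;
    return g_destroyed - before;
}

// --- DCL50-CPP: do not define a C-style variadic function -------------------

// Non-compliant: the compiler cannot check that the caller really passed
// `count` ints. sum_unchecked(3, 1, 2) or sum_unchecked(2, 1.5, 2) compile
// cleanly and make va_arg read garbage at run time.
int sum_unchecked(int count, ...) {
    std::va_list args;
    va_start(args, count);
    int total = 0;
    for (int i = 0; i < count; ++i) total += va_arg(args, int);
    va_end(args);
    return total;
}

// Compliant: a variadic template. The arity is deduced from the call, and
// the static_assert rejects non-integral arguments at compile time instead
// of misreading them at run time.
template <typename... Ts>
int sum_checked(Ts... xs) {
    static_assert((std::is_integral<Ts>::value && ...),
                  "sum_checked accepts integral arguments only");
    return (0 + ... + static_cast<int>(xs));
}
```

release_correctly(4) returns 4, which is exactly what the Base* variant cannot guarantee; sum_checked(1, 2, 3) returns 6 like sum_unchecked(3, 1, 2, 3), but a call such as sum_checked(1.5, 2) is a compile error rather than a silent misread. The template form requires C++17 for the fold expressions.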
19. AUTOSAR C++14 Coding Guidelines
• Guidelines for the use of the C++14 language in critical and safety-related systems
• Part of the AUTOSAR Adaptive Platform
• Released twice a year: 17-03, 17-10, 18-03, 18-10, ?
• Based on MISRA C++:2008
• Adapted to cover C++14
• Contains traceability to MISRA C++, JSF++, CERT C++ and C++ Core Guidelines
20. Bonus: C++ Core Guidelines
• Announced by Bjarne Stroustrup in 2015
• A set of guidelines for using C++ well
• Focused on modern C++ (currently C++17)
• Living document under continuous improvement. No stable version yet.
• Hosted on GitHub: https://github.com/isocpp/CppCoreGuidelines
21. Best practices
Which Coding Standard is good for me?
Do not try to reinvent the wheel!
You need to decide based on the specifics of your project!
22. Best practices
  Coding Standard                      # of guidelines  Details
  MISRA C:2012 (w/ Amendment 1)        173              156 rules, 17 directives
  CERT C Guidelines                    307              121 rules, 186 recommendations
  AUTOSAR C++14 Coding Guidelines      344              319 required, 25 advisory
  CERT C++ Rules                       163              83 C++ specific rules, 80 relevant C rules
  MISRA C++:2008                       228              198 required, 18 advisory, 12 document
How can I handle such a large number of guidelines to follow?
Use an automated tool!
23. Best practices
How can I choose the right tool?
• Does the tool support the chosen coding standard(s) fully / partially?
• If tool qualification is required by the functional safety standard:
  • is the tool certified?
  • does the tool provide a qualification kit?
• Can the tool produce analysis reports in the form required for compliance analysis?
• Can the tool produce analysis reports in a form that is easy for developers to read?
• Does the tool integrate cleanly with the IDEs, build and CI systems in use?
• Does the tool use risk-scoring algorithms to help prioritize the defects it finds?
• [...]
Find the tool that can be used efficiently in your ecosystem!
29. Summary
Best practices:
• Wisely choose appropriate coding standard(s)
• Use the right automated tool(s)
• Set realistic goals
• Focus on newly written code first
• Prioritize defects based on their severity / importance
• Measure the compliance level
• Perform continuous testing to find defects early
30. Navigating the Jungle of Secure Coding Standards
Thank you for your attention!
Questions?
Please come visit us
Hall 4, Booth 378
Michal Rozenau