![Best practices
• Does the tool support the chosen coding standard(s) fully / partially?
• If the tool qualification is required by the functional safety standard:
• is the tool certified?
• does the toold provide the qualification kit?
• Can the tool produce analysis reports in a form required to do compliance analysis?
• Can the tool produce analysis reports in a form easy to read by the developers?
• Does the tool integrate cleanly with used IDEs, build and CI systems?
• Does the tool take advantage of the risk scoring algorithms to help prioritize found defects?
• [...]
How can I choose the right tool?
Find the tool that can be efficiently used in your ecosystem!](https://image.slidesharecdn.com/session6-190312094653/85/Navigating-the-jungle-of-Secure-Coding-Standards-23-320.jpg)
Navigating the jungle of Secure Coding Standards
- 1. Navigating the Jungle of the Secure Coding Standards Michal Rozenau michal.rozenau@parasoft.com
- 2. The Jungle of the Secure Coding Standards CVE Do you know them? CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 3. The Jungle of the Secure Coding Standards CVE CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 4. Software Safety and Security Issues • Mariner 1 Spacecraft (1962) • Ariane 5 (1996) • Mars Climate Orbiter (1998) • LSAAS Buffer Overflow / SasserWorm (2004) • Bash „Shellshock” bug (2014) • OpenSSL „Heartbleed” bug (2014) Serious issues caused by software bugs
- 5. CVE List • Created by the MITRE Corporation • Not-for-profit company that operates multiple federally funded research and development centers • Initial list in 1999 contained 321 CVE entries • Currently contains over 112k entries • Maintained by 93 CNAs from 16 countries • CVE NumberingAuthorities • It’s alive • 11 new CNAs since Jan 2018 • over 1600 new CVEs already published in 2019 CommonVulnerabilities and Exposures Copyright © 2006-2017, CVE and the CVE logo are trademarks of The MITRE Corporation. • Examples: • „Heartbleed” (CVE-2014-0160) • „ShellShock” (CVE-2014-6271) • „Spectre” (CVE-2017-5715 and CVE-2017-5753) • „Meltdown” (CVE-2017-5754)
- 6. The Jungle of the Secure Coding Standards CVE CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 7. CWE List • Community initiative • Managed by MITRE Corporation • Categorization of the known issues • 806 weaknesses in CWE 3.2 • Hierarchical representation Common Weakness Enumeration CWE-787: Out-of-boundsWrite The software writes data past the end, or before the beginning, of the intended buffer. ParentOf: • CWE-121 Stack-based Buffer Overflow • CWE-122 Heap-based Buffer Overflow • CWE-124 Buffer Underwrite ('Buffer Underflow') Copyright © 2006-2017, CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.
- 8. CQE • Community initiative • Managed by the MITRECorporation • CWE-like industry standard for software quality • Still a draft (v. 0.9) • 112 Quality Issues Common Quality Enumeration CQE-9221: Excessive Code Complexity The code is too complex, as calculated using a well-defined, quantitative measure. Parent of: • CQE-9222 Excessive Cyclomatic Complexity • CQE-9223 Excessive Halstead Complexity • CQE-9225 Excessively Deep Nesting • CQE-9226 ExcessiveAttack Surface CQE, CWE, and the CQE logo are trademarks of The MITRE Corporation.
- 9. The Jungle of the Secure Coding Standards CVE CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 10. Functional Safety Standards • DO-178C / ED-12C • Aviation • IEC 61508 • General purpose • ISO 26262 • Automotive • IEC 62279 / EN 50128 • Railway • IEC 62061 • Machinery ... • IEC 62304 • Medical
- 11. IEC 61508 and Static analysis • Table A.9 – Software verification • Table B.1 – Design and coding standards • Table B.8 – Static Analysis Technique / measure SIL 1 SIL 2 SIL 3 SIL 4 3. Static analysis R HR HR HR Technique / measure SIL 1 SIL 2 SIL 3 SIL 4 3. Control Flow Analysis R HR HR HR 4. Data Flow Analysis R HR HR HR 9. Static analysis of run time error behaviour R R R HR Technique / measure SIL 1 SIL 2 SIL 3 SIL 4 1. Use of coding standard to reduce likelihood of errors HR HR HR HR 2. No dynamic objects R HR HR HR 8. No automatic type conversion R HR HR HR
- 12. The Jungle of the Secure Coding Standards CVE CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 13. Coding Standards • MISRA C • MISRA C++ • JSF AV C++ Coding Standard • SEI CERT C Coding Standard • SEI CERT C++ Coding Standard • AUTOSAR C++14 Guidelines Commonly used C and C++ standards
- 14. MISRA C / C++ • MISRA C: • MISRAC:1998 (Guidelines for the use of the C language in vehicle based software) • MISRAC:2004 (Guidelines for the use of the C language in critical systems) • MISRAC:2012 (Guidelines for the use of the C language in critical systems) • MISRAC:2012 Amendment 1 (Additional security guidelines for MISRA C:2012) • MISRA C++: • MISRAC++:2008 (Guidelines for the use of the C++ language in critical systems) • Covers C++03 • Focused on Safety-related aspects
- 15. MISRA C / C++ • Rule 2.1 • A project shall not contain unreachable code • Rule 2.2 • There shall be no dead code • Rule 11.1 • Conversions shall not be performed between a pointer to a function and any other type • Rule 19.2 • The union keyword should not be used MISRA C:2012 rule examples:
- 16. JSF++ AV Coding Standard (C++) • Created by Lockhead Martin • Coding Standards for the System Development and Demonstration Program • Part of the Joint Strike Fighter program (aka F-35) • Released in 2005 • Covers C++03 • Focused on Safety-related aspects
- 17. SEI CERT C / C++ Coding Standard • CERT C: • The CERT C Secure Coding Standard (2008) • The CERT C Coding Standard (2013) • SEI CERT C Coding Standard (2016) • Actively maintained / updated using Confluence • CERT C++ • SEI CERT C++ Coding Standard (2016) • Actively maintained / updated using Confluence • Covers C++14 • Focused on Security-related aspects
- 18. SEI CERT C / C++ Coding Standard • CON50-CPP • Do not destroy a mutex while it is locked • DCL50-CPP • Do not define a C-style variadic function • EXP51-CPP • Do not delete an array through a pointer of the incorrect type • FIO50-CPP • Do not alternately input and output from a file stream without an intervening positioning call CERT C++ rule examples:
- 19. AUTOSAR C++14 Coding Guidelines • Guidelines for the use of the C++14 language in critical and safety-related systems • Part of the AUTOSARAdaptive Platform • Released twice a year: 17-03, 17-10, 18-03, 18-10, ? • Based on MISRAC++:2008 • Adapted to cover C++14 • Contains traceability to MISRA C++, JSF++,CERT C++ and C++ Core Guidelines
- 20. Bonus: C++ Core Guidelines • Announced by Bjarne Stroustrup in 2015 • A set of guidelines for using C++ well • Focused on modern C++ (currently C++17) • Living document under continuous improvement. No stable version yet. • Hosted on github: https://github.com/isocpp/CppCoreGuidelines
- 21. Best practices Which Coding Standard is good for me? Do not try to reinvent the wheel! You need to decide based on the specifics of your project!
- 22. Best practices Coding Standard # of guidelines Details MISRAC 2012 (w/ Amendment 1) 173 156 rules, 17 directives CERT C Guidelines 307 121 rules, 186 recommendations AUTOSAR C++14 Coding Guidelines 344 319 required, 25 advisory CERT C++ Rules 163 83 C++ specific rules, 80 relevant C rules MISRAC++ 2008 228 198 required, 18 advisory, 12 document How can I handle such a large number of guidelines to follow? Use an automated tool!
- 23. Best practices • Does the tool support the chosen coding standard(s) fully / partially? • If the tool qualification is required by the functional safety standard: • is the tool certified? • does the toold provide the qualification kit? • Can the tool produce analysis reports in a form required to do compliance analysis? • Can the tool produce analysis reports in a form easy to read by the developers? • Does the tool integrate cleanly with used IDEs, build and CI systems? • Does the tool take advantage of the risk scoring algorithms to help prioritize found defects? • [...] How can I choose the right tool? Find the tool that can be efficiently used in your ecosystem!
- 24. Best practices The tool reports a lot. What do I start with? Focus on the new issues first! Use risk scoring algorithms to initially prioritize violations! Triage and prioritize violations that need to be addressed! SEI CERT C++ Risk Assessment Summary, ©2018 Carnegie Mellon University
- 25. Best practices How can I ensure continuous improvement? Make sure developers fix found problems! Use CI to find newly introduced defects early!
- 26. Best practices How do I know if my project is compliant? Perform compliance measurements!
- 27. Summary CVE Now we know them... CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508
- 28. Summary CVE Now we know them... CQE MISRA ISO26262 CERT DO178C AUTOSAR CWE IEC61508Vulnerabilities Weaknesses / Code Issues Functional Safety Standards Coding Standards
- 29. Summary • Wisely choose appropriate coding standard(s) • Use right automated tool(s) • Set up realistic goals • Focus on the newly written code first • Prioritize defects based on their severity / importance • Measure compliance level • Perform continuous testing to find defects early Best practices
- 30. Navigating the Jungle of Secure Coding Standards Thank you for your attention! Questions? Please, come visit us Hall 4, Booth 378 Michal Rozenau
Editor's Notes
- #3: .