CERT C Secure Coding Standard with the LDRA tool suite

Overview

The CERT C Secure Coding Standard provides rules and recommendations for secure coding in the C programming language. The goal of these rules and recommendations is to eliminate insecure coding practices and undefined behaviours that can lead to exploitable vulnerabilities. Applying the secure coding standard leads to higher-quality systems that are robust and more resistant to attack.

Why Secure Coding?

Security is an important parameter that contributes to overall system quality. Easily avoided software defects are a primary cause of commonly exploited software vulnerabilities. CERT (Computer Emergency Response Team) has observed, through an analysis of thousands of vulnerability reports, that most vulnerabilities stem from a relatively small number of common programming errors. By identifying insecure coding practices and developing secure alternatives, software developers can take practical steps to reduce or eliminate vulnerabilities before deployment.

As part of this initiative, the CERT Secure Coding team works with software developers and software development organisations to reduce vulnerabilities resulting from coding errors before they are deployed. In collaboration with the software assurance and C language development communities, CERT developed the CERT C Secure Coding Standard to provide secure coding guidance to developers, and suggests that secure code must exhibit properties such as:

  • Dependability: Dependable software executes predictably and operates correctly under all conditions, including hostile conditions such as when the software comes under attack or runs on a malicious host.
  • Trustworthiness: Trustworthy software contains few if any vulnerabilities or weaknesses that can be intentionally exploited to subvert or sabotage the software's dependability. In addition, to be considered trustworthy, the software must contain no malicious logic that causes it to behave in a malicious manner.
  • Survivability: Survivable software is software that is resilient enough to (1) either resist (i.e., protect itself against) or tolerate (i.e., continue operating dependably in spite of) most known attacks plus as many novel attacks as possible, and (2) recover as quickly as possible, and with as little damage as possible, from those attacks that it can neither resist nor tolerate.

Solution: Integrating Security into the Software Development Lifecycle (SDLC)

"Security enhancement" of the SDLC process mainly involves the adaptation or augmentation of existing SDLC activities, practices, and checkpoints, and in a few instances, it may also entail the addition of new activities, practices, or checkpoints. In very few instances, it may also require the elimination or wholesale replacement of certain activities or practices that are known to obstruct the ability to produce secure software. The key elements of a secure software life cycle process are:

  • Security risk identification
  • Add security to system requirements
  • Add security to architectural design
  • Adopt secure coding practices
  • Security testing, i.e. testing practices that focus on verifying the dependability, trustworthiness, and sustainability of the software being tested.

Obtaining Further Information

For further information on compliance with CERT C and availability, please complete the LDRA reply form or email .

TBsecure® automates documentation for security compliance and certification.

LDRA, the leading provider of automated software verification, source code analysis, and test tools, has developed TBsecure® to provide developers with the means to determine software compliance with the CERT C Secure Coding Standard, which identifies the common programming errors behind the majority of software security attacks.

LDRA Testbed, the core analysis engine of the LDRA tool suite, performs the static analysis required for coding standards enforcement. TBvision may then be used to review the results against any of the many LDRA tool suite supported industry coding standards, including CERT C.

Building Security into the SDLC

The foundation of sound software design and development practices starts with requirements, which establish the verification baseline for the project: the highest-level description of what the 'right' system is. This includes both the functional requirements (i.e. what the system is supposed to do) and the non-functional requirements (e.g. performance requirements). In addition, requirements should describe the assurance activities necessary to ensure that the requirements have been implemented correctly. This refers to the ability to link system requirements to software safety requirements, then software safety requirements to design requirements, and then design requirements to source code and the associated test cases. Tracing requirements is the best way to ensure that the final system does exactly what is specified by the initial requirements.

The LDRA tool suite spans the entire software development lifecycle, from requirements traceability through static and dynamic software analysis to unit testing, facilitating the process automation required to achieve good-quality software that is delivered on time and within budget. The accuracy, determinism and formal reporting capabilities of the LDRA tool suite lend themselves to use in the development of safety-critical software.

Benefits

  • Helps drive security focus
  • Improves accuracy
  • Requirements Traceability
    - Ensures security focus throughout SDLC
  • Static Analysis
    - Improves the overall quality of code
  • Unit Test
    - Improves security testing productivity
    - Helps ensure 100% code coverage
  • Test Verification
    - Ensures 100% requirements coverage

Compliance

The MISRA C++:2008 guidelines consist of a set of rules to be followed in developing safe and reliable software in the automotive industry. Great emphasis is placed on the use of static checking tools to enforce compliance with the subset, and it is hoped that this will become common practice among developers of critical systems.

The LDRA tool suite provides the most comprehensive C++ coding standards enforcement available on the market today and this has now been enhanced to support the imminent launch of MISRA C++:2008. Already within the scope of the C++ language we have worked with Lockheed Martin in developing the JSF AV C++ standard, as well as enforcing the High-Integrity C++ Coding Standard* and the LM Train Control Program (LMTCP) standard.

When choosing a static checking tool it is clearly desirable that the tool enforces as many of the rules in this document as possible. To this end it is essential that the tool is capable of performing checks across the whole program, and not only within a single source file. In addition, the LDRA tool suite has capabilities for performing extra checks beyond the scope of MISRA C++. Of the 228 rules mentioned in the guidelines, 176 are fully implemented by LDRA, 32 are partially implemented and 14 are not deemed to be statically analysable.

Implementing MISRA-C++:2008 with the LDRA tool suite

The LDRA tool suite can be configured with additional analysis facilities to automate the checking of source code for conformance to the MISRA C++:2008 standard. This process can be undertaken during Unit, System and Integration testing to ensure compliance throughout the software development cycle, enabling both Developers and Managers to benefit from faster adoption of the standard in new or existing projects.

Compliance can be claimed for a product and not for an organisation. When claiming MISRA C++ compliance for a product, a developer should state that evidence exists to show:

  • A compliance matrix has been completed which shows how compliance has been enforced.
  • All of the C++ code in the product is compliant with the rules of this document or subject to documented deviations.
  • A list of all instances of rules not being followed is maintained, and for each instance there is an appropriately signed-off deviation.

The LDRA tool suite locates and highlights areas of code that are non-conforming, to aid documentation and modification. Extensive reports and graphical displays enhance understanding of the source code, facilitating improvements in testability, understandability and maintainability in line with the MISRA C++:2008 guidelines. During software unit design and implementation, coding standards enforcement ensures the use of sound design principles for software unit implementation. LDRA Testbed and TBvision both have extensive standards checking capability, including industry-leading compliance to the MISRA C++ 2008 standard.

TBvision, a code quality reporting tool, provides users with the ability to quickly and easily view results in callgraphs, flowgraphs, code review reports and summary reports. The advanced reporting measures of TBvision enable users to quickly assess the portability, dependability, testability, maintainability, complexity and style of code generated by project teams. Figure 2 illustrates how MISRA C++ 2008 violations are reported in TBvision. Such graphical representation makes it easy for developers to immediately spot code that does not comply with the standards.

The LDRA tool suite also enables coverage measures to be taken to ensure software testedness is measured and maintained, as recommended by the MISRA C++:2008 standard.

*The High-Integrity C++ Coding Standard (© The Programming Research Group) is a manual designed for use by organisations that aim to produce high-quality C++ software. LDRA is able to assist software developers and testers to check for violations of the standard by utilising the powerful analysis capabilities of the LDRA tool suite. A full version of the standard can be obtained by visiting the following website: www.codingstandard.com/HICPPCM/index.html.

LDRA tool suite highlights - ISO/DIS 26262 (Part 6)

Software Design, Implementation and Testing

ISO/DIS 26262 (part 6) details the software development process of the product as design and coding work continues. It specifically addresses:

  • The software architectural design
  • Software unit design and implementation
  • Software unit testing, and
  • Software integration and testing

As these themes are developed in this part of the standard, it becomes clear that, irrespective of the ASIL level involved, assistance is available from the LDRA tool suite every step of the way.

Software Architectural Design

For instance, the standard calls for the "verification of the architectural design". Graphical artefacts generated by the LDRA tool suite are ideally suited to reviewing the implemented design against the design artefacts, either by walkthroughs or by inspections.

Software Unit Design and Implementation

During software unit design and implementation, ISO/DIS 26262 calls for coding standards to ensure the use of sound design principles for software unit implementation.

LDRA Testbed and TBvision both have extensive standards checking capability, including industry leading compliance to the MISRA C and C++ standards mentioned in the ISO/DIS 26262 standard itself.

Software Unit Testing

The standard requires that "Software unit testing shall be planned, specified and executed..." TBrun provides a graphical user interface for unit test specification, to create tests according to the defined specification, and to present a list of all defined test cases with appropriate pass/fail status.

Automatic creation of the test harness, stubbed functions and even test vectors (if desired) means that unit test execution becomes a quick and easy process, requiring a minimum of specialist knowledge.

Software Integration and Testing

LDRA Testbed and TBrun have the capability to provide Structural Coverage Analysis, both at system test level and at unit test level. The coverage data derived from these approaches can also be combined to provide the most effective way of working for the particular needs of a development project.

Addressing all ASIL levels with the LDRA tool suite

The LDRA tool suite is widely used for on target testing of embedded systems, in the development of software to meet DO-178B and in other IEC 61508 based standards such as CENELEC prEN 50128. This illustrates how the LDRA tool suite is equipped to support even the most demanding ASIL level D application.

Seamless integration with the target hardware ensures that target testing is as efficient and effective as possible, with a host of mechanisms available to optimise the extraction of test data from the target system.

Integration with Eclipse based operating systems takes that integration one step further, whilst upstream integration with UML tools such as IBM Rational Rhapsody provides an integrated test environment throughout the software development process.

Obtaining Further Information

For further information on compliance with ISO/DIS 26262 and availability, please complete the LDRA reply form or email .