Software Engineering Institute Makes CERT C++ Coding Standard Freely Available (opens in new tab)

(sei.cmu.edu)

179 pointsBudVVeezer9y ago24 comments

24 comments

brakmic9y ago

http://www.cert.org/downloads/secure-coding/assets/sei-cert-...

rezzo9y ago

The SEI CERT C Coding Standard previously released:

http://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-...

Jare9y ago

Note to self: always check the thread before digging up this kind of stuff myself. Thanks!

mavam9y ago

It would be great to see such elaborate guidelines to be accompanied with an integration into a linting tool, such as clang-tidy.

hermitdev9y ago

I thought there was a checker (based on clang) included by the CPP Core Guidelines [0], but I'm not seeing it there currently. Must have been external. I know I saw a tool that provided partial support, at least for GSL [1] (MS's library support of the the CPP Core Guidelines).

[0] https://github.com/isocpp/CppCoreGuidelines [1] https://github.com/microsoft/gsl/

geokon9y ago

Maybe I'm misunderstanding your reply, but the GSL is the checker. It adds header constructs that create compile time errors based on bad practices. The whole point is that there is no need for an external tool.

1 more reply

BudVVeezerOP9y ago

The clang-tidy tool has some C++ Core Guideline checks under the cppcoreguidelines module.

BudVVeezerOP9y ago

Some of these rules are currently in clang-tidy, but the coverage is by no means comprehensive. Patches always welcome. :-)

EliRivers9y ago

There are integrations of this and various other coding standards into some commercial tools; I don't recall seeing them in any free tools yet.

_pmf_9y ago

Pretty sane and modern when compared to other so called safety standards like MISRA that are in fact rules to satisfy proprietary legacy compilers.

a3n9y ago

And C: http://www.cert.org/news/article.cfm?assetid=465486&article=...

sargun9y ago

I was really hoping the Wikipedia article on Roller Coasters was better. I wanted to write a piece of prose paralleling roller coasters and programming languages, but unfortunately, I have such little info to go on (https://en.wikipedia.org/wiki/Roller_coaster).

I feel like roller coasters started because people wanted to go fast, and this crazy death contraption was the only way how. Subsequently, ride operators, in order to avoid the death of their patrons, advised them not to stick their limbs outside of the car. Unfortunately, this mechanism only reduced injuries, but far from eliminated them. Not only do accidents occur because of the actions of the riders themselves, but ride operators can pose introduce risk not only by malice, but negligence. In extremely rare cases, riders can be injured by compiler failures.

Roller coaster operators soon learned that these contraptions were fundamentally unsafe, and the only way to induce safety was if the systems which drove the coaster had safety as a fundamental concern. Therefore they introduced these things like "PLCs" -- a type of computer to make sure the operators could only do so much to endanger the riders. In addition, by following the basic rules of physics at build time of the coaster they further increased safety. Since people have stopped building coasters that relied on the rider's healthy sense of caution, and the operator's awareness of safety, they've become one of the safest ways to enjoy oneself. Or at least this is how I was hoping the story went.

Cyph0n9y ago

To anyone experienced with CERT C++: are there rules in the standard that are critical for secure code, but not easy to discover without extensive experience?

For instance, I went through the I/O section, and most of the rules seem quite intuitive even to a novice C++ programmer like myself.

temac9y ago

I'm currently working on a system that had no locking order defined (and no any other proper way to prevent or handle deadlocks) -- and looking at the face of my colleagues when I announced that, a good proportion (maybe even the majority) never heard about that kind of stuff before (and they typically have been programming for >5 years)

It disturbed me a little because this is the kind of stuff you learn in school, and they all have been there. Maybe they did not paid enough attention. Given the kind of programs we are writing, I could be rejecting candidates who don't cite deadlocks has a classic problem, and give a locking order as a classic solution to avoid them, even if they are right out of school.

All of that to say: IMO "novice" or "experienced" C++ programmer very often bear the risk of not really predicting the ability to write correct and maintainable code, because for the experienced ones, they can very well never have had any serious approach or mentors to get them to a decent mindset, while at the same time a smart and motivated novice can quickly figure out more and more of what matters, given some predispositions, a proper mentor, and/or a project inducing that.

If you find some of the CERT rules basic, you will quickly find most of them in that case. However, they are still useful to be used as a checklist, or for programmers who don't care enough about programming, or simply have been busy implementing piles of features in some kind of spaghetti code (and fixing 10% of the resulting bugs during 75% of their time) during a decade, etc.

daemin9y ago

I get the feeling this comes out of the divide between people treating programming like a craft, and those treating it just as a means to get something working.

Those that treat it like a craft aim to understand what they are doing, how to do things better.

Those that treat it like "just a job" or a means to an end don't want to know or learn anything beyond what is immediately required to do the task.

An example could be using "git push --force" if git push returns with errors

BudVVeezerOP9y ago

What's considered critical or difficult to discover is a bit subjective, but:

It's easy to forget that alignment is important on some architectures (other than for performance reasons), so be careful when using placement new: https://www.securecoding.cert.org/confluence/display/cpluspl...

This may seem obvious, but even the C++ committee got this one wrong when they created auto_ptr (which has since been removed from the standard): https://www.securecoding.cert.org/confluence/display/cpluspl...

This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush: https://www.securecoding.cert.org/confluence/display/cpluspl...

duneroadrunner9y ago

> This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush

If memory safety is actually important to you, there's now an actual practical solution: SaferCPlusPlus[1].

A tool to automatically retrofit memory safety to existing C/C++ code is in early development (but resources are limited so it might be a while).

[1] shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus

hermitdev9y ago

I've not read through the CERT C++ rules (yet), but I highly recommend reading "Secure Coding in C and C++" [0]. Expectedly, there's a good discussion on bounds checking. But, nearly half the book is dedicated to integer underflow/overflow (and signed/unsigned) issues (which most devs either ignore or are oblivious to). It's not a panacea, but if you're write C/C++ without thinking about security and how things can go wrong, it can be a real eye opener.

[0] https://www.amazon.com/Secure-Coding-2nd-Software-Engineerin...

duneroadrunner9y ago

I haven't read the book. What's the gist of the recommendations for addressing those issues? SaferCPlusPlus addresses the signed/unsigned issue by providing compatible substitutes[1] for "int" and "size_t" that automatically handle it. And it addresses the integer underflow/overflow issue by recommending another compatible "int" substitute[2] and introducing the concept (but not yet the implementation) of "quarantined" types for untrusted input values.

[1] https://github.com/duneroadrunner/SaferCPlusPlus#cint-csize_...

[2] https://github.com/robertramey/safe_numerics

1 more reply

nickpsecurity9y ago

Just found slides of the integer stuff, too, for anyone without the book.

http://www.sis.pitt.edu/jjoshi/courses/IS2620/Spring07/Lectu...

koja869y ago

I think it is pretty basic but with nice explanations, examples, it's pretty complete and it is free so you can basically hand it to someone willing to learn these things.

Some recommendations seem little bit like "don't make mistakes" but still I like it.

wyldfire9y ago

I've not got experience w/CERT C++, so caveats. IMO, the major utility in releasing these guidelines publicly is that developers of clang-tidy and other open source static checkers can freely access the guides that will allow them to check for compliance.

Kudos to the SEI.

j / k navigate · click thread line to collapse

24 comments

brakmic9y ago

http://www.cert.org/downloads/secure-coding/assets/sei-cert-...

rezzo9y ago

The SEI CERT C Coding Standard previously released:

http://www.sei.cmu.edu/downloads/sei-cert-c-coding-standard-...

Jare9y ago

Note to self: always check the thread before digging up this kind of stuff myself. Thanks!

mavam9y ago

It would be great to see such elaborate guidelines to be accompanied with an integration into a linting tool, such as clang-tidy.

hermitdev9y ago

[0] https://github.com/isocpp/CppCoreGuidelines [1] https://github.com/microsoft/gsl/

geokon9y ago

1 more reply

BudVVeezerOP9y ago

The clang-tidy tool has some C++ Core Guideline checks under the cppcoreguidelines module.

BudVVeezerOP9y ago

Some of these rules are currently in clang-tidy, but the coverage is by no means comprehensive. Patches always welcome. :-)

EliRivers9y ago

There are integrations of this and various other coding standards into some commercial tools; I don't recall seeing them in any free tools yet.

_pmf_9y ago

Pretty sane and modern when compared to other so called safety standards like MISRA that are in fact rules to satisfy proprietary legacy compilers.

a3n9y ago

And C: http://www.cert.org/news/article.cfm?assetid=465486&article=...

sargun9y ago

Cyph0n9y ago

To anyone experienced with CERT C++: are there rules in the standard that are critical for secure code, but not easy to discover without extensive experience?

For instance, I went through the I/O section, and most of the rules seem quite intuitive even to a novice C++ programmer like myself.

temac9y ago

daemin9y ago

I get the feeling this comes out of the divide between people treating programming like a craft, and those treating it just as a means to get something working.

Those that treat it like a craft aim to understand what they are doing, how to do things better.

Those that treat it like "just a job" or a means to an end don't want to know or learn anything beyond what is immediately required to do the task.

An example could be using "git push --force" if git push returns with errors

BudVVeezerOP9y ago

What's considered critical or difficult to discover is a bit subjective, but:

duneroadrunner9y ago

> This one is totally obvious but has a stunning number of ways you can fail to adhere to it, some of which look reasonable at first blush

If memory safety is actually important to you, there's now an actual practical solution: SaferCPlusPlus[1].

A tool to automatically retrofit memory safety to existing C/C++ code is in early development (but resources are limited so it might be a while).

[1] shameless plug: https://github.com/duneroadrunner/SaferCPlusPlus

hermitdev9y ago

[0] https://www.amazon.com/Secure-Coding-2nd-Software-Engineerin...

duneroadrunner9y ago

[1] https://github.com/duneroadrunner/SaferCPlusPlus#cint-csize_...

[2] https://github.com/robertramey/safe_numerics

1 more reply

nickpsecurity9y ago

Just found slides of the integer stuff, too, for anyone without the book.

http://www.sis.pitt.edu/jjoshi/courses/IS2620/Spring07/Lectu...

koja869y ago

I think it is pretty basic but with nice explanations, examples, it's pretty complete and it is free so you can basically hand it to someone willing to learn these things.

Some recommendations seem little bit like "don't make mistakes" but still I like it.

wyldfire9y ago

Kudos to the SEI.

j / k navigate · click thread line to collapse