NASA Secure Coding Rules

NASA Secure Coding Rules
Necessary Restriction
Copyright © 2014-2017 by Curt Hill

NASA
- Generates or contracts for a substantial amount of code
- Their code has to perform well in very adverse conditions
- Hard to send a service truck to repair
- Sometimes lives depend on it
- Their failures always make the news

Thus
- They have developed a number of rules that must be strictly observed
- They have done this out of necessity
- Saving $50 at the cost of a billion dollar spacecraft is not good economics
- We will now look at some of these
- What we need to ask is: Why?

Flow of Control I
- Restrict all code to very simple control flow constructs
- Do not use goto statements, setjmp or longjmp constructs, or direct or indirect recursion

Flow of Control II
- All loops must have a fixed upper bound
- It must be trivially possible for a checking tool to prove statically that a preset upper bound on the number of iterations of a loop cannot be exceeded
- If the loop bound cannot be proven statically, the rule is considered violated
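The two flow-of-control slides above are easiest to see side by side in code. The following is an added example written for this page, not code from the slides or from NASA: the same linked-list traversal once as recursion (which the rule forbids) and once as a loop whose bound, MAX_NODES, is a compile-time constant a checker can verify. MAX_NODES, struct node and the sample list are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the slides: a list traversal written with
 * recursion (forbidden by the flow-of-control rule) and as a loop with a
 * fixed, statically checkable upper bound (what the rule wants).
 * MAX_NODES is an assumed bound chosen for this example. */
#define MAX_NODES 64

struct node {
    int value;
    struct node *next;
};

/* Recursive form: each node costs a stack frame, so stack use depends on
 * the data, and a cyclic list never terminates. */
static int sum_recursive(const struct node *n)
{
    if (n == NULL) {
        return 0;
    }
    return n->value + sum_recursive(n->next);
}

/* Loop form with a fixed bound. The counter is compared against a
 * compile-time constant, which a static checker can prove. If the bound
 * is reached before the end of the list (too long, or cyclic) the
 * function reports failure instead of running on. */
static bool sum_bounded(const struct node *n, int *out)
{
    int sum = 0;
    size_t steps;

    for (steps = 0; steps < MAX_NODES && n != NULL; steps++) {
        sum += n->value;
        n = n->next;
    }
    if (n != NULL) {
        return false; /* bound exceeded: treat as anomalous input */
    }
    *out = sum;
    return true;
}

/* Constructed sample data in static storage (no dynamic allocation). */
static struct node g_nodes[4];

/* Links the nodes as 1 -> 2 -> 3 -> 4; with cyclic set, 4 points back to 1. */
static const struct node *build_sample(bool cyclic)
{
    size_t i;
    for (i = 0; i < 4; i++) {
        g_nodes[i].value = (int)i + 1;
        g_nodes[i].next = (i + 1 < 4) ? &g_nodes[i + 1] : NULL;
    }
    if (cyclic) {
        g_nodes[3].next = &g_nodes[0];
    }
    return &g_nodes[0];
}

/* Sums the sample list with the bounded loop; -1 signals that the
 * bound was hit (here: the cyclic list). */
int sum_sample(bool cyclic)
{
    int result = 0;
    return sum_bounded(build_sample(cyclic), &result) ? result : -1;
}

/* Sums the acyclic sample with the recursive version, for comparison.
 * (Never call the recursive version on the cyclic list: it does not return.) */
int sum_sample_recursive(void)
{
    return sum_recursive(build_sample(false));
}

int main(void)
{
    printf("bounded, acyclic: %d\n", sum_sample(false));
    printf("bounded, cyclic:  %d\n", sum_sample(true));
    printf("recursive:        %d\n", sum_sample_recursive());
    return 0;
}
```

The point of the bounded version is not only termination: hitting the bound is itself a signal that the input is malformed, and the function hands that back as an error rather than silently looping or overflowing the stack.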

Dynamic Memory
- Do not use dynamic memory allocation after initialization
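What "no dynamic memory after initialization" looks like in practice is a fixed-capacity pool reserved once at start-up. The block below is an added example for this page, not code from the slides or from NASA; POOL_CAPACITY, struct record and the helper names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Added example, not from the slides: a fixed-capacity record pool whose
 * storage is reserved once, at initialization. No malloc or free is
 * called afterwards, so there is no heap fragmentation, no allocation
 * failure mid-run, and the memory footprint is known at link time.
 * POOL_CAPACITY and struct record are assumptions made for this example. */
#define POOL_CAPACITY 8

struct record {
    unsigned id;
    int reading;
};

static struct record g_pool[POOL_CAPACITY];
static bool g_in_use[POOL_CAPACITY];
static bool g_initialized = false;

/* Run once during initialization: clear every slot and mark it free. */
void pool_init(void)
{
    memset(g_pool, 0, sizeof g_pool);
    memset(g_in_use, 0, sizeof g_in_use);
    g_initialized = true;
}

/* Hand out a free slot. Returns NULL when the pool is exhausted (or was
 * never initialized), so the caller has to check the result rather than
 * assume success. The search loop is bounded by the compile-time capacity. */
struct record *pool_acquire(void)
{
    size_t i;
    if (!g_initialized) {
        return NULL;
    }
    for (i = 0; i < POOL_CAPACITY; i++) {
        if (!g_in_use[i]) {
            g_in_use[i] = true;
            return &g_pool[i];
        }
    }
    return NULL;
}

/* Return a slot. Only pointers that are exactly one of the pool's slots,
 * and currently in use, are accepted; anything else (foreign pointer,
 * double release) is rejected instead of corrupting the bookkeeping. */
bool pool_release(const struct record *r)
{
    size_t i;
    for (i = 0; i < POOL_CAPACITY; i++) {
        if (r == &g_pool[i]) {
            if (!g_in_use[i]) {
                return false; /* double release */
            }
            g_in_use[i] = false;
            return true;
        }
    }
    return false; /* not a pool slot */
}

/* Number of free slots, for monitoring and for the checks below. */
size_t pool_free_count(void)
{
    size_t i, n = 0;
    for (i = 0; i < POOL_CAPACITY; i++) {
        if (!g_in_use[i]) {
            n++;
        }
    }
    return n;
}

/* Tries one acquire more than the pool can hold and reports how many
 * succeeded: the pool refuses the extra request instead of growing. */
size_t acquire_all_plus_one(void)
{
    size_t got = 0, i;
    for (i = 0; i < POOL_CAPACITY + 1; i++) {
        if (pool_acquire() != NULL) {
            got++;
        }
    }
    return got;
}

/* Releases slot 0 twice; a correct pool accepts the first release and
 * rejects the second. Returns 1 when that is what happened, else 0. */
int release_twice_demo(void)
{
    bool first = pool_release(&g_pool[0]);
    bool second = pool_release(&g_pool[0]);
    return (first && !second) ? 1 : 0;
}
```

Because every slot is a named static object, the worst case (a full pool) is a NULL return that the caller must handle, not an out-of-memory condition discovered at some unpredictable point in flight; the release path also refuses pointers that did not come from the pool, which turns a would-be memory corruption into a checkable failed return.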

Functions I
- No function should be longer than what can be printed on a single sheet of paper in a standard reference format with one line per statement and one line per declaration
- Typically, this means no more than about 60 lines of code per function

Functions II
- The return value of non-void functions must be checked by each calling function, and the validity of parameters must be checked inside each function

Function Assertions
- The assertion density of the code should average to a minimum of two assertions per function
- Assertions are used to check for anomalous conditions that should never happen in real-life executions
- Assertions must always be side-effect free and should be defined as Boolean tests

Assertions Continued
- When an assertion fails, an explicit recovery action must be taken, e.g., by returning an error condition to the caller of the function that executes the failing assertion
- Any assertion for which a static checking tool can prove that it can never fail or never hold violates this rule (i.e., it is not possible to satisfy the rule by adding unhelpful “assert(true)” statements)
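The three slides on functions and assertions describe one pattern: validate parameters on entry, assert on conditions that should never hold, return an error code as the recovery action, and have every caller check that code. The following is an added example written for this page, not code from the slides or from NASA. MAX_SAMPLES, the sensor range, the status codes and the ASSERT_OR_RETURN macro are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not from the slides: a function that validates its
 * parameters on entry, asserts a property of its data, and on any
 * failure returns an error code to the caller (the explicit recovery
 * action the rule asks for) instead of aborting. The caller, in turn,
 * checks that return value. MAX_SAMPLES, the sensor range and the
 * status codes are assumptions made for this example. */
#define MAX_SAMPLES 64
#define SENSOR_MIN  (-1000)
#define SENSOR_MAX  1000

enum status { ST_OK = 0, ST_BAD_PARAM = 1, ST_RANGE = 2 };

/* Side-effect-free assertion: the condition is a pure Boolean test and
 * the only consequence of failure is returning the given error code.
 * Wrapped in do/while(0) so it expands to a single statement. */
#define ASSERT_OR_RETURN(cond, err) \
    do { if (!(cond)) { return (err); } } while (0)

/* Mean of a block of sensor readings. The first three assertions guard
 * the parameters; the in-loop one checks that every reading is
 * physically plausible, something no static tool can prove about
 * run-time data, so it cannot be a vacuous assert. */
enum status average_reading(const int16_t *buf, size_t len, int32_t *out)
{
    int32_t sum = 0;
    size_t i;

    ASSERT_OR_RETURN(buf != NULL, ST_BAD_PARAM);
    ASSERT_OR_RETURN(out != NULL, ST_BAD_PARAM);
    ASSERT_OR_RETURN(len > 0 && len <= MAX_SAMPLES, ST_BAD_PARAM);

    for (i = 0; i < len; i++) {               /* bounded by MAX_SAMPLES */
        ASSERT_OR_RETURN(buf[i] >= SENSOR_MIN && buf[i] <= SENSOR_MAX, ST_RANGE);
        sum += buf[i];
    }
    /* MAX_SAMPLES * SENSOR_MAX fits comfortably in int32_t, so no overflow. */
    *out = sum / (int32_t)len;
    return ST_OK;
}

/* Caller that checks the return value. On failure it leaves *avg alone
 * and propagates the status; it never continues with an unset result. */
enum status report_average(const int16_t *buf, size_t len, int32_t *avg)
{
    enum status st = average_reading(buf, len, avg);
    if (st != ST_OK) {
        return st;            /* recovery: hand the error up the chain */
    }
    return ST_OK;
}

/* Constructed inputs for trying the code. */
static const int16_t g_good[3] = { 100, 200, 300 };
static const int16_t g_bad[3]  = { 100, 5000, 300 };  /* 5000 is out of range */

/* Helpers with scalar results so the behaviour is easy to check. */
int demo_good_average(void)
{
    int32_t avg = 0;
    return report_average(g_good, 3, &avg) == ST_OK ? (int)avg : -1;
}

int demo_out_of_range(void)
{
    int32_t avg = 0;
    return (int)report_average(g_bad, 3, &avg);
}

int demo_null_buffer(void)
{
    int32_t avg = 0;
    return (int)report_average(NULL, 3, &avg);
}

int demo_zero_length(void)
{
    int32_t avg = 0;
    return (int)report_average(g_good, 0, &avg);
}
```

Note which assertions would and would not satisfy the "never provably vacuous" clause: a check such as `sum <= MAX_SAMPLES * SENSOR_MAX` after the loop is something a checker can prove from the range assertion inside it, so it adds nothing, whereas the range check on each reading depends on data that only exists at run time.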

Variables
- Data objects must be declared at the smallest possible level of scope

Preprocessor
- The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions
- Token pasting, variable argument lists (ellipses), and recursive macro calls are not allowed
- All macros must expand into complete syntactic units

Preprocessor Continued
- The use of conditional compilation directives is often also dubious, but cannot always be avoided
- This means that there should rarely be justification for more than one or two conditional compilation directives even in large software development efforts, beyond the standard boilerplate that avoids multiple inclusion of the same header file
- Each such use should be flagged by a tool-based checker and justified in the code
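The "complete syntactic units" requirement is best understood from a macro that breaks it. The block below is an added example for this page, not code from the slides or from NASA: a statement macro and an expression macro, each in a broken and a correct form, with small functions that expose the difference in behaviour. All names are made up for the example.

```c
#include <stdbool.h>

/* Added example, not from the slides: what "every macro must expand into
 * a complete syntactic unit" protects against. Both the statement macro
 * and the expression macro below come in a broken and a correct form.
 * All names are made up for this example. */

static int g_events  = 0;   /* how many times log_event ran */
static int g_counter = 0;   /* how many times the counter was bumped */

static void log_event(int v)
{
    (void)v;
    g_events++;
}

/* Broken: expands to TWO statements. Used under an if without braces,
 * only log_event() is guarded; g_counter++ runs unconditionally. */
#define LOG_AND_COUNT_BAD(v)  log_event(v); g_counter++

/* Correct: do/while(0) makes the expansion exactly one statement, so it
 * behaves the same whether or not the caller uses braces. */
#define LOG_AND_COUNT(v)  do { log_event(v); g_counter++; } while (0)

/* Broken: the argument is spliced in unparenthesised, so SQUARE_BAD(a + b)
 * becomes a + b * a + b. */
#define SQUARE_BAD(x)  x * x

/* Correct: the whole expansion and each use of the argument is a
 * self-contained expression. */
#define SQUARE(x)  ((x) * (x))

/* Run each statement macro under a condition and report the counter.
 * With cond == false, the broken macro still returns 1. */
int counter_after_bad(bool cond)
{
    g_events = 0;
    g_counter = 0;
    if (cond)
        LOG_AND_COUNT_BAD(1);
    return g_counter;
}

int counter_after_good(bool cond)
{
    g_events = 0;
    g_counter = 0;
    if (cond)
        LOG_AND_COUNT(1);
    return g_counter;
}

/* Square of a sum: the broken macro computes a + b*a + b instead. */
int square_of_sum_bad(int a, int b)
{
    return SQUARE_BAD(a + b);
}

int square_of_sum(int a, int b)
{
    return SQUARE(a + b);
}
```

This also ties in with the Compilation slide further on: building with warnings at their most pedantic (for GCC, at least `-Wall -Wextra -Wpedantic`) makes the compiler report the two-statement macro when it is used as a single statement (GCC's `-Wmultistatement-macros`, enabled by `-Wall`), so the defect is caught at build time rather than found in the field.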

Pointers
- The use of pointers should be restricted
- Specifically, no more than one level of dereferencing is allowed
- Pointer dereference operations may not be hidden in macro definitions or inside typedef declarations
- Function pointers are not permitted

Compilation
- All code must be compiled, from the first day of development, with all compiler warnings enabled at the compiler’s most pedantic setting
- All code must compile with these settings without any warnings
- All code must be checked daily with at least one, but preferably more than one, state-of-the-art static source code analyzer and should pass the analyses with zero warnings

NASA Comment
- The rules act like the seatbelt in your car: initially they are perhaps a little uncomfortable, but after a while their use becomes second nature and not using them becomes unimaginable