Presentation is loading. Please wait.

Presentation is loading. Please wait.

David Svoboda & Aaron Ballman

Published byPaul Jefferson Modified over 7 years ago

Similar presentations

Presentation on theme: "David Svoboda & Aaron Ballman"— Presentation transcript:

1 David Svoboda & Aaron Ballman
Avoiding Insecure C++ David Svoboda & Aaron Ballman

2 Copyright 2016 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non- US Government use and distribution. This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at CERT® is a registered mark of Carnegie Mellon University. DM

3 Problem Statement & Focus
Writing secure C++ code is hard, existing coding standards are insufficient MISRA C++:2008 and JSF++ (2005) focus on safety-critical systems; outdated CERT rules focus on modern concerns: C++11 and C++14. Concurrency, lambdas, and other modern, high-impact C++ features C++ Core Guidelines (2015) are modern, but subset the language; e.g., ES.75: Avoid do statements I.11: Never transfer ownership by a raw pointer (T*) CERT rules do not subset the C++ language Encourages adoption within legacy code bases as well as new Enforceability of the rules is desirable. Demonstrate implementing checkers to help strengthen and enforce rules Do not replicate rules from the CERT C Coding Standard

4 Our Results: Rules Declarations and Initialization (DCL)
Expressions (EXP) Integers (INT) Containers (CTR) Characters and Strings (STR) Memory Management (MEM) Input Output (FIO) Exceptions and Error Handling (ERR) Object Oriented Programming (OOP) Concurrency (CON) Miscellaneous (MSC) All rules were heavily modified 2 new C rules, 79 total C rules applicable to C++ 14 new C++ rules, 83 total C++ rules

5 Our Results: Rule Organization
Title Introduction & Normative Text

6 Noncompliant Code Compliant Code Don’t try this at home!
Fixes noncompliant code.

7

8

9 Author Software Engineering Institute
THE END 4/23/2018

10 Our Process ISO WG21 (C++ Standards Committee) ISO C++14 Standard
C++ Books MITRE CVEs CERT Vulnerability Database

11 Our Results: Checkers Contributed 15 new checkers to the Clang open source compiler (the C/C++ frontend to the LLVM compiler infrastructure) Clang community has shown significant interest in CERT's contributions Community members are making their own contributions based on our rules Demonstrated a desire to make it easier to enable all checks for CERT rules 19 checkers for CERT rules in Clang (created by others). Independent of our 15 new checkers. The Clang community wants to build mapping for CERT guidelines (rather than C++ core guidelines or MISRA) There are 12 million registered users on Apple's app store Clang is used by 10s of millions of programmers to write 100s of millions of apps that are used by billions of users Primary compiler for MacOS, iOS, FreeBSD Supported by Microsoft Visual Studio, Linux

12 Risk Assessment Risk assessment is performed using failure mode, effects, and criticality analysis.

13 Our Results: Rules Modified 137 out of 162 C/C++ rules during FY16 Created 16 new rules; primarily on concurrency and other modern features Steadily increasing engagement with the CERT C++ Coding Standard

14 Secure Coding Checker Case Study: OOP11-CPP
Process which occupied 2-3 weeks, 3 man-days of effort. Operational Theory: it is never valid to copy construct a base class from the initializer-list of a move constructor. Idea originated from discussions during a WG21 meeting; seems to negatively impact security of code when unexpected code paths are taken. Initially developed as a rule with the normative restriction being: diagnose when a base class is copy-initialized within the move constructor of a derived class.

15 Secure Coding checker Case Study: OOP11-CPP
Implemented basic checker for Clang, ran on default target code base: LLVM family of products (~2M SLoc) Found a bug! (Fixed in commits/Week-of-Mon / html) Community discussion uncovered the fact that the rule text was too narrow: should also include class data members. Iterated normative restrictions to: diagnose when a base class or data member object is copy-initialized within the move constructor of a class.

16 Secure Coding checker Case Study: OOP11-CPP
Implemented updated checker, re-ran on LLVM family ~800 false positives 0 true positives (the one in LLVM had already been fixed) Community discussion uncovered the fact that the rule text was too strict: should take object triviality into account. Iterated normative restrictions to: diagnose when a base class or data member object of non-trivially-copyable type is copy-initialized within the move constructor of a class.

17 Secure Coding checker Case Study: OOP11-CPP
Implemented updated checker, re-ran on LLVM family 0 false positives 0 true positives Ran updated checker on other code bases (~14M SLoc total), found acceptable TP vs FP rate (0 FP, >=1 TP). Discussion with CERT and external collaborators determined rule should be downgraded to recommendation Did not pass the “would you fail a code audit” sniff test Performance issue more than security issue Google regularly pulls newly committed Clang checkers & builds their entire source code. And hollers at false positives.

Download ppt "David Svoboda & Aaron Ballman"

Similar presentations

ITU WORKSHOP ON STANDARDS AND INTELLECTUAL PROPERTY RIGHTS (IPR) ISSUES Session 5: Software copyright issues Dirk Weiler, Chairman of ETSI General Assembly.

ITU WORKSHOP ON STANDARDS AND INTELLECTUAL PROPERTY RIGHTS (IPR) ISSUES Session 5: Software copyright issues Dirk Weiler, Chairman of ETSI General Assembly.
The following 10 questions test your knowledge of Internet-based client management in Configuration Manager 2007. Configuration Manager 2007 Internet-Based.

The following 10 questions test your knowledge of Internet-based client management in Configuration Manager Configuration Manager 2007 Internet-Based.
The following 10 questions test your knowledge of desired configuration management in Configuration Manager 2007. Configuration Manager Desired Configuration.

The following 10 questions test your knowledge of desired configuration management in Configuration Manager Configuration Manager Desired Configuration.
Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.

Carnegie Mellon University Software Engineering Institute CERT® Knowledgebase Copyright © 1997 Carnegie Mellon University VU#14202 UNIX rlogin with stack.
© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.

© 2013 Carnegie Mellon University UFO: From Underapproximations to Overapproximations and Back! Arie Gurfinkel (SEI/CMU) with Aws Albarghouthi and Marsha.
© 2014 Microsoft Corporation. All rights reserved.

© 2014 Microsoft Corporation. All rights reserved.
© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.

© 2011 Carnegie Mellon University System of Systems V&V John B. Goodenough October 19, 2011.
© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.

© 2013 Carnegie Mellon University Academy for Software Engineering Education and Training, 2013 Session Architect: Tony Cowling Session Chair: Nancy Mead.
© 2007-2011 Carnegie Mellon University The CERT Insider Threat Center.

© Carnegie Mellon University The CERT Insider Threat Center.
Megan Houchin Safety Analysis Engineering Y-12 National Security Complex SAWG May 7 th, 2012.

Megan Houchin Safety Analysis Engineering Y-12 National Security Complex SAWG May 7 th, 2012.
Copyright and Alternatives to Copyright Why now? Rita S. Heimes Director, Technology Law Center University of Maine School of Law Rita S. Heimes Director,

Copyright and Alternatives to Copyright Why now? Rita S. Heimes Director, Technology Law Center University of Maine School of Law Rita S. Heimes Director,
© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.

© 2011 Carnegie Mellon University Should-Cost: A Use for Parametric Estimates Additional uses for estimation tools Presenters:Bob Ferguson (SEMA) Date:November.
Jul 2006 1The New Geant4 License J. Perl The New Geant4 License Makes clear the user’s wide- ranging freedom to use, extend or redistribute Geant4, even.

Jul The New Geant4 License J. Perl The New Geant4 License Makes clear the user’s wide- ranging freedom to use, extend or redistribute Geant4, even.
Jeremy W. Poling B&W Y-12 L.L.C. Can’t Decide Whether to Use a DATA Step or PROC SQL? You Can Have It Both Ways with the SQL Function!

Jeremy W. Poling B&W Y-12 L.L.C. Can’t Decide Whether to Use a DATA Step or PROC SQL? You Can Have It Both Ways with the SQL Function!
Varun Sharma Security Engineer | ACE Team | Microsoft Information Security

Varun Sharma Security Engineer | ACE Team | Microsoft Information Security
Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.

Ipek Ozkaya, COCOMO Forum © 2012 Carnegie Mellon University Affordability and the Value of Architecting Ipek Ozkaya Research, Technology.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication.
Four tips to mitigate Mobile fraud in the future.

Four tips to mitigate Mobile fraud in the future.
INTELLECTUAL PROPERTY COPYRIGHTS, PATENTS AND TRADE MARKS.

INTELLECTUAL PROPERTY COPYRIGHTS, PATENTS AND TRADE MARKS.
© 2010 Carnegie Mellon University Team Software Process.

© 2010 Carnegie Mellon University Team Software Process.

Similar presentations

Ads by Google