Douglas Walls' Weblog

Tuesday February 21, 2006

Catching security vulnerabilities in C code

Check out what Sun Studio C compiler has provided for detect coding practices that could lead to security vulnerabilities. Specifically, Sun added security vulnerability checking to lint, the C program checker.

Below is an overview of the flag to specify on the lint command to obtain security vulnerability checking. And here is a testimonial about how it is used in the Solaris sources.

-errsecurity=v

lint -errsecurity=core

Checks for source code constructs that are almost always either unsafe or difficult to verify. Checks at this level include:

• Use of variable format strings with the printf() and scanf()family of functions
• Use of unbounded string (%s) formats in scanf() functions
• Use of functions with no safe usage: gets(), cftime(),ascftime(), creat()
• Incorrect use of open() with O_CREAT
  

Consider source code that produces warnings at this level to be abug.  The source code in question should be changed. In all cases, straightforward safer alternatives are available.

lint -errsecurity=standard

Includes all checks from the core level plus constructs that may be safe, but have better alternatives available.  This level is recommended when checking newly-written code. Additional checks at this level include:

• Use of string copy functions other than strlcpy()
• Use of weak random number functions
• Use of unsafe functions to generate temporary files
• Use of fopen() to create files
• Use of functions that invoke the shell
  

Replace source code that produces warnings at this level with new or significantly modified code.  Balance addressing these warnings in legacy code against the risks of destabilizing the application.

lint -errsecurity=extended

Contains the most complete set of checks, including everything from the Core and Standard levels.  In addition, a number of warnings are generated about constructs that may be unsafe in some situations. The checks at this level are useful as an aid in reviewing code, but need not be used as a standard with which acceptable source code must comply.  Additional checks at this level include:

• Calls to getc() or fgetc() inside a loop
• Use of functions prone to pathname race conditions
• Use of the exec() family of functions
• Race conditions between stat() and other functions

Review source code that produces warnings at this level to determine ifthe potential security issue is present.