...
Two common mechanisms by which data is inadvertently written to disk are swapping and core dumps.
Many general-purpose operating systems implement a virtual-memory-management technique called paging (also called swapping) to transfer pages between main memory and an auxiliary store, such as a disk drive. This feature is typically implemented as a task running in the kernel of the operating system, and its operation is invisible to the running program.
...
```c
#include <stdlib.h>
/* ... */
char *secret;
secret = (char *)malloc(size+1);
if (!secret) {
  /* Handle error */
}
/* Perform operations using secret... */
free(secret);
secret = NULL;
```
...
To prevent the information from being written to a core dump, the size of core dumps that the program will generate should be set to 0. This can be accomplished by using setrlimit().
```c
#include <stdlib.h>
#include <sys/resource.h>
/* ... */
struct rlimit limit;
limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
  /* Handle error */
}
char *secret;
secret = (char *)malloc(size+1);
if (!secret) {
  /* Handle error */
}
/* Perform operations using secret... */
free(secret);
secret = NULL;
```
...
The added security from using mlock() is limited. (See the sidebar by Nick Stoughton.)
Processes with elevated privileges can disable paging by "locking" memory in place using the POSIX mlock() function [Open Group 2004]. This ensures that memory is never copied to the hard drive, where it may be retained indefinitely in nonvolatile storage.
This compliant solution not only disables the creation of core files, but also ensures that the buffer is not swapped to hard disk.
```c
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>
/* ... */
struct rlimit limit;
limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
  /* Handle error */
}
long pagesize = sysconf(_SC_PAGESIZE);
if (pagesize == -1) {
  /* Handle error */
}
char *secret_buf;
char *secret;
/* Over-allocate by one page so a page-aligned start fits inside the block */
secret_buf = (char *)malloc(size+1+pagesize);
if (!secret_buf) {
  /* Handle error */
}
/* mlock() may require that the address is a multiple of PAGESIZE */
secret = (char *)((((intptr_t)secret_buf + pagesize - 1) / pagesize) * pagesize);
if (mlock(secret, size+1) != 0) {
  /* Handle error */
}
/* Perform operations using secret... */
if (munlock(secret, size+1) != 0) {
  /* Handle error */
}
secret = NULL;
free(secret_buf);
secret_buf = NULL;
```
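As an added example (not code from the CERT page), the following C helpers with hypothetical names (disable_core_dumps, secret_buf_open, secret_buf_close, demo_secret_lifecycle) combine the two compliant solutions above: the core limit is read back with getrlimit() to confirm it took effect, the buffer is rounded up to a page boundary, and a refused mlock() is reported to the caller instead of being silently ignored.

```c
#include <stdint.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <sys/resource.h>
#include <unistd.h>
/* Zero the core-dump limit and read it back to confirm it took effect. */
int disable_core_dumps(void) {
  struct rlimit limit = { 0, 0 };
  if (setrlimit(RLIMIT_CORE, &limit) != 0) return -1;
  if (getrlimit(RLIMIT_CORE, &limit) != 0) return -1;
  return (limit.rlim_cur == 0 && limit.rlim_max == 0) ? 0 : -1;
}

/* raw is the malloc'd block; data is the page-aligned start handed out. */
struct secret_buf { char *raw; char *data; size_t len; int locked; };
/* 0: allocated and locked; 1: allocated but mlock() refused (typically ENOMEM
 * past RLIMIT_MEMLOCK or EPERM unprivileged), so the caller knows the bytes
 * may still reach swap; -1: allocation failure. */
int secret_buf_open(struct secret_buf *sb, size_t size) {
  long ps = sysconf(_SC_PAGESIZE);
  if (ps <= 0 || size >= SIZE_MAX - (size_t)ps) return -1;
  sb->len = size + 1;                      /* room for a terminator */
  sb->raw = malloc(sb->len + (size_t)ps);  /* slack for page alignment */
  if (!sb->raw) return -1;
  uintptr_t p = (uintptr_t)sb->raw, mask = (uintptr_t)ps - 1;
  sb->data = (char *)((p + mask) & ~mask); /* round up to a page boundary */
  sb->locked = (mlock(sb->data, sb->len) == 0);
  return sb->locked ? 0 : 1;
}

/* Unlock before freeing so the lock does not outlive the allocation. */
void secret_buf_close(struct secret_buf *sb) {
  if (sb->locked) munlock(sb->data, sb->len);
  free(sb->raw);
  sb->raw = sb->data = NULL; sb->len = 0; sb->locked = 0;
}

/* Whole lifecycle on a constructed 100-byte secret: returns the
 * secret_buf_open() code, or -1 if the limit or alignment check fails. */
int demo_secret_lifecycle(void) {
  struct secret_buf sb;
  if (disable_core_dumps() != 0) return -1;
  int r = secret_buf_open(&sb, 100);
  if (r < 0) return -1;
  if ((uintptr_t)sb.data % (uintptr_t)sysconf(_SC_PAGESIZE) != 0) r = -1;
  sb.data[0] = 's'; sb.data[100] = '\0';   /* stand-in for real use */
  secret_buf_close(&sb);
  return r;
}
```

A return of 1 from secret_buf_open() is the case the page's "Handle error" comment leaves open: the allocation succeeded but the data may still be paged out, so the caller must decide whether to continue.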
...
Windows processes running with elevated privileges can disable paging by locking memory in place using VirtualLock() [MSDN]:
```c
#include <windows.h>
#include <stdlib.h>
/* ... */
char *secret;
secret = (char *)malloc(size+1);
if (!secret) {
  /* Handle error */
}
/* VirtualLock() returns nonzero on success and zero on failure */
if (VirtualLock(secret, size+1) == 0) {
  /* Handle error */
}
/* Perform operations using secret... */
/* Release the lock before the memory is returned to the heap */
if (VirtualUnlock(secret, size+1) == 0) {
  /* Handle error */
}
free(secret);
secret = NULL;
```
...
CERT C++ Secure Coding Standard: MEM06-CPP. Ensure that sensitive data is not written out to disk
ISO/IEC TR 24772 "XZX Memory Locking"
MITRE CWE: CWE-591, "Sensitive Data Storage in Improperly Locked Memory"
MITRE CWE: CWE-528, "Information Leak Through Core Dump Files"
Bibliography
[Open Group 2004] mlock(), setrlimit()
[Wheeler 2003] Sections 7.14 and 11.4
...