abnormal termination [Open Group 2008]
Abnormal termination occurs when requested by the abort() function or when some signals are received. See also normal termination.

analyzer

Mechanism that diagnoses coding flaws in software programs.

NOTE Analyzers may include static analysis tools, tools within a compiler suite, or tools in other contexts.

async-signal-safe function [ISO/IEC 9945:2008]
A function that may be invoked, without restriction, from signal-catching functions. No function (defined in ISO/IEC 9945) is async-signal-safe unless explicitly described as such. See also asynchronous-safe.

...

conforming [ISO/IEC 9899:2011]
Conforming programs may depend on nonportable features of a conforming implementation.

data flow analysis
Tracking of value constraints along nonexcluded paths through the code.

NOTE 1 Tracking can be performed intraprocedurally, with various assumptions made about what happens at function call boundaries, or interprocedurally, where values are tracked flowing into function calls (directly or indirectly) as arguments and flowing back out either as return values or indirectly through arguments.

NOTE 2 Data flow analysis may or may not track values flowing into or out of the heap or take into account global variables. When this specification refers to values flowing, the key point is contrast with variables or expressions, because a given variable or expression may hold different values along different paths, and a given value may be held by multiple variables or expressions along a path.

data race [ISO/IEC 9899:2011]
The execution of a program contains a data race if it contains two conflicting actions in different threads, at least one of which is not atomic, and neither happens before the other. Any such data race results in undefined behavior.

denial-of-service attack
Also DoS attack. An attempt to make a computer resource unavailable to its intended users.

error tolerance [IEEE Std 610.12 1990]
The ability of a system or component to continue normal operation despite the presence of erroneous inputs.

exploit [Seacord 2005a]
Technique that takes advantage of a security vulnerability to violate an explicit or implicit security policy.

fail safe [IEEE Std 610.12 1990]
Pertaining to a system or component that automatically places itself in a safe operating mode in the event of a failure—for example, a traffic light that reverts to blinking red in all directions when normal operation fails.

fail soft [IEEE Std 610.12 1990]
Pertaining to a system or component that continues to provide partial operational capability in the event of certain failures—for example, a traffic light that continues to alternate between red and green if the yellow light fails.

fault tolerance [IEEE Std 610.12 1990]
The ability of a system or component to continue normal operation despite the presence of hardware or software faults.

freestanding environment [ISO/IEC 9899:2011]
An environment in which C program execution may take place without any benefit of an operating system. Program startup might occur at some function other than main(), complex types might not be implemented, and only certain minimal library facilities are guaranteed to be available.

function-like macro [ISO/IEC 9899:2011]
A #define preprocessing directive that defines an identifier immediately followed by zero or more parameters, the ellipsis (...), or a combination of the two, enclosed in parentheses, similar syntactically to a function call. Subsequent instances of the macro name followed by a parenthesized list of arguments in a translation unit are replaced by the replacement list of preprocessing tokens that constitute the remainder of the directive. See also object-like macro and unsafe function-like macro.

hosted environment [ISO/IEC 9899:2011]
An environment that is not freestanding. Program startup occurs at main(), complex types are implemented, and all C Standard library facilities are available.

implementation [ISO/IEC 9899:2011]
Particular set of software, running in a particular translation environment under particular control options, that performs translation of programs for, and supports execution of functions in, a particular execution environment.

implementation-defined behavior [ISO/IEC 9899:2011]
Unspecified behavior whereby each implementation documents how the choice is made.

in-band error indicator
A library function return value on error that can never be returned by a successful call to that library function.

incomplete type [ISO/IEC 9899:2011]
A type that describes an identifier but lacks information needed to determine the size of the identifier.

indeterminate value [ISO/IEC 9899:2011]
Either an unspecified value or a trap representation.

invalid pointer
A pointer that is not a valid pointer.

liveness
Every operation or method invocation executes to completion without interruptions, even if it goes against safety.

locale-specific behavior [ISO/IEC 9899:2011]
Behavior that depends on local conventions of nationality, culture, and language that each implementation documents.

lvalue [ISO/IEC 9899:2011]
An expression with an object type or an incomplete type other than void. The name lvalue comes originally from the assignment expression E1 = E2, in which the left operand E1 is required to be a (modifiable) lvalue. It is perhaps better considered as representing an object "locator value."

mitigation [Seacord 2005a]
Methods, techniques, processes, tools, or runtime libraries that can prevent or limit exploits against vulnerabilities.

mutilated value
Result of an operation performed on an untainted value that yields either an undefined result (such as the result of signed integer overflow), the result of right-shifting a negative number, implicit conversion to an integral type where the value cannot be represented in the destination type, or unsigned integer wrapping.

EXAMPLE
int j = INT_MAX + 1; // j is mutilated
char c = 1234; // c is mutilated if char is eight bits
unsigned int u = 0U - 1; // u is mutilated

NOTE A mutilated value can be just as dangerous as a tainted value because it can differ either in sign or magnitude from what the programmer expects.

nonpersistent signal handler
Signal handler running on an implementation that requires the program to again register the signal handler after occurrences of the signal to catch subsequent occurrences of that signal.

normal termination [Open Group 2008]
Normal termination occurs by a return from main(), when requested with the exit(), _exit(), or _Exit() functions, or when the last thread in the process terminates by returning from its start function, by calling the pthread_exit() function, or through cancellation. See also abnormal termination.

object-like macro [ISO/IEC 9899:2011]
A #define preprocessing directive that defines an identifier with no parentheses. Subsequent instances of the macro name in a translation unit are replaced by the replacement list of preprocessing tokens that constitute the remainder of the directive. See also function-like macro.

out-of-band error indicator
A library function return value used to indicate nothing but the error status.

out-of-domain value
One of a set of values that is not in the domain of a particular operator or function.

reentrant [Dowd 2006]
A function is reentrant if multiple instances of the same function can run in the same address space concurrently without creating the potential for inconsistent states.

reliability [IEEE Std 610.12 1990]
The ability of a system or component to perform its required functions under stated conditions for a specified period of time.

restricted sink
Operands and arguments whose domain is a subset of the domain described by their types.

NOTE 1 Undefined or unexpected behavior may occur if a tainted value is supplied as a value to a restricted sink.
NOTE 2 A diagnostic is required if a tainted value is supplied to a restricted sink.
NOTE 3 Different restricted sinks may impose different validity constraints for the same value; a given value can be tainted with respect to one restricted sink but sanitized (and consequently no longer tainted) with respect to a different restricted sink.
NOTE 4 Specific restricted sinks and requirements for sanitizing tainted values are described in specific rules dealing with taint analysis (see ISO/IEC TS 17961 (Draft): 5.8, 5.14, 5.24, 5.30, 5.39, and 5.46).

robustness [IEEE Std 610.12 1990]
The degree to which a system or component can function correctly in the presence of invalid inputs or stressful environmental conditions.

rvalue [ISO/IEC 9899:2011]
Value of an expression.

sanitize
Assure by testing or replacement that a tainted or other value conforms to the constraints imposed by one or more restricted sinks into which it may flow.

NOTE If the value does not conform, either the path is diverted to avoid using the value or a different, known-conforming value is substituted.

EXAMPLE Adding a null character to the end of a buffer before passing it as an argument to the strlen function.

security flaw [Seacord 2005a]
Defect that poses a potential security risk.

security policy [Internet Society 2000]
Set of rules and practices that specify or regulate how a system or organization provides security services to protect sensitive and critical system resources.

sequence point [ISO/IEC 9899:2011]
Evaluation of an expression may produce side effects. At specific points in the execution sequence called sequence points, all side effects of previous evaluations have completed, and no side effects of subsequent evaluations have yet taken place.

side effect [ISO/IEC 9899:2011]
Changes in the state of the execution environment achieved by accessing a volatile object, modifying an object, modifying a file, or calling a function that does any of those operations.

NOTE The IEC 60559 standard for binary floating-point arithmetic requires certain user-accessible status flags and control modes. Floating-point operations implicitly set the status flags; modes affect result values of floating-point operations. Implementations that support such floating-point state are required to regard changes to it as side effects. These are detailed in Annex F of the C Standard.

static analysis
Any process for assessing code without executing it [Chess 2007, p. 3].

strictly conforming [ISO/IEC 9899:2011]
A strictly conforming program is one that uses only those features of the language and library specified in the international standard. Strictly conforming programs are intended to be maximally portable among conforming implementations and cannot, for example, depend on implementation-defined behavior.

tainted source
External source of untrusted data.

NOTE Tainted sources include

    • parameters to the main function,
    • the returned values from localeconv, fgetc, getc, getchar, fgetwc, getwc, and getwchar, and
    • the strings produced by getenv, fscanf, vfscanf, vscanf, fgets, fread, fwscanf, vfwscanf, vwscanf, wscanf, and fgetws.

tainted value
Value derived from a tainted source that has not been sanitized.

target implementation
Implementation of the C programming language whose environmental limits and implementation-defined behavior are assumed by the analyzer during the analysis of a program.

trap representation [ISO/IEC 9899:2011]
Object representation that does not represent a value of the object type. Attempting to read the value of an object that has a trap representation other than by an expression that has a character type is undefined. Producing such a representation by a side effect that modifies all or any part of the object other than by an expression that has a character type is undefined.

undefined behavior (UB) [ISO/IEC 9899:2011]
Behavior, upon use of a nonportable or erroneous program construct or of erroneous data, for which the standard imposes no requirements. An example of undefined behavior is the behavior on integer overflow.

unexpected behavior
Well-defined behavior that may be unexpected or unanticipated by the programmer; incorrect programming assumptions.

unsafe function-like macro
A function-like macro whose expansion causes one or more of its arguments not to be evaluated exactly once.

unspecified behavior [ISO/IEC 9899:2011]
Behavior for which the standard provides two or more possibilities and imposes no further requirements on which is chosen in any instance.

unspecified value [ISO/IEC 9899:2011]
A valid value of the relevant type where the C Standard imposes no requirements on which value is chosen in any instance. An unspecified value cannot be a trap representation.

valid pointer
A pointer that refers to an element within an array or one past the last element of an array. For the purposes of this definition, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type (Cf. C Standard, section 6.5.8, paragraph 3 [ISO/IEC 9899:2011]). For the purposes of this definition, an object can be considered to be an array of a certain number of bytes; that number is the size of the object, as produced by the sizeof operator.

validation [IEC 61508-4]
Confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use are fulfilled.

verification [IEC 61508-4]
Confirmation by examination and provision of objective evidence that the requirements have been fulfilled.

vulnerability [Seacord 2005a]
A set of conditions that allows an attacker to violate an explicit or implicit security policy.



unsigned integer wrapping
computation involving unsigned operands whose result is reduced modulo the number that is one greater than the largest value that can be represented by the resulting type

untrusted data
data originating from outside of a trust boundary [ISO/IEC 11889-1:2009]

valid pointer
pointer that refers to an element within an array or one past the last element of an array

NOTE 1 For the purposes of this definition, a pointer to an object that is not an element of an array behaves the same as a pointer to the first element of an array of length one with the type of the object as its element type. (See C, sec. 6.5.8, paragraph 4.)
NOTE 2 For the purposes of this definition, an object can be considered to be an array of a certain number of bytes; that number is the size of the object, as produced by the sizeof operator. (See C, sec. 6.3.2.3, paragraph 7.)

...