Assertions are a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities (see MSC11-AC. Incorporate diagnostic tests using assertions). The runtime assert() macro has some limitations, however, in that it incurs a runtime overhead and, because it calls abort(), is only useful for identifying incorrect assumptions and is not intended for runtime error checking. Consequently, runtime assertions are generally unsuitable for server programs or embedded systems.
...
Static assertion is not available in C99, but the facility is being considered for inclusion in C1X by the ISO/IEC WG14 international standardization working group.
...
Noncompliant Code Example
This non-compliant noncompliant code uses the assert() macro to assert a property concerning a memory-mapped structure that is essential for the code that uses this structure to behave correctly.
...
While the use of the runtime assertion is better than nothing, it needs to be placed in a function and executed, typically removed from the actual structure to which it refers. The diagnostic only occurs at runtime, and only if the code path containing the assertion is executed.
Compliant Solution
For assertions involving only constant expressions, some implementations allow the use of a preprocessor conditional statement, as in this example:
...
Unfortunately, this solution is not portable. C99 does not require that implementations support sizeof, offsetof, or enumeration constants in #if conditions. According to Section 6.10.1, "Conditional inclusion," all identifiers in the expression that controls conditional inclusion either are or are not macro names. Some compilers allow these constructs in conditionals as an extension, but most do not.
Compliant Solution
This compliant solution mimics the behavior of static_assert in a portable manner.
...
Other uses of static assertion are shown in STR07-AC. Use TR 24731 for remediation of existing string manipulation code and FIO35-C. Use feof() and ferror() to detect end-of-file and file errors when sizeof(int) == sizeof(char).
Automated Detection
Compass/ROSE could detect violations of this rule merely by looking for calls to assert(), and if it is able to can evaluate the assertion (due to all values being known at compile time), then the code should use static-assert instead.
This assumes ROSE can recognize macro invocation.
Risk Assessment
Static assertion is a valuable diagnostic tool for finding and eliminating software defects that may result in vulnerabilities at compile time. The absence of static assertions, however, does not mean that code is incorrect.
Recommendation | Severity | Likelihood | Remediation Cost | Priority | Level |
|---|---|---|---|---|---|
DCL03-A C | low | unlikely | high | P1 | L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
References
| Wiki Markup |
|---|
\[[Becker 08|AA. C References#Becker 08]\] \[[Eckel 07|AA. C References#Eckel 07]\] \[[ISO/IEC 9899:1999|AA. C References#ISO/IEC 9899-1999]\] Section 6.10.1, "Conditional inclusion," and Section 6.10.3.3, "The ## operator," and Section 7.2.1, "Program diagnostics" \[[Klarer 04|AA. C References#Klarer 04]\] \[[Saks 05|AA. C References#Saks 05]\] \[[Saks 08|AA. C References#Saks 08]\] |
...
02. Declarations and Initialization (DCL) DCL04-A. Do not declare more than one variable per declaration