...

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Related Guidelines


Taxonomy | Taxonomy item | Relationship
CERT C Secure Coding Standard | ENV03-C. Sanitize the environment when invoking external programs | Prior to 2018-01-12: CERT: Unspecified Relationship
SEI CERT C++ Coding Standard | ENV02-CPP. Do not call system() if you do not need a command processor | Prior to 2018-01-12: CERT: Unspecified Relationship
CERT Oracle Secure Coding Standard for Java | IDS07-J. Sanitize untrusted data passed to the Runtime.exec() method | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TR 24772:2013 | Unquoted Search Path or Element [XZQ] | Prior to 2018-01-12: CERT: Unspecified Relationship
ISO/IEC TS 17961:2013 | Calling system [syscall] | Prior to 2018-01-12: CERT: Unspecified Relationship
MITRE CWE (CWE 2.11) | CWE-78, Improper Neutralization of Special Elements Used in an OS Command (aka "OS Command Injection"); CWE-88, Argument Injection or Modification | 2017-05-18: CERT: Partial overlap
MITRE CWE (CWE 2.11) | CWE-676 | 2017-05-18: CERT: Rule subset of CWE

CERT-CWE Mapping Notes


CWE-88 and ENV33-C

Intersection(CWE-88, ENV33-C) =

  • Allowing an argument to be injected during a call to system()

CWE-88 = Intersection(CWE-88, ENV33-C, list) where list =

  • Allowing an argument to be injected during a call to a command interpreter besides system()

ENV33-C = Intersection(CWE-88, ENV33-C, list) where list =

  • Other exploits to a call to system(), which include:
      • Altering the pathname of the command to invoke (argv[0])
      • Injection of a second command
      • Redirection of standard input, output, or error
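The three exploit classes just listed (altering argv[0], a second command, I/O redirection) all rely on a command processor parsing the argument string. As an added example, not code from this CERT page or the standard's own compliant solution, the noncompliant system() call below sits beside an execve()-based replacement; TOOL_PATH, run_argv, valid_filename and run_tool are names chosen here, and /bin/echo stands in for whatever tool a real program would invoke.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>
/* Hypothetical tool, as an absolute path: neither PATH nor untrusted data can
 * change which program runs (the argv[0] case above). */
#define TOOL_PATH "/bin/echo"

/* Noncompliant, shown for contrast and never called: system() hands the
 * string to a command processor, so "a.txt; echo INJECTED" runs a second
 * command and "a.txt > out.txt" redirects output. */
int noncompliant_run(const char *untrusted_name) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, TOOL_PATH " %s", untrusted_name);
    return system(cmd);                      /* violates ENV33-C */
}

/* Compliant core: fork and execve() an argument vector. No command processor
 * parses the data, so ';', '|', '<', '>' reach the program as plain characters
 * of one argument. Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[]) {
    char *const envp[] = { NULL };           /* minimal environment */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve(argv[0], argv, envp); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Defence in depth: accept only plain file-name characters, no traversal. */
int valid_filename(const char *name) {
    if (name == NULL || *name == '\0' || strlen(name) > 64) return 0;
    if (strstr(name, "..") != NULL) return 0;
    for (const char *p = name; *p != '\0'; ++p)
        if (!isalnum((unsigned char)*p) && *p != '.' && *p != '_' && *p != '-')
            return 0;
    return 1;
}

/* Validate, then run the fixed tool with the name as one literal argument;
 * returns -1 if the name is rejected, otherwise the tool's exit status. */
int run_tool(const char *untrusted_name) {
    if (!valid_filename(untrusted_name)) return -1;
    char *const argv[] = { TOOL_PATH, (char *)untrusted_name, NULL };
    return run_argv(argv);
}
```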

CWE-78 and ENV33-C

ENV33-C = Union(CWE-78, list), where list =

  • Invoking system() with completely trusted arguments

CWE-676 and ENV33-C

  • Independent(ENV33-C, CON33-C, STR31-C, EXP33-C, MSC30-C, ERR34-C)

  • ENV33-C forbids calling system().

  • CWE-676 does not indicate what functions are ‘potentially dangerous’; it only addresses strcpy() in its examples. Any C standard library function could be argued to be dangerous, and rebutted by saying that the function is safe when used properly. We will assume that CERT rules mapped to CWE-676 specify dangerous functions. So:

  • CWE-676 = Union(ENV33-C, list) where list =
      • Invocation of other dangerous functions, besides system().


...