...

Conformance of File Functions to Criteria for Temporary Files

Criterion                tmpnam (C)    tmpnam_s (Annex K)  tmpfile (C/POSIX)  tmpfile_s (Annex K)  mktemp (POSIX)  mkstemp (POSIX)
Unpredictable Name       Not portably  Yes                 Not portably       Yes                  Not portably    Not portably
Unique Name              Yes           Yes                 Yes                Yes                  Yes             Yes
Atomic open              No            No                  Yes                Yes                  No              Yes
Exclusive Access         Possible      Possible            No                 If supported by OS   Possible        If supported by OS
Appropriate Permissions  Possible      Possible            No                 If supported by OS   Possible        Not portably
File Removed             No            No                  Yes*               Yes*                 No              No

* If the program terminates abnormally, this behavior is implementation-defined.

...

In many older implementations, the name is a function of the process ID and the time, so an attacker can predict the name and create a decoy in advance. FreeBSD changed the mk*temp() family to eliminate the process ID component of the file name and replace the entire field with base-62 encoded randomness. For the typical template of six X's this raises the number of possible names to 62^6 (roughly 5.7 x 10^10), so even mktemp() with six X's is reasonably (probabilistically) secure against guessing except under frequent usage [Kennaway 2000].
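As an added example (not code from this page, from FreeBSD, or from any of the cited references), the C program below shows the arithmetic behind the six-X keyspace and the pattern a practitioner should use regardless of how good the name generator is: create a private 0700 directory with mkdtemp(), open the file inside it with mkstemp() (an atomic create-and-open), and verify the descriptor with fstat() rather than trusting the name. The base directory ($TMPDIR, falling back to /tmp), the template prefixes and the function names tmp_name_keyspace(), make_private_tmpfile() and demo() are the example's own choices, not anything the page prescribes.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Number of distinct names for a template with n_x trailing X's when each X is
 * drawn from the 62-character alphabet [A-Za-z0-9], as in the FreeBSD mk*temp()
 * change described above. For n_x == 6 this is 62^6 = 56,800,235,584. */
unsigned long long tmp_name_keyspace(unsigned n_x)
{
    unsigned long long n = 1;
    for (unsigned i = 0; i < n_x; i++)
        n *= 62ULL;
    return n;
}

/* Create a temporary file under dir with mkstemp(), then verify via fstat() that
 * the descriptor refers to a regular file owned by us, with mode 0600 and a
 * single link (i.e. not a decoy, symlink target or hard-linked file planted by
 * someone else). On success returns the open fd and copies the path into
 * path_out (cap bytes) so the caller can unlink() it; on failure returns -1. */
int make_private_tmpfile(const char *dir, char *path_out, size_t cap)
{
    char tmpl[512];
    if (snprintf(tmpl, sizeof tmpl, "%s/work.XXXXXX", dir) >= (int)sizeof tmpl)
        return -1;

    /* Historical mkstemp() implementations created the file with 0666; forcing
     * the umask makes the result 0600 even there. */
    mode_t old_mask = umask(077);
    int fd = mkstemp(tmpl);
    umask(old_mask);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1
        || st.st_uid != geteuid() || (st.st_mode & 0777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    if (path_out != NULL)
        snprintf(path_out, cap, "%s", tmpl);
    return fd;
}

/* Round trip: private 0700 directory via mkdtemp() (mkdir(2) fails if the name
 * already exists, so it cannot be hijacked by a pre-created decoy), file via
 * make_private_tmpfile(), write some constructed data, clean up.
 * Returns 0 on success, -1 on any failure. */
int demo(void)
{
    const char *base = getenv("TMPDIR");
    if (base == NULL || *base == '\0')
        base = "/tmp";
    char dir[512];
    if (snprintf(dir, sizeof dir, "%s/fio21-demo.XXXXXX", base) >= (int)sizeof dir)
        return -1;
    if (mkdtemp(dir) == NULL)
        return -1;

    int rc = -1;
    char path[512];
    int fd = make_private_tmpfile(dir, path, sizeof path);
    if (fd >= 0) {
        const char msg[] = "scratch data";   /* constructed sample content */
        if (write(fd, msg, sizeof msg - 1) == (ssize_t)(sizeof msg - 1))
            rc = 0;
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return rc;
}

int main(void)
{
    printf("names for six X's: %llu\n", tmp_name_keyspace(6));
    printf("private tmpfile round trip: %s\n", demo() == 0 ? "ok" : "FAILED");
    return 0;
}
```

The fstat() checks are what make the pattern robust even on an implementation whose mkstemp() has a weak name generator: a guessed name only helps an attacker if the program then trusts the path, and this code never reopens the file by name.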

Exceptions

FIO21-C-EX1: The Annex K tmpfile_s() function can be used if all the targeted implementations create temporary files in secure directories.

...

Insecure temporary file creation can lead to a program accessing unintended files and permission escalation on local systems.

Recommendation  Severity  Likelihood  Remediation Cost  Priority  Level
FIO21-C         Medium    Probable    Medium            P8        L2

Automated Detection

Tool                  Version  Checker                                     Description
CodeSonar                      BADFUNC.TEMP.*                              A collection of checks that report uses of library functions associated with temporary file vulnerabilities
                               BADFUNC.TMPFILE_S                           Use of tmpfile_s
                               BADFUNC.TMPNAM_S                            Use of tmpnam_s
Compass/ROSE                                                               Can detect violations of this recommendation. Specifically, ROSE reports use of tmpnam(), tmpnam_s(), tmpfile(), and mktemp()
Coverity              6.5      SECURE_TEMP                                 Fully implemented
Helix QAC                      C5016
LDRA tool suite                44 S                                        Enhanced enforcement
Parasoft C/C++test             CERT_C-FIO21-a                              Usage of functions prone to race is not allowed
PRQA QA-C                      warncall tmpnam, tmpfile, mktemp, tmpnam_s  Partially implemented
Polyspace Bug Finder           CERT C: Rec. FIO21-C                        Checks for non-secure temporary file (rec. partially covered)


Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this recommendation on the CERT website.

Related Guidelines

Bibliography

[HP 2003]
[IEEE Std 1003.1:2013]  XSH, System Interfaces: open
                        XSH, System Interfaces: mkdopen, mksopen
[ISO/IEC 9899:2011]     Subclause K.3.5.1.2, "The tmpnam_s Function"
                        Subclause 7.21.4.4, "The tmpnam Function"
[Kennaway 2000]
[Open Group 2004]       mkstemp()
                        mktemp()
                        open()
[Seacord 2013]          Chapter 3, "Pointer Subterfuge"
                        Chapter 8, "File I/O"
[Viega 2003]            Section 2.1, "Creating Files for Temporary Use"
[Wheeler 2003]          Chapter 7, "Structure Program Internals and Approach"

...