SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 32

changes.mady.by.user Gina DeCola

Saved on

compared with

New Version Current

changes.mady.by.user Anirban Gangopadhyay

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Developers should take steps to prevent sensitive information such as passwords, cryptographic keys, and other secrets from being inadvertently visible to other applications. This includes leaked. Preventive measures include attempting to prevent keep such data from being written to disk.

Two common mechanisms by which data is inadvertently be written to disk are swapping and core dumps.

Many general-purpose operating systems implement a virtual-memory-management technique called paging (also referred to as also called swapping) to transfer pages between main memory and an auxiliary store, such as a disk drive. This feature is typically implemented as a task running in the kernel of the operating system, and its operation is invisible to the running program.

A core dump is the recorded state of process memory written to disk for later examination by a debugger. Core dumps are typically generated when a program has terminated abnormally, either through an error resulting in a crash or by receiving a signal that causes such a termination.

The POSIX standard system call for controlling resource limits, setrlimit(), can be used to disable the creation of core dumps. This , which prevents an attacker with the ability to halt the program from gaining access to sensitive data that might be contained in the dump.

...

In this noncompliant code example, sensitive information generated by create_secret() is supposedly stored in the dynamically allocated buffer, secret, which is processed and eventually deallocated cleared by a call to freememset_s(). The memory page containing secret can be swapped out to disk. If the program crashes before the call to freememset_s() completes, the information stored in secret may be stored in the core dump.

Code Block
bgColor#FFcccc
langc

char *secret;

secret = (char *)malloc(size+1);
if (!secret) {
  /* Handle error */
}

/* Perform operations using secret... */

memset_s(secret, '\0', size+1);
free(secret);
secret = NULL;

...

To prevent the information from being written to a core dump, the size of core dumps that the program will generate should be set to 0 . This can be accomplished by using setrlimit().:

Code Block
bgColor#ccccff
langc

#include <sys/resource.h>
/* ... */
struct rlimit limit;
char *secret;

limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
    /* Handle error */
}

/* Create or otherwise obtain some sensitive data */char *secret;

secret = (char *)malloc(size+1);
if (fgets(secret, sizeof(secret), stdin) == EOF!secret) {
  /* Handle error */
}

/* Perform operations using secret... */

memset_s(secret, '\0', size+1);
free(secret);
secret = NULL;

Compliant Solution (Privileged Process, POSIX)

The added security from using mlock() is limited. (See the sidebar by Nick Stoughton.)

Processes with elevated privileges can disable paging by " locking " memory in place using either the POSIX mlock() (POSIX) or [Open Group 04]. This function [IEEE Std 1003.1:2013]. Disabling paging ensures that memory is never copied to the hard drive, where it may be retained indefinitely in nonvolatile storage.

This compliant solution not only disables the creation of core files , but also ensures that the buffer is not swapped to hard disk.:

Code Block
bgColor#CCCCFF
langc

#include <sys/resource.h>
/* ... */
struct rlimit limit;
char *secret;

limit.rlim_cur = 0;
limit.rlim_max = 0;
if (setrlimit(RLIMIT_CORE, &limit) != 0) {
    /* Handle error */
}

long pagesize = sysconf(_SC_PAGESIZE);
if (pagesize == -1) {
  /* Handle error */
}

char *secret_buf;
char *secret;

secret_buf = (char *)malloc(size+1+pagesize);
if (!secret_buf) {
  /* Handle error */
}

/* mlock(secret, sizeof(secret)) may require that address be a multiple of PAGESIZE */
secret = (char *)((((intptr_t)secret_buf + pagesize - 1) / pagesize) * pagesize);

if (mlock(secret, size+1) != 0) {
    /* Handle error */
}

/* CreatePerform oroperations otherwise obtain some sensitive data using secret... */

if (fgetsmunlock(secret, sizeof(secret), stdin) == EOFsize+1) != 0) {
    /* Handle error */
}
secret = NULL;

memset_s(secret_buf, '\0', size+1+pagesize);
free(secret_buf);
secret_buf = NULL;

Compliant Solution (

...

Windows)

Windows processes running with elevated privileges can disable paging by locking memory in place using VirtualLock() (Windows) [MSDN]:

Code Block
bgColor#CCCCFF
langc

char *secret;

ifsecret = (VirtualLock(secret, sizeof(secret)) != 0char *)VirtualAlloc(0, size + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
if (!secret) {
  /* Handle error */
}

if (!VirtualLock(secret, size+1)) {
    /* Handle error */
}

/* CreatePerform oroperations otherwise obtain some sensitive data using secret... */
if (fgets
SecureZeroMemory(secret, sizeof size + 1);
VirtualUnlock(secret), stdin)size ==+ EOF1) {
  /* Handle error */
}
;
VirtualFree(secret, 0, MEM_RELEASE);
secret = NULL;

Note that locking pages of memory on Windows may fail because the operating system allows the process to lock only a small number of pages. If an application requires additional locked pages, the SetProcessWorkingSetSize() API can be used to increase the application's minimum working set size. Locking pages has severe performance consequences and should be used sparingly.

Risk Assessment

Writing sensitive data to disk preserves it for future retrieval by an attacker, who may even be able to bypass the access restrictions of the operating system by using a disk maintenance program.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MEM06-C

medium

Medium

unlikely

Unlikely

high

High

P2

L3

Automated Detection

Tool

Version

Checker

Description

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rec. MEM06-C

Checks for sensitive data printed out (rec. partially covered)

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

References

Wiki Markup
\[[ISO/IEC PDTR 24772|AA. C References#ISO/IEC PDTR 24772]\] "XZX Memory Locking"
\[[MITRE 07|AA. C References#MITRE 07]\] [CWE ID 591|http://cwe.mitre.org/data/definitions/591.html], "Sensitive Data Storage in Improperly Locked Memory," and [CWE ID 528|http://cwe.mitre.org/data/definitions/528.html], "Information Leak Through Core Dump Files"
\[[Open Group 04|AA. C References#AA. CReferences-OpenGroup04]\]{{mlock(), setrlimit()}}
\[[Wheeler 03|AA. C References#Wheeler 03]\] Sections 7.14 and 11.4

Related Guidelines

SEI CERT C++ Coding StandardVOID MEM06-CPP. Ensure that sensitive data is not written out to disk
ISO/IEC TR 24772:2013Memory Locking [XZX]
MITRE CWECWE-591, Sensitive data storage in improperly locked memory
CWE-528, Information leak through core dump files

Bibliography

[IEEE Std 1003.1:2013]XSH, System Interface, mlock
XSH, System Interface, setrlimit
[Wheeler 2003]Section 7.14
Section 11.4


...

Image Added Image Added Image AddedImage Removed      08. Memory Management (MEM)       MEM07-C. Ensure that the arguments to calloc() when multiplied can be represented as a size_t