Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Hard coding sensitive information also increases the need to manage and accommodate changes to the code. For example, changing a hard-coded password in a deployed program may require distribution of a patch [Chess 2007].

Noncompliant Code Example (Hard-Coded Database Password)

The user name and password fields in the SQL connection request are hard coded in this noncompliant code example:This noncompliant code example must authenticate to a remote service with a code, using the authenticate() function declared below. It passes the authentication code to this function as a string literal.

Code Block
bgColor#FFcccc
languagecpp
/* Returns nonzero if authenticated */
int authenticate(const char* code);

int main() public final Connection getConnection() throws SQLException {
  return DriverManager.getConnection(
  if (!authenticate("correct code")) {
    "jdbc:mysql://localhost/dbName", 
      "username", "password");
}


...

printf("Authentication error\n");
    return -1;
  }

  printf("Authentication successful\n");
  // ...Work with system...
  return 0;
}

The authentication code exists in the program's binary executable and can be easily discovered.

Implementation Details (Unix)

Many Unix platforms provide a strings utility that prints out all of the ASCII strings in a binary file. Here is the output of running strings on this program, on an Ubuntu 16.04 platform:

Code Block
languagebash
% strings a.out
...
AUATL
[]A\A]A^A_
correct code
Authentication error
Authentication successful
...
%

Compliant Solution

This compliant solution reads requires the user name and password from a configuration file located in a secure directory:to supply the authentication code, and securely erases it when done, using memset_s(), an optional function provided by C11's Annex K.


Code Block
bgColor#ccccff
public final Connection getConnection() throws SQLException {
  String username;
  String password;
  // Username and password are read at runtime from a secure config file
  return DriverManager.getConnection(
      "jdbc:mysql://localhost/dbName", username, password);
}

It is also permissible to prompt the user for the user name and password at runtime.

languagecpp
/* Returns nonzero if authenticated */
int authenticate(const char* code);

int main() {
#define CODE_LEN 50
  char code[CODE_LEN];
  printf("Please enter your authentication code:\n");
  fgets(code, sizeof(code), stdin);
  int flag = authenticate(code);
  memset_s(code, sizeof(code), 0, sizeof(code));
  if (!flag) {
    printf("Access denied\n");
    return -1;
  }
  printf("Access granted\n");
  // ...Work with system...
  return 0;
}

Alternatively, the program could read the authentication code from a file, letting file system security protect the file and the code from untrusted usersWhen possible, sensitive information such as passwords should be stored in character arrays rather than strings because the Java Virtual Machine may retain strings long after they are no longer needed. However, this example uses strings because DriverManager.getConnection() requires them.

Risk Assessment

Hard coding sensitive information exposes that information to attackers. The severity of this rule can vary depending on the kind of information that is disclosed. Frequently, the information disclosed is password or key information, which can lead to remote exploitation. Consequently, a high severity rating is given but may be adjusted downwards according to the nature of the sensitive data. 

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC31MSC41-C

High

Probable

Medium

P12

L1

Automated Detection

ToolVersionCheckerDescription
Astrée
Include Page
Astrée_V
Astrée_V


Supported
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V
HARDCODED.AUTH
HARDCODED.DNS
HARDCODED.KEY
HARDCODED.SALT
HARDCODED.SEED
Hardcoded Authentication
Hardcoded DNS Name
Hardcoded Crypto Key
Hardcoded Crypto Salt
Hardcoded Seed in PRNG
Helix QAC

Include Page
Helix QAC_V
Helix QAC_V

C3122

C++3842


Klocwork
Include Page
Klocwork_V
Klocwork_V

HCC
HCC.PWD
HCC.USER
CXX.SV.PWD.PLAIN
CXX.SV.PWD.PLAIN.LENGTH
CXX.SV.PWD.PLAIN.ZERO


Parasoft C/C++test

Include Page
Parasoft_V
Parasoft_V

CERT_C-MSC41-a

Do not hard code string literals

PC-lint Plus

Include Page
PC-lint Plus_V
PC-lint Plus_V

2460

Assistance provided: reports when a literal is provided as an argument to a function parameter with the ‘noliteral’ argument Semantic; several Windows API functions are marked as such and the ‘-sem’ option can apply it to other functions as appropriate

Polyspace Bug Finder

Include Page
Polyspace Bug Finder_V
Polyspace Bug Finder_V

CERT C: Rule MSC41-CChecks for hard coded sensitive data (rule partially covered)
RuleChecker

Include Page
RuleChecker_V
RuleChecker_V


Supported

Related Guidelines

javaMSC03-J. Never hard code sensitive information

ISO/IEC TR 24772:2010

Hard-coded Password [XYP]

MITRE CWE

CWE-259, Use of Hard-Coded Password
CWE-798, Use of Hard-Coded Credentials

Bibliography

[Chess 2007]

Section 11.2, "Outbound Passwords: Keep Passwords out of Source Code"

[Fortify 2006]

"Unsafe Mobile Code: Database Access"

...


...

MSC40-C. Do not violate constraints Rule 48. Miscellaneous (MSC) Rule 50. POSIX (POS)