The purpose of ISO/IEC TS 17961 [ISO/IEC TS 17961:2013] is to establish a baseline set of requirements for analyzers, including static analysis tools and C language compilers, to be applied by vendors that wish to diagnose insecure code beyond the requirements of the language standard. All rules are meant to be enforceable by static analysis. The criterion for selecting these rules is that analyzers that implement them must be able to effectively discover secure coding errors without generating excessive false positives.
To date, the application of static analysis to security has been performed in an ad hoc manner by different vendors, resulting in nonuniform coverage of significant security issues. ISO/IEC TS 17961 enumerates secure coding rules and requires analysis engines to diagnose violations of these rules as a matter of conformance to the specification [ISO/IEC TS 17961:2013]. These rules may be extended in an implementation-dependent manner, which provides a minimum coverage guarantee to customers of any and all conforming static analysis implementations.
...
ISO/IEC TS 17961 Compared with Other Standards
Coding Standard | C Standard | Security Standard | Safety Standard | International Standard | Whole Language |
---|---|---|---|---|---|
CWE | None/all | Yes | No | No | N/A |
MISRA C2 | C89 | No | Yes | No | No |
MISRA C3 | C99 | No | Yes | No | No |
CERT C99 | C99 | Yes | No | No | Yes |
CERT C11 | C11 | Yes | No | No | Yes |
ISO/IEC TS 17961 | C11 | Yes | No | Yes | Yes |
A conforming analyzer must be capable of producing a diagnostic for each distinct rule in the technical specification upon detecting a violation of that rule in isolation. If the same program text violates multiple rules simultaneously, a conforming analyzer may aggregate diagnostics but must produce at least one diagnostic. The diagnostic message might be of the form
...
ISO/IEC TS 17961 does not require an analyzer to produce a diagnostic message for any violation of any syntax rule or constraint specified by the C Standard [ISO/IEC TS 17961:2013]. Conformance is defined only with respect to source code that is visible to the analyzer. Binary-only libraries, and calls to them, are outside the scope of these rules.
An interesting aspect of the technical specification is its portability assumptions, known within the group as the “San Francisco rule” because the assumptions evolved at a meeting hosted by Coverity at its headquarters. The San Francisco rule states that a conforming analyzer must be able to diagnose violations of guidelines for at least one C implementation, but it does not need to diagnose a rule violation if the result is documented for the target implementation and does not cause a security flaw. Variations in quality of implementation permit an analyzer to produce diagnostics concerning portability issues. For example, the following program fragment can produce a diagnostic, such as the mismatch between `%d` and `long int`:

```c
long i;
printf ("i = %d", i); /* %d expects an int argument, but i has type long */
```

This mismatch might not be a problem for all target implementations, but it is a portability problem because not all implementations have the same representation for `int` and `long`.
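The following program is an added example, not code from the technical specification or from CERT, showing what the San Francisco rule means in practice for the fragment above: on an implementation where `int` and `long` share a representation the mismatch is a documented, benign behaviour, while on an LP64 target the call reads its argument with the wrong type. The function names `int_long_same_representation`, `format_long` and `format_long_as_int` are this example's own; the conforming fix is simply to make the conversion specifier match the argument type, and where `%d` is genuinely required the value is narrowed explicitly with a range check instead.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Does a long passed for a %d conversion have the same representation as
 * an int on this implementation?  When it does, the mismatch in the text's
 * fragment is a documented, non-exploitable behaviour of that target and a
 * conforming analyzer is not required to diagnose it; when it does not
 * (e.g. LP64, where long is 64 bits), the call reads the argument with the
 * wrong type.  An analyzer may still diagnose it as a portability issue. */
bool int_long_same_representation(void) {
    return sizeof(int) == sizeof(long);
}

/* Portable fix: make the conversion specifier match the argument type.
 * Returns the number of characters that would have been written. */
int format_long(char *buf, size_t n, long i) {
    return snprintf(buf, n, "i = %ld", i);
}

/* If %d really is required (say, a fixed external record layout), narrow
 * explicitly and refuse values that do not fit in an int rather than
 * letting the format mismatch silently misread the argument. */
bool format_long_as_int(char *buf, size_t n, long i) {
    if (i < INT_MIN || i > INT_MAX) {
        return false;
    }
    return snprintf(buf, n, "i = %d", (int)i) >= 0;
}

int main(void) {
    char buf[64];

    format_long(buf, sizeof buf, LONG_MAX);
    printf("%s\n", buf);

    if (!format_long_as_int(buf, sizeof buf, LONG_MAX)) {
        printf("LONG_MAX does not fit in an int on this implementation\n");
    }

    printf("int and long have the same size: %s\n",
           int_long_same_representation() ? "yes" : "no");
    return 0;
}
```

On an LP64 system (typical 64-bit Linux) `format_long_as_int` rejects `LONG_MAX`, which is exactly the case where the original `%d` call would be a real defect rather than a documented quirk; on an ILP32 target it succeeds, matching the rule's allowance for not diagnosing a mismatch that cannot cause a security flaw there.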
In addition to other goals already stated, the CERT C Coding Standard has been updated for consistency with ISO/IEC TS 17961. Although the documents serve different audiences, consistency between the documents should improve the ability of developers to use ISO/IEC TS 17961–conforming analyzers to find violations of rules from this coding standard. The Secure Coding Validation Suite (https://github.com/SEI-CERT/scvs) is a set of tests developed by CERT to validate the rules defined in ISO/IEC TS 17961. These tests are based on the examples in this technical specification and are distributed with a BSD-style license.