These checkers enforce the CERT C Secure Coding rules, and are freely available.
Running the ROSE CERT C Checkers
The ROSE CERT C Checkers are built into a program called 'diagnose'.
To run the diagnose program on a C or C++ file, simply pass the file as an argument:
    diagnose hello.c
If the C file violates any secure coding rules, diagnose prints them out. If diagnose cannot find any violations, it prints nothing.
Diagnose takes the same arguments as gcc, so if your code requires special compiler flags, such as the locations of include files, you can pass them to diagnose exactly as you would to gcc. Likewise, if you have a makefile that describes how your program is built, you can run ROSE on your source code merely by instructing your make command to use diagnose as a drop-in replacement for gcc. One way to do this is:
    make CC=diagnose
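As an added example (not code from this page or from the Rosecheckers project), a POSIX shell wrapper that runs diagnose the way the text describes: gcc-style flags are passed through a CFLAGS variable, a file that produces no output is treated as clean, and the number of files with findings becomes the exit status so the check can gate a build. It assumes diagnose is on PATH (or named via a DIAGNOSE variable) and that its reports appear on stdout or stderr.

```shell
#!/bin/sh
# Added example, not code from the CERT page or the Rosecheckers project.
# Assumptions: 'diagnose' is on PATH (override with DIAGNOSE=/path/to/diagnose)
# and CFLAGS carries the gcc-style flags (-I, -D, ...) the sources need.
DIAGNOSE="${DIAGNOSE:-diagnose}"
CFLAGS="${CFLAGS:-}"

# diagnose_file FILE
# Runs diagnose on one source file. diagnose prints nothing for a clean file,
# so any output (stdout or stderr) is treated as a finding: the report is
# echoed and the function returns 1; a clean file returns 0.
diagnose_file() {
    # $CFLAGS is intentionally unquoted so "-I include -DDEBUG" splits into
    # separate arguments, exactly as it would on a gcc command line.
    # '|| true' keeps a non-zero exit from diagnose itself from aborting the
    # capture under 'set -e'; any error message still surfaces as output.
    out=$("$DIAGNOSE" $CFLAGS "$1" 2>&1 || true)
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

# diagnose_files FILE...
# Checks each file in turn and returns the number of files with findings,
# so 'diagnose_files src/*.c || exit 1' gates a build step. The shell
# truncates a return value to the range 0-255.
diagnose_files() {
    bad=0
    for f in "$@"; do
        diagnose_file "$f" || bad=$((bad + 1))
    done
    echo "$bad of $# file(s) reported violations"
    return "$bad"
}

# Usage: CFLAGS='-I include' diagnose_files src/*.c
```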
There are three ways to run the ROSE CERT C checkers. They are available on CMU's Andrew system. In addition you can run them using a downloadable VM. Finally, you can build the CERT checkers, as well as ROSE itself, from source.
ROSE CERT C Checkers on Andrew
To run these checkers, you must have an Andrew account at CMU. The diagnose program is available in:
    /afs/andrew/usr/svoboda/public/c_rules
To run diagnose, you simply add this directory to your PATH environment variable.
ROSE CERT C Checkers on a Virtual Machine
To run these checkers, you must use a virtualization system such as VMWare. Contact David Svoboda in order to download the virtual machine containing the ROSE CERT C Checkers, as well as the VM's login userid and password.
You will need 7zip to uncompress the VM file, which is freely available from sourceforge.com. The command will look like this:
    mkdir rosebud
    cd rosebud
    7zr x ../rosebud.7z
Once extracted, the rosebud directory is a VM image that can be powered on by VMWare. After logging in, you'll need to enter your login password again when the system asks for a sudo password. This is so the VM image can generate a unique SSH key.
After that, you should be able to access the VM from your host machine remotely using SSH. You'll need the VM's IP address for this, which you can learn with this command from the VM:
    ip addr | grep /24
If it provides multiple IP addresses, select the one that begins with 192.168.
In the VM's home directory, there is a README file explaining what software is available there. It includes both ROSE and the CERT Secure Coding rule checkers.
Building ROSE and the CERT C Checkers
The source code was developed by the CERT Secure Coding Group, and is freely available.
This code has been developed and tested on an i386 workstation running Linux (2.6.16.60) and g++ (3.4.4). It depends on ROSE 0.9.3a, which is available for free download from http://rosecompiler.org
ROSE 0.9.3a also depends on the BOOST C++ library, version 1.3.5, which is available for free download from http://www.boost.org/
Both Boost and ROSE contain build instructions.
Building Diagnose
To build the diagnose program from the CERT C Checkers, first make sure that the ROSE environment variable points to the build directory of ROSE:
    export ROSE=/usr/local/rose/compileTree
Then type:
    make pgms
To test diagnose on the code samples from the CERT C Secure Coding Rules:
    make tests
To build API documentation pages, you must have doxygen installed:
    make doc
To clean documentation pages and build files:
    make clean
The checkers are available from the Rosecheckers Github project. For questions regarding the CERT ROSE checkers, contact info@sei.cmu.edu.
Getting Rosecheckers code from source or container
You can get the rosecheckers code from source or a container from Rosecheckers Github project.
Follow the instructions on the Readme of that project site.
Secure Coding Rules Enforced by Rosecheckers
The SEI CERT C Secure Coding Standard (the C Secure Coding Rules) is freely available.
Here is a breakdown of how thoroughly Rosecheckers enforces the C Secure Coding Rules and Recommendations:
Category | Count | Description
---|---|---
Complete | 57 | Rosecheckers catches all violations of these rules
Partial | 45 | Rosecheckers catches some, but not all, violations of these rules
False-positive | 9 | These rules could be checked by Rosecheckers, but the checks will also report some false positives
Potential | 29 | These rules are not checked by Rosecheckers, but could be
Undoable | 32 | These rules could not be checked by Rosecheckers due to various limitations in ROSE
Unenforceable | 48 | These rules could not be checked by any tool that relies purely on unaided static analysis
TOTAL | 220 |