There are two basic approaches for managing strings in C programs: the first is to maintain strings in statically allocated arrays; the second is to dynamically allocate memory as required. Each approach has advantages and disadvantages. However, it generally makes sense to select a single approach to managing strings and apply it consistently across a project. Otherwise, the decision is left to individual programmers who are likely to make different, inconsistent choices.
Statically allocated strings assume a fixed size character array, meaning that it is impossible to add data after the buffer is filled. Because the static approach discards excess data, actual program data can be lost. Consequently, the resulting string must be fully validated.
Dynamically allocated buffers dynamically resize as additional memory is required. Dynamic approaches scale better and do not discard excess data. The major disadvantage is that, if inputs are not limited, they can exhaust memory on a machine and, consequently, be used in denial-of-service attacks.
Dynamic allocation is often disallowed in safety critical systems. For example, the MISRA standard requires that "Dynamic heap memory allocation shall not be used" [MISRA 2004]. Some safety critical systems can take advantage of dynamic memory allocation during initialization but not during operations. For example, avionics software may dynamically allocate memory while initializing the aircraft, but not during flight.
There are a number of existing libraries available for managing string data; the library selected depends on the approach adopted for managing null-terminated byte strings. The functions defined by C99, Section 7.21, "String handling <string.h
>" [ISO/IEC 9899:1999] are primarily intended for managing statically allocated strings. However, these functions are problematic because many of them are insufficiently bounded. Consequently, this standard recommends use of the ISO/IEC TR 24731-1 [ISO/IEC TR 24731-1:2007] functions for use with statically allocated arrays. (See recommendation STR07-C. Use the bounds-checking interfaces for remediation of existing string manipulation code.) These functions provide bounds-checking interfaces to protect against buffer overflows and other runtime constraint violations.
ISO/IEC TR 24731-2 (in progress) offers another approach, supplying functions that allocate enough memory for their results [ISO/IEC TR 24731-2]. ISO/IEC TR 24731-2 provides an API that dynamically allocates the results of string functions, as needed. Almost all of the APIs in this TR are also in a current International Standard. For example, TR 24731-2 includes POSIX functions, such as strdup()
[ISO/IEC 9945:2003], as well as functions from the Linux Standard Base Core Specification such as asprintf()
[ISO/IEC 23360-1:2006].
Risk Assessment
Failing to adopt a consistent plan for managing strings within an application can lead to inconsistent decisions, which may make it difficult to ensure system properties, such as adhering to safety requirements.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
STR01-C |
low |
unlikely |
high |
P1 |
L3 |
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Related Guidelines
CERT C++ Secure Coding Standard: STR01-CPP. Adopt and implement a consistent plan for managing strings
ISO/IEC 9899:1999 Section 7.21, "String handling <string.h
>"
MISRA Rule 20.4
Bibliography
[CERT 2006c]
[Seacord 2005a] Chapter 2, "Strings"