Abstract data types are not restricted to object-oriented languages like C++ and Java and should be created and used in C language programs as well. Abstract data types are most effective when used with private (opaque) data types and information hiding.
Noncompliant Code Example
This noncompliant code example is based on the managed string library developed by CERT [[Burch 06]]. In this example, the managed string type, and functions that operate on this type, are defined in the string_m.h
header file as follows:
struct string_mx { size_t size; size_t maxsize; unsigned char strtype; char *cstr; }; typedef struct string_mx *string_m; /* Function declarations */ extern errno_t strcpy_m(string_m s1, const string_m s2); extern errno_t strcat_m(string_m s1, const string_m s2) ; /* etc. */
The implementation of the string_m
type is fully visible to the user of the data type after including the string_m.h
file. Programmers are consequently more likely to directly manipulate the fields within the structure, violating the software engineering principles of information hiding and data encapsulation and increasing the probability of developing incorrect or nonportable code.
Compliant Solution
This compliant solution reimplements the string_m
type as a private type, hiding the implementation of the data type from the user of the managed string library. To accomplish this, the developer of the private data type creates two header files: an external "string_m.h"
header file that is included by the user of the data type and an internal file that is included only in files that implement the managed string abstract data type.
In the external string_m.h
file, the string_m
type is declared as a pointer to a struct string_mx
, which in turn is declared as an incomplete type.
struct string_mx; typedef struct string_mx *string_m;
In the internal header file, struct string_mx
is fully defined but not visible to a user of the data abstraction.
struct string_mx { size_t size; size_t maxsize; unsigned char strtype; char *cstr; }; /* Function declarations */ extern errno_t strcpy_m(string_m s1, const string_m s2); extern errno_t strcat_m(string_m s1, const string_m s2) ; /* etc. */
Modules that implement the abstract data type include both the external and internal definitions, while users of the data abstraction include only the external string_m.h
file. This allows the implementation of the string_m
data type to remain private.
Risk Assessment
The use of opaque abstract data types, while not essential to secure programming, can significantly reduce the number of defects and vulnerabilities introduced in code, particularly during ongoing maintenance.
Recommendation |
Severity |
Likelihood |
Remediation Cost |
Priority |
Level |
---|---|---|---|---|---|
DCL12-C |
low |
unlikely |
high |
P1 |
L3 |
Automated Detection
The LDRA tool suite V 7.6.0 can detect violations of this recommendation.
Related Vulnerabilities
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Other Languages
This rule appears in the C++ Secure Coding Standard as DCL12-CPP. Implement abstract data types using opaque types.
References
[[Burch 06]]
[[ISO/IEC 9899:1999]] Section 6.2.5, "Types"
DCL11-C. Ensure type consistency when using variadic functions 02. Declarations and Initialization (DCL)