Skip to content

An embedded-focused banned.h / strsafe variant intended to assist for Secure Software Development Lifecycle for Embedded Developers

License

Notifications You must be signed in to change notification settings

riverloopsec/banned-h-embedded

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
 
 
 
 
 
 
 
 

Repository files navigation

Introduction

Developers on embedded systems can include this header file to help them and their colleagues:

  • avoid functions which are known to commonly lead to vulnerabilities
  • utilize functions designed to help developers be more explicit about their desired behavior
  • utilize functions that return data what the function did in edge cases
  • by improving buffer handling during development, reduce time spent reviewing/fixing based on alerts from static code analysis tools

Introducing safe libraries to development is nothing new, as was covered in the 2007 presentation on SDL for Windows Vista (slide 7). However, these basic libraries have been shown to provide significant value - as discussed later in the deck, 41% of bugs that Microsoft knew they removed in Vista early on were due to removal of 'banned' API function calls.

The repository includes some example programs that demonstrate unsafe coding that can be improved or warned against using this header. Below is a brief example of how to build and run the example programs.

Example

Looking at the examples should help a developer understand the usage of this header.

To build them:

cd examples
clear; ./build.sh

If the header isn't used, the program may missbehave or crash:

$ ./overflow_insecure
Original other value= 2
Source buffer content= 123456789
Abort trap: 6

In the example when the library is set to warn, via EMBD_STRSAFE_WARN_ONLY, gives warnings at compile time recommending a better function:

overflow.c:32:3: warning: 'strcpy' is deprecated: This function isn't considered secure. [-Wdeprecated-declarations]
                strcpy(buffer, input);
                ^~~~~~
                strncpy_strsafe
...

When this program is run, it is still vulnerable to an overflow:

$ ./overflow_warn 
Original other value= 2
Source buffer content= 123456789
Destination buffer content= 123456789
Final other value= 959985462
strcpy() executed...
NOTE: The other value variable was overflowed into!!!

If the developer changes to use the safe function, the string will be safely truncated and terminated with a null byte:

$ ./overflow_fixed
Original other value= 2
Source buffer content= 123456789
Destination buffer content= 1234
Final other value= 2
strcpy() executed...

Note that simply using strncpy in this case would not terminate the buffer, and thus the printf may read off the end of the string.

Frequenently Asked Questions

Why are some 'n' functions banned?

These variants are sometimes banned because they are tough to call correctly. As Microsoft learned when making the original banned.h, there are numerous errors observed when people call those. The replacement functions attempt to helping fix some issues such as how the default 'n' functions can fail to not null-terminate on overflowed buffers and will not return an error code on overflow.

Will this make my code 100% secure?

No. Simply replacing a banned function call with a better replacement does not guarantee that the code is secure. You can still use the functions incorrectly, but based on learnings from passed banned.h files and from our team's experience, they should help produce more secure code with less buffer-overruns if used thoughtfully.

What are other methods?

In Windows development, developers get the benefit often other ways than banned.h today, such as using Safe CRT if the compiler supports it (introduced in Visual Studio 2005). This will warn of deprecated functions like this file does, and sometimes change calls to safe variants for the user at compile time. We do not know of equivalent methods being used in embedded compilers at this time.

Have another question?

Reach out to us on GitHub Issues or by emailing team [at] riverloopsecurity [com].

Prior Work

A number of tools exist to look for these 'banned' functions, including some listed below. These however, are not focused on the unique needs of the embedded development environment.

About

An embedded-focused banned.h / strsafe variant intended to assist for Secure Software Development Lifecycle for Embedded Developers

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages