sei-cert-c-coding-standard-2016-v01.pdf
SEI CERT
C Coding Standard
Rules for Developing Safe, Reliable, and Secure Systems
2016 Edition
v2016-06-29-1140
Copyright 2016 Carnegie Mellon University
This material is based upon work funded and supported by the Department of Defense under Contract No.
FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a
federally funded research and development center.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Department of Defense.
This report was prepared for the
SEI Administrative Agent
AFLCMC/PZM
20 Schilling Circle, Bldg. 1305, 3rd floor
Hanscom AFB, MA 01731-2125
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE
MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO
WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT
NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR
RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT
MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK,
OR COPYRIGHT INFRINGEMENT.
[Distribution Statement A] This material has been approved for public release and unlimited distribution.
Please see Copyright notice for non-US Government use and distribution.
Internal use:* Permission to reproduce this material and to prepare derivative works from this material for internal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works.
External use:* This material may be reproduced in its entirety, without modification, and freely distributed in
written or electronic form without requesting formal permission. Permission is required for any other external
and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at
permission@sei.cmu.edu.
* These restrictions do not apply to U.S. government entities.
Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University.
DM-0003560
SEI CERT C Coding Standard: Rules for Developing Safe, Reliable, and Secure Systems i
Software Engineering Institute | Carnegie Mellon University
[DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.
Table of Contents
1 Introduction 1
1.1 Scope 2
1.2 Audience 3
1.3 History 4
1.4 ISO/IEC TS 17961 C Secure Coding Rules 5
1.5 Tool Selection and Validation 7
1.6 Taint Analysis 9
1.7 Rules Versus Recommendations 10
1.8 Conformance Testing 11
1.9 Development Process 12
1.10 Usage 13
1.11 System Qualities 13
1.12 Vulnerability Metric 13
1.13 How This Coding Standard Is Organized 14
1.14 Automatically Generated Code 18
1.15 Government Regulations 19
1.16 Acknowledgments 20
2 Preprocessor (PRE) 23
2.1 PRE30-C. Do not create a universal character name through concatenation 23
2.2 PRE31-C. Avoid side effects in arguments to unsafe macros 25
2.3 PRE32-C. Do not use preprocessor directives in invocations of function-like macros 30
3 Declarations and Initialization (DCL) 32
3.1 DCL30-C. Declare objects with appropriate storage durations 32
3.2 DCL31-C. Declare identifiers before using them 36
3.3 DCL36-C. Do not declare an identifier with conflicting linkage classifications 40
3.4 DCL37-C. Do not declare or define a reserved identifier 43
3.5 DCL38-C. Use the correct syntax when declaring a flexible array member 50
3.6 DCL39-C. Avoid information leakage when passing a structure across a trust boundary 53
3.7 DCL40-C. Do not create incompatible declarations of the same function or object 60
3.8 DCL41-C. Do not declare variables inside a switch statement before the first case label 66
4 Expressions (EXP) 68
4.1 EXP30-C. Do not depend on the order of evaluation for side effects 68
4.2 EXP32-C. Do not access a volatile object through a nonvolatile reference 74
4.3 EXP33-C. Do not read uninitialized memory 76
4.4 EXP34-C. Do not dereference null pointers 85
4.5 EXP35-C. Do not modify objects with temporary lifetime 90
4.6 EXP36-C. Do not cast pointers into more strictly aligned pointer types 93
4.7 EXP37-C. Call functions with the correct number and type of arguments 98
4.8 EXP39-C. Do not access a variable through a pointer of an incompatible type 103
4.9 EXP40-C. Do not modify constant objects 109
4.10 EXP42-C. Do not compare padding data 111
4.11 EXP43-C. Avoid undefined behavior when using restrict-qualified pointers 114
4.12 EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic 122
4.13 EXP45-C. Do not perform assignments in selection statements 126
4.14 EXP46-C. Do not use a bitwise operator with a Boolean-like operand 131
5 Integers (INT) 132
5.1 INT30-C. Ensure that unsigned integer operations do not wrap 132
5.2 INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data 138
5.3 INT32-C. Ensure that operations on signed integers do not result in overflow 147
5.4 INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors 157
5.5 INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand 160
5.6 INT35-C. Use correct integer precisions 166
5.7 INT36-C. Converting a pointer to integer or integer to pointer 169
6 Floating Point (FLP) 173
6.1 FLP30-C. Do not use floating-point variables as loop counters 173
6.2 FLP32-C. Prevent or detect domain and range errors in math functions 176
6.3 FLP34-C. Ensure that floating-point conversions are within range of the new type 185
6.4 FLP36-C. Preserve precision when converting integral values to floating-point type 189
6.5 FLP37-C. Do not use object representations to compare floating-point values 191
7 Array (ARR) 193
7.1 ARR30-C. Do not form or use out-of-bounds pointers or array subscripts 193
7.2 ARR32-C. Ensure size arguments for variable length arrays are in a valid range 203
7.3 ARR36-C. Do not subtract or compare two pointers that do not refer to the same array 207
7.4 ARR37-C. Do not add or subtract an integer to a pointer to a non-array object 209
7.5 ARR38-C. Guarantee that library functions do not form invalid pointers 212
7.6 ARR39-C. Do not add or subtract a scaled integer to a pointer 222
8 Characters and Strings (STR) 226
8.1 STR30-C. Do not attempt to modify string literals 226
8.2 STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator 230
8.3 STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string 242
8.4 STR34-C. Cast characters to unsigned char before converting to larger integer sizes 247
8.5 STR37-C. Arguments to character-handling functions must be representable as an unsigned char 251
8.6 STR38-C. Do not confuse narrow and wide character strings and functions 253
9 Memory Management (MEM) 256
9.1 MEM30-C. Do not access freed memory 256
9.2 MEM31-C. Free dynamically allocated memory when no longer needed 262
9.3 MEM33-C. Allocate and copy structures containing a flexible array member dynamically 264
9.4 MEM34-C. Only free memory allocated dynamically 269
9.5 MEM35-C. Allocate sufficient memory for an object 273
9.6 MEM36-C. Do not modify the alignment of objects by calling realloc() 277
10 Input/Output (FIO) 281
10.1 FIO30-C. Exclude user input from format strings 281
10.2 FIO32-C. Do not perform operations on devices that are only appropriate for files 285
10.3 FIO34-C. Distinguish between characters read from a file and EOF or WEOF 291
10.4 FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful 296
10.5 FIO38-C. Do not copy a FILE object 299
10.6 FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call 301
10.7 FIO40-C. Reset strings on fgets() or fgetws() failure 304
10.8 FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects 306
10.9 FIO42-C. Close files when they are no longer needed 309
10.10 FIO44-C. Only use values for fsetpos() that are returned from fgetpos() 313
10.11 FIO45-C. Avoid TOCTOU race conditions while accessing files 315
10.12 FIO46-C. Do not access a closed file 319
10.13 FIO47-C. Use valid format strings 321
11 Environment (ENV) 326
11.1 ENV30-C. Do not modify the object referenced by the return value of certain functions 326
11.2 ENV31-C. Do not rely on an environment pointer following an operation that may invalidate it 331
11.3 ENV32-C. All exit handlers must return normally 336
11.4 ENV33-C. Do not call system() 340
11.5 ENV34-C. Do not store pointers returned by certain functions 347
12 Signals (SIG) 353
12.1 SIG30-C. Call only asynchronous-safe functions within signal handlers 353
12.2 SIG31-C. Do not access shared objects in signal handlers 363
12.3 SIG34-C. Do not call signal() from within interruptible signal handlers 367
12.4 SIG35-C. Do not return from a computational exception signal handler 371
13 Error Handling (ERR) 374
13.1 ERR30-C. Set errno to zero before calling a library function known to set errno, and check errno only after the function returns a value indicating failure 374
13.2 ERR32-C. Do not rely on indeterminate values of errno 381
13.3 ERR33-C. Detect and handle standard library errors 386
14 Concurrency (CON) 403
14.1 CON30-C. Clean up thread-specific storage 403
14.2 CON31-C. Do not destroy a mutex while it is locked 407
14.3 CON32-C. Prevent data races when accessing bit-fields from multiple threads 410
14.4 CON33-C. Avoid race conditions when using library functions 414
14.5 CON34-C. Declare objects shared between threads with appropriate storage durations 418
14.6 CON35-C. Avoid deadlock by locking in a predefined order 426
14.7 CON36-C. Wrap functions that can spuriously wake up in a loop 431
14.8 CON37-C. Do not call signal() in a multithreaded program 435
14.9 CON38-C. Preserve thread safety and liveness when using condition variables 437
14.10 CON39-C. Do not join or detach a thread that was previously joined or detached 445