[C-safe-secure-studygroup] Meeting Notes from 09 August 2017
Laurence Urhegyi
laurence.urhegyi at codethink.co.uk
Thu Aug 17 10:59:33 UTC 2017
Apologies for the delay in writing these up, but some detailed notes
from last week's meeting are below, and also added to the wiki of course.
We have two things to discuss in the next meeting before getting into
the rules themselves:
1) Criteria for rule inclusion for the different profiles.
- Martin has raised the need for a set of criteria for rule inclusion in
order to create a more objective environment for a vote.
- Especially in regard to rules that have to do with readability. For
example, Martin has said that Rule 8.13 is generally a good practice to
follow in any code-base for any software, so should be included in any
profile. Therefore it seems that if we are going to exclude a rule such
as that from either profile, we should be clear on why.
- Currently the distinction is somewhat unclear in general, not just
this rule: although it's a good example because, in summary: this rule
is good practice, but it is so subjective that it would be totally wrong
for a project to fail a security audit because of it.
2) Required Visualisation Mechanisms: a potential category of rules
which inform the programmer what they have done and ask whether it was
intended.
## Rule 8.13 - Reviewed, no consensus for security profile yet
https://gitlab.com/trustable/C_Safety_and_Security_Rules_Study_Group/wikis/misrarule8.13
Martin: this rule is certainly sound but unlikely to be seen followed in
practice. It's actually very uncommon to see local pointers declared
*const* if they aren't being used to modify an object. Seems that
applying it as strictly as is suggested is not practical. The limited
scope of the rule makes perfect sense. Would be sensible in both
profiles, but it should be an advisory rule, as MISRA have outlined it.
Aaron: One thing I am not clear on is that I read this rule as requiring
all *const* qualifiers on all intermediate pointers as well as the top
level type, so where you have a pointer that points to another pointer,
does the first level pointer need to be *const* also?
Whilst I agree with the logic that the final object to be pointed to
should be *consts* wherever possible, this is not feasible for a
situation where you have multiple levels of pointers. This will make a
lot of negative noise. It's rare to see the the pointer type be *const*
as well as the final object.
Fulvio: that is my understanding of the rule.
Clive: that's how I interpret it also.
Aaron: this rule would need a lot of thinking for a security profile.
Certainly can't go in in its current form.
**Vote**
Should this rule be included in the Safety Profile?
**Consensus to include this rule in the Safety Profile.**
No consensus on Security Profile.
Aaron: In summary: this rule is good practice, but it is so subjective
that it would be totally wrong for a project to fail a security audit
because of it.
## Rule 8.10 - Reviewed, no consensus for security profile yet
https://gitlab.com/trustable/C_Safety_and_Security_Rules_Study_Group/wikis/misrarule8.10
Gavin: If we agree this points to undefined behaviour, we should
prohibit it.
Martin: The rationale of the rule is not clear to me, the undefined
behaviour in the first paragraph does not seem specific to inline
functions, any symbol that declares itself undefined in a program makes
that program undefined, i don't see why the inline function is specific
to this problem. Second paragraph talks about the definition of a
function, and suggests that defining an inline function static has a
guaranteed impact on the timing of calls to the function, which is not
quite true. The inline keyword is just a hint to the optimiser to make
the calls to the function fast as possible. But without defining what
fast means. 'Fast' depends on not just the function itself but from the
context which it's called: which could be an inline function, which
itself could be inline function, etc etc. The compiler can make inline
decisions regardless of the presence / absence of the inline keyword.
Cannot see how static storage has any variant on the timing of an
application or calls to that function. So based on these two points
alone, I don't think this rule has any merit.
Aaron: Agreed. Looking at the C standard, I agree with the first
paragraph, this is correct. Second paragraph does not seem to make
sense: not sure what the benefit is in practice. Not valid from a
security profile. Not sure about Safety.
Martin: this is not specific to inline functions, declaring external
'foo' at the top of a translation unit without defining it makes a
program undefined. So it does not make sense to impose such a rule just
for inline functions without considering all of the others.
Aaron: the very first paragraph echoes the C standard, so therefore
there are only two choices presented here: you can use inline
definitions or external definitions. Compiler needs to pick one but it
is unspecified which one you get. C standard is explicit about this
regarding the behaviour.
**Vote**
Should this rule be included in the Safety Profile?
All in favour of including in a Safety profile.
Should this rule be included in the Security Profile?
* 2 votes against
* 1 vote to abstain
We lost Gavin and Martin from this section of the call, so we need to
re-visit this rule. Need to review this for security.
## Rule 9.3 - Reviewed, no consensus for either profile
https://gitlab.com/trustable/C_Safety_and_Security_Rules_Study_Group/wikis/misrarule9.3
Discussion as per meeting 09 August:
Gavin: this is one where you can have some garbage data, overlay a
partially initialised array on top of it and then you've planted data
into that array. This is a similar type of mechanism to a buffer over-run.
Fulvio: with partial initialisation, all the other elements are
initialised to 0.
Aaron: from a security point of view, exception number 2, where you can
explicitly do sparse initialisation, seems very strange.
Gavin: yes, this seems to boil down to the programmer knowing what they
are doing: ie. to use sparse initialisation and not use shortcuts.
Looking at the examples given in the MISRA rule, it can be unclear where
things are errors or deliberate. If we take the first example where x[ 3
] = { 0, 1, 2 }; then we know that's complete initialisation. Whereas on
the next line, y[ 3 ] { 0, 1 }; is incomplete initialisation, so it is
unclear if it's an error or is deliberate. Whereas when you get into the
next example, setting element 1, you have a four element array, and you
explicitly start setting the second element and then carry on with the
third element, the implicit initialisation will set it to 0, so it just
might be an error, rather than being deliberate. So the argument being
made here, if you look at the compliant example, where 1=1 and 25=2,
this implies that i can tell 0,2 to 24,26 to the end are excluded.
Aaron: thanks, that makes the logic clearer, this makes more sense now.
Because there is no way for you to tell the difference between 'I am
explicitly intending to initialise the next element' as opposed to 'I am
intending to initialise an element in the sparse array but I have not
specified which one'.
Clive: I am not convinced by this rule.
Gavin: this is one of those areas where I think the answer here should
be a requirement that the compiler repeats back to you what you have
done. So we're dealing with a class of rules that is asking the user 'is
this what you meant to do?' This question can't be answered by banning
something from occurring. So there's seems to be a need for explaining
to the programmer what they have done and whether that was what was
intended, so they can decide what to do.
Should this rule be included in the Safety profile?
* 2 votes for.
* 2 votes to abstain.
No consensus.
Should this rule be included in the Security profile?
* 2 votes against.
* 1 vote to abstain.
* 1 vote for.
No consensus.
Note that Gavin would like this rule to be included in the Safety
Profile with the above caveat only, UNLESS we are include a new category
of 'Required Visualisation Mechanisms' that explain to the programmer
what they have done, as explained above.
## Rule 9.5 - Reviewed: Consensus to include in both profiles.
https://gitlab.com/trustable/C_Safety_and_Security_Rules_Study_Group/wikis/misrarule9.5
Discussion during meeting on 09 August:
Should this rule be included in both profiles?
3 votes for, 1 vote against.
Consensus to include in both profiles.
More information about the C-safe-secure-studygroup
mailing list