[C-safe-secure-studygroup] Example of dilemma: strict vs loose - Dir 4.12 (dynamic memory allocation)

Fulvio Baccaglini fulvio_baccaglini at programmingresearch.com
Thu Jun 28 15:58:38 BST 2018


Hi,

The particular dilemma we considered at the meeting of how strict or
loose a rule should be is associated with undecidability: whether a
tool should report situations where it cannot decide whether the
undecidable rule is violated or not.

I personally liked the suggestion of requiring the tool to be
configurable for either approach.

I think however that there is a different kind of dilemma that also
needs to be considered, of which Dir 4.12 "Dynamic memory allocation
shall not be used" could be an example.

Here is my understanding:

Dir 4.12 may come across as too strict, but its rationale says "if a
decision is made to use dynamic memory, care shall be taken to ensure
that the software behaves in a predictable manner".

So within a MISRA C context, a tool would alert the user when it
detects that dynamic memory allocation is used, and it would then be up
to the user to decide whether to:

- not use dynamic memory allocation, or
- use dynamic memory allocation safely

In the field of Aviation there is a document DO-332/ED-217 which lists
7 typical vulnerabilities with dynamic memory allocation:

a. Ambiguous references
b. Fragmentation starvation
c. Deallocation starvation
d. Heap memory exhaustion
e. Premature deallocation
f. Lost update and stale reference
g. Time-bound allocation or deallocation

The rationale for Dir 4.12 lists d. and g. as examples (and also
mentions undefined behaviour associated with the library).

If Dir 4.12 is deviated, static analysis tools may still help
downstream with certain aspects of preventing these and other
vulnerabilities, and how they would be expected to help can perhaps be
defined via a corresponding set of looser rules, like: "do not use
allocated memory after it has been released" and "do not leak memory".

However there are other aspects (like g.) that are beyond source code
analysis, but may still need to be assessed, and cleared by other
means, if necessary.

So in this context the notification by a tool that Dir 4.12 is violated
may be useful over and above any alternative set of looser rules.

Fulvio
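Added example, not part of Fulvio's message nor of any MISRA or DO-332 text: the kind of fixed-block pool allocator that is commonly substituted for malloc/free when Dir 4.12 is deviated. All storage is a static array sized at compile time, so allocation and release are constant-time (item g. becomes a fixed bound), blocks are all one size (no fragmentation, item b.), exhaustion (item d.) is reported as a NULL return rather than left to the library, and release checks the pointer it is given so that a reference outside the pool (item a.) or a second release of the same block (item e.) is reported rather than silently corrupting the free list. The live-block counter gives a hook for the "do not leak memory" check. Every name here (pool_t, pool_init, pool_alloc, pool_free, pool_live, POOL_BLOCKS, POOL_BLOCK_SIZE) is this example's own, and the sample run in main() is constructed for illustration.

```c
/* Fixed-block pool allocator: an added example, not project or MISRA code.
 * Names (pool_t, pool_*, POOL_*) are assumptions made for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_BLOCKS     4u    /* number of fixed-size blocks in the pool */
#define POOL_BLOCK_SIZE 32u   /* payload bytes per block */

typedef struct {
    uint8_t  storage[POOL_BLOCKS * POOL_BLOCK_SIZE]; /* the only backing memory */
    uint8_t  in_use[POOL_BLOCKS];    /* 1 = handed out, 0 = on the free list */
    uint32_t next_free[POOL_BLOCKS]; /* singly linked free list, by index */
    uint32_t free_head;              /* first free index, POOL_BLOCKS = none */
    uint32_t live;                   /* blocks currently handed out (leak check) */
} pool_t;

/* Build the free list 0 -> 1 -> ... -> POOL_BLOCKS (end marker). */
void pool_init(pool_t *p)
{
    memset(p, 0, sizeof *p);
    for (uint32_t i = 0; i < POOL_BLOCKS; i++) {
        p->next_free[i] = i + 1u;
    }
    p->free_head = 0u;
}

/* O(1). Returns NULL on exhaustion (DO-332 item d.) instead of leaving the
 * outcome to a library heap whose behaviour is not under the user's control. */
void *pool_alloc(pool_t *p)
{
    if (p->free_head >= POOL_BLOCKS) {
        return NULL;
    }
    uint32_t idx = p->free_head;
    p->free_head = p->next_free[idx];
    p->in_use[idx] = 1u;
    p->live++;
    return &p->storage[idx * POOL_BLOCK_SIZE];
}

/* O(1). Returns 0 on success, -1 if ptr is not a block of this pool
 * (item a., ambiguous reference), -2 if the block is already free
 * (item e., premature/double deallocation). The block is scrubbed on
 * release so a stale reference (item f.) cannot read old contents. */
int pool_free(pool_t *p, void *ptr)
{
    uintptr_t lo = (uintptr_t)p->storage;
    uintptr_t hi = lo + sizeof p->storage;
    uintptr_t a  = (uintptr_t)ptr;
    if (a < lo || a >= hi || ((a - lo) % POOL_BLOCK_SIZE) != 0u) {
        return -1;
    }
    uint32_t idx = (uint32_t)((a - lo) / POOL_BLOCK_SIZE);
    if (p->in_use[idx] == 0u) {
        return -2;
    }
    memset(&p->storage[idx * POOL_BLOCK_SIZE], 0, POOL_BLOCK_SIZE);
    p->in_use[idx] = 0u;
    p->next_free[idx] = p->free_head;
    p->free_head = idx;
    p->live--;
    return 0;
}

/* Blocks still handed out; non-zero at a point where everything should
 * have been released is the "do not leak memory" violation. */
uint32_t pool_live(const pool_t *p)
{
    return p->live;
}

int main(void)
{
    static pool_t pool;              /* static, so no heap is involved at all */
    void *blocks[POOL_BLOCKS + 1u];
    pool_init(&pool);
    for (size_t i = 0; i <= POOL_BLOCKS; i++) {
        blocks[i] = pool_alloc(&pool);           /* the last call exhausts the pool */
    }
    printf("exhausted:   %s\n", blocks[POOL_BLOCKS] == NULL ? "NULL returned" : "unexpected");
    printf("free:        %d\n", pool_free(&pool, blocks[0]));
    printf("double free: %d\n", pool_free(&pool, blocks[0]));
    printf("bad pointer: %d\n", pool_free(&pool, (uint8_t *)blocks[1] + 1));
    printf("still live:  %u (would be flagged as a leak at shutdown)\n",
           (unsigned)pool_live(&pool));
    return 0;
}
```

Note what this does and does not buy: the pool bounds allocation time and detects misuse of its own API, but a stale pointer that is dereferenced (rather than passed back to pool_free) is still invisible to it; that remains the job of the looser static-analysis rules mentioned above, or of other evidence where analysis cannot reach.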


