Security and C language: fix it don't nix it
Critics claim that the decades-old C programming language is inherently insecure; not so, argues E&T: as with any other software environment, programmers just have to ensure that they use security tools to find and fix vulnerabilities.
In this day and age, when hackers work around the clock to compromise IT systems across the globe, it is tempting to believe that everything, from the software languages used in operating systems and applications on up, is best replaced. Indeed, in his recent E&T article 'A Unified Framework for IT Security' (Vol4, #11), incoming Cyber Security KTN director Tony Dyhouse argues that the "use of secure coding languages for new software must also be increased". Replacing legacy programming languages with 'security-aware' languages aims to prevent the programmer from producing code containing vulnerabilities that can be easily exploited by third parties.
This may be a laudable long-term goal, but it does nothing to help secure systems already in service. These systems make extensive use of programming languages such as C and C++, and are often implemented by programmers with limited experience of the techniques necessary to produce robust, secure code. The continued use of these legacy languages can, in fact, be justified if appropriate coding guidelines and techniques are adopted and compliance demonstrated.
Research in recent years has identified the root cause of many of the vulnerabilities typically found in C/C++ code. Coding standards such as the CERT C Secure Coding Standard help programmers avoid the associated pitfalls. However, without automated tools to check for non-compliance, it is, arguably, more or less impossible for a programmer to deliver fault-free code.
This may seem like a depressing prospect to have to face, but it is far from the end of the story, because what technology got us into, technology can get us out of.
Let's begin with software analysis tools for static code analysis. Fortunately, such tools are now available to enforce compliance with the guidelines recommended by these established coding standards. They can perform in-depth, system-wide analysis of the code, and can utilise formal algebras ('formal methods') to ensure that system security is not compromised.
These methods include control, data, and information flow modelling, heuristically constrained, side-effect and exact semantic analysis, and the detection of unnecessary code.
Errors and error checking
Most defects within C and C++ code that give rise to exploitable vulnerabilities relate to memory errors, file errors and the blind acceptance of data coming from untrusted sources. These defects have previously been difficult for tools to detect; but formal algebras used for in-depth, system-wide analysis of the code have made this significantly easier in recent times.
Memory and file errors, which are very closely related, can be detected by applying data flow analysis to the pointers and file descriptors within a program. For example, it is possible to detect attempts to free memory more than once (or not at all), and also to detect writes to a file that is not currently open for writing.
Similarly, information flow analysis can be used to ensure that input data is sanitised before it is used. This analysis can then be made more precise by means of assertions which are checked during exact semantic analysis.
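The two kinds of checking described above, data flow analysis over pointers and file handles and information flow (taint) analysis over untrusted input, can be sketched in a few dozen lines. The following is an added illustration, not code from the article or from LDRA's tools: it walks a constructed, straight-line program expressed as `(operation, name)` tuples (the operation names are an assumption chosen for this example, not a real intermediate representation) and reports double frees, frees of unallocated memory, use after free, writes to a file that is not open, unsanitised input reaching a sink, and resources still allocated or open at the end of the function.

```python
"""Toy intraprocedural data-flow and information-flow checker (added example).

The program under analysis is a constructed list of (op, name) tuples rather
than real C; each resource is tracked with a small state lattice, which is
the essence of what a commercial static analyser does on a real control-flow
graph. This version is path-insensitive and handles straight-line code only.
"""
from typing import Dict, List, Tuple

Op = Tuple[str, str]


def analyse(program: List[Op]) -> List[str]:
    """Return a list of diagnostics found while walking the ops in order."""
    ptr: Dict[str, str] = {}    # pointer name -> "allocated" | "freed"
    files: Dict[str, str] = {}  # file name    -> "open" | "closed"
    taint: Dict[str, str] = {}  # data name    -> "untrusted" | "clean"
    findings: List[str] = []

    for i, (op, name) in enumerate(program):
        loc = f"op {i}: {op} {name}"
        if op == "malloc":
            if ptr.get(name) == "allocated":
                findings.append(f"{loc}: leak, {name} reassigned while still allocated")
            ptr[name] = "allocated"
        elif op == "free":
            state = ptr.get(name)
            if state == "freed":
                findings.append(f"{loc}: double free of {name}")
            elif state is None:
                findings.append(f"{loc}: free of never-allocated {name}")
            ptr[name] = "freed"
        elif op == "deref":
            if ptr.get(name) == "freed":
                findings.append(f"{loc}: use after free of {name}")
        elif op == "fopen":
            files[name] = "open"
        elif op == "fclose":
            if files.get(name) != "open":
                findings.append(f"{loc}: close of file {name} that is not open")
            files[name] = "closed"
        elif op == "fwrite":
            if files.get(name) != "open":
                findings.append(f"{loc}: write to file {name} that is not open")
        elif op == "input":          # data arrives from an untrusted source
            taint[name] = "untrusted"
        elif op == "sanitise":       # a validation routine cleans the data
            taint[name] = "clean"
        elif op == "sink":           # data reaches a security-sensitive use
            if taint.get(name) == "untrusted":
                findings.append(f"{loc}: unsanitised input {name} reaches a sink")
        else:
            raise ValueError(f"unknown op {op!r}")

    # End of function: anything still allocated or open has leaked.
    for name, state in ptr.items():
        if state == "allocated":
            findings.append(f"end: {name} allocated but never freed")
    for name, state in files.items():
        if state == "open":
            findings.append(f"end: file {name} opened but never closed")
    return findings


# Constructed sample function body in the toy representation.
SAMPLE: List[Op] = [
    ("malloc", "buf"),
    ("input", "req"),
    ("sink", "req"),        # untrusted data used before sanitising
    ("sanitise", "req"),
    ("sink", "req"),        # acceptable: sanitised first
    ("fopen", "log"),
    ("fwrite", "log"),
    ("fclose", "log"),
    ("fwrite", "log"),      # write after close
    ("free", "buf"),
    ("free", "buf"),        # double free
    ("malloc", "tmp"),      # never freed
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE):
        print(finding)
```

Running the module prints four diagnostics for `SAMPLE`: the early sink, the write after close, the double free and the leaked `tmp`. A real tool does the same bookkeeping over every path of the control-flow graph and across function boundaries, which is where the formal algebras mentioned above come in.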
These techniques can be used to improve the security aspects of other legacy languages, such as PHP (Hypertext Preprocessor, a scripting language designed for Web development and the production of dynamic Web pages). This effort will most likely become increasingly important as contracts with powerful organisations such as the US federal government begin mandating proof of security for all IT systems.
CERT C adoption
One of the most sizeable challenges facing the software industry will be getting IT professionals to buy in to the culture change that is necessary to ensure that systems are properly secure in the sense discussed here; however, as companies adopt coding standards like CERT C, secure programming will become the norm rather than the exception.
This approach would allow the many diverse systems that now exist to be hardened, rather than pretending that they can simply be thrown out along with the bath water, and demonstrate that there's security in the old code yet.
Chris Tapp is a field applications engineer at LDRA