
Repository Details

safec libc extension with all C11 Annex K functions

Safe C Library - README

safeclib

Copying

This project's licensing restrictions are documented in the file 'COPYING' under the root directory of this release. Basically it's MIT licensed.

Overview

This library implements the secure C11 Annex K [1] functions on top of most existing libc implementations, which lack them.

The ISO TR24731 Bounds Checking Interface documents indicate that the key motivation for the new specification is to help mitigate the ever increasing security attacks, specifically the buffer overrun. [2]

The rationale document says "Buffer overrun attacks continue to be a security problem. Roughly 10% of vulnerability reports cataloged by CERT from 01/01/2005 to 07/01/2005 involved buffer overflows. Preventing buffer overruns is the primary, but not the only, motivation for this technical report." [3]

The rationale document continues "that these only mitigate, that is lessen, security problems. When used properly, these functions decrease the danger of buffer overrun attacks. Source code may remain vulnerable due to other bugs and security issues. The highest level of security is achieved by building in layers of security utilizing multiple strategies." [3]

The rationale document lists the following key points for TR24731:

  • Guard against overflowing a buffer
  • Do not produce unterminated strings
  • Do not unexpectedly truncate strings
  • Provide a library useful to existing code
  • Preserve the null terminated string datatype
  • Only require local edits to programs
  • Library based solution
  • Support compile-time checking
  • Make failures obvious
  • Zero buffers, null strings
  • Runtime-constraint handler mechanism
  • Support re-entrant code
  • Consistent naming scheme
  • Have a uniform pattern for the function parameters and return type
  • Deference to existing technology

and the following can be added...

  • provide a library of functions with like behavior
  • provide a library of functions that promote and increase code safety and security
  • provide a library of functions that are efficient

The C11 Standard adopted many of these points, and added some secure _s variants in the Annex K. The Microsoft Windows/MINGW secure API did the same, but deviated in some functions from the standard. Besides Windows (with its msvcrt, ucrt, reactos msvcrt and wine msvcrt variants) only the unused stlport, Android's Bionic, Huawei securec and Embarcadero implemented this C11 secure Annex K API so far. They are still missing from glibc, musl, FreeBSD, darwin and DragonFly libc, OpenBSD libc, newlib, dietlibc, uClibc, minilibc.

Design Considerations

Since version 3.0 this library implements all functions defined in the specifications. [4] Included in the library are extensions to the specification that provide a complementary set of functions with like behavior.

This library is meant to be used on top of existing libcs that lack the secure C11 functions. Tighter integration into the system libc would of course be better, especially for the printf, scanf and I/O functions. See the separate libc-overview document.

Further reading:

  • Austin Group Review of ISO/IEC WDTR 24731: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1106.txt
  • C11 standard (ISO/IEC 9899:2011): http://en.cppreference.com/w/c
  • CERT C Secure Coding Standard [5]
  • Stackoverflow discussion: https://stackoverflow.com/questions/372980/do-you-use-the-tr-24731-safe-functions
  • DrDobbs review [6]: http://www.drdobbs.com/cpp/the-new-c-standard-explored/232901670
  • The C17 reconsideration of Annex K (N1967) looked at safeclib, but only at the old, incomplete Cisco version, not at this complete and fixed version: http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm

  • Use of errno

The TR24731 specification says an implementation may set errno for the functions defined in the technical report, but is not required to. This library does not set errno in most functions, only in bsearch_s, fscanf_s, fwscanf_s, gets_s, gmtime_s, localtime_s, scanf_s, sscanf_s, swscanf_s, strtok_s, vfscanf_s, vfwscanf_s, vsscanf_s, vswscanf_s, wcstok_s, wscanf_s.

In most cases the safeclib extended ES* error codes do not set errno; errno is only set when an underlying (insecure) system call fails. The library does return errno-style error codes, as its functional API requires. The specific Safe C String and Safe C Memory error codes are defined in the safe_errno.h file.

  • Runtime-constraints

Per the spec, the library verifies that the calling program does not violate the function's runtime-constraints. If a runtime-constraint is violated, the library calls the currently registered runtime-constraint handler.

Per the spec, multiple runtime-constraint violations in the same call to a library function result in only one call to the runtime-constraint handler. The first violation encountered invokes the runtime-constraint handler.

With --disable-constraint-handler the call to the runtime-constraint handler can be compiled out, which saves some memory but little run-time performance.

With --with-default-handler=<abort|ignore> you may set the default constraint handler at compile-time to abort_handler_s or ignore_handler_s.

The runtime-constraint handler might not return. If the handler does return, the library function whose runtime-constraint was violated returns the failure indication documented for that function (its error return value). If dest and dmax are valid, dest is cleared: the whole dest buffer by default, or only its first byte when the library was configured with the optional --disable-null-slack.

rsize_t The specification defines a new type. This type, rsize_t, is conditionally defined in the safe_lib.h header file.

RSIZE_MAX The specification defines the macro RSIZE_MAX which expands to a value of type rsize_t. The specification uses RSIZE_MAX for both the string functions and the memory functions. This implementation defines two macros: RSIZE_MAX_STR and RSIZE_MAX_MEM. RSIZE_MAX_STR defines the range limit for the safe string functions. RSIZE_MAX_MEM defines the range limit for the safe memory functions. The point is that string limits can and should be different from memory limits. There also exist RSIZE_MAX_WSTR, RSIZE_MAX_MEM16, RSIZE_MAX_MEM32.
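To make the handler semantics above concrete, here is a small self-contained model of the mechanism, added as an example for this page; it is not safeclib's code. The handler signature and the names set_constraint_handler_s, abort_handler_s and ignore_handler_s follow C11 Annex K, while toy_strcpy_s, the RSIZE_MAX_STR value of 4096, the ES* error numbers and the g_null_slack switch (standing in for --disable-null-slack) are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the library's types, limit and error codes (assumed values). */
typedef size_t rsize_t;
typedef int errno_t;
#define RSIZE_MAX_STR 4096u
enum { EOK = 0, ESNULLP = 400, ESZEROL = 401, ESLEMAX = 403, ESNOSPC = 406 };

/* Annex K handler signature: message, implementation-defined pointer, error code. */
typedef void (*constraint_handler_t)(const char *msg, void *ptr, errno_t error);

void abort_handler_s(const char *msg, void *ptr, errno_t error) {
    (void)ptr;
    fprintf(stderr, "runtime-constraint violation: %s (error %d)\n", msg, error);
    abort();                                /* does not return */
}

void ignore_handler_s(const char *msg, void *ptr, errno_t error) {
    (void)msg; (void)ptr; (void)error;      /* returns; the caller then reports failure */
}

/* Toy equivalents of --with-default-handler=abort and --disable-null-slack. */
static constraint_handler_t g_handler = abort_handler_s;
static int g_null_slack = 1;                /* 1: clear all of dest, 0: dest[0] only */
static int g_handler_calls = 0;             /* lets a test count handler invocations */

constraint_handler_t set_constraint_handler_s(constraint_handler_t handler) {
    constraint_handler_t old = g_handler;
    g_handler = handler ? handler : abort_handler_s;   /* NULL restores the default */
    return old;
}

/* One violation per call: report it, then clear dest only if dest/dmax are sane. */
static errno_t violation(char *dest, rsize_t dmax, const char *msg, errno_t err) {
    g_handler_calls++;
    g_handler(msg, NULL, err);              /* may not return (abort_handler_s) */
    if (dest != NULL && dmax != 0 && dmax <= RSIZE_MAX_STR) {
        if (g_null_slack) memset(dest, 0, dmax);
        else dest[0] = '\0';
    }
    return err;
}

/* Minimal strcpy_s: the checks are ordered, so only the first failing one is reported. */
errno_t toy_strcpy_s(char *dest, rsize_t dmax, const char *src) {
    if (dest == NULL) return violation(NULL, 0, "dest is NULL", ESNULLP);
    if (dmax == 0) return violation(dest, 0, "dmax is zero", ESZEROL);
    if (dmax > RSIZE_MAX_STR) return violation(dest, dmax, "dmax > RSIZE_MAX_STR", ESLEMAX);
    if (src == NULL) return violation(dest, dmax, "src is NULL", ESNULLP);

    /* Measure src, but never read past dmax bytes of it. */
    rsize_t n = 0;
    while (n < dmax && src[n] != '\0') n++;
    if (n == dmax) return violation(dest, dmax, "src does not fit in dest", ESNOSPC);

    memcpy(dest, src, n + 1);               /* n + 1 <= dmax, terminator included */
    return EOK;
}

int main(void) {
    char buf[8];
    set_constraint_handler_s(ignore_handler_s);   /* keep the demo alive on violations */

    memset(buf, 'A', sizeof buf);
    printf("fits:      rc=%d buf=\"%s\"\n", toy_strcpy_s(buf, sizeof buf, "hello"), buf);

    memset(buf, 'A', sizeof buf);
    errno_t rc = toy_strcpy_s(buf, sizeof buf, "definitely too long");
    printf("too long:  rc=%d buf[0]=%d buf[7]=%d handler calls=%d\n",
           rc, buf[0], buf[7], g_handler_calls);

    g_handler_calls = 0;
    rc = toy_strcpy_s(NULL, 0, "x");        /* two violations, but one handler call */
    printf("NULL dest: rc=%d handler calls=%d\n", rc, g_handler_calls);
    return 0;
}
```

Compile with cc -std=c99 -Wall. The demo in main() registers ignore_handler_s so that violations return an error code instead of aborting. Note that on an ESLEMAX violation dest is deliberately left untouched: a dmax that exceeds RSIZE_MAX_STR must not be trusted as a length to clear, which is exactly why the spec ties the clearing to valid dest and dmax values.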

  • Compile-time constraints

With supporting compilers the dmax overflow checks, and several more, are performed at compile-time. Currently this requires clang 5 or later with diagnose_if support. Similar to _FORTIFY_SOURCE=2, this checks whether the __builtin_object_size of the dest buffer matches dmax, and errors if dmax is larger than the buffer. With the optional --enable-warn-dmax it also warns when the two sizes differ, which is especially practical as a compile-time warning; the optional --enable-error-dmax promotes that warning to a fatal error. On unsupported compilers the overflow check and the optional warn-dmax equality check are deferred to run-time. The check is only possible with __builtin_object_size and -O2, when the size of the dest buffer is known at compile-time; otherwise only the simpler dest == NULL, dmax == 0 and dmax > RSIZE_MAX checks are performed.

  • Header Files

The specification states the various functions would be added to existing Standard C header files: stdio.h, string.h, etc. This implementation separates the memory related functions into the safe_mem_lib.h header, the string related functions into the safe_str_lib.h header, and the rest into the safe_lib.h header. There are also the internal safe_compile.h, safe_config.h, safe_lib_errno.h and safe_types.h headers, but they do not need to be included. You can also include all safec APIs with <safec.h>.

The makefile builds a single library, libsafec-VERSION.a and .so. libmemprims, libsafeccore and libstdunsafe are also built, but not installed.

It is possible to split the make such that a separate safe_mem_lib.so and safe_str_lib.so are built. It is also possible to integrate the prototypes into the Standard C header files, but that may require changes to your development tool chain.

Userspace Library

The build system for the userspace library is the well known GNU build system, a.k.a. Autotools. This system is well understood and supported by many different platforms and distributions which should allow this library to be built on a wide variety of platforms. See the Tested platforms section for details on what platforms this library was tested on during its development.

  • Building

If you are familiar with autotools you can probably skip this part; otherwise, to get straight to building the code, see below. For additional information see the INSTALL file in the same directory.

To build you do the following:

./build-aux/autogen.sh
./configure
make

autogen.sh only needs to be run if you are building from the git repository. Optionally, you can do make check if you want to run the unit tests.

  • Installing

Installation must be performed by root (an administrator account on most systems). The following is used to install the library.

sudo make install

Safe Linux Kernel Module

The build for the kernel module has not been integrated into the autotools build infrastructure. Consequently, you have to run a different makefile to build the kernel module.

  • Building

To build, do the following:

./configure --disable-wchar
make -f Makefile.kernel

This assumes you are compiling on a Linux box; the makefile uses the standard kernel build system (kbuild) documented in /usr/src/linux-kernel/Documentation/kbuild/modules.txt.

NOTE: If you build the kernel module and then wish to build the userspace library, or vice versa, you will need to run make clean first, otherwise make check will fail to build.

  • Installing

The kernel module will be found at the root of the source tree, called slkm.ko. The file testslkm.ko contains the unit tests of the userspace library in Linux kernel module form, to verify the functionality within the kernel.

Tested Platforms

The library has been tested on the following systems:

  • Linux Fedora core 31 - 36 amd64/i386 glibc 2.28 - 2.36 (all gcc's + clang's)
  • Mac OS X 10.6-12 w/ Apple developer tools and macports (all gcc's + clang's)
  • Linux Debian 9 - 11 amd64/i386 glibc 2.24 - 2.28 (all gcc's + clang's)
  • Linux centos 7 amd64
  • Linux Void amd64 musl-1.1.16
  • x86_64-w64-mingw32 native and cross-compiled
  • i686-w64-mingw32 native, and cross-compiled and tested under wine
  • i386-mingw32 cross-compiled
  • cygwin32 gcc (newlib)
  • cygwin64 gcc -std=c99 (newlib)
  • freebsd 10 - 13 amd64
  • linux docker images under qemu: i386/debian, x86_64/rhel, arm32v7/debian, aarch64: arm64v8/{debian,centos,rhel,fedora}, s390x/fedora (the only big endian test I could find), ppc64le/{debian,ubuntu,fedora,centos,rhel}
  • User Mode Linux (UML), Linux kernel version v3.5.3 w/ Debian Squeeze rootfs

with most available compilers. See build-aux/smoke.sh and the various CI configs.

Known Issues

  1. If you are building the library from the git repository you will have to first run build-aux/autogen.sh which runs autoreconf to install the autotools files and create the configure script.

  2. If you use cmake, you'd need to add -DCMAKE_APPLE_SILICON_PROCESSOR=$(uname -m) for Apple Silicon M1 or M2 processors.

References

Footnotes

  1. C11 Standard (ISO/IEC 9899:2011) Annex K

  2. Programming languages, their environments and system software interfaces, Extensions to the C Library, Part I: Bounds-checking interfaces, ISO/IEC TR 24731-1.

  3. Rationale for TR 24731 Extensions to the C Library Part I: Bounds-checking interfaces, ISO/IEC JTC1 SC22 WG14 N1225.

  4. The Open Group Base Specifications Issue 7 http://pubs.opengroup.org/onlinepubs/9699919799/functions/contents.html

  5. CERT C Secure Coding Standard https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard

  6. DrDobbs review http://www.drdobbs.com/cpp/the-new-c-standard-explored/232901670
