SSI Secure Software Test for C

25 Nov 2007

As mentioned in the last post, the Secure Software Institute is granting Secure Software Programmers certification. I took the C sample test online. While I can't cut-n-paste from the sample test, the questions for the C/C++ test are similar to this:

What line contains a security issue:

1   #include <stdio.h>
2   int main(int argc, char** argv) {
3       printf("%d\n", argc);
4       printf(argv[1]);
5       return 0;
6   }

The answer is line 4, since the "format string" is coming from the user. If the string contains "%d" and "%s" formats in it, printf will start pulling values off the stack, which can lead to nastiness. You want to change line 4 to printf("%s\n", argv[1]);, or, in this bad example, if (argc > 1) { printf("%s\n", argv[1]); } Ok, so now you know. The other questions are more obscure.
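To make the fix concrete, here is an added example (mine, not from the sample test or the post) that puts the flagged form next to the hardened form and adds a small helper, count_directives, which I made up for this illustration: it counts how many conversion specifiers a string would introduce if it were misused as a format, treating "%%" as a literal percent. The sample input string is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* The form the sample test flags: the user-controlled argument is itself
 * the format string, so every '%' in it becomes a directive that printf
 * acts on. gcc -Wformat-security / -Wformat=2 warns here with
 * "format not a string literal and no format arguments". Never call this
 * with untrusted data; it is kept only as the "before" picture. */
void echo_unsafe(const char *user)
{
    printf(user);
}

/* Hardened form from the post: the format is a literal and the user string
 * is only ever data for %s, so '%' characters in it are printed verbatim. */
void echo_safe(const char *user)
{
    printf("%s\n", user);
}

/* Same fix, but rendering into a caller-supplied buffer so the output can
 * be inspected. Returns snprintf's count: strlen(user) + 1 for the newline. */
int render_safe(const char *user, char *out, size_t outlen)
{
    return snprintf(out, outlen, "%s\n", user);
}

/* Returns 1 if the hardened rendering reproduces the input byte for byte
 * (plus the trailing newline), i.e. no '%' was interpreted. */
int render_preserves_input(const char *user)
{
    char buf[256];
    int n = render_safe(user, buf, sizeof buf);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;                       /* truncated: cannot compare */
    return (size_t)n == strlen(user) + 1
        && strncmp(buf, user, strlen(user)) == 0
        && buf[strlen(user)] == '\n';
}

/* Hypothetical audit helper (not on the original page): how many
 * conversion directives would this string introduce if it were passed as
 * a format? "%%" is a literal percent sign and is not counted. Handy as a
 * test oracle; it does not replace fixing the call site. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {              /* "%%" -> literal '%' */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(int argc, char **argv)
{
    /* constructed sample: two directives, one escaped percent */
    const char *input = argc > 1 ? argv[1] : "50%% done: %d %s";

    printf("directives the input would introduce: %d\n", count_directives(input));
    echo_safe(input);                   /* the '%'s come out untouched */
    printf("rendered verbatim: %s\n", render_preserves_input(input) ? "yes" : "no");
    return 0;
}
```

Compile it with the post's flags (gcc -Wformat=2 -Wall -Wextra -Werror) and echo_unsafe is exactly the line that stops the build; drop -Werror and it compiles, which is why the flag combination matters.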

So are you supposed to go through all your code and make these nit-picky changes? Like that's going to work. Like you're going to have time to even do that. Even if you did "fix your existing" code, new code, patches, changes are constantly coming in. And humans aren't so good with details -- they'll make mistakes. Certification in secure programming is just a start in security.

For this example, the issue can be caught automatically with gcc, by adding -Wformat-security or -Wformat=2. It's not caught with -Wall -Wextra -pedantic.

$ gcc -v
... gcc version 4.0.1 ...

$ gcc -Wformat=2 -Wall -Wextra -Werror -pedantic foo.c
cc1: warnings being treated as errors
foo.c: In function ‘main’:
foo.c:4: warning: format not a string literal and no format arguments

Ok, that does it. I'm writing a new book on C/C++ and software engineering. Really. Stay tuned for details.