Complete Communications Engineering

SEI Cert C is a secure coding standard for the C programming language.  To avoid software vulnerabilities in safety-critical systems, adherence to a coding standard is required.  Cert C puts forth a set of rules and recommendations that should be followed to help eliminate some of the undefined behavior of the C language.

Cert C has many of the same rules as other coding standards, like MISRA.  For example, both standards have rules that prohibit expressions whose result depends on the order of evaluation of their side effects.  Some of the Cert C rules require more numerical analysis to determine code compliance.  For example, INT30-C: “Ensure that unsigned integer operations do not wrap.”  Unsigned integer arithmetic cannot overflow in the undefined-behavior sense, but it can wrap around, which may have unintended consequences in the resulting code.  The following code is not compliant:

unsigned int add_func(unsigned int a, unsigned int b)
{
    unsigned int result;

    result = a + b;   /* wraps silently when a + b exceeds UINT_MAX */
    return result;
}

In order to be compliant with Cert C, a check is needed either before or after the addition to handle the case where the addition wraps the value.

unsigned int add_func(unsigned int a, unsigned int b)
{
    unsigned int result;

    result = a + b;
    if ((result < a) || (result < b)) {
        /* error handling of wrap: the sum is smaller than an operand */
    }
    return result;
}
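As an added example (not code from the original post), here is the precondition form of the INT30-C check, which refuses the operation before any wrapped value exists, beside the postcondition form shown above, and the same guard generalized to unsigned multiplication, which INT30-C also covers.  The function names are my own, and the wrap is reported to the caller rather than left to an empty error branch.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Precondition check: test for room before adding. No wrapped value is
 * ever computed, so the caller can never consume one by mistake. */
bool add_checked_pre(unsigned int a, unsigned int b, unsigned int *out)
{
    if (UINT_MAX - a < b) {
        return false;              /* a + b would exceed UINT_MAX */
    }
    *out = a + b;
    return true;
}

/* Postcondition check: unsigned addition is well defined (modular), so
 * the wrap can be detected afterwards. For addition, result < a is
 * sufficient; the wrapped sum is discarded rather than returned. */
bool add_checked_post(unsigned int a, unsigned int b, unsigned int *out)
{
    unsigned int result = a + b;
    if (result < a) {
        return false;
    }
    *out = result;
    return true;
}

/* Multiplication: guard with a division so no wrapped product is produced.
 * The a != 0 test avoids dividing by zero; 0 * b can never wrap. */
bool mul_checked(unsigned int a, unsigned int b, unsigned int *out)
{
    if (a != 0 && b > UINT_MAX / a) {
        return false;
    }
    *out = a * b;
    return true;
}

int main(void)
{
    unsigned int v = 0;
    if (!add_checked_pre(UINT_MAX, 1u, &v)) {
        puts("add_checked_pre: UINT_MAX + 1 rejected (would wrap)");
    }
    if (add_checked_post(10u, 20u, &v)) {
        printf("add_checked_post: 10 + 20 = %u\n", v);
    }
    if (!mul_checked(UINT_MAX / 2u + 1u, 2u, &v)) {
        puts("mul_checked: 2^(N-1) * 2 rejected (would wrap)");
    }
    return 0;
}
```

The precondition form is the one to prefer where the wrapped value must never be observable, since even a discarded intermediate can be optimized or refactored into a live one later.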

Obviously, these additional conditionals make the code less computationally efficient.  In some circumstances, if it can be determined that the operand values cannot cause a wrap, then the check can be removed.  Therefore, when developing Cert C compliant code, it is helpful to use static analysis tools to evaluate the code and identify potential security vulnerabilities.