SEI CERT C Coding Standard

Space shortcuts

Page tree

Warning

This section is under construction.

Information for Editors
To have a new guideline automatically listed above be sure to label it api and recommendation.

Risk Assessment Summary

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

API00-CMediumUnlikelyHigh

P2

L3

API01-CHighLikelyHigh

P9

L2

API02-CHighLikelyHigh

P9

L2

API03-CMediumUnlikelyMedium

P4

L3

API04-CMediumUnlikelyMedium

P4

L3

API05-CHighProbableMedium

P12

L1

API07-CMediumUnlikelyMedium

P4

L3

API09-CLowUnlikelyHigh

P1

L3

API10-CMediumLikelyHigh

P12

L1


4 Comments

  1. Chris Newman

    How does one suggest a new rule? I'd like to suggest API10-C. APIs should have security options enabled by default

    Non-compliant example:

    Non-compliant
    int tls_connect_by_name(const char *host, int port, int option_bitmask);
#define TLS_DEFAULT_OPTIONS 0
#define TLS_VALIDATE_HOST 0x0001
#define TLS_DISABLE_V1_0 0x0002
#define TLS_DISABLE_V1_1 0x0004

    If the caller of this API doesn't understand what the options mean, they will pass 0 or TLS_DEFAULT_OPTIONS and get a connection vulnerable to man-in-the-middle attacks and using old versions of TLS.

    Compliant example:

    Compliant Example
    int tls_connect_by_name(const char *host, int port, int option_bitmask);
#define TLS_DEFAULT_OPTIONS 0
#define TLS_DISABLE_HOST_VALIDATION 0x0001  // use rarely, subject to man-in-the-middle attack
#define TLS_ENABLE_V1_0 0x0002
#define TLS_ENABLE_V1_1 0x0004

    If the caller of this API doesn't understand the options and passes 0 or TLS_DEFAULT_OPTIONS they will get certificate validation with only the current version of TLS enabled.

    This API design principle can be extended to cover other security properties – for example, having best practice cipher suites enabled by default (something that changes over time) while disabling out-of-favor cipher suites by default. When interface stability is also a design requirement, an interface can meet both goals by providing off-by-default options that produce stable behavior, such as TLS_ENABLE_Y2015_BEST_PRACTICE_CIPHERS_ONLY.

    1. Robert Seacord

      seems like a reasonable recommendation; possibly difficult to enforce.  i'll try to add something.

    2. Robert Seacord

      OK, stubbed out as API02-C. APIs should have security options enabled by default

  2. Volker Erben

    only for completeness: In table "Risk Assessment Summary" the items API02-C, API05-C and API10-C are missing. Please correct.