SEI CERT C Coding Standard

Space shortcuts

Page tree

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 28 Next »

Many applications need to handle sensitive data either in memory or on disk. If this sensitive data is not protected properly, it might lead to loss of secrecy or integrity of the data. It is very difficult (or expensive) to completely secure all the sensitive data. Users tend to use the same passwords everywhere. So, even if your program is a simple game which stores the user's profile information and requires the user to enter a password, the user might choose the same password he uses for his online bank account for your game program. Now the user's bank account is only as secure as your program enables it to be.

There are simple steps you can take to secure sensitive data in your programs.

Prefer the system's authentication dialog (or any other mechanism provided by the OS) for authentication to privileged services.

If you are accessing some privileged service already installed on the system, most likely that service will have some mechanism to take a password from the user. Before asking the user for a user name and password from your application, check if the service itself authenticates the user in some way. If so, let the service handle the authentication, as doing so would at least not increase the footprint of the sensitive data.

Do not hard code sensitive data in programs.

This is considered very bad programming practice, as it enforces the requirement of the development environment to be secure.

Disable memory dumps.

Memory dumps are automatically created when your program crashes. These memory dumps can contain information stored in any part of program memory. Therefore memory dumps should be disabled before an application is shipped to users. See MEM06-C. Ensure that sensitive data is not written out to disk for details.

Do not store sensitive data beyond its time of use in a program.

Sensitive data that is stored in memory can get written to disk (see next point for details with respect to keeping sensitive data on disk) when a page is swapped out of the physical memory. You may be able to "lock" your data to keep it from swapping out. Your program will generally need administrative privileges to do this successfully, but it never hurts to try. See MEM06-C. Ensure that sensitive data is not written out to disk for details.

Do not store sensitive data in plaintext (neither on disk nor in memory).

See MEM06-C. Ensure that sensitive data is not written out to disk.
While using a password, consider storing its hash instead of plaintext. Use the hash for comparisons and other purposes. The following code [Viega 01] illustrates this:

int validate(char *username) {
  char *password;
  char *checksum;
  password = read_password();
  checksum = compute_checksum(password);
  erase(password);  /* securely erase password */
  return !strcmp(checksum, get_stored_checksum(username));
}
If you must store sensitive data, encrypt it first.
  1. If encrypting or hashing sensitive data, do not implement your own encryption functions (or library). Use proven secure crypto libraries which have been extensively tested for security.
  2. If using standard crypto libraries, be aware that there are certain requirements (documented with the library) for the key sizes and other properties. Choose keys satisfying these conditions.
  3. Do not store the encryption keys (you can derive the key from the hash of the user's password or any other cryptographic mechanism, provided the above condition holds). If the key is to be stored, store it securely.
Securely erase sensitive data from disk and memory.
  1. Be aware of compiler optimization when erasing memory (see MSC06-C. Be aware of compiler optimization when dealing with sensitive data).

  2. Use secure erase methods specified in US Department of Defense Standard 5220 [DOD 5220] or Peter Gutmann's paper [Gutmann 96].

Risk Assessment

If sensitive data is not handled correctly in a program, an attacker can gain access to it.

Recommendation

Severity

Likelihood

Remediation Cost

Priority

Level

MSC18-C

medium

probable

medium

P8

L2

Related Vulnerabilities

Search for vulnerabilities resulting from the violation of this rule on the CERT website.

Other Languages

This rule appears in the Java Secure Coding Standard as MSC31-J. Never hardcode sensitive information.

Bibliography

[MITRE 07] CWE-798, "Use of Hard-coded Credentials," CWE-326, "Inadequate Encryption Strength," CWE-311, "Missing Encryption of Sensitive Data"
[DOD 5220]
[Gutmann 96]
[Lewis 06]
[Viega 01]

      49. Miscellaneous (MSC)      

  • No labels