SEI CERT C++ Coding Standard Rules for Developing Safe, Reliable, and Secure Systems in C++ 2016 Edition Aaron Ballman Copyright 2017 Carnegie Mellon University This material is based upon work funded and supported by the Department of Defense under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. Any opinions, findings and conclusions or recommendations expressed in this material are those of the au- thor(s) and do not necessarily reflect the views of the United States Department of Defense. References herein to any specific commercial product, process, or service by trade name, trade mark, manu- facturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by Carnegie Mellon University or its Software Engineering Institute. This report was prepared for the SEI Administrative Agent AFLCMC/PZM 20 Schilling Circle, Bldg 1305, 3rd floor Hanscom AFB, MA 01731-2125 NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT. [Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution. Internal use:* Permission to reproduce this material and to prepare derivative works from this material for in- ternal use is granted, provided the copyright and “No Warranty” statements are included with all reproductions and derivative works. External use:* This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other external and/or commercial use. Requests for permission should be directed to the Software Engineering Institute at [email protected]. *These restrictions do not apply to U.S. government entities. Carnegie Mellon® and CERT® are registered marks of Carnegie Mellon University. DM-0004501 V01-20170309-0910 Table of Contents 1 Introduction 1 1.1 Scope 1 1.2 Audience 3 1.3 Usage 3 1.4 How this Coding Standard Is Organized 4 1.5 Relation to the CERT C Coding Standard 9 1.6 Rules Versus Recommendations 10 1.7 Tool Selection and Validation 11 1.8 Conformance Testing 12 1.9 Development Process 13 1.10 System Qualities 14 1.11 Automatically Generated Code 14 1.12 Government Regulations 15 1.13 Acknowledgments 17 2 Declarations and Initialization (DCL) 18 2.1 DCL50-CPP. Do not define a C-style variadic function 18 2.2 DCL51-CPP. Do not declare or define a reserved identifier 22 2.3 DCL52-CPP. Never qualify a reference type with const or volatile 28 2.4 DCL53-CPP. Do not write syntactically ambiguous declarations 31 2.5 DCL54-CPP. Overload allocation and deallocation functions as a pair in the same scope 37 2.6 DCL55-CPP. Avoid information leakage when passing a class object across a trust boundary 41 2.7 DCL56-CPP. Avoid cycles during initialization of static objects 51 2.8 DCL57-CPP. Do not let exceptions escape from destructors or deallocation functions 57 2.9 DCL58-CPP. Do not modify the standard namespaces 63 2.10 DCL59-CPP. Do not define an unnamed namespace in a header file 69 2.11 DCL60-CPP. Obey the one-definition rule 76 3 Expressions (EXP) 83 3.1 EXP50-CPP. Do not depend on the order of evaluation for side effects 83 3.2 EXP51-CPP. Do not delete an array through a pointer of the incorrect type 90 3.3 EXP52-CPP. Do not rely on side effects in unevaluated operands 92 3.4 EXP53-CPP. Do not read uninitialized memory 96 3.5 EXP54-CPP. Do not access an object outside of its lifetime 101 3.6 EXP55-CPP. Do not access a cv-qualified object through a cv-unqualified type 112 3.7 EXP56-CPP. Do not call a function with a mismatched language linkage 117 3.8 EXP57-CPP. Do not cast or delete pointers to incomplete classes 120 SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 i Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. 3.9 EXP58-CPP. Pass an object of the correct type to va_start 126 3.10 EXP59-CPP. Use offsetof() on valid types and members 130 3.11 EXP60-CPP. Do not pass a nonstandard-layout type object across execution boundaries 134 3.12 EXP61-CPP. A lambda object must not outlive any of its reference captured objects 139 3.13 EXP62-CPP. Do not access the bits of an object representation that are not part of the object’s value representation 142 3.14 EXP63-CPP. Do not rely on the value of a moved-from object 147 4 Integers (INT) 153 4.1 INT50-CPP. Do not cast to an out-of-range enumeration value 153 5 Containers (CTR) 157 5.1 CTR50-CPP. Guarantee that container indices and iterators are within the valid range 157 5.2 CTR51-CPP. Use valid references, pointers, and iterators to reference elements of a container 163 5.3 CTR52-CPP. Guarantee that library functions do not overflow 170 5.4 CTR53-CPP. Use valid iterator ranges 174 5.5 CTR54-CPP. Do not subtract iterators that do not refer to the same container 177 5.6 CTR55-CPP. Do not use an additive operator on an iterator if the result would overflow 182 5.7 CTR56-CPP. Do not use pointer arithmetic on polymorphic objects 184 5.8 CTR57-CPP. Provide a valid ordering predicate 189 5.9 CTR58-CPP. Predicate function objects should not be mutable 193 6 Characters and Strings (STR) 198 6.1 STR50-CPP. Guarantee that storage for strings has sufficient space for character data and the null terminator 198 6.2 STR51-CPP. Do not attempt to create a std::string from a null pointer 201 6.3 STR52-CPP. Use valid references, pointers, and iterators to reference elements of a basic_string 205 6.4 STR53-CPP. Range check element access 209 7 Memory Management (MEM) 213 7.1 MEM50-CPP. Do not access freed memory 213 7.2 MEM51-CPP. Properly deallocate dynamically allocated resources 220 7.3 MEM52-CPP. Detect and handle memory allocation errors 233 7.4 MEM53-CPP. Explicitly construct and destruct objects when manually managing object lifetime 238 7.5 MEM54-CPP. Provide placement new with properly aligned pointers to sufficient storage capacity 243 7.6 MEM55-CPP. Honor replacement dynamic storage management requirements 249 7.7 MEM56-CPP. Do not store an already-owned pointer value in an unrelated smart pointer 253 7.8 MEM57-CPP. Avoid using default operator new for over-aligned types 258 SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 ii Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. 8 Input Output (FIO) 261 8.1 FIO50-CPP. Do not alternately input and output from a file stream without an intervening positioning call 261 8.2 FIO51-CPP. Close files when they are no longer needed 264 9 Exceptions and Error Handling (ERR) 267 9.1 ERR50-CPP. Do not abruptly terminate the program 267 9.2 ERR51-CPP. Handle all exceptions 273 9.3 ERR52-CPP. Do not use setjmp() or longjmp() 276 9.4 ERR53-CPP. Do not reference base classes or class data members in a constructor or destructor function-try-block handler 280 9.5 ERR54-CPP. Catch handlers should order their parameter types from most derived to least derived 282 9.6 ERR55-CPP. Honor exception specifications 284 9.7 ERR56-CPP. Guarantee exception safety 288 9.8 ERR57-CPP. Do not leak resources when handling exceptions 292 9.9 ERR58-CPP. Handle all exceptions thrown before main() begins executing 298 9.10 ERR59-CPP. Do not throw an exception across execution boundaries 303 9.11 ERR60-CPP. Exception objects must be nothrow copy constructible 307 9.12 ERR61-CPP. Catch exceptions by lvalue reference 312 9.13 ERR62-CPP. Detect errors when converting a string to a number 316 10 Object Oriented Programming (OOP) 320 10.1 OOP50-CPP. Do not invoke virtual functions from constructors or destructors 320 10.2 OOP51-CPP. Do not slice derived objects 325 10.3 OOP52-CPP. Do not delete a polymorphic object without a virtual destructor 333 10.4 OOP53-CPP. Write constructor member initializers in the canonical order 336 10.5 OOP54-CPP. Gracefully handle self-copy assignment 340 10.6 OOP55-CPP. Do not use pointer-to-member operators to access nonexistent members 345 10.7 OOP56-CPP. Honor replacement handler requirements 350 10.8 OOP57-CPP. Prefer special member functions and overloaded operators to C Standard Library functions 353 10.9 OOP58-CPP. Copy operations must not mutate the source object 360 SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 iii Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. 11 Concurrency (CON) 365 11.1 CON50-CPP. Do not destroy a mutex while it is locked 365 11.2 CON51-CPP. Ensure actively held locks are released on exceptional conditions 368 11.3 CON52-CPP. Prevent data races when accessing bit-fields from multiple threads 371 11.4 CON53-CPP. Avoid deadlock by locking in a predefined order 375 11.5 CON54-CPP. Wrap functions that can spuriously wake up in a loop 380 11.6 CON55-CPP. Preserve thread safety and liveness when using condition variables 385 11.7 CON56-CPP. Do not speculatively lock a non-recursive mutex that is already owned by the calling thread 391 12 Miscellaneous (MSC) 395 12.1 MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers 395 12.2 MSC51-CPP. Ensure your random number generator is properly seeded 398 12.3 MSC52-CPP. Value-returning functions must return a value from all exit paths 402 12.4 MSC53-CPP. Do not return from a function declared [[noreturn]] 405 12.5 MSC54-CPP. A signal handler must be a plain old function 407 Appendix A: Bibliography 411 Appendix B: Definitions 419 Appendix C: Related Guidelines 425 Appendix D: Risk Assessments 427 SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 iv Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction - Scope 1 Introduction This standard provides rules for secure coding in the C++ programming language. The goal of these rules is to develop safe, reliable, and secure systems, for example by eliminating undefined behaviors that can lead to undefined program behaviors and exploitable vulnerabilities. Conformance to the coding rules defined in this standard are necessary (but not sufficient) to ensure the safety, reliability, and security of software systems developed in the C++ programming language. It is also necessary, for example, to have a safe and secure design. Safety-critical systems typically have stricter requirements than are imposed by this coding standard, for example requiring that all memory be statically allocated. However, the application of this coding standard will result in high-quality systems that are reliable, robust, and resistant to attack. Each rule consists of a title, a description, noncompliant code examples, and compliant solutions, as well as other information as described in How this Coding Standard Is Organized. The title is a concise, but sometimes imprecise, description of the rule. The description specifies the normative requirements of the rule. The noncompliant code examples are examples of code that would constitute a violation of the rule. The accompanying compliant solutions demonstrate equivalent code that does not violate the rule or any other rules in this coding standard. A well-documented and enforceable coding standard is an essential element of coding in the C++ programming language. Coding standards encourage programmers to follow a uniform set of rules determined by the requirements of the project and organization rather than by the programmers’ individual preferences. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). The SEI CERT C++ Coding Standard wiki contains ongoing updates of the standard between official published releases. If you are interested in contributing to these rules, create an account on the wiki and then request contributor privileges by sending a request to [email protected]. The Secure Coding eNewsletter contains news from the CERT Secure Coding Initiative as well as summaries of recent updates to the standard rules. If you are interested in receiving updates directly, subscribe to the eNewsletter through our website or send a request to [email protected]. 1.1 Scope The CERT C++ Coding Standard was developed specifically for versions of the C++ programming language defined by the following: • ISO/IEC 14882-2014, Programming Languages—C++, Fourth Edition, 2014 [ISO/IEC 14882-2014] Although the guidelines for this standard were developed for C++14, they can also be applied to earlier versions of the C++ programming language, including C++11. Variations between SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 1 Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction - Scope versions of the C++ Standard that would affect the proper application of these guidelines are noted where applicable. Most guidelines have a noncompliant code example that is a C++14-conforming program to ensure that the problem identified by the guideline is within the scope of the standard. Most guidelines also include a compliant solution that applies to multiple platforms. Language and library extensions that have been published as ISO/IEC technical reports or technical specifications are frequently given precedence. Occasionally, interesting or illustrative implementation-specific behaviors are described. 1.1.1 Rationale A coding standard for the C++ programming language can create the highest value for the longest period of time by focusing on the C++ Standard (C++14) and any relevant post-C++14 technical reports. The C++ Standard documents existing practice where possible. That is, most features must be tested in an implementation before being included in the standard. The CERT C++ Coding Standard has a secondary purpose: to establish a set of best practices, which sometimes requires introducing new practices that may not be widely known or used when existing practices are inadequate. To put it a different way, the CERT C++ Coding Standard attempts to drive change rather than just document it. Some vendors have extensions to C++, and some have implemented only part of the C++ Standard before stopping development. Consequently, it is not possible to discuss only C++98, C++03, or C++11. The vendor support equation is too complicated to draw a line and say that a certain compiler supports exactly a certain standard. Whatever demarcation point is selected, different vendors are on opposite sides of it for different parts of the language. Supporting all possibilities would require testing the cross-product of each compiler with each language feature. Consequently, we have selected a demarcation point that is the most recent in time so that the rules and recommendations defined by the standard will be applicable for as long as possible. As a result of the variations in support, source-code portability is enhanced when the programmer uses only the features specified by C++14. This is one of many trade-offs between security and portability inherent to C++ language programming. The value of forward-looking information increases with time before it starts to decrease. The value of backward-looking information starts to decrease immediately. For all of these reasons, the priority of this standard is to support new code development using C++14. A close-second priority is supporting remediation of old code using C++11. This coding standard does make contributions to support older compilers when these contributions can be significant and doing so does not compromise other priorities. The intent is not to capture all deviations from the standard but to capture only a few important ones. SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 2 Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction - Audience 1.1.2 Issues Not Addressed A number of issues are not addressed by this secure coding standard. 1.1.2.1 Coding Style Coding style issues are subjective, and it has proven impossible to develop a consensus on appropriate style guidelines. Consequently, the CERT C++ Secure Coding Standard does not require the enforcement of any particular coding style but only suggests that development organizations define or adopt style guidelines and apply these guidelines consistently. The easiest way to apply a coding style consistently is to use a code-formatting tool. Many interactive development environments (IDEs) provide such capabilities. 1.1.2.2 Controversial Rules In general, the CERT coding standards try to avoid the inclusion of controversial rules that lack a broad consensus. 1.2 Audience The CERT C++ Secure Coding Standard is primarily intended for developers of C++ language programs but may also be used by software acquirers to define the requirements for software. The standard is of particular interest to developers who are building high-quality systems that are reliable, robust, and resistant to attack. While not intended for C programmers, the standard may also be of some value to these developers because the vast majority of issues identified for C language programs are also issues in C++ programs, although in many cases the solutions are different. 1.3 Usage The rules in this standard are intended to improve the security of software by improving the knowledge, practices, and tools that software developers use. This standard can be used to develop tailored coding standards for projects and organizations, enabling a consistent approach to software development security. It may be extended with organization-specific rules. However, the rules in this standard must be obeyed to claim conformance with the standard. This standard can also be used for conformance testing and tool selection and validation. Once a coding standard has been established, tools and processes can be developed or modified to determine conformance with the standard. SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 3 Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution. Introduction - How this Coding Standard Is Organized This standard can also be used to develop training and educate software professionals regarding the appropriate application of coding standards. The Software Engineering Institute (SEI) offers several Secure Coding courses and certificates, available as live training and online training. The material from this standard and supplemental training and evaluation materials can be used to 1. identify job candidates with specific programming skills 2. demonstrate the presence of a well-trained software workforce 3. provide guidance to educational and training institutions 1.4 How this Coding Standard Is Organized This coding standard is organized into 11 chapters that contain rules in specific topic areas followed by four appendices. Appendix A contains the bibliography. Appendix B lists the definitions of terms used throughout the standard. Appendix C lists the relationships between the rules of this standard and two other related guidelines: MISRA C++ 2008: Guidelines for the Use of the C++ Language in Critical Systems [MISRA 2008] and MITRE’s Common Weakness Enumeration (CWE) [MITRE 2010]. Appendix D lists the risk assessments associated with all of the rules in the coding standard. Most rules have a consistent structure. Each rule in this standard has a unique identifier, which is included in the title. The title and the introductory paragraphs define the rule and are typically followed by one or more pairs of noncompliant code examples and compliant solutions. Each rule also includes a risk assessment, related guidelines, and a bibliography (where applicable). Rules may also include a table of related vulnerabilities. 1.4.1 Identifiers Each rule and recommendation (see Rules Versus Recommendations) is given a unique identifier. These identifiers consist of three parts: • A three-letter mnemonic representing the section of the standard • A two-digit numeric value in the range of 00 to 99 • A suffix that represents the associated language or platform. − “-C” for the SEI CERT C Coding Standard − “-CPP” for the SEI CERT C++ Coding Standard − “-J” for the SEI CERT Oracle Coding Standard for Java − “-PL” for the SEI CERT Perl Coding Standard The three-letter mnemonic is used to group similar coding practices and to indicate which category a coding practice belongs to. The numeric value is used to give each coding practice a unique identifier. Numeric values in the range of 00 to 49 are reserved for recommendations, and values in the range of 50 to 99 are SEI CERT C++ CODING STANDARD (2016 EDITION) | V01 4 Software Engineering Institute | Carnegie Mellon University [DISTRIBUTION STATEMENT A] Approved for public release and unlimited distribution.