Skip to main content
SpringerLink
Log in

Enforcing Secure Coding Rules for the C Programming Language Using the Eclipse Development Environment

  • Conference paper
  • First Online:
National Cyber Summit (NCS) Research Track (NCS 2019)

Part of the book series: Advances in Intelligent Systems and Computing ((AISC,volume 1055))

Included in the following conference series:

Abstract

Creating secure software is challenging, but necessary due to the prevalence of large data breaches that have occurred for organizations such as Equifax, Uber, and U.S. Securities and Exchange Commission. Many static analysis tools are available that can identify vulnerable code, however many are proprietary, do not disclose their rule set or do not integrate with development environments. One open source tool that integrates well with the Eclipse development environment is the Secure Coding Assistant that was developed at California State University, Sacramento (CSUS), which is featured by early error detection. The tool provides support for secure coding rules for the Java programming language that were developed at the CERT division of the Software Engineering Institute at Carnegie Mellon University. The tool also provides error correction and contract programming support. To provide secure coding assistance in C programming, we further extend the tool to support the C programming language by semi-automating a subset of the CERT secure coding rules for C. The tool detects rule violations for the C programming language in the Eclipse development environment and provides feedback to aid and educate developers in secure coding practices. The tool is open source to the community and maintained at GitHub (http://benw408701.github.io/SecureCodingAssistant/).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. 2017 Annual Data Breach Year-End Review (2018). https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYearEndReview.pdf. Accessed 27 Feb 2019

  2. Bearak, S.: Uber Data Breach Affects 57 Million: It is Time to Own Our Identities (2017). https://www.identityforce.com/business-blog/ubers-data-breach-affects-57-million-its-time-to-own-our-identities. Accessed 27 Feb 2019

  3. Cimpanu, C.: SEC Says Hackers Breached its System, Might Have Stolen Data for Insider Trading (2017). https://www.bleepingcomputer.com/news/security/sec-says-hackers-breached-its-system-might-have-used-stolen-data-for-insider-trading/. Accessed 27 Feb 2019

  4. Eclipse: Extensions and Extension Points (2018). http://help.eclipse.org/luna/index.jsp?topic=%2Forg.eclipse.pde.doc.user%2Fconcepts%2Fextension.htm. Accessed 27 Feb 2019

  5. Hicken, A.: ERR34-C. Detect errors when converting a string to a number (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  6. Hicken, A., Seacord, R.: STR34-C. Cast characters to unsigned char before converting to larger integer sizes (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  7. Leary, J.: Equifax Breach Impacts 147.9 Million: Steps to Keep Your Identity Protected (2018). https://www.identityforce.com/business-blog/equifax-breach-impacts-143-million-steps-to-keep-your-identity-protected. Accessed 27 Feb 2019

  8. Li, C., White, B., Dai, J., Zhang, C.: Enhancing secure coding assistant with error correction and contract programming. In: Proceeding of National Cyber Summit 2017, Huntsville, AL, 6–8 June 2017 (2017)

    Google Scholar 

  9. Long, F., Hicken, A.: MSC30-C. Do not use the rand() function for generating pseudorandom numbers (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  10. MITRE: CWE-843: Access of Resource Using Incompatible Type (‘Type Confusion’). Common Weakness Enumeration (2018)

    Google Scholar 

  11. NIST: Test Suites, 4.9 (2017). NIST Samate: https://samate.nist.gov/SARD/testsuite.php. Accessed 27 Feb 2019

  12. Ozkan, S.: Browse Vulnerabilities by Date (2018). https://www.cvedetails.com/browse-by-date.php. Accessed 27 Feb 2019

  13. Pretz, K.: 10 Recommendation for Avoiding Software Security Design Flaws (2014). http://theinstitute.ieee.org/special-reports/special-reports/10-recommendations-for-avoiding-software-security-design-flaws. Accessed 27 Feb 2019

  14. Razmyslov, S.: INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  15. Seacord, R., Flynn, L.: FIO32-C. Do not perform operations on devices that are only appropriate for files (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  16. Seacord, R., Hicken, A.: MEM31-C. Free dynamically allocated memory when no longer needed (2018). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  17. Svoboda, D., Snavely, W.: FIO45-C. Avoid TOCTOU race conditions while accessing files (2017). https://wiki.sei.cmu.edu. Accessed 27 Feb 2019

  18. White, B., Dai, J., Zhang, C.: Secure coding assistant: enforcing secure coding practices using the eclipse development environment. In: Proceeding of National Cyber Summit 2016, Huntsville, AL, 8–9 June 2016 (2016)

    Google Scholar 

  19. White, B., Dai, J., Zhang, C.: An early detection tool in eclipse to enforce secure coding practices. Int. J. Inf. Priv. Secur. Integr. (IJIPSI) 3, 284–309 (2018)

    Google Scholar 

  20. Melnik, V.V.: Enhancing secure coding assistant: enforcing secure coding rules for C programming language. Master report at California State University, Sacramento (2018)

    Google Scholar 

Download references

Acknowledgements

Acknowledgements and attributions are given to Carnegie Mellon University and its Software Engineering Institute, as this publication incorporates portions of the “SEI CERT C Coding Standard” (c) 2017 Carnegie Mellon University, with special permission from its Software Engineering Institute. Any material of Carnegie Mellon University and/or its software engineering institute contained herein is furnished on an “as-is” basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for purpose or merchantability, exclusivity, or results obtained from use of the material, Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. This publication has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute. CERT and CERT Coordination Center are registered trademarks of Carnegie Mellon University.

Author information

Authors and Affiliations

  1. Computer Science, California State University, Sacramento, CA, 95819, USA

    Victor Melnik, Jun Dai, Cui Zhang & Benjamin White

  2. Mother Lode Holding Company, Roseville, CA, 95747, USA

    Benjamin White

Authors
  1. Victor Melnik
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jun Dai
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Cui Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Benjamin White
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Jun Dai .

Editor information

Editors and Affiliations

  1. The University of Texas at San Antonio, San Antonio, TX, USA

    Kim-Kwang Raymond Choo

  2. University of Alabama in Huntsville, Huntsville, AL, USA

    Thomas H. Morris

  3. Air Force Institute of Technology, Wright-Patterson AFB, OH, USA

    Gilbert L. Peterson

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Melnik, V., Dai, J., Zhang, C., White, B. (2020). Enforcing Secure Coding Rules for the C Programming Language Using the Eclipse Development Environment. In: Choo, KK., Morris, T., Peterson, G. (eds) National Cyber Summit (NCS) Research Track. NCS 2019. Advances in Intelligent Systems and Computing, vol 1055. Springer, Cham. https://doi.org/10.1007/978-3-030-31239-8_12

Download citation

Publish with us

Policies and ethics

Search

Navigation