Projects per year
Abstract
Writing correct C programs is well-known to be hard, not least due to the many low-level language features intrinsic to C. Writing secure C programs is even harder and, at times, seemingly impossible. To improve this situation the US CERT has developed and published a set of coding standards, the “CERT C Secure Coding Standard”, that (currently) enumerates 122 rules and 180 recommendations, with the aim of making C programs (more) secure. The large number of rules and recommendations makes automated tool support essential for certifying that a given system complies with the standard.
In this paper, we report on ongoing work on adapting the Coccinelle bug-finder and program transformation tool, into a tool for analysing and certifying C programs according to, e.g., the CERT C Secure Coding Standard or the MISRA (the Motor Industry Software Reliability Association) C standard. We argue that such a tool must be highly adaptable and customisable to each software project as well as to the certification rules required by a given standard.
Furthermore, we present current work on integrating Clang (the LLVM C front-end) as a program analysis component into Coccinelle. Program analysis information, e.g., from data-flow or pointer analysis, is necessary both for more precise compliance checking, i.e., with fewer false positives, and also for enabling more complete checking, i.e., with fewer false negatives, e.g., resulting from pointer aliasing.
In this paper, we report on ongoing work on adapting the Coccinelle bug-finder and program transformation tool, into a tool for analysing and certifying C programs according to, e.g., the CERT C Secure Coding Standard or the MISRA (the Motor Industry Software Reliability Association) C standard. We argue that such a tool must be highly adaptable and customisable to each software project as well as to the certification rules required by a given standard.
Furthermore, we present current work on integrating Clang (the LLVM C front-end) as a program analysis component into Coccinelle. Program analysis information, e.g., from data-flow or pointer analysis, is necessary both for more precise compliance checking, i.e., with fewer false positives, and also for enabling more complete checking, i.e., with fewer false negatives, e.g., resulting from pointer aliasing.
| Original language | English |
|---|---|
| Journal | Science of Computer Programming |
| Volume | 91 |
| Issue number | Part B |
| Pages (from-to) | 141-160 |
| ISSN | 0167-6423 |
| DOIs | |
| Publication status | Published - Oct 2014 |
| Event | 4th International Workshop on Foundations and Techniques for Open Source Software Certification - Pisa, Italy Duration: 17 Sept 2010 → 18 Sept 2010 Conference number: 4 |
Conference
| Conference | 4th International Workshop on Foundations and Techniques for Open Source Software Certification |
|---|---|
| Number | 4 |
| Country/Territory | Italy |
| City | Pisa |
| Period | 17/09/2010 → 18/09/2010 |
Projects
- 1 Finished
-
Improving the Security of Infrastructure Software
Hansen, R. R. (Project Applicant) & Lawall, J. (Project Licensee)
Forskningsrådet for Teknologi og Produktion (FTP)
19/05/2008 → 18/05/2011
Project: Research