Secure embedded software – choosing the right coding standard

This article compares state-of-the-art coding standards and explains how adherence to them can help developers deliver more secure C and C++ code.


By Richard Bellairs, PRQA


An increasing number of products that touch our daily lives are connected to the internet. This brings many benefits, but also introduces potential security vulnerabilities. It is imperative that the software powering these products is developed with security in mind. Adoption of a strong coding standard that addresses known security issues has been shown to deliver more secure products. Enforcing this standard with automated code analysis tools will help to ensure products are delivered on time and on budget.

The pace of change in consumer products is amazing and the rate of innovation continues to accelerate. A new generation of connected devices and socially oriented services continues to impact our lives in profound ways, from the use of voice-activated speakers to control our smart homes to the hundreds of sensors that are used to control traffic in our cities more effectively. The widespread adoption of connected devices raises concerns over their security and our privacy.

Security of software is a hot topic, and one that every organization must address effectively. C remains the dominant language for embedded software development in consumer products, with C++ growing in popularity. There is no shortcut to achieving software security; reducing the risk that insecure software poses requires a concerted effort, and an appreciation of best-practice industry guidelines.

Applying coding standards to the development of safety-critical software is a widely adopted practice, but coding standards that target security issues are still relatively new. Demand for software security standards has increased as a result of the Internet of Things (IoT): the handling of data and the connections between devices have repeatedly been shown to have serious security flaws. Some examples of high-profile failures include the hacking of TrendNet nanny cams and the failure of Nest thermostats due to a flawed software update. Security and privacy breaches not only put users at risk, but also have the potential to cause significant damage to company reputation. As such, security is a commercial imperative.

Recognition of the importance of security has increased over recent years. New security-focused coding standards have emerged alongside the more mature safety-critical standards. Although the underlying goals are different, their recommendations frequently overlap. Most of the coding standards considered in this article use rules to prohibit aspects of a language that are considered inappropriate by the issuing standards body. In addition, they prescribe ways to enrich the development process and the effectiveness of the language. In some respects, they define a new language, with specific emphasis on delivering greater security, improved predictability, increased robustness and better maintainability. Today the most popular coding standards for security are the CERT C Secure Coding Standard, MISRA C:2012, and the C Secure Coding Rules (ISO/IEC TS 17961:2013).

For the purposes of comparison, the coding standards covered in this article have been assessed using nine categories, some of which include a qualitative indication of how the coding standards perform. The performance indicator (1 to 3 stars) is derived from considerations and impressions PRQA has collected from its wide customer base and cannot, by any measure, be considered an official endorsement of any standard. We categorized the standards as follows:

Industry: the original industry sector targeted by the coding standard.

Reference language version: the version of the C Standard that is currently used as a reference for the coding guidelines. This is important as it can influence the choice of coding standard for a project; for example, if C11 is to be used (for instance, because some of its features make it the most applicable for a given application), MISRA C:2012 is not a good candidate unless specific compliance requirements make it necessary.

Automatic enforceability: how easily automatic checks for the guidelines can be created without producing false positives. This is usually related to how strictly or loosely the individual guidelines are defined.

Coverage: a qualitative indication of the breadth of the coding standard scope and the number of guidelines defined. The broader the scope, the higher the educational value of the coding standard, but a broad scope can also bring complexity in terms of guideline maintenance and tool coverage.

Market adoption: the level of usage of the coding standard for real-world projects, in terms of formal compliance requirements (for example in functional safety applications) and voluntary usage to improve overall software quality.

Tool availability: the market availability of an automated code analysis tool to enforce the coding standard. This tends to be linked with the standard's level of market adoption.

Evolution: a quickly evolving standard adapts better to feedback from its users and introduces new features faster. This can be considered good for consumer products but bad for other sectors. CERT C uses two methods for publishing its guidelines: a web-based wiki and a freely available PDF document. The wiki evolves faster than the PDF.

Resources: this can include references to the C language standard, to other standards, papers, articles or other common knowledge bases that may be helpful.

Examples: descriptions to illustrate the issues related to the violation of a specific guideline and compliant solutions.

Figure 1. This simple flow chart helps to make an informed choice.

There is no single best standard for secure coding. Selection must consider many different aspects, such as the duration of the project (where stability of the reference is more important), the version of the language being used and the existence of legacy code. The simple flow chart in figure 1 can help to make an informed choice.

Scenario 1. If the requirements dictate compliance with a recognized coding standard (a typical scenario would be a safety-critical application), then the choice should be MISRA C. The latest version of this standard is MISRA C:2012 Amendment 1. If a previous version of MISRA is mandated (for example MISRA C:2004), then the project will benefit from the addition of the security rules provided by ISO/IEC TS 17961:2013 (some work will be required to match the C version and remove any overlap; a good starting point is Addendum 2 of MISRA C:2012, “Coverage of MISRA C:2012 against ISO/IEC 17961:2012 C Secure”).

Figure 2. Comparison table of CERT C, MISRA C:2012, and ISO/IEC TS 17961:2013.

Scenario 2. If the application has no compliance requirements, and there are no high-performance needs that would justify sacrificing code portability, it is still recommended to adopt a high-integrity perspective. In this case the recommendation would also be to use MISRA C:2012.

Scenario 3. In both previous scenarios CERT C could offer valuable support from a security perspective, and the recommendation would be to adopt CERT C in parallel with the suggested standards (in the flow chart this is indicated by a dashed line). However, if a high-integrity approach is not taken, the MISRA C:2012 standard could be seen as too restrictive for the specific application. In this case the recommendation would be to apply only CERT C in order to achieve a good level of code security.

Choosing the right coding standard to adopt when developing secure code will depend on many factors, including an understanding of the features and benefits of each standard and how they could meet the requirements of the current development project. The process shown in this article focuses on the ability to perform automated checking with tools such as the PRQA static analyzers QA·C and QA·C++. Such tools perform deep analysis of source code to prevent, detect and eliminate defects, and automatically enforce coding rules to ensure standards compliance.
