Secure embedded software – choosing the right coding standard

This article compares state-of-the-art coding standards and explains how adherence to them can help developers deliver more secure C and C++ code.


By Richard Bellairs, PRQA


An increasing number of products that touch our daily lives are connected to the internet. This brings many benefits, but also introduces potential security vulnerabilities. It is imperative that the software powering these products is developed with security in mind. Adoption of a strong coding standard that addresses known security issues has been shown to deliver more secure products. Enforcing this standard with automated code analysis tools will help to ensure products are delivered on time and in budget.

The pace of change in consumer products is amazing and the rate of innovation continues to accelerate. A new generation of connected devices and socially oriented services continues to impact our lives in profound ways, from the use of voice-activated speakers to control our smart homes to the hundreds of sensors that are used to control traffic in our cities more effectively. The widespread adoption of connected devices raises concerns over their security and our privacy.

Security of software is a hot topic, and one that every organization must address effectively. C remains the dominant language for embedded software development in consumer products, with C++ growing in popularity. There is no shortcut to achieving software security; reducing the risk it poses requires a concerted effort, and an appreciation of best practice industry guidelines.

Applying coding standards to the development of safety-critical software is a widely adopted practice, but coding standards that target security issues are still relatively new. Demand for software security standards has increased as a result of the Internet of Things (IoT): the handling of data and the connections between devices have repeatedly been shown to have serious security flaws. Some examples of high-profile failures include the hacking of TrendNet nanny cams and the failure of Nest thermostats due to a flawed software update. Security and privacy breaches not only put users at risk, but also have the potential to cause significant damage to company reputation. As such, security is a commercial imperative.

Recognition of the importance of security has increased over recent years. New security-focused coding standards have emerged alongside the more mature safety-critical standards. Although the underlying goals are different, their recommendations frequently overlap. Most of the coding standards considered in this article use rules to prohibit aspects of a language that are considered inappropriate by the issuing standards body. In addition, they prescribe ways to enrich the development process and the language effectiveness. In some respects, they define a new language, with specific emphasis on delivering greater security, improved predictability, increased robustness and better maintainability. Today most popular coding standards for security are the CERT C Secure Coding Standard; MISRA C:2012; and the C Secure Coding Rules (ISO/IEC TS 17961:2013).
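As an added illustration (not code from the article), the kind of construct these rule sets target: a small record parser that trusts an externally supplied length, beside the bounded, checked form the standards push code towards. The record layout, function names and the particular rule references (MISRA C:2012 Dir 4.14 and Rule 17.7, CERT C STR31-C) are my choices for this example, not the article's.

```c
/* Added example, not from the article. A tiny "device name" record parser
 * written twice: the first form uses patterns that CERT C, MISRA C:2012
 * (Amendment 1) and ISO/IEC TS 17961 all flag; the second is the shape those
 * standards push code towards. Record layout is assumed: [len][name bytes]. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16u

struct device_name { char name[NAME_MAX + 1u]; };

/* Non-compliant: the length byte comes from outside the program but is used
 * unchecked (MISRA C:2012 Dir 4.14, validate values from external sources;
 * CERT C STR31-C). A len above NAME_MAX overruns the destination buffer. */
void parse_name_unchecked(const uint8_t *rec, struct device_name *out)
{
    size_t len = rec[0];
    memcpy(out->name, &rec[1], len);   /* no bound against sizeof out->name */
    out->name[len] = '\0';
}

/* Compliant: every length derived from input is checked against the buffer
 * it indexes, and the caller is told whether parsing succeeded so a bad
 * record cannot be used silently (MISRA C:2012 Rule 17.7: use return values). */
bool parse_name_checked(const uint8_t *rec, size_t rec_len,
                        struct device_name *out)
{
    if ((rec == NULL) || (out == NULL) || (rec_len < 1u)) {
        return false;
    }
    size_t len = rec[0];
    if ((len > NAME_MAX) || (len > (rec_len - 1u))) {
        return false;                  /* reject; do not truncate silently */
    }
    (void)memcpy(out->name, &rec[1], len);
    out->name[len] = '\0';
    return true;
}

/* Constructed sample records for a stand-alone run. */
static const uint8_t good_rec[] = { 4u, 'm', 'c', 'u', '1' };
static const uint8_t bad_rec[]  = { 200u, 'x' };   /* claims 200 bytes, has 1 */

int main(void)
{
    struct device_name n;
    bool ok = parse_name_checked(good_rec, sizeof good_rec, &n);       /* accepted, "mcu1" */
    bool rejected = !parse_name_checked(bad_rec, sizeof bad_rec, &n);  /* rejected */
    return (ok && rejected) ? 0 : 1;
}
```

A static analyser enforcing any of the three standards reports the first function at the unchecked `memcpy`; the second passes because the bound and the return value are both handled.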

For the purposes of comparison, the coding standards covered in this article have been assessed using nine categories, some of which include a qualitative indication of how the coding standards perform. The performance indicator (1 to 3 stars) is derived from considerations and impressions PRQA has collected from its wide customer base and should by no means be taken as an official endorsement of any standard. We categorized the standards as follows:

Industry: the original industry sector targeted by the coding standard.

Reference language version: the version of the C Standard that is currently used as a reference for the coding guidelines. This is important as it can influence the choice of coding standard for a project; for example, if C11 is to be used (for instance, because some of its features make it the most applicable for a given application), MISRA C:2012 is not a good candidate unless specific compliance requirements make it necessary.

Automatic enforceability: the ease of creation of automatic checks for the guidelines that don’t result in false positives. This is usually related to how strictly or loosely specific guidelines are defined.

Coverage: a qualitative indication of the breadth of the coding standard scope and the number of guidelines defined. The broader the scope, the higher the educational value of the coding standard, but a broad scope can also bring complexity in terms of guideline maintenance and tool coverage.

Market adoption: the level of usage of the coding standard for real-world projects, in terms of formal compliance requirements (for example in functional safety applications) and voluntary usage to improve overall software quality.

Tool availability: the market availability of an automated code analysis tool to enforce the coding standard. This tends to be linked with the standard's level of market adoption.

Evolution: a quickly evolving standard adapts better to feedback from its users and provides faster introduction of new features. This can be considered good for consumer products but bad for other sectors. CERT C uses two methods for publishing its guidelines: a web-based wiki and a freely available PDF document. The wiki evolves faster than the PDF.

Resources: this can include references to the C language standard, to other standards, papers, articles or other common knowledge bases that may be helpful.

Examples: descriptions to illustrate the issues related to the violation of a specific guideline and compliant solutions.

Figure 1. This simple flow chart helps to make an informed choice.


There is no single best standard for secure coding. Selection must consider many different aspects, such as the duration of the project (where stability of the reference is more important), the version of the language being used and the existence of legacy code. The simple flow chart in figure 1 can help to make an informed choice.

Scenario 1. If the requirements dictate compliance with a recognized coding standard (a typical scenario would be a safety-critical application), then the choice should be MISRA C. The latest version of this standard is MISRA C:2012 Amendment 1. If a previous version of MISRA is mandated (for example MISRA C:2004), then the project will benefit from the addition of the security rules provided by ISO/IEC 17961:2013 (some work will be required to match the C version and remove any overlap; a good starting point would be Addendum 2 of MISRA C:2012, “Coverage of MISRA C:2012 against ISO/IEC 17961:2012 C Secure”).

Figure 2. Comparison table of CERT C, MISRA C:2012, and ISO/IEC TS 17961:2013.

Scenario 2. If the application has no compliance requirements, and there are no high-performance needs that would sacrifice code portability, it is still recommended to adopt a high-integrity perspective. In this case the recommendation would also be to use MISRA C:2012.

Scenario 3. In both previous scenarios CERT C could offer valuable support from a security perspective, and the recommendation would be to adopt CERT C in parallel with the suggested standards (in the flow chart this is indicated by a dashed line). However, if a high-integrity approach is not taken, the MISRA C:2012 standard could be seen as too restrictive for the specific application; in that case the recommendation would be to apply only CERT C in order to achieve a good level of code security.

Choosing the right coding standard to adopt when developing secure code will depend on many factors, such as an understanding of the features and benefits of each standard and how they could meet the requirements of the current development project. The process shown in this article focuses on the ability to perform automated testing with tools such as PRQA static analyzers QA·C and QA·C++. Such tools perform deep analysis of software code to prevent, detect and eliminate defects and automatically enforce coding rules to ensure standards compliance.
