CERT C: Rule MSC41-C

Never hard code sensitive information

expand all in page

Description

Rule Definition

Never hard code sensitive information.[1]

Polyspace Implementation

This checker checks for Hard coded sensitive data.

Examples

expand all

Hard coded sensitive data occurs when data that is potentially sensitive is directly exposed in the code, for instance, as string literals. The checker identifies data as sensitive from their use in certain functions such as password encryption functions.

Following data can be potentially sensitive.

Type of DataFunctions That Indicate Sensitive Nature of Information
Host name

  • sethostname, setdomainname, gethostbyname, gethostbyname2, getaddrinfo, gethostbyname_r, gethostbyname2_r (string argument)

  • inet_aton, inet_pton, inet_net_pton, inet_addr, inet_network (string argument)

  • mysql_real_connect, mysql_real_connect_nonblocking, mysql_connect (2nd argument)

Password

  • CreateProcessWithLogonW, LogonUser (1st argument)

  • mysql_real_connect, mysql_real_connect_nonblocking, mysql_connect (3rd argument)

Database

  • MySQL: mysql_real_connect, mysql_real_connect_nonblocking, mysql_connect (4th argument)

  • SQLite: sqlite3_open, sqlite3_open16, sqlite3_open_v2 (1st argument)

  • PostgreSQL: PQconnectdb

  • Microsoft SQL: SQLDriverConnect (3rd argument)

User name

  • getpw, getpwnam, getpwnam_r, getpwuid, getpwuid_r

Saltcrypt, crypt_r (2nd argument)
Cryptography keys and initialization vectors

OpenSSL:

  • EVP_CipherInit, EVP_EncryptInit, EVP_DecryptInit (3rd argument)

  • EVP_CipherInit_ex, EVP_EncryptInit_ex, EVP_DecryptInit_ex (4th argument)

Seed

  • srand, srandom, initstate (1st argument)

  • OpenSSL: RAND_seed, RAND_add

Risk

Information that is hardcoded can be queried from binaries generated from the code.

Fix

Avoid hard coding sensitive information.

Example – Sensitive Data Exposed Through String Literals
// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 
const char *host = "localhost";
char *user = "guest";
char *passwd;

DbHandle connect_to_database_server(const char *db)
{
    passwd = (char*)"guest";
    return (DbHandle)
        mysql_real_connect (sql, host, user, passwd, db, 0, 0x0, 0);
}

In this example, the mysql_real_connect arguments host (host name), user (user name), and passwd (password) are string literals and directly exposed in the code.

Querying the generated binary for ASCII strings can reveal this information.

Correction – Read Sensitive Data from Secured Configuration Files

One possible correction is to read the data from a configuration file. In the following corrected example, the call to function connect_to_database_server_init presumably reads the host name, user name, and password into its arguments from a secured configuration file.

// Typically, you include the header "mysql.h" with function and type declarations.
// In this example, only the required lines from the header are quoted.

typedef struct _MYSQL MYSQL;

MYSQL *mysql_real_connect(MYSQL *mysql,
                          const char *host, const char *user, const char *passwd,
                          const char *db, unsigned int port, const char *unix_socket,
                          unsigned long client_flag);

typedef void * DbHandle;
extern MYSQL *sql;

// File that uses functions from "mysql.h" 

DbHandle connect_to_database_server(const char *db)
{
    const char *host_from_cfg;
    const char *user_from_cfg;
    const char *passwd_from_cfg;
    const char *db_from_cfg;
    if (connect_to_database_server_init(&host_from_cfg,
                                        &user_from_cfg,
                                        &passwd_from_cfg,
                                        &db_from_cfg))
    {
        return (DbHandle)
            mysql_real_connect (sql, host_from_cfg, user_from_cfg, 
                           passwd_from_cfg, db_from_cfg,  0, 0x0, 0);
    }
    else
        return (DbHandle)0x0;
}

Check Information

Group: Rule 48. Miscellaneous (MSC)

See Also

Topics

External Websites

Introduced in R2020a

[1] This software has been created by MathWorks incorporating portions of: the “SEI CERT-C Website,” © 2017 Carnegie Mellon University, the SEI CERT-C++ Web site © 2017 Carnegie Mellon University, ”SEI CERT C Coding Standard – Rules for Developing safe, Reliable and Secure systems – 2016 Edition,” © 2016 Carnegie Mellon University, and “SEI CERT C++ Coding Standard – Rules for Developing safe, Reliable and Secure systems in C++ – 2016 Edition” © 2016 Carnegie Mellon University, with special permission from its Software Engineering Institute.

ANY MATERIAL OF CARNEGIE MELLON UNIVERSITY AND/OR ITS SOFTWARE ENGINEERING INSTITUTE CONTAINED HEREIN IS FURNISHED ON AN "AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This software and associated documentation has not been reviewed nor is it endorsed by Carnegie Mellon University or its Software Engineering Institute.

Polyspace Bug Finder Documentation

Support