Secure Coding Techniques: Improving the Security and Reliability of Embedded Application Code

Publisher: EE小广播 | Latest update time: 2024-08-27 | Source: EEWORLD | Keywords: security

The modernization of programming languages and better coding techniques are directly tied to the evolution from mechanical computers to modern software development processes. Thanks to compiler technology, we have moved from highly specialized, mostly mathematical notations to high-level programming languages that are closer to human syntax. However, this has also opened the door to code defects. High-level languages such as C and C++ contain many instances of undefined behavior, and different compilers may interpret them slightly differently, which can lead to unknown or undesirable side effects that eventually turn into defects.


Finding and fixing these defects can take up to 80% of development time, depending on the maturity of the development organization. This leads to an obvious conclusion: code quality is a big problem. So why not try to avoid defects as much as possible to reduce the time needed to debug?


By the way, we still use the terms “bug” and “debug” in software, but the origins of these words can be traced back to Harvard University’s mechanical computers, where a moth got stuck in a relay, an event that was recorded as the first “bug” or defect in computer history.


Repeating the same mistakes over and over again


It is well known that in web, application, desktop, and even embedded development, developers tend to inadvertently introduce the same types of errors into their source code over and over again. This conclusion comes from several surveys and studies conducted by important organizations such as NASA, Bell Labs, and MITRE. Examples of common defects include memory that is allocated but never freed in C++ (or C) code, and calling functions that have no prototype, so that strict type checking of the arguments cannot be done at compile time. The results of these studies are lists of best or recommended programming practices that identify risky and bad coding behaviors.


There are many guidelines and coding practices on how to improve code quality, all based on common mistakes and how to avoid them in the future. Some of these tips and practices have become widely accepted standards (such as MISRA-C and CERT-C), especially in critical industries such as automotive, medical and railway, to ensure the code safety and code security of applications. Functional safety standards such as IEC 61508, EN 50128 and ISO 26262 recommend [or strongly recommend, depending on the safety integrity level (SIL) or automotive safety integrity level (ASIL)] the use of static and runtime analysis tools to meet the standards, because defects in safety-critical systems can have serious consequences, such as loss of life or environmental damage.


Focus on reliability


Secure coding techniques take into account code quality, code safety, and code security. Code safety focuses on the reliability of the software, while code security aims to prevent unwanted activities and keep the system safe when it is attacked. Both depend heavily on code quality, as code quality is the foundation of every reliable application.


The goal of secure coding techniques and standards is to advance the security of software to ensure the required reliability. However, equally important is to improve the readability and maintainability of source code. More efficient and readable code means that the source code is more robust, has fewer defects, and is future-proof, which helps improve code reusability.


MISRA C is one of the most mature software development standards that can avoid common defects and vulnerabilities. Of course, there are other guidelines such as CWE and CERT-C coding standards, which are highly recommended for any embedded application. Let's take a deeper look at these coding standards.


MISRA C Standard


MISRA C was developed by the Motor Industry Software Reliability Association with the goal of improving the safety, portability, and reliability of code in embedded systems, especially those programmed using ISO C.


The first version of the MISRA C standard, titled "Guidelines for C Language Development of Automotive Software," was published in 1998 and is formally named MISRA-C:1998. It was later updated in 2004 and 2012 to add more rules. In addition, there is the MISRA C++ 2008 standard, based on C++ 2003. Since then, Amendment 1 to MISRA C:2012 has added 14 additional rules, focusing on the security concerns highlighted in the ISO C Secure Guidelines. Some of these rules address one of the known security weaknesses in many embedded applications: specific issues related to the use of untrusted data.


MISRA rules help you find problems before code is submitted for a formal build, so defects caught this way never make it into the build. MISRA rules are designed with safety and reliability in mind, while also making code easier to port to other tools and architectures.


CWE and CERT C/C++


CWE, or Common Weakness Enumeration, is a community-developed dictionary of software defects. CWE provides a unified, measurable set of software defects to better understand and manage them, and can support efficient software security tools and services that can discover them.


The CERT C and C++ Secure Coding Standards are published by the Computer Emergency Response Team (CERT) and provide rules and recommendations for secure coding in the C and C++ programming languages.


Implement secure coding techniques


As a general recommendation, every embedded application should at least follow the MISRA (MISRA is mandatory for safety-critical systems), CWE and CERT C/C++ standards.


After following these coding standards, your application may still be vulnerable at runtime to arithmetic errors, buffer overflows, out-of-bounds accesses, heap corruption, and memory leaks. To detect these errors, you can insert specific detection code or assertions at every place where such an error could occur. However, manually adding instructions to check and report problems at runtime is a very time-consuming task.
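As an added example (not from the original article and not IAR code), here is what the hand-written detection code the paragraph refers to looks like in C: a checked addition, a bounds-checked read, and a guard word placed behind each heap block so that an overrun can be detected before free. All function names, the header layout and the guard value are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Arithmetic check: report the fault instead of silently wrapping. */
bool add_u32_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (b > UINT32_MAX - a) return false;   /* caller decides how to report it */
    *out = a + b;
    return true;
}

/* Bounds check: the buffer length travels with the pointer, never assumed. */
bool read_at_checked(const uint8_t *buf, size_t len, size_t idx, uint8_t *out) {
    if (buf == NULL || idx >= len) return false;
    *out = buf[idx];
    return true;
}

/* Heap integrity: a constructed guard word is written right after the payload.
 * The header is a union so the payload keeps the alignment malloc gave it. */
#define GUARD_WORD UINT32_C(0xA5C3F00D)
typedef union { size_t size; max_align_t align; } block_hdr;

void *guarded_alloc(size_t n) {
    uint32_t guard = GUARD_WORD;
    unsigned char *raw = malloc(sizeof(block_hdr) + n + sizeof guard);
    if (raw == NULL) return NULL;
    ((block_hdr *)raw)->size = n;                          /* remember payload size */
    memcpy(raw + sizeof(block_hdr) + n, &guard, sizeof guard);
    return raw + sizeof(block_hdr);                        /* hand out the payload */
}

/* True while the guard word is intact, i.e. nothing has written past the block. */
bool guarded_check(const void *p) {
    const unsigned char *raw = (const unsigned char *)p - sizeof(block_hdr);
    uint32_t guard;
    memcpy(&guard, raw + sizeof(block_hdr) + ((const block_hdr *)raw)->size, sizeof guard);
    return guard == GUARD_WORD;
}

void guarded_free(void *p) {
    if (p != NULL) free((unsigned char *)p - sizeof(block_hdr));
}
```

Each helper returns a status the caller must act on; this is exactly the per-call-site work that makes manual instrumentation expensive and that runtime analysis tools automate.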


To comply with all these guidelines and standards, you need to follow nearly 700 rules and requirements while also adding detection code to your source code. So, how do you implement secure coding techniques and follow all these rules?


Use Automation Tools


The best way to improve software quality, security, and reliability is to use automated tools. This can be achieved by using high-quality compilers and linkers (preferably those that are functional safety certified), as well as automated static analysis and runtime analysis tools.


As the world's leading embedded system development software solution provider, IAR provides an integrated development environment, IAR Embedded Workbench, which includes compilers, assemblers, linkers and debuggers, and seamlessly integrates static analysis tools C-STAT and runtime analysis tools C-RUN to form a complete tool chain. With these powerful functions, IAR Embedded Workbench can ensure the robustness, security and high quality of the code.


Let’s start with compilers and linkers. They should support modern programming languages, such as the latest C (ISO/IEC 9899:2018) and C++ (ISO/IEC 14882:2020, also known as the C++20 revision), so that they generate warnings when suspicious situations or syntax issues occur, for example, volatile memory accesses whose order of evaluation may affect the logic of the application.


Compiler and linker warnings are your first static analysis check and should never be ignored, especially in a functional safety environment. The best advice is to turn these warnings into errors by changing the compiler settings to treat all warnings as errors. This will let the developer fix any ambiguities in the code, as all issues will be treated as real problems.


Static analysis tools can help you find the most common defects in your code, while also identifying issues that developers don't usually consider or worry about when trying to make something work, especially when they are just writing scaffolding code. This type of tool really helps you develop higher-quality code because it helps you enforce coding standards. IAR's C-STAT static analysis tool requires no separate installation and no dedicated static-analysis project; simple rule settings are enough to run static code analysis after a successful build, which makes it well suited to developers' daily development process.


In addition, dynamic (runtime) analysis tools can capture defects that only appear at runtime; they find actual and potential errors in the code while the program is executed under a software debugger. IAR's C-RUN dynamic analysis tool provides arithmetic checks, bounds checks, and heap checks after a simple configuration, recompile, and run. Using C-RUN requires no changes to the existing process and fits in as a natural part of the daily development workflow, which greatly lowers the barrier to using dynamic analysis tools.


When you look at all the defects that could be in a system, static analysis tools are good at finding certain types of defects, while runtime analysis tools are good at finding other types of defects. Sometimes they can overlap, but sometimes only one tool can detect a certain defect. For the most comprehensive code analysis, it is best to use both tools together and integrate them with a top-notch build tool. The matrix below is a good example of the complete defect coverage when combining different tools for detection.


[Figure: defect-coverage matrix for combined static and runtime analysis tools; image not available]


Summary


As the complexity of embedded systems increases, the requirements for embedded software also keep rising. The core and most fundamental requirement is code quality, and secure coding techniques that follow coding standards are the best practice for improving it. The most effective way to implement secure coding techniques is to apply automated tools, including compilers, linkers, static analysis tools, and runtime analysis tools. This effectively improves code quality, security and reliability during development, which not only reduces project development time and cost, but also improves product quality and competitiveness.
