The Safe C Library implements a subset of the functions defined in the ISO TR24731 specification, which is designed to provide alternative functions for the C Library (as defined in ISO/IEC 9899:1999) that promote safer, more secure programming in C.
To recap: The Safe C Library (available for download here) provides bounds-checking memory and string functions per ISO/IEC TR24731. These functions are alternatives to the existing Standard C Library functions.
A complement to the Safe C Library defined by the ISO TR24731 specification is the Safe Math Library, designed to catch arithmetic overflows. These are the subtle errors that occur when converting from one data size to another, or from signed to unsigned and unsigned to signed. The library provides a set of functions for addition, subtraction, multiplication, division, increment, decrement, modulo, negation, and absolute value.
While there is no standard for such functions, the Safe Math Library is modeled after the ISO TR24731 specification. It is intended to complement the Safe C Library, providing one more layer of security.
The Safe Math Library supports the data types in Table 1.
As you can see in Table 1, taking the absolute value of the minimum signed value of a data type overflows. For example, there is no corresponding value for the absolute value of -128 for the signed int8_t data type. The addition of two like unsigned data types will overflow when the sum exceeds the maximum value of that unsigned data type. For example, the sum of two uint16_t values, 65535 and 1, will overflow. Type casting an unsigned data type to a like signed data type can also produce unexpected results. For example, casting an unsigned short with a value of 32768 to a signed short will overflow the maximum signed short value of 32767.
When used properly, the Safe Math functions mitigate the dangers associated with arithmetic errors and the resulting vulnerability to cyber attacks. Source code may remain vulnerable due to other bugs and security issues. The highest level of security is achieved by building in layers of security utilizing multiple strategies.
The rationale for the Safe Math Library is similar to that of TR24731 and is itemized below:
- Complement the Safe C Library
- Guard against arithmetic overflows
- Provide a library useful to existing code
- Only require local edits to programs
- Library-based solution, no tool chain upgrades required
- Support compile-time checking
- Make failures obvious through constraint handler
- Runtime-constraint handler mechanism
- Support re-entrant code
- Consistent naming scheme
- Have a uniform pattern for the function parameters and return type
- Deference to existing technology
Similar to TR24731, the Safe Math Library verifies that the calling program does not violate the function's runtime-constraints. If a runtime-constraint is violated, the library calls the currently registered runtime-constraint handler to record the violation. The runtime-constraint handler might not return. If the handler does return, the Safe Math Library function whose runtime-constraint was violated does not attempt to mathematically correct the result, nor does it provide a return code indicating the error. Corrective action will require scanning the logs to find and correct the mathematical errors in the code.
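The three overflow cases described earlier and the handler behaviour described above, shown as an added example that is not the Safe Math Library's own code. The function names, the handler type and the logging handler are hypothetical, and the wrapped values returned after a violation are this example's choice.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not the Safe Math Library's API. */
typedef void (*constraint_handler_t)(const char *msg);

static int violations;                       /* count of logged violations */

static void log_handler(const char *msg) {   /* this handler returns */
    fprintf(stderr, "runtime-constraint violation: %s\n", msg);
    violations++;
}

static constraint_handler_t handler = log_handler;

/* |a|: INT8_MIN (-128) has no positive counterpart in int8_t. */
int8_t checked_abs_i8(int8_t a) {
    if (a == INT8_MIN) { handler("abs_i8: |-128| not representable"); return a; }
    return (int8_t)(a < 0 ? -a : a);
}

/* a + b: violated when the sum exceeds UINT16_MAX. */
uint16_t checked_add_u16(uint16_t a, uint16_t b) {
    if (b > UINT16_MAX - a) handler("add_u16: sum exceeds UINT16_MAX");
    return (uint16_t)(a + b);                /* wrapped value, not corrected */
}

/* Unsigned-to-signed conversion: values above INT16_MAX do not fit. */
int16_t checked_u16_to_i16(uint16_t a) {
    if (a > INT16_MAX) {
        handler("u16_to_i16: value exceeds INT16_MAX");
        return (int16_t)((int32_t)a - 65536); /* two's-complement wrap */
    }
    return (int16_t)a;
}

int main(void) {
    /* Constructed inputs: the three cases from the text. */
    printf("abs(-128)    -> %d\n", checked_abs_i8(INT8_MIN));
    printf("65535 + 1    -> %u\n", (unsigned)checked_add_u16(65535, 1));
    printf("(short)32768 -> %d\n", checked_u16_to_i16(32768));
    printf("violations logged: %d\n", violations);
    return violations == 3 ? 0 : 1;
}
```

Because no error code comes back, the caller sees only the wrapped value; the handler's log line is the sole record of the violation.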
To appreciate the risk of overflows see: