Secure Coding mailing list archives
managed string library
From: rcs at cert.org (Robert C. Seacord)
Date: Mon, 12 Jun 2006 18:07:59 -0400
The SEI has published CMU/SEI-2006-TR-006 "Specifications for Managed Strings" and released a "proof-of-concept" implementation of the managed string library. The specification, source code for the library, and other resources related to managed strings are available for download from the CERT web site at: http://www.cert.org/secure-coding/managedstring.html The following is a brief summary of the managed string library: The managed string library was developed in response to the need for a string library that can improve the quality and security of newly developed C-language programs while eliminating obstacles to widespread adoption and possible standardization. As the name implies, the managed string library is based on a dynamic approach; memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring that there is always adequate space available for the resulting string (including the terminating null character). The one exception is if memory is exhausted; that is treated as an error condition. In this way, the managed string library accomplishes the goal of indicating either success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of "safe" characters. rCs -- Robert C. Seacord Senior Vulnerability Analyst CERT/CC Work: 412-268-7608 FAX: 412-268-6989
Current thread:
- Silver Bullet: Dan Geer Gary McGraw (Jun 12)
- managed string library Robert C. Seacord (Jun 12)