Presentation is loading. Please wait.

Presentation is loading. Please wait.

NASA Secure Coding Rules

Published byNirupama Dayal Modified over 5 years ago

Similar presentations

Presentation on theme: "NASA Secure Coding Rules"— Presentation transcript:

1 NASA Secure Coding Rules
Necessary Restriction Copyright © by Curt Hill

2 Copyright © 2014-2017 by Curt Hill
NASA Generates or contracts for a substantial amount of code Their code has to perform well in very adverse conditions Hard to send a service truck to repair Sometimes lives depend on it Their failures always make the news Copyright © by Curt Hill

3 Copyright © 2014-2017 by Curt Hill
Thus They have developed a number of rules that must be strictly observed They have done this out of necessity Saving $50 at the cost of a billion dollar spacecraft is not good economics We will now look at some of these What we need to ask is: Why? Copyright © by Curt Hill

4 Copyright © 2014-2017 by Curt Hill
Flow of Control I Restrict all code to very simple control flow constructs Do not use goto statements, setjmp or longjmp constructs, and direct or indirect recursion. Copyright © by Curt Hill

5 Copyright © 2014-2017 by Curt Hill
Flow of Control II All loops must have a fixed upper-bound It must be trivially possible for a checking tool to prove statically that a preset upper-bound on the number of iterations of a loop cannot be exceeded If the loop-bound cannot be proven statically, the rule is considered violated Copyright © by Curt Hill

6 Copyright © 2014-2017 by Curt Hill
Dynamic Memory Do not use dynamic memory allocation after initialization Copyright © by Curt Hill

7 Copyright © 2014-2017 by Curt Hill
Function I No function should be longer than what can be printed on a single sheet of paper in a standard reference format with one line per statement and one line per declaration Typically, this means no more than about 60 lines of code per function. Copyright © by Curt Hill

8 Copyright © 2014-2017 by Curt Hill
Functions II The return value of non-void functions must be checked by each calling function, and the validity of parameters must be checked inside each function Copyright © by Curt Hill

9 Copyright © 2014-2017 by Curt Hill
Function Assertions The assertion density of the code should average to a minimum of two assertions per function Assertions are used to check for anomalous conditions that should never happen in real-life executions Assertions must always be side-effect free and should be defined as Boolean tests Copyright © by Curt Hill

10 Copyright © 2014-2017 by Curt Hill
Assertions Continued When an assertion fails, an explicit recovery action must be taken, e.g., by returning an error condition to the caller of the function that executes the failing assertion Any assertion for which a static checking tool can prove that it can never fail or never hold violates this rule (I.e., it is not possible to satisfy the rule by adding unhelpful “assert(true)” statements) Copyright © by Curt Hill

11 Copyright © 2014-2017 by Curt Hill
Variables Data objects must be declared at the smallest possible level of scope Copyright © by Curt Hill

12 Copyright © 2014-2017 by Curt Hill
Preprocessor The use of the preprocessor must be limited to the inclusion of header files and simple macro definitions Token pasting, variable argument lists (ellipses), and recursive macro calls are not allowed All macros must expand into complete syntactic units Copyright © by Curt Hill

13 Preprocessor Continued
The use of conditional compilation directives is often also dubious, but cannot always be avoided This means that there should rarely be justification for more than one or two conditional compilation directives even in large software development efforts, beyond the standard boilerplate that avoids multiple inclusion of the same header file Each such use should be flagged by a tool-based checker and justified in the code Copyright © by Curt Hill

14 Copyright © 2014-2017 by Curt Hill
Pointers The use of pointers should be restricted Specifically, no more than one level of dereferencing is allowed Pointer dereference operations may not be hidden in macro definitions or inside typedef declarations Function pointers are not permitted Copyright © by Curt Hill

15 Copyright © 2014-2017 by Curt Hill
Compilation All code must be compiled, from the first day of development, with all compiler warnings enabled at the compiler’s most pedantic setting All code must compile with these setting without any warnings All code must be checked daily with at least one, but preferably more than one, state-of-the-art static source code analyzer and should pass the analyses with zero warnings Copyright © by Curt Hill

16 Copyright © 2014-2017 by Curt Hill
NASA Comment The rules act like the seatbelt in your car: initially they are perhaps a little uncomfortable, but after a while their use becomes second-nature and not using them becomes unimaginable Copyright © by Curt Hill

Download ppt "NASA Secure Coding Rules"

Similar presentations

Programming Languages and Paradigms

Programming Languages and Paradigms
Programming Languages and Paradigms The C Programming Language.

Programming Languages and Paradigms The C Programming Language.
Coding Standard: General Rules 1.Always be consistent with existing code. 2.Adopt naming conventions consistent with selected framework. 3.Use the same.

Coding Standard: General Rules 1.Always be consistent with existing code. 2.Adopt naming conventions consistent with selected framework. 3.Use the same.
George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.

George Blank University Lecturer. CS 602 Java and the Web Object Oriented Software Development Using Java Chapter 4.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. Chapter 5 - Functions Outline 5.1Introduction 5.2Program.
CS241 PASCAL I - Control Structures1 PASCAL I - Control Structures Philip Fees CS241.

CS241 PASCAL I - Control Structures1 PASCAL I - Control Structures Philip Fees CS241.
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.

CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Software Safety CS3300 Fall 2015. Failures are costly ● Bhopal 1984 – 3000 dead and 200000 injured ● Therac-25 1987 – 6 dead ● Chernobyl / Three Mile.

Software Safety CS3300 Fall Failures are costly ● Bhopal 1984 – 3000 dead and injured ● Therac – 6 dead ● Chernobyl / Three Mile.
© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. C How To Program - 4th edition Deitels Class 05 University.

© Copyright 1992–2004 by Deitel & Associates, Inc. and Pearson Education Inc. All Rights Reserved. C How To Program - 4th edition Deitels Class 05 University.
CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 12: Pointers continued, C strings.

CMPSC 16 Problem Solving with Computers I Spring 2014 Instructor: Tevfik Bultan Lecture 12: Pointers continued, C strings.
1 Homework / Exam Finish up K&R Chapters 3 & 4 Starting K&R Chapter 5 Next Class HW4 due next class Go over HW3 solutions.

1 Homework / Exam Finish up K&R Chapters 3 & 4 Starting K&R Chapter 5 Next Class HW4 due next class Go over HW3 solutions.
Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.

Use of Coverity & Valgrind in Geant4 Gabriele Cosmo.
Programming Languages and Paradigms Imperative Programming.

Programming Languages and Paradigms Imperative Programming.
C Functions Three major differences between C and Java functions: –Functions are stand-alone entities, not part of objects they can be defined in a file.

C Functions Three major differences between C and Java functions: –Functions are stand-alone entities, not part of objects they can be defined in a file.
Lecture 3 Classes, Structs, Enums Passing by reference and value Arrays.

Lecture 3 Classes, Structs, Enums Passing by reference and value Arrays.
DOCUMENTATION SECTION GLOBAL DECLARATION SECTION

DOCUMENTATION SECTION GLOBAL DECLARATION SECTION
CSC 212 Object-Oriented Programming and Java Part 2.

CSC 212 Object-Oriented Programming and Java Part 2.
CS241 PASCAL I - Control Structures1 PASCAL Control Structures Modified Slides of Philip Fees.

CS241 PASCAL I - Control Structures1 PASCAL Control Structures Modified Slides of Philip Fees.
 2003 Prentice Hall, Inc. All rights reserved. 1 IS 0020 Program Design and Software Tools Preprocessor Midterm Review Lecture 7 Feb 17, 2004.

 2003 Prentice Hall, Inc. All rights reserved. 1 IS 0020 Program Design and Software Tools Preprocessor Midterm Review Lecture 7 Feb 17, 2004.
CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 8 – C: Miscellanea Control, Declarations, Preprocessor, printf/scanf.

CSE 374 Programming Concepts & Tools Hal Perkins Fall 2015 Lecture 8 – C: Miscellanea Control, Declarations, Preprocessor, printf/scanf.

Similar presentations

Ads by Google