Plum Hall, Inc.



SSCC: The Plum Hall Safe-Secure C/C++ Project

Before there were ANSI and ISO standards for C and C++, Plum Hall was already involved with the evolution of C and C++ technology in an intensely competitive open marketplace. The absence of any hierarchical oversight has fostered decades of contributions by experts of world-class creativity and skill, but the downside has been that C and C++ create a disproportionate share of safety and security problems [1]. There is no reason to believe, however, that any "hierarchical oversight" would be welcome or useful in these arenas, so these safety and security problems present some very special challenges.

At the Oxford UK meeting of SC22/WG14 in 2003, Martyn Lovell presented a new foundation library for C and C++, which assists the programmer in avoiding various buffer-overflow (out-of-bounds store) problems associated with the original (unchecked) C library functions. This new library became the "bounds-checked library" [2]. At that Oxford meeting, Plum Hall commented to Lovell that there was a need for automated assistance, so that the burden of remediation isn't borne totally by the application programmers themselves. Upon hearing that Lovell's project wasn't pursuing that direction, Plum Hall launched its Safe-Secure C/C++ (SSCC) project (the subject of this web page). (Since that time, a second part has been added to the library Technical Report, which itemizes some alternative library functions from the POSIX and Linux standards [3].)
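As an added illustration of the point above (this is not code from Plum Hall, from the TR 24731-1 library, or from the SSCC project), the following contrasts the classic unchecked copy with a bounds-checked copy written in the spirit of TR 24731-1's strcpy_s. The function name checked_strcpy, its error codes, and the helper bounded_len are assumptions made for this example; TR 24731-1 itself invokes a runtime-constraint handler on a violation, whereas this example simply returns an error code.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic unchecked pattern: strcpy() has no way to learn the size of dest,
 * so any src whose length is >= the buffer size writes past the end
 * (undefined behavior, and the root of the buffer-overflow class). */
void copy_unchecked(char *dest, const char *src) {
    strcpy(dest, src);
}

/* Length of s, scanning at most max bytes, so an unterminated src is never
 * read beyond the number of bytes we would be allowed to copy anyway.
 * (Hypothetical helper; strnlen is POSIX rather than ISO C.) */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') {
        n++;
    }
    return n;
}

/* Bounds-checked copy (hypothetical, modeled on strcpy_s): the caller passes
 * the size of dest explicitly. Returns 0 on success and a nonzero code on a
 * runtime-constraint violation. On a violation with a writable dest, dest is
 * set to the empty string so the caller never sees an unterminated or
 * partially copied buffer. */
int checked_strcpy(char *dest, size_t destsz, const char *src) {
    if (dest == NULL || destsz == 0) {
        return 1;                     /* nowhere safe to write */
    }
    if (src == NULL) {
        dest[0] = '\0';
        return 2;
    }
    size_t n = bounded_len(src, destsz);
    if (n >= destsz) {
        dest[0] = '\0';
        return 3;                     /* src plus its terminator does not fit */
    }
    memcpy(dest, src, n + 1);         /* includes the terminating NUL */
    return 0;
}

int main(void) {
    char buf[8];                      /* constructed sample: room for 7 chars + NUL */
    int rc = checked_strcpy(buf, sizeof buf, "hello");
    printf("fits:      rc=%d buf=\"%s\"\n", rc, buf);
    rc = checked_strcpy(buf, sizeof buf, "definitely too long");
    printf("too long:  rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```

The weak link that remains with this style of library is the caller: it must pass the true size of dest (sizeof buf for an array, the allocation size for heap memory), and nothing in the language checks that argument. That gap is exactly the kind of remediation burden the SSCC project's automated assistance was meant to take off the application programmer.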

The challenge for introducing any improvements into the tool chain for C and C++ is that these communities are extremely concerned about the performance of the software. There is very little tolerance for overhead; a penalty of 10% in code space or execution time is usually enough to disqualify an otherwise-promising improvement. The intention of SSCC has been to make substantial improvements in reliability while working within these tight constraints.

Early on, Plum Hall approached more than eight major producers of compilers, source-analysis tools, and applications, seeking development partners to build a proof-of-concept prototype of the SSCC methods. Their responses can be characterized as a chicken-and-egg problem: Several tool vendors said the methods looked interesting and promising, and as soon as their customers were asking them for such tools, they would be interested in providing the tools. Vendors of applications also expressed interest, and said that as soon as some tool vendor would make such a tool available for license, they would want that tool. In the meantime, Plum Hall has expended its own resources toward producing such a prototype, and has made grant applications in search of further support. This specific web page has documented various developments in the progress of SSCC. It has always been our intention to avoid competing with our customers; we have sought to provide tools and components that could be licensed to the C/C++ tool providers who have been our steady customers for over twenty years now.

During the six years since 2003, Plum Hall has maintained its active involvement in various committees within the INCITS and ISO/IEC JTC 1 programming-language standards process. Within that process, there are various prohibitions arising from concerns regarding anti-trust and patent policy. For example, INCITS requires that there should never be discussion of any company's prices or pricing policies or its specific R&D, sales or marketing plans. Discussion of patent questions should be avoided; certain specific PDF pages should be displayed, but not discussed [4]. However, it appears to us that nothing prohibits discussion of these topics on a company's own web page (such as this one).

In various standards contributions, Plum Hall has briefly disclosed its commercial interests in SSCC (and other projects), and provided links to these web pages, for readers who wanted further information [5] [6].

Also, at the Berlin meeting of WG14, we described the SSCC project during an informal session after the committee meetings were completed.

Plum Hall has focused its safety and security efforts on the foundations of C and C++, the lowest-level semantics shared by both languages (while recognizing that others are also making valuable contributions in other areas). We have participated in every arena that seemed relevant: Plum Hall presented a paper [7] at the SSATTM conference in Long Beach (sponsored by the NIST SAMATE project [8]); we attended the NIST SAMATE Static Analysis Summit [9]; we joined the SC22 Other Working Group on Vulnerabilities (OWGV) when it was formed in 2005, and have continued to provide a delegate to OWGV's successor SC22/WG23 [10]; we worked with the group that addressed the detailed drafting of the Bounds-Checking Library TR [2]; we led a discussion group for Robert Seacord's track at HICSS-40 [11]; we contributed to the CERT Secure Coding Guidelines project [12]; we joined INCITS CS1 (Cybersecurity) [13]; we co-sponsored proposals to SC22/WG14 (C language) for a conditionally-normative annex to the next C standard [14] and for the Secure C Technical Report [15].

The latest development in the SSCC project took place just yesterday, September 9: Plum Hall received notice that a patent has been granted for the first of a series of patent applications covering the SSCC methods [16].

This patent application is somewhat unusual in that it provides a large survey of the prior art. Of course, prior art is not subject to any patent claims (that's why it's called "prior"), but we itemized it to illustrate the possibility of eliminating many problems of undefined behavior which have been hindrances to safety and security in C/C++ applications. As is the case with any patent, the Claims section is where our own patented methods are delineated.

This latest patent is the third patent that has been granted to Plum Hall's personnel; the previous patents dealt with authentication and licensing [17] and with test-coverage methods [18].

Plum Hall has always been committed to making its patented methods available on reasonable and non-discriminatory (RAND) licensing terms. Furthermore, Plum Hall intends to avoid proposing any standard in which any of its patents would be essential to conform to the standard, and intends to object if any such proposal is offered by others. We intend to compete in the dimension of Quality of Implementation (QoI), rather than being required by any standard. We don't think our methods are the only way to achieve their various goals but we do think they are the "best" way.

During our participation in the various groups described above, Plum Hall has contributed a number of ideas and methods which are not now, and will not be, subject to any patent claims: (1) The method of Analyzer Advice [19]; (2) the distinction between Critical Undefined Behavior and Bounded Undefined Behavior [14]; (3) efficient methods for catching integer overflow and truncation at run-time [20]; (4) the Secure C Coding Guidelines [15] (other than as noted above [16]).
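Item (3) above concerns catching integer overflow and truncation at run time. As an added example (not Plum Hall's code, not the patented SSCC methods, and not the as-if-infinitely-ranged model of [20]), the following shows the plain form such run-time checks take in C: each operation is tested on its operands before it is performed, so the check never itself executes the overflowing (undefined) operation. The function names add_int_checked, mul_int_checked and llong_to_int_checked are assumptions made here.

```c
#include <limits.h>
#include <stdio.h>

/* Checked signed addition: stores a + b in *out and returns 0, or returns
 * nonzero and leaves *out untouched when the mathematical result does not
 * fit in an int. The operand test avoids ever computing the wrapped value. */
int add_int_checked(int a, int b, int *out) {
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b)) {
        return 1;
    }
    *out = a + b;
    return 0;
}

/* Checked signed multiplication with the same contract. The four sign cases
 * are needed because INT_MIN / -1 and -1 * INT_MIN are themselves overflows. */
int mul_int_checked(int a, int b, int *out) {
    if (a == 0 || b == 0) {
        *out = 0;
        return 0;
    }
    if (a > 0) {
        if (b > 0 ? a > INT_MAX / b : b < INT_MIN / a) {
            return 1;
        }
    } else {
        if (b > 0 ? a < INT_MIN / b : a < INT_MAX / b) {
            return 1;
        }
    }
    *out = a * b;
    return 0;
}

/* Checked narrowing (truncation) from long long to int: an implicit
 * conversion would silently produce an implementation-defined value when
 * the source is out of range; here that case is reported instead. */
int llong_to_int_checked(long long v, int *out) {
    if (v < INT_MIN || v > INT_MAX) {
        return 1;
    }
    *out = (int)v;
    return 0;
}

int main(void) {
    int r = 0;
    /* constructed sample inputs */
    printf("INT_MAX + 1      -> %s\n", add_int_checked(INT_MAX, 1, &r) ? "overflow" : "ok");
    printf("INT_MIN * -1     -> %s\n", mul_int_checked(INT_MIN, -1, &r) ? "overflow" : "ok");
    printf("(long long)INT_MAX + 1 to int -> %s\n",
           llong_to_int_checked((long long)INT_MAX + 1, &r) ? "truncation" : "ok");
    return 0;
}
```

Checks of this shape cost a compare and a branch per operation; the "efficient methods" referred to in item (3) are about reducing that cost (for example by checking only where a value is later used in a way that matters), which this example does not attempt.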

Within a highly competitive technology arena such as the C and C++ marketplaces, every action of a standards committee may have an impact (positive or negative) on the companies that participate; that's par for the course, and expected by everyone. The question for each committee as a group is to determine what is best for the marketplace as a whole, as well as for the legitimate commercial interests of all the participants.

- Thomas Plum, 10 September 2009

[1] ISO/IEC PDTR 24772. Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use, March 2008. (An unofficial draft copy is available at http://www.aitcnet.org/isai/DocLog/180-thru-199/22-WG23-N-0191/n0191.pdf.)
[2] ISO/IEC TR 24731-1. Extensions to the C Library - Part I: Bounds-checking interfaces. April 2006. (An unofficial draft copy is available at http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1225.pdf.)
[3] ISO/IEC TR 24731-2, Extensions to the C Library - Part II: Dynamic Allocation Functions. (An unofficial draft copy is available at http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1337.pdf.)
[4] INCITS Patent Policy - Slides for TC/TG/SG Meetings http://www.incits.org/pat_slides.pdf.
[5] SC22/OWGV N0062, 02 April 2007, Thomas Plum. Vulnerability, Safety, Security, and Quality. http://www.aitcnet.org/isai/DocLog/60-thru-79/22-OWGV-N-0062/n0062.html
[6] SC22/WG14 N1232, 02 April 2007, Thomas Plum. Vulnerability, Safety, Security, and Quality. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1232.htm
[7] Thomas Plum and David Keaton, "Eliminating Buffer Overflows, Using the Compiler or a Standalone Tool", Workshop on Software Security Assurance Tools, Techniques, and Metrics (SSATTM), Long Beach CA Nov 7-8 2005. http://www.plumhall.com/ASE-SSATTM-plum+keaton-proceedings.pdf
[8] SAMATE - Software Assurance Metrics And Tool Evaluation. http://samate.nist.gov
[9] NIST Static Analysis Summit. http://samate.nist.gov/SAS/index.html (a dead link, as of Sep 2009?)
[10] ISO/IEC JTC 1/SC 22/WG 23. Programming Language Vulnerabilities. http://www.aitcnet.org/isai
[11] HICSS-40 - Hawaii International Conference on System Sciences. January 3-6, 2007, Hilton Waikoloa Village Resort, Waikoloa, Big Island, Hawaii. http://www.hicss.hawaii.edu/hicss_40/apahome40.htm
[12] CERT Secure Coding Standards. https://www.securecoding.cert.org
[13] INCITS CS1 - Cyber Security. http://cs1.incits.org
[14] SC22/WG14/N1394, Thomas Plum and Robert Seacord, "Analyzability". http://www.plumhall.com/n1394-Plum-Seacord-analyzability
[15] SC22/WG14/N1393, Robert Seacord, "C Secure Coding Guidelines Review Draft". http://www.plumhall.com/n1393-Seacord-Secure-C-TR-Proposal
[16] US Patent 7,584,461. Thomas S. Plum, "Automated safe secure techniques for eliminating undefined behavior in computer software". http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=7584461.PN.&OS=PN/7584461&RS=PN/7584461
[17] US Patent 5,579,479. Thomas S. Plum, "Computer software licensing authentication method and apparatus". http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=5579479.PN.&OS=PN/5579479&RS=PN/5579479
[18] US Patent 5,758,061. Thomas S. Plum, "Computer software testing method and apparatus". http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=5758061.PN.&OS=PN/5758061&RS=PN/5758061
[19] Thomas Plum, email to SC22/WG14. http://www.open-std.org/jtc1/sc22/wg14/11821
[20] David Keaton et al., "As-if Infinitely Ranged Integer Model". Carnegie Mellon Software Engineering Institute Technical Note CMU/SEI-2009-TN-023. http://www.sei.cmu.edu/reports/09tn023.pdf


www.plumhall.com/SSCC_MP_071b.pdf - 2-page overview of Safe-Secure Project


RELATED PROJECTS

https://www.securecoding.cert.org/ CERT/CC web site dedicated to developing secure coding standards for the C programming language, C++, and Java.

http://samate.nist.gov SAMATE - Software Assurance Metrics And Tool Evaluation project. This project supports the Department of Homeland Security's Software Assurance Tools and R&D Requirements Identification Program. The objective of part 3, Technology (Tools and Requirements), is the identification, enhancement and development of software assurance tools. NIST is leading in (A) testing software evaluation tools, (B) measuring the effectiveness of tools, and (C) identifying gaps in tools and methods.

http://www.aitcnet.org/isai/ ISO/IEC Project 22.24772: Guidance for Avoiding Vulnerabilities through Language Selection and Use.

http://cwe.mitre.org/ Common Weakness Enumeration - A community-developed dictionary of common software weaknesses. Each definition has its own page, so http://cwe.mitre.org/data/definitions/121.html provides definition 121, etc.


CONFERENCE PROCEEDINGS

ASE-SSATTM-plum+keaton-proceedings.pdf - Plum and Keaton, "Eliminating Buffer Overflows, Using the Compiler or a Standalone Tool", Workshop on Software Security Assurance Tools, Techniques, and Metrics (SSATTM)


PRESS COVERAGE

www.plumhall.com/2004-12-30-NorthHawaiiNews.pdf - "Local business wins state award"

www.sdtimes.com/fullcolumn/column-20060115-03.html - SD Times, Larry O'Brien, "Type Safety"

www.ddj.com/security/184402075 - C/C++ Users Journal, Robert C. Seacord, "Validating C and C++ For Safety and Security" (PDF page-images available at www.plumhall.com/Seacord-CUJ-Feb-2006.pdf)


WIKI WEBPAGE FOR TECHNICAL DETAILS AND DISCUSSION

For in-depth technical details, obtain the URL, login and password for the Safe-Secure Wiki: Contact Us


Plum Hall®, Suite++®, LibSuite++®, Suite#® and JVS® are registered trademarks of Plum Hall, Inc.
CV-Suite™ and The Plum Hall Validation Suite for C™ are trademarks of Plum Hall, Inc.
Java™ is a trademark of Sun Microsystems, Inc.