Wednesday, January 25, 2012

CERT Team Improves Security in the New ISO/IEC C Programming Language Standard

January 9, 2012—In the field of information technology, ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) have established a joint technical committee, ISO/IEC JTC 1. For the past several years, members of the Secure Coding team in the SEI’s CERT Program have been contributing to the development of a major revision of the ISO/IEC standard for the C programming language. CERT’s efforts have focused on introducing much-needed security enhancements to the language and standard library. These security enhancements include (conditional) support for bounds-checking interfaces (originally specified in ISO/IEC TR 24731-1:2007), (conditional) support for analyzability, static assertions, no-return functions, support for opening files for exclusive access, and the removal of the insecure gets function. In December 2011, the work of the CERT team and industry participants resulted in the release of ISO/IEC 9899:2011, informally referred to as C11. This third edition of the C standard cancels and replaces the second edition, ISO/IEC 9899:1999.

David Keaton, a member of the SEI’s Secure Coding team, served as chair of Task Group PL22.11 C of the International Committee for Information Technology Standards (INCITS). Working with SEI colleagues Robert C. Seacord and David Svoboda, Keaton helped develop, refine, and introduce many of the security enhancements to this major ISO standard revision.

“Security features in C had been limited to the snprintf function, introduced in 1999,” explained Keaton. “Now, the new ISO standard includes an entire new library of secure string functions, plus an optional compilation model that makes C code more understandable by source code analyzers that perform security checks.”

Read more: Software Engineering Institute