• CAN/CSA-ISO/IEC TS 17961:18

    Status:  Current (the latest, up-to-date edition)

    Information technology — Programming languages, their environments and system software interfaces — C secure coding rules (Adopted ISO/IEC TS 17961:2013, first edition, 2013-11-15, including adopted technical corrigendum 1:2016)

    Available format(s):  Hardcopy, PDF

    Language(s):  English

    Published date:  01-01-2018

    Publisher:  Canadian Standards Association

    Table of Contents

    Foreword
    Introduction
    1 Scope
    2 Conformance
    3 Normative references
    4 Terms and definitions
    5 Rules
    Annex A (informative) - Intra- to Interprocedural Transformations
    Annex B (informative) - Undefined Behavior
    Annex C (informative) - Related Guidelines and References
    Annex D (informative) - Decidability of Rules
    Bibliography

    Abstract

    Preface

    Standards development within the Information Technology sector is harmonized with international standards development. Through the CSA Technical Committee on Information Technology (TCIT), Canadians serve as the SCC Mirror Committee (SMC) on ISO/IEC Joint Technical Committee 1 on Information Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO member body for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of the International Telecommunication Union (ITU), Canada participates in the International Telegraph and Telephone Consultative Committee (ITU-T).

    Scope

    This Technical Specification specifies rules for secure coding in the C programming language and code examples. This Technical Specification does not specify the mechanism by which these rules are enforced or any particular coding style to be enforced. (It has been impossible to develop a consensus on appropriate style guidelines. Programmers should define style guidelines and apply these guidelines consistently. The easiest way to consistently apply a coding style is with the use of a code formatting tool. Many interactive development environments provide such capabilities.)

    Each rule in this Technical Specification is accompanied by code examples. Code examples are informative only and serve to clarify the requirements outlined in the normative portion of the rule. Examples impose no normative requirements. Each rule in this Technical Specification that is based on undefined behavior defined in the C Standard identifies the undefined behavior by a numeric code. The numeric codes for undefined behaviors can be found in Annex B, Undefined Behavior.

    Two distinct kinds of examples are provided: noncompliant examples demonstrating language constructs that have weaknesses with potentially exploitable security implications; such examples are expected to elicit a diagnostic from a conforming analyzer for the affected language construct; and compliant examples are expected not to elicit a diagnostic. Examples are not intended to be complete programs. For brevity, they typically omit #include directives of C Standard Library headers that would otherwise be necessary to provide declarations of referenced symbols. Code examples may also declare symbols without providing their definitions if the definitions are not essential for demonstrating a specific weakness.

    Some rules in this Technical Specification have exceptions. Exceptions are part of the specification of these rules and are normative.

    General Product Information

    Document Type:  Standard
    Publisher:  Canadian Standards Association
    Status:  Current

    Standards Referencing This Book

    ISO/IEC 2382-1:1993 Information technology — Vocabulary — Part 1: Fundamental terms
    ISO/IEC 11889-1:2015 Information technology — Trusted platform module library — Part 1: Architecture
    ISO/IEC TR 24772:2013 Information technology — Programming languages — Guidance to avoiding vulnerabilities in programming languages through language selection and use
    ISO 80000-2:2009 Quantities and units — Part 2: Mathematical signs and symbols to be used in the natural sciences and technology
    ISO/IEC 9899:2011 Information technology — Programming languages — C
    ISO/IEC/IEEE 9945:2009 Information technology — Portable Operating System Interface (POSIX®) Base Specifications, Issue 7
    ISO/IEC TR 24731-2:2010 Information technology — Programming languages, their environments and system software interfaces — Extensions to the C library — Part 2: Dynamic Allocation Functions
    IEEE/Open Group 1003.1, 2013 Edition IEEE Standard for Information Technology—Portable Operating System Interface (POSIX(TM)) Base Specifications, Issue 7