{"id":16902367,"url":"https://github.com/rurban/safeclib","last_synced_at":"2025-04-08T10:26:04.846Z","repository":{"id":19877804,"uuid":"88128310","full_name":"rurban/safeclib","owner":"rurban","description":"safec libc extension with all C11 Annex K functions","archived":false,"fork":false,"pushed_at":"2024-12-29T15:11:58.000Z","size":53801,"stargazers_count":353,"open_issues_count":11,"forks_count":68,"subscribers_count":27,"default_branch":"master","last_synced_at":"2025-04-01T09:21:10.750Z","etag":null,"topics":["bounds-checking","c-library"],"latest_commit_sha":null,"homepage":"https://rurban.github.io/safeclib/","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rurban.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog","contributing":null,"funding":".github/FUNDING.yml","license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null},"funding":{"github":"rurban","patreon":"rurban"}},"created_at":"2017-04-13T05:29:04.000Z","updated_at":"2025-03-31T10:51:25.000Z","dependencies_parsed_at":"2023-12-22T12:40:22.032Z","dependency_job_id":"1cf789e6-9b0f-46c3-aebc-bf862a3991ea","html_url":"https://github.com/rurban/safeclib","commit_stats":null,"previous_names":[],"tags_count":42,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rurban%2Fsafeclib","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rurban%2Fsafeclib/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rurban%2Fsafeclib/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rurban%2Fsafeclib/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rurban","download_url":"https://codeload.github.com/rurban/safeclib/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247822187,"owners_count":21001805,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bounds-checking","c-library"],"created_at":"2024-10-13T18:05:40.087Z","updated_at":"2025-04-08T10:26:04.821Z","avatar_url":"https://github.com/rurban.png","language":"C","funding_links":["https://github.com/sponsors/rurban","https://patreon.com/rurban"],"categories":[],"sub_categories":[],"readme":"Safe C Library - README\n=======================\n\n[![safeclib](doc/safeclib-banner.png)](https://github.com/rurban/safeclib/issues)\n\nCopying\n-------\n\nThis project's licensing restrictions are documented in the file 'COPYING'\nunder the root directory of this release. Basically it's MIT licensed.\n\nOverview\n--------\n\nThis library implements the secure C11 Annex K[^5] functions on top of most libc\nimplementations, which are missing from them.\n\nThe ISO TR24731 Bounds Checking Interface documents indicate that the key\nmotivation for the new specification is to help mitigate the ever increasing\nsecurity attacks, specifically the buffer overrun.[^1]\n\nThe rationale document says _\"Buffer overrun attacks continue to be a security\nproblem. Roughly 10% of vulnerability reports cataloged by CERT from\n01/01/2005 to 07/01/2005 involved buffer overflows. Preventing buffer overruns\nis the primary, but not the only, motivation for this technical report.\"_[^2]\n\nThe rationale document continues _\"that these only mitigate, that is lessen,\nsecurity problems. When used properly, these functions decrease the danger\nbuffer overrun attacks. Source code may remain vulnerable due to other bugs\nand security issues. The highest level of security is achieved by building in\nlayers of security utilizing multiple strategies.\"_[^2]\n\nThe rationale document lists the following key points for TR24731:\n\n- Guard against overflowing a buffer\n- Do not produce unterminated strings\n- Do not unexpectedly truncate strings\n- Provide a library useful to existing code\n- Preserve the zero terminated string datatype\n- Only require local edits to programs\n- Library based solution\n- Support compile-time checking\n- Make failures obvious\n- Zero buffers, null strings\n- Runtime-constraint handler mechanism\n- Support re-entrant code\n- Consistent naming scheme\n- Have a uniform pattern for the function parameters and return type\n- Deference to existing technology\n\nand the following can be added...\n\n- provide a library of functions with like behavior\n- provide a library of functions that promote and increase code safety and\n  security\n- provide a library of functions that are efficient\n\nThe C11 Standard adopted many of these points, and added some secure\n`_s` variants in the Annex K.  The Microsoft Windows/MINGW secure API\ndid the same, but deviated in some functions from the standard.\nBesides Windows (with its msvcrt, ucrt, reactos msvcrt and wine msvcrt\nvariants) only the unused stlport, Android's Bionic, Huawei securec\nand Embarcadero implemented this C11 secure Annex K API so far.  They\nare still missing from glibc, musl, FreeBSD, darwin and DragonFly\nlibc, OpenBSD libc, newlib, dietlibc, uClibc, minilibc.\n\nDesign Considerations\n---------------------\n\nThis library implements since 3.0 all functions defined in the\nspecifications.[^3]  Included in the library are extensions to the specification\nto provide a complementary set of functions with like behavior.\n\nThis library is meant to be used on top of all the existing libc's\nwhich miss the secure C11 functions. Of course tighter integration\ninto the system libc would be better, esp. with the printf, scanf and\nIO functions. See the seperate [libc-overview](doc/libc-overview.md) document.\n\nAustin Group Review of ISO/IEC WDTR 24731\nhttp://www.open-std.org/jtc1/sc22/wg14/www/docs/n1106.txt\n\nC11 standard (ISO/IEC 9899:2011)\nhttp://en.cppreference.com/w/c\n\nCERT C Secure Coding Standard[^4]\n\nStackoverflow discussion:\nhttps://stackoverflow.com/questions/372980/do-you-use-the-tr-24731-safe-functions\n\nDrDobbs review[^6]\nhttp://www.drdobbs.com/cpp/the-new-c-standard-explored/232901670\n\nC17 reconsidered safeclib but looked only at the old incomplete Cisco version,\nnot our complete and fixed version.\nhttp://www.open-std.org/jtc1/sc22/wg14/www/docs/n1967.htm\n\n* Use of errno\n\nThe TR24731 specification says an implementation may set errno for the\nfunctions deﬁned in the technical report, but is not required to.\nThis library does not set `errno` in most functions, only in\n`bsearch_s`, `fscanf_s`, `fwscanf_s`, `gets_s`, `gmtime_s`, `localtime_s`,\n`scanf_s`, `sscanf_s`, `swscanf_s`, `strtok_s`, `vfscanf_s`,\n`vfwscanf_s`, `vsscanf_s`, `vswscanf_s`, `wcstok_s`, `wscanf_s`.\n\nIn most cases the safeclib extended ES* errors do not set `errno`, only\nwhen the underlying insecure system call fails, errno is set.  The\nlibrary does use `errno` return codes as required by functional APIs.\nSpecific Safe C String and Safe C Memory errno codes are defined in\nthe `safe_errno.h` file.\n\n* Runtime-constraints\n\nPer the spec, the library verifies that the calling program does not violate\nthe function's runtime-constraints. If a runtime-constraint is violated, the\nlibrary calls the currently registered runtime-constraint handler.\n\nPer the spec, multiple runtime-constraint violations in the same call to a\nlibrary function result in only one call to the runtime-constraint handler.\nThe first violation encountered invokes the runtime-constraint handler.\n\nWith `--disable-constraint-handler` calling the runtime-constraint handler\ncan be disabled, saving some memory, but not much run-time performance.\n\nWith `--with-default-handler=\u003cabort|ignore\u003e` you may set the default\nconstraint handler at compile-time to `abort_handler_s` or\n`ignore_handler_s`.\n\nThe runtime-constraint handler might not return. If the handler does\nreturn, the library function whose runtime-constraint was violated\nreturns an indication of failure as given by the function’s return.\nWith valid dest and dmax values, dest is cleared. With the optional\n`--disable-null-slack` only the first value of dest is cleared,\notherwise the whole dest buffer.\n\n`rsize_t`\n\tThe specification defines a new type.  This type, `rsize_t`, is\n    conditionally defined in the `safe_lib.h` header file.\n\n`RSIZE_MAX`\n\tThe specification defines the macro `RSIZE_MAX` which expands to a value\n\tof type `rsize_t`. The specification uses `RSIZE_MAX` for both the string\n\tfunctions and the memory functions. This implementation defines two\n\tmacros: `RSIZE_MAX_STR` and `RSIZE_MAX_MEM`.  `RSIZE_MAX_STR` defines the\n\trange limit for the safe string functions. `RSIZE_MAX_MEM` defines the\n\trange limit for the safe memory functions.  The point is that string\n\tlimits can and should be different from memory limits.\n\tThere also exist `RSIZE_MAX_WSTR`, `RSIZE_MAX_MEM16`, `RSIZE_MAX_MEM32`.\n\n* Compile-time constraints\n\nWith supporting compilers the dmax overflow checks and several more\nare performed at compile-time.  Currently only since clang-5 with\n`diagnose_if` support. This checks similar to `_FORTIFY_SOURCE=2` if\nthe `__builtin_object_size` of the dest buffer is the same size as\ndmax, and errors if dmax is too big. With the optional\n`--enable-warn-dmax` it prints a warning if the sizes are different,\nwhich is esp. practical as compile-time warning. It can be promoted\nvia the optional `--enable-error-dmax` to be fatal. On unsupported\ncompilers, the overflow check and optional equality warn-dmax check is\ndeferred to run-time. This check is only possible with\n`__builtin_object_size` and `-O2` when the dest buffer size is known\nat compile-time, otherwise only the simplier `dest == NULL`, `dmax == 0`\nand `dmax \u003e RSIZE_MAX` checks are performed.\n\n* Header Files\n\nThe specification states the various functions would be added to\nexisting Standard C header files: stdio.h, string.h, etc.  This\nimplementation separates the memory related functions into the\n`safe_mem_lib.h` header, the string related functions into the\n`safe_str_lib.h` header, and the rest into the `safe_lib.h`\nheader. There are also the internal `safe_compile.h`, `safe_config.h`\n`safe_lib_errno.h` and `safe_types.h` headers, but they do not need to\nbe included. You can also include all safec API's with `\u003csafec.h\u003e`.\n\nThe make file builds a single library `libsafec-VERSION.a` and `.so`.\nBuilt but not installed are also libmemprims, libsafeccore and libstdunsafe.\n\nIt is possible to split the make such that a separate `safe_mem_lib.so` and\n`safe_str_lib.so` are built.  It is also possible to integrate the prototypes\ninto the Standard C header files, but that may require changes to your\ndevelopment tool chain.\n\n\nUserspace Library\n-----------------\n\nThe build system for the userspace library is the well known *GNU build\nsystem*, a.k.a. Autotools. This system is well understood and supported\nby many different platforms and distributions which should allow this\nlibrary to be built on a wide variety of platforms. See the\n[Tested platforms](#tested-platforms) section for details on what\nplatforms this library was tested on during its development.\n\n* Building\n\nFor those familiar with autotools you can probably skip this part. For those\nnot and want to get right to building the code see below. And, for those that\nneed additional information see the `INSTALL` file in the same directory.\n\nTo build you do the following:\n\n    ./build-aux/autogen.sh\n    ./configure\n    make\n\n`autogen.sh` only needs to be run if you are building from the git\nrepository. Optionally, you can do `make check` if you want to run the unit\ntests.\n\nOn Apple M1-M3 hardware I was told to use this:\n\n    ./configure --disable-hardening CC=\"clang -arch arm64 -arch x86_64\" \\\n      CXX=\"clang -arch arm64 -arch x86_64\" CPP=\"clang -E\" CXXCPP=\"clang -E\"\n\nThis builds safeclib as a fat lib for macOS arm64 + X86-64 using clang.\n\n* Installing\n\nInstallation must be preformed by `root`, an `Administrator` on most\nsystems. The following is used to install the library.\n\n    sudo make install\n\nSafe Linux Kernel Module\n------------------------\n\nThe build for the kernel module has not been integrated into the autotools\nbuild infrastructure. Consequently, you have to run a different makefile to\nbuild the kernel module.\n\n\n* Building\n\n.To build do the following:\n\n    ./configure --disable-wchar\n    make -f Makefile.kernel\n\nThis assumes you are compiling on a Linux box and this makefile supports the\nstandard kernel build system infrastructure documented in:\n`/usr/src/linux-kernel/Documentation/kbuild/modules.txt`\n\nNOTE: If you build the kernel module then wish to build the userspace library\n      or vice versa you will need to do a `make clean` otherwise a `make check`\n      will fail to build.\n\n\n* Installing\n\nThe kernel module will be found at the root of the source tree called\n`slkm.ko`. The file `testslkm.ko` are the unit tests run on the userspace\nlibrary but in Linux kernel module form to verify functionality within the\nkernel.\n\nTested Platforms\n----------------\n\nThe library has been tested on the following systems:\n\n- Linux Fedora core 31 - 41 amd64/i386 glibc 2.28 - 2.40 (all gcc’s + clang’s)\n- Mac OS X 10.6-12 w/ Apple developer tools and macports (all gcc’s + clang’s)\n- Linux Debian/Ubuntu since Debian 9 amd64/i386 glibc 2.24 - 2.40 (all gcc’s + clang’s)\n- Linux centos 7 amd64\n- Linux Void amd64 musl-1.1.16\n- x86_64-w64-mingw32 native and cross-compiled\n- i686-w64-mingw32 native, and cross-compiled and tested under wine\n- i386-mingw32 cross-compiled\n- cygwin32 gcc (newlib)\n- cygwin64 gcc -std=c99 (newlib)\n- freebsd 10 - 13 amd64\n- linux docker images under qemu:\n  i386/debian, x86_64/rhel, arm32v7/debian, aarch64: arm64v8/{debian,centos,rhel,fedora},\n  s390x/fedora (the only big endian test I could find), ppc64le/{debian,ubuntu,fedora,centos,rhel}\n- User Mode Linux (UML), Linux kernel version v3.5.3 w/ Debian Squeeze rootfs\n\nwith most available compilers. See `build-aux/smoke.sh` and the various CI configs.\n\n- https://github.com/rurban/safeclib/actions\n- https://travis-ci.org/github/rurban/safeclib/\n- https://ci.appveyor.com/project/rurban/safeclib/\n- https://cirrus-ci.com/github/rurban/safeclib\n- https://cloud.drone.io/rurban/safeclib/\n\nKnown Issues\n------------\n\n1. If you are building the library from the git repository you will have to\n   first run `build-aux/autogen.sh` which runs autoreconf to `install` the\n   autotools files and create the configure script.\n\n2. If you use cmake, you'd need to add `-DCMAKE_APPLE_SILICON_PROCESSOR=$(uname -m)`\n   for Apple Silicon M1 or M2 processors.\n\nReferences\n----------\n\n[^1]: Programming languages, their environments and system software\n      interfaces, Extensions to the C Library, Part I: Bounds-checking\n      interfaces, ISO/IEC TR 24731-1.\n\n[^2]: Rationale for TR 24731 Extensions to the C Library Part I:\n      Bounds-checking interfaces, ISO/IEC JTC1 SC22 WG14 N1225.\n\n[^3]: The Open Group Base Specifications Issue 7\n      http://pubs.opengroup.org/onlinepubs/9699919799/functions/contents.html\n\n[^4]: CERT C Secure Coding Standard\n      https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard\n\n[^5]: C11 Standard (ISO/IEC 9899:2011) Annex K\n\n[^6]: DrDobbs review http://www.drdobbs.com/cpp/the-new-c-standard-explored/232901670\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frurban%2Fsafeclib","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frurban%2Fsafeclib","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frurban%2Fsafeclib/lists"}