CERT C: Rec. MSC06-C

This issue occurs when code contains memory clearing operations that may be removed or altered by compiler optimizations. For example, memset() or bzero() calls that clears sensitive data may be optimized away if the memory is not accessed afterward.

Failure to adhere to this rule can result in unexpected and unwanted compiler optimizations that alter program behavior in critical ways. For example, if a buffer that stores sensitive data is cleared using memset() but the memory is not accessed afterward, the compiler may optimize away the clearing operation and leave sensitive data in memory.

Solutions include:

In this example, after using the buffer pwd to store a password, the programmer attempts to clear its contents using memset(). However, since pwd is not accessed after the call to memset(), some compiler optimization modes may determine that clearing the buffer has no observable effect and remove the memset() call. As a result, the sensitive password data may remain in memory, posing a security risk.

#include <string.h>

int GetPassword(char*, int);

void getPassword_NonCompliant_memset(void) {
    char pwd[64];

    if (GetPassword(pwd, sizeof(pwd))) {
    }

    memset(pwd, 0, sizeof(pwd));   // Noncompliant
}
void foo() {
	char pwd[64];
	bzero(pwd, sizeof(pwd)); //Noncompliant

}

Touch the memory after the call to memset() or bzero(). This technique prevents some compilers from optimizing out these calls, but does not work for all implementations.

#include <string.h>

int GetPassword(char*, int);

void getPassword_Compliant_memset(void)
{
    char pwd[64];

    if (GetPassword(pwd, sizeof(pwd))) {
    }

    memset(pwd, 0, sizeof(pwd));    // Compliant
    volatile char *vp = pwd;
    *vp = *vp;
}

void foo() {
	char pwd[64];
	bzero(pwd, sizeof(pwd)); //Compliant
       volatile char *vp = pwd;
       *vp = *vp; 
}

Another solution is to use a memory clearing function that is not optimized away by the compiler. Refer to your compiler documentation for secure memory clearing functions (for example, explicit_bzero() or SecureZeroMemory() on Windows), or use platform- or compiler-specific pragmas or attributes.

This issue occurs when infinite while-loops controlled by nonconstant expressions can be optimized out by the compiler, potentially changing program behavior. For example, you can use an empty infinite while-loop to implement a sleep function capability on platforms that do not support sleep() or equivalent functions.

Infinite loops may be optimized away by the compiler if their controlling expressions are not constant, potentially causing the program to exit or behave unpredictably. Such optimizations can compromise security, reliability, and correctness, particularly when handling sensitive information or implementing essential control flow constructs.

Solutions include:

In this example, the while-loop is controlled by a nonconstant variable always. The compiler may determine that the value of always does not change and, under certain optimization settings, remove the loop. This can cause the program to terminate unexpectedly or behave differently than intended.

static int always = 1;

int main_example(void)
{
    while (always) {              // Noncompliant
    }
}

Change the while-loop to use a constant expression 1 as the controlling expression. This allows the compiler to recognize the while-loop as infinite and to not optimize it away.

int main_example(void)
{
    while (1) {                   // Compliant
    }
}