DATASHEET
HKMC C Rule Enforcement
Hyundai Motor Group - Secure C Coding Guide for Automotive Embedded System
Version 4.1
ENFORCEMENT HELIX QAC 2024.1
Total | ||
|---|---|---|
a | Total Number of Rules | 129 |
b | Total Number of ‘Not Statically Enforceable’ Rules (Assisted/Unassisted) | 0 |
c | Total Number of Enforceable Rules (a-b) | 129 |
d | Total Number of Enforced Rules | 125 |
e | Total Number of Unenforced Rules | 4 |
f | Enforce Rules Percentage (d/c) | 97% |
g | Unenforced Rules Percentage (e/c) | 3% |
Rule ID | Description | Enforced |
|---|---|---|
3 Code Error | ||
3.1 Preprocessor | ||
C-PRE-001 | Do not create a character name of Universal character set (UCS) through token concatenation | Yes |
C-PRE-002 | Do not pass specific variable value conversion argument to unsafe macros | Yes |
C-PRE-003 | Do not pass preprocessing directives in when calling function-like macros | Yes |
3.2 Declaration and Initialization | ||
C-DCI-001 | Do not returning and assigning local variable address | Yes |
C-DCI-002 | Do not declare same variable for internal and external linkage | Yes |
C-DCI-003 | Do not declare or define a reserved identifier | Yes |
C-DCI-004 | Need to use the correct syntax when declaring a flexible array | Yes |
C-DCI-005 | Need to avoid information leakage when passing a structure across a trust boundary | Yes |
C-DCI-006 | Do not declare of incompatible function or object | Yes |
C-DCI-007 | Do not declare variable in a switch statement before the first case label | Yes |
C-DCI-008 | Attention to switch race condition | Yes |
C-DCI-009 | Do not miss default case in switch statement | Yes |
C-DCI-010 | Do not omit break in switch statement | Yes |
C-DCI-011 | Need explicit handling of operator precedence using parentheses [MCU] | Yes |
C-DCI-012 | Do not compare numerical ranges without minimum check [MCU] | Yes |
3.3 Integers, Characters and Strings | ||
C-INT-001 | Attention to integer conversion rules (CERT Recommendations) | Yes |
C-INT-002 | Ensure that unsigned integer operations do not wrap | Yes |
C-INT-003 | Integer conversion must be guaranteed not to result in lost or misinterpreted data [AP, MCU] | Yes |
C-INT-004 | Ensure that signed integer operations do not overflow [AP, MCU] | Yes |
C-INT-005 | Ensure that division and modulo operations do not result in ‘divide-by-zero’ errors [AP, MCU] | Yes |
C-INT-006 | Do not shift to negative values or shift by more than or equal to the bits of the operands | Yes |
C-INT-007 | Use the correct precisions of integer type | Yes |
C-INT-008 | Attention to type conversion between pointer and integer [AP, MCU] | Yes |
C-INT-009 | Attention to calculate for buffer or data type size | Yes |
C-FLP-001 | Do not use floating-point variables as loop counters | Yes |
C-FLP-002 | Ensure that floating-point type conversion occurs within the range of new types | Yes |
C-FLP-003 | Preserve precision when converting from integer type to floating-point type | Yes |
C-STR-001 | Do not modify string literals | Yes |
C-STR-002 | Ensure that storage has sufficiently space for character data and the null terminator | Yes |
C-STR-003 | Do not passing a non-null-terminated string to a library function | Yes |
C-STR-004 | Argument to character-handling function must be passed as unsigned char | Yes |
C-STR-005 | Do not confuse narrow and wide character strings when passing arguments to character-handling function | Yes |
C-STR-006 | Incorrect calculation of the multi-byte string length | Yes |
3.4 Expressions | ||
C-EXP-001 | Do not ignore return value by functions (CERT Recommendations) [MCU] | Yes |
C-EXP-002 | Attention to the order of calculation (evaluation) that causes the side effects | Yes |
C-EXP-003 | Do not reference(access, read) uninitialized memory [Ap, MCU] | Yes |
C-EXP-004 | Attention not to reference abnormal pointer [MCU] | Yes |
C-EXP-005 | Attention when using assignment operator instead of comparison operators [MCU] | Yes |
C-EXP-006 | Attention when using comparison operators instead assignment operators [MCU] | Yes |
C-EXP-007 | Attention to external input not checked for the control condition of the loop [MCU] | Yes |
C-EXP-008 | Do not use possible recursion calls and only allow a limited number of recursion calls if necessary | Yes |
C-EXP-009 | Do not null pointer dereference [AP, MCU] | Yes |
C-EXP-010 | Do not cast pointer into more strictly aligned pointer types | Yes |
C-EXP-011 | Do not variable access through pointers of incompatible types | Yes |
C-EXP-012 | Do not modify constant object | Yes |
C-EXP-013 | Do not compare padding data | Yes |
C-EXP-014 | Attention to avoid undefined behavior when using a pointer that qualifies restrict | Yes |
C-EXP-015 | Do not pass an expression that changes the value of variable as an operand to sizeof, _Alignof, _Generic | Yes |
C-EXP-016 | Do not perform assignment operation on certain operators | Yes |
C-EXP-017 | Do not use a bitwise operator with Boolean operand | Yes |
C-EXP-018 | Do not call va_arg with an argument of the incorrect type | Yes |
C-EXP-019 | Do not use of Path Manipulation Function without Maximum-sized Buffer | Yes |
3.5 Arrays | ||
C-ARR-001 | Ensure that the index is within the valid range for memory read and write operations of the array [AP, MCU] | Yes |
C-ARR-002 | Ensure size arguments for variable length array are in a valid range | Yes |
C-ARR-003 | Do not subtract or compare two pointers that do not reference the same array [AP, MCU] | Yes |
C-ARR-004 | Do not add or subtract an integer to a pointer to a non-array object [Ap, MCU] | Yes |
C-ARR-005 | Do not generate invalid pointer through library functions | Yes |
C-ARR-006 | Do not add and subtract integers resized automatically in pointer [AP, MCU] | Yes |
C-ARR-007 | Attention for handling length parameters when accessing arrays in loops like the for statements [MCU] | Yes |
C-ARR-008 | Write before buffer start | Yes |
C-ARR-009 | Buffer access using source buffer size | Yes |
C-ARR-010 | Attention not to include invalid arguments when calling a function [MCU] | Yes |
C-ARR-011 | Attention for incorrect judgement of return value by function [MCU] | Yes |
3.5 Exception Handling | ||
C-ERR-001 | Attention when calling a library related the errno | Yes |
C-ERR-002 | Detect and handle errors of standard library | Yes |
C-ERR-003 | Detect errors when converting a string to a number | Yes |
4 Code Quality | ||
4.1 Memory Managements | ||
C-MEM-001 | Do not reference freed memory | Yes |
C-MEM-002 | Free dynamically allocated memory when no longer needed | Yes |
C-MEM-003 | Allocate and copy structures containing a flexible array member dynamically | Yes |
C-MEM-004 | Free memory allocated dynamically | Yes |
C-MEM-005 | Allocate sufficient memory for an object | Yes |
C-MEM-006 | Do not modify the alignment of object by calling realloc() | Yes |
C-MEM-007 | Improper clearing of heap memory before release('Heap inspection') | Yes |
4.2 Input and Output | ||
C-FIO-001 | Exclude user input from format strings | Yes |
C-FIO-002 | Distinguish between characters read from a file and EOF or WEOF | Yes |
C-FIO-003 | Do not assume that fgets() or fgetws() returns a nonempty string when successful | Yes |
C-FIO-004 | Do not input and output from a stream without an intervening flush or positioning call | Yes |
C-FIO-005 | Reset strings on fgets() or fgetws() failure | Yes |
C-FIO-006 | Do not call getc(), putc(), getwc() or putwc() with a string argument that changes the value of a variable | Yes |
C-FIO-007 | Close file when they are no longer needed | Yes |
C-FIO-008 | Use valid format strings | Yes |
C-FIO-009 | Do not concurrent execution use shared resource with improper synchronization(Race condition) | Yes |
4.3 Environment Variable | ||
C-ENV-001 | Do not modify the object referenced by the return value of certain functions | Yes |
C-ENV-002 | Do not reference the environment variable pointer after a function is called that contains an operation that invalidates the environment variable pointer | Yes |
C-ENV-003 | All exit handlers must return normally | Yes |
C-ENV-004 | Do not call system() | Yes |
4.4 Signals | ||
C-SIG-001 | Only call functions that are asynchronously safe in the signal handler | Yes |
C-SIG-002 | Do not return from a computational exception signal handler | Yes |
4.4 Concurrency Programming | ||
C-CON-001 | Clean up thread storage after allocation | Yes |
C-CON-002 | Do not destroy a mutex while it is locked | Yes |
C-CON-003 | Prevent data race when accessing bit-fields from multiple threads | Yes |
C-CON-004 | Avoid race conditions when using library functions | Yes |
C-CON-005 | Declare object shared between threads | Yes |
C-CON-006 | Lock according to predefine order to avoid deadlock | Yes |
C-CON-007 | Wrapping of functions that can spuriously wake up in a loop | Yes |
C-CON-008 | Do not call signal() in a multithreaded program | Yes |
C-CON-009 | Preserve thread safety and liveness when using condition variables | Yes |
C-CON-010 | Do not join or detach a thread that was previously joined or detached | Yes |
C-CON-011 | Do not reference to an atomic variable twice in an expression | Yes |
5 Security Functions | ||
5.1 Security Functions | ||
C-MSC-001 | Should be treated as 2^16 + 1, ie 65537 in the public key index when using asymmetric key RSA | Yes |
C-MSC-002 | Use at least 8-Byte when using MAC | Yes |
C-MSC-003 | Do not use the rand() when generating random number using PRNG | Yes |
C-MSC-004 | Set seeds correctly when using PRNG | Yes |
C-MSC-005 | Attention to pass improper argument when using the asctime() | Yes |
C-MSC-006 | Return all functions other than void return type | Yes |
C-MSC-007 | Do not access to identifier as an object when a predefined identifier is defined only in macro | Yes |
C-MSC-008 | Do not call va_arg() on va_list with an unspecified value | Yes |
C-MSC-009 | Code removal error clearing compiler’s buffer | Yes |
C-MSC-010 | Do not use getloin in multithreaded applications | Yes |
C-MSC-011 | Do not transmit and store critical security and vehicle information to outside controller in the form of plain text [MCU] | Yes |
C-MSC-012 | Replace periodically the secret key and keep confidential of updated key[MCU] | Yes |
C-MSC-013 | Satisfy a certain level of security when using cryptographic algorithms or hash functions | No |
C-MSC-014 | Do not use algorithms that find security vulnerabilities, such as the DES symmetric key algorithm and the MD5 hash algorithm [MCU] | Yes |
C-MSC-015 | Do not use fixed or predictable seeds [MCU] | Yes |
C-MSC-016 | Include a message identification value to prevent replay attacks when creating a MAC to ensure integrity | No |
C-MSC-017 | Validate the certificate and signature of the public key when the sender sends a message using asymmetric key algorithm [MCU] | No |
C-MSC-018 | Store critical security information, such as key values, in a secure memory space [MCU] | No |
5.2 POSIX | ||
C-POS-001 | Correct use of readlink() | Yes |
C-POS-002 | Do not use for vfork() | Yes |
C-POS-003 | Do not pass a pointer to a local variable in the putenv() | Yes |
C-POS-004 | Attention for racing conditions when using fork and file descriptors | Yes |
C-POS-005 | Use of correct byte order is required for data communication between systems | Yes |
C-POS-006 | Do not use signals to terminate threads | Yes |
C-POS-007 | Do not unlock another POSIX thread’s mutex | Yes |
C-POS-008 | Detect and handle POSIX Library errors | Yes |
C-POS-009 | Attention improper resource locking | Yes |
C-POS-010 | Attention to leave without development mode, including debug code [MCU] | Yes |
C-POS-011 | Clear block delimitation of the statements [MCU] | Yes |
C-POS-012 | Remove 'Dead Code' [MCU] | Yes |