CWE Rule 319

Cleartext Transmission of Sensitive Information

Since R2023b

expand all in page

Description

This checker is deactivated in a default Polyspace® as You Code analysis. See Checkers Deactivated in Polyspace as You Code Analysis (Polyspace Access).

Rule Description

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Polyspace Implementation

The rule checker checks for the issue Leakage of sensitive data.

Examples

expand all

Issue

This issue occurs when you pass sensitive data to functions that might transmit the data over an unsafe channel. The rule checker consider functions such as printf, fprintf, write, fwrite, putchar, puts, fputc, and fputs as functions that might transmit data over an unsafe channel.

Before using this coding rule, provide these specifications in a datalog (*.dl) file:

  • Specify which data in your code is sensitive.

  • If you specify a pointer that points to sensitive data, then you must also specify the function that allocates memory for the pointer. You can either provide this specification in the datalog file or include the allocation in your code.

  • If you transmit data using functions other than the ones listed previously, specify which functions in your code might leak data.

Provide the datalog file as an argument of the option -code-behavior-specifications. The code behavior specification file must include the datalog file "models/interfaces/leakage.dl". See Example.

Risk

If your code passes sensitive data to functions that transmit data over unsafe channels, then the functions might leak the sensitive data.

Fix

To fix this issue, encrypt your data using cryptographic protocols. To resolve the violation, specify the encryption function you use in the datalog file.

Extend Checker

To detect the issue Leakage of sensitive data, specify the sensitive data and the functions that might leak the data in a datalog file and then provide the datalog file as an input to -code-behavior-specifications.

  • To specify variables that hold sensitive data by value, in a datalog (*.dl) file, add this code:

    // Include the api
.include "models/interfaces/leakage.dl"

// Specify objects that hold sensitive data by value
Leakage.Basic.sensitiveVariableValue("priv2Key", "priv2Key holds sensitive data by value").

  • To specify variables that hold to sensitive data by reference, in a datalog (*.dl) file, add this code:

    // Include the api
.include "models/interfaces/leakage.dl"
// Specify objects that point to sensitive data
Leakage.Basic.sensitiveVariableDeref("privKey.*", "privKey.* sensitive data").

  • To specify functions that takes a pointer input parameter and points the input parameter to sensitive data, use this code:

    // Include the api
.include "models/interfaces/leakage.dl"
// Specify objects that point to sensitive data
Leakage.Basic.sensitiveFunctionOutputs("getSecret", $OutParameterDeref(0), "First parameter of getData points to sensitive data.").

  • To specify a custom set of functions as functions that transmit data over unsafe channel, add:

    
.include "common.dl"
.include "cpp/cpp.dl"
// CustomFunc() exposes data on observable channel
Leakage.Basic.leaking("CustomFunc",$InParameterDeref(0),"CustomFunc might leak data").
// connect() exposes data on observable channel
Leakage.Basic.leaking("connect",$InParameterDeref(0),"connect might transmit data over observable channels.").
    This code specifies that the functionsCustomFunc() and connect() are unsafe.

  • To specify encryption functions, in the datalog file, add:

    // The value returned by Encrypt() on third parameter is now trusted
Leakage.Basic.sanitizing("Encrypt",$OutParameterDeref(2)).
    This code specifies that the Encrypt function encrypts the data that is passed to it as the third parameter using an industry standard cryptographic protocol.

  • To specify a regular expression as a name in a Leakage.Basic relation, use Cpp.Variable.name:

    
Leakage.Basic.leaking(name,$InParameterDeref(0),"Message") :-
Cpp.Function.name(_, name),
//Specify regular expression
match("publishCAN.*Data", name).

  • When calculating leakage of sensitive data, Polyspace ignores pointers that are not allocated any memory. If your code contains a pointer that points to sensitive data, Polyspace ignores the pointer unless your code allocate memory for the pointer. Alternatively, you can specify which function allocates the required memory by using this code:

    //initConnection allocates memory for the returned pointer
Alias.Basic.allocates("initConnection", $OutReturnValue()).
    This code specifies that the function initConnection allocates memory and returns a pointer to it.

For details about specifying code behaviors using datalog files, see Modify Bug Finder Checkers Through Code Behavior Specifications.

Example — Avoid Data Leak

In this example, the function getData() obtains sensitive data, which is then leaked by the function transmit().

#include <stdio.h>
#include <stdlib.h>

typedef unsigned char uint8;

extern void getData(uint8 *payload);
extern uint8 *initialize(void);
extern void openURL(uint8 *buffer, char *url);
extern void setMethod(uint8 *buffer, char *meth);
void transmit(uint8 *buffer) {}
extern void stopTransmit(uint8 *buffer);


void cwe_standard() {

	uint8 *buffer;
	buffer = initialize();

	if(buffer) {
		openURL(buffer, "http://www.secret.example.org/");
		setMethod(buffer, "PUT");
		getData(buffer);
		transmit(buffer); //Noncompliant
		stopTransmit(buffer);
	}

}

To detect this violation, the Polyspace analysis must know which data is sensitive and which functions can leak data. Provide these specifications using this datalog (specs.dl):

// Include the leakage.dl file
.include "models/interfaces/leakage.dl"
.include "common.dl"
.include "cpp/cpp.dl"
// Recognize sensitive data
Leakage.Basic.sensitiveFunctionOutputs("getData", $OutParameterDeref(0), "First parameter of getData points to sensitive data.").

//initialize allocates pointer it returns
Alias.Basic.allocates("initialize", $OutReturnValue()).

// transmit() exposes data on an observable channel
Leakage.Basic.leaking("transmit",$InParameterDeref(0),"transmit() can leak data.").

Use this additional option to run the analysis:

-code-behavior-specifications specs.dl

Correction — Encrypt Sensitive Data

To fix this defect, encrypt the data so that the sensitive information is not leaked. For instance, in this code, the function encrypt() uses a trusted cryptographic protocol to encrypt the sensitive data. Using the encrypted data with transmit() is no longer a violation.

#include <stdio.h>
#include <stdlib.h>

typedef unsigned char uint8;

extern void getData(uint8 *payload);
extern uint8 *initialize(void);
extern void openURL(uint8 *buffer, char *url);
extern void setMethod(uint8 *buffer, char *meth);
void transmit(uint8 *buffer) {}
extern void stopTransmit(uint8 *buffer);
extern void encrypt(uint8* );


void cwe_standard() {

	uint8 *buffer;
	buffer = initialize();

	if(buffer) {
		openURL(buffer, "http://www.secret.example.org/");
		setMethod(buffer, "PUT");
		getData(buffer);
		encrypt(buffer);
		transmit(buffer); //Compliant
		stopTransmit(buffer);
	}

}

To inform Polyspace that encrypt() uses a trusted method to encrypt buffer, update the datalog file:

// Include the api
.include "models/interfaces/leakage.dl"

// Recognize sensitive data
Leakage.Basic.sensitiveFunctionOutputs("getData", $OutParameterDeref(0), "First parameter of getData points to sensitive data.").

//initialize allocates pointer it returns
Alias.Basic.allocates("initialize", $OutReturnValue()).


// transmit() exposes data on an observable channel
Leakage.Basic.leaking("transmit",$InParameterDeref(0),"transmit() can leak data.").

// The first parameter of encrypt() is encrypted using a trusted method
Leakage.Basic.sanitizing("encrypt",$OutParameterDeref(0)).

Check Information

Category: Information Management Errors

Version History

Introduced in R2023b

See Also

Topics

External Websites