Managed String C Library Beta Released

CERT has released for download a beta version of its managed string library for C.

The library was developed in response to the need for a string library that can improve the security of C-language programs while eliminating obstacles to widespread adoption and possible standardization.

The managed string library is based on a dynamic approach; memory is allocated and reallocated as required. This approach eliminates the possibility of unbounded copies, null-termination errors, and truncation by ensuring that there is always adequate space available for the resulting string (including the terminating null character). The one exception is if memory is exhausted; that is treated as an error condition. In this way, the managed string library accomplishes the goal of indicating either success or failure. The managed string library also protects against improper data sanitization by (optionally) ensuring that all characters in a string belong to a predefined set of "safe" characters.

For more information on the project, see:

• Specifications for Managed Strings.
• Managed String Course -- Safer Strings in C: Using the Managed String Library.
• Managed String Library for C: Strings are of special concern in secure programming
• Information Technology - Programming languages, their environments and system software interfaces: Specification for Managed Strings.

Posted by Jon Erickson at 02:33 PM  Permalink