Build secure and reliable embedded systems with MISRA C/C++
Editor's Note: This article was originally presented at ESC Boston.
No software engineering process can guarantee secure code, but following the right coding guidelines can dramatically increase the security and reliability of your code. Many embedded systems live in a world where a security breach can be catastrophic.
Embedded systems control much of the world’s critical infrastructure, such as dams, traffic signals, and air traffic control. These systems are increasingly communicating together using COTS networking and in many cases using the Internet itself. Keeping yourself out of the courtroom, if not common decency, demands that all such systems should be developed to be secure.
There are many factors that determine the security of an embedded system. A well-conceived design is crucial to the success of a project. Also, a team needs to pay attention to its development process. There are many different models of how software development ought to be done, and it is prudent to choose one that makes sense. Finally, the choice of operating system can mean the difference between a project that works well in the lab and one that works reliably for years in the real world.
Even the most well thought-out design is vulnerable to flaws when the implementation falls short of the design. This paper focuses on how one can use a set of coding guidelines, called MISRA C and MISRA C++, to help root out bugs introduced during the coding stage.
MISRA C and C++
MISRA stands for Motor Industry Software Reliability Association. It originally published Guidelines For the Use of the C Language In Critical Systems, known informally as MISRA C, in 1998. A second edition of MISRA C was introduced in 2004, and then MISRA C++ was released in 2008. More information on MISRA and the standards themselves can be obtained from the MISRA website.
The purpose of the MISRA C and MISRA C++ guidelines is not to promote the use of C or C++ in critical systems. Rather, the guidelines accept that these languages are being used for an increasing number of projects. The guidelines discuss general problems in software engineering and note that C and C++ do not have as much error checking as other languages do. Thus the guidelines aim to make C and C++ safer to use, although they do not endorse C or C++ over other languages.
MISRA C is a subset of the C language. In particular, it is based on the ISO/IEC 9899:1990 C standard, which is identical to the ANSI X3.159-1989 standard, often called C ’89. Thus every MISRA C program is a valid C program. The MISRA C subset is defined by 141 rules that constrain the C language. Correspondingly, MISRA C++ is a subset of the ISO/IEC 14882:2003 C++ standard. MISRA C++ is based on 228 rules, many of which are refinements of the MISRA C rules to deal with the additional realities of C++.
For notational convenience, we will use the terms “MISRA”, “MISRA C” or “MISRA C++” loosely in the remainder of the document to refer to either the defining documents or the language subsets.
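To make the "subset of C" idea concrete, here is an added example (not code from the article or from MISRA) of the same small checksum routine written twice: once as valid C '89 that a MISRA C checker would flag on several counts (dynamic heap allocation, pointer arithmetic other than array indexing, goto, a length parameter of signed type, and an implicit narrowing conversion on return), and once in the style the guidelines push you toward (fixed-size buffers, array indexing, a single point of exit, explicit casts, and an explicit status instead of a silently wrong result). The names `checksum_loose`, `checksum_misra`, `MAX_MSG_LEN`, `chk_status_t` and the sample message are all constructed for this example; the constructs named as MISRA-restricted reflect the 2004 rule set as I understand it, not anything the article itself enumerates.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample message used by the demo and the test. */
static const uint8_t SAMPLE_MSG[3] = { 0x01U, 0x02U, 0xFFU };

/* Valid C, but not MISRA C. A checker would object to: malloc (dynamic
 * heap allocation), *(copy + i) (pointer arithmetic), goto, a signed
 * length that can be negative, and the implicit narrowing of `sum`
 * (unsigned int) to the unsigned char return type. Note also that an
 * allocation failure is reported as a "checksum" of 0. */
unsigned char checksum_loose(const unsigned char *msg, int len)
{
    unsigned char *copy = malloc(len);
    unsigned int sum = 0;
    int i;
    if (copy == NULL) goto done;
    memcpy(copy, msg, len);
    for (i = 0; i < len; i++) {
        sum += *(copy + i);
    }
    free(copy);
done:
    return sum;
}

/* Hypothetical upper bound on message size for the MISRA-style version. */
#define MAX_MSG_LEN 64U

typedef enum { CHK_OK = 0, CHK_BAD_LEN = 1, CHK_NULL = 2 } chk_status_t;

/* The same computation written in the MISRA C style: sized integer
 * typedefs, no heap, array indexing only, every conversion explicit,
 * one exit point, and a status code so callers cannot mistake an error
 * for a valid checksum. */
chk_status_t checksum_misra(const uint8_t msg[], size_t len, uint8_t *out)
{
    chk_status_t status = CHK_OK;
    uint16_t sum = 0U;
    size_t i;

    if ((msg == NULL) || (out == NULL)) {
        status = CHK_NULL;
    } else if (len > MAX_MSG_LEN) {
        status = CHK_BAD_LEN;
    } else {
        for (i = 0U; i < len; i++) {
            sum = (uint16_t)(sum + msg[i]);   /* explicit narrowing */
        }
        *out = (uint8_t)(sum & 0xFFU);
    }
    return status;
}

/* Returns 1 when both versions agree on the sample message and the
 * MISRA-style version rejects the inputs the loose one would trust. */
int demo_misra_vs_loose(void)
{
    uint8_t out = 0U;
    int ok = 1;

    if (checksum_misra(SAMPLE_MSG, 3U, &out) != CHK_OK) {
        ok = 0;
    } else if (out != checksum_loose(SAMPLE_MSG, 3)) {
        ok = 0;
    } else if (checksum_misra(SAMPLE_MSG, MAX_MSG_LEN + 1U, &out) != CHK_BAD_LEN) {
        ok = 0;                                /* oversize length refused */
    } else if (checksum_misra(NULL, 3U, &out) != CHK_NULL) {
        ok = 0;                                /* null input refused */
    } else {
        /* all checks passed */
    }
    return ok;
}

int main(void)
{
    uint8_t out = 0U;
    (void)checksum_misra(SAMPLE_MSG, 3U, &out);
    printf("loose=0x%02X misra=0x%02X agree=%d\n",
           checksum_loose(SAMPLE_MSG, 3), out, demo_misra_vs_loose());
    return 0;
}
```

Both functions produce the same byte for well-formed input (0x01 + 0x02 + 0xFF = 258, low byte 0x02), which is the point: the MISRA subset does not change what correct C computes, it removes the constructs through which incorrect C most often slips past review and compiler alike.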