Secure C++

C++, while full of safety features, still exposes a ton of insecure features inherited from C, and to be fair, isn’t designed to be as safe as it could be. There are still dozens and dozens of practices the C++ programmer needs to adopt to write secure code.

Prerequisites

These notes will assume you’re a fairly capable C++ programmer. In particular, you should already know:

How C++ extends C
The different data types of the language
How storage is segmented into three regions: Static, Stack, and Heap
What a pointer is, and the basics of pointer arithmetic
Smart pointers
The Standard Library
Constructing classes
Copy and Move semantics
How strings are stored and manipulated
The dangers of pointers to stack variables
The most basic information about memory leaks and dangling pointers

Early Standards

Back in the day, 1998 that is, there was MISRA C, coding standards for safety, security, and more, with a focus on embedded systems programmed in C.

Then C++ really started to take off.

JSF C++

In 2005, the JSF C++ Coding Standards, was released, using the MISRA-C:1998 as a starting point.

The idea was to prohibit programmers from doing certain things that were problematic. To follow the JSF guidelines, you must follow 200+ rules. Here are some of them:

AV Rule 1: No more than 200 logical source lines of code in a function or method
AV Rule 2: No self-modifying code.
AV Rule 13: No multi-byte characters and wide string literals.
AV Rules 17-25: Never use errno, offsetof, setlocale, setjmp, longjmp, <signal.h>, <stdio.h>, atof, atoi, atol, abort, exit, getenv, system, <time.h>
AV Rule 26: Don’t use any preprocessor directives except for a certain four, whose use is further restricted in other rules.
AV Rules 39: No definitions of variables or functions in header files.
AV Rule 41: Lines must be 120 character or less.
AV Rule 57: In a class the public section must come before the protected section which must come before the private section.
AV Rule 71.1: Do not invoke a virtual function from a constructor or destructor.
AV Rule 94: Never redefine an inherited nonvirtual function.
AV Rule 119: “Functions shall not call themselves, either directly or indirectly (i.e. recursion shall not be allowed). ”
AV Rule 135: No shadowing.
AV Rule 149: Never use octal constants (except 0).
AV Rule 153: Never use unions.
AV Rule 206: “Allocation/deallocation from/to the free store (heap) shall not occur after initialization. ”
AV Rule 208: “C++ exceptions shall not be used (i.e. throw, catch and try shall not be used.) ”

Many of the rules are stylistic only and don’t directly address security concerns. However, the more pristine the source code, the easier it is to spot potential security issues.

CLASSWORK

Let’s examine some of the rules and look in detail at the rationales provided for each one.
We may have some opportunities for a code along!

This video goes over how one can edit code to make it JSF compliant:

But please note: The JSF guidelines are quite old (from 2005) and some of the rules are no longer relevant to modern C++. The guidelines have largely been superseded by more recent and comprehensive standards like CERT C++ and the C++ Core Guidelines. But they are an important part of security history!

MISRA C++:2008

MISRA C++:2008 arrived in 2008.

Exercise: Browse the MISRA C++:2008 guidelines. How many rules are there? What are the essential differences between MISRA C++:2008 and the earlier JSF C++ guidelines?

CERT-C++

The The SEI CERT C++ Coding Standard is a work-in-progress document from the Software Engineering Institute at Carnegie Mellon. (Before diving into it, you might want to check out this short blog post about the SEI guidelines.)

The Standard is organized into a number of Guidelines, divided into Rules and Recommendations, grouped into sections numbered and titled as follows:

01 (DCL) Declarations and Initialization
02 (EXP) Expressions
03 (INT) Integers
04 (CTR) Containers
05 (STR) Characters and Strings
06 (MEM) Memory Management
07 (FIO) Input/Output
08 (ERR) Exceptions and Error Handling
09 (OOP) Object Oriented Programming
10 (CON) Concurrency
49 (MSC) Miscellaneous

Rules vs. Recommendations
Rules are basically requirements that if violated will almost surely result in an exploitable vulnerability. They are generally in principle checkable by static analysis tools (or by a competent human code reviewer). Recommendations basically improve software quality, but violations are not necessarily defects.

The online standard has a page listing all of the rules. As of early 2026, the standard does not have any published recommendations; they were removed in 2019 pending a review. Who knows when they will be back.

CLASSWORK

We’re going to browse a few of these guidelines!

ISO C++ Coding Standards

The Standard C++ Foundation maintains a wiki called the C++ Super-FAQ, and on this wiki there’s a very helpful page on coding standards.

Coding standards are helpful for security.

The foundation recommends:

C++ Core Guidelines by the C++ creator, Bjarne Stroustrup, and others. This is under active development and it’s really good.
The book C++ Coding Standards: 101 Rules, Guidelines, and Best Practices by Herb Sutter and Andrei Alexandrescu.

They also recommend avoiding old or ad-hoc coding standards. Many standards out there just pile some stuff on top of C, or are just so old they don't even understand Modern C++. Interestingly, the foundation did not call out CERT C++ as a recommended guide, nor did they recommend the Google C++ Style Guide.

The sections in the the C++ Core Guidelines cover the usual suspects:

In: Introduction
P: Philosophy
I: Interfaces
F: Functions
C: Classes and class hierarchies
Enum: Enumerations
R: Resource management
ES: Expressions and statements
Per: Performance
CP: Concurrency and parallelism
E: Error handling
Con: Constants and immutability
T: Templates and generic programming
CPL: C-style programming
SF: Source files
SL: The Standard Library

Each section has a number of different items, with rationales, examples, and non-examples. Here’s one of the items from the Philosophy section:

P.1: Express ideas directly in code

This item has examples and non-examples, including:

class Date {
public:
    Month month() const;      // good
    int month();              // bad
    // ...
};

void change_speed(double s)   // bad: what does s signify?

void change_speed(Speed s)    // better: the meaning of s is specified

change_speed(2.3);            // error: no unit
change_speed(23_m / 10s);     // meters per second

Wondering about that syntax in the last example?

Sounds familiar right? This is something we’ve been talking about since the beginning of this course. It’s really no surprise that this is the first item in the guide.

CLASSWORK

Let’s browse these guidelines, and for those that don’t specifically mention security implications, let’s think about how non-examples can lead to vulnerabilities.

Other Standards

In October 2023, MISRA released an updated version of their C++ guidelines, called MISRA C++:2023. It targets C++17, not C++23, since the C++23 was released in 2024, so we’ll have to wait and see what’s next for MISRA.

A couple of interesting frameworks AUTOSTAR (the “the global established standard for software and methodology enabling open E/E system architectures for future intelligent mobility supporting high levels of dependability, especially safety and security”) and JPL’s F Prime (“a component-driven framework that enables rapid development and deployment of spaceflight and other embedded software applications”) have their own coding standards that may be worth a look.

The aforementioned C++ Coding Guidelines, though, will continue to evolve with the language.

Recall Practice

Here are some questions useful for your spaced repetition learning. Many of the answers are not found on this page. Some will have popped up in lecture. Others will require you to do your own research.

What was the influential C++ Coding Standards document released in 2005?
The Joint Strike Fighter (JSF) C++ Coding Standards.
What did the JSF C++ standards say about recursion?
Recursion is not allowed. Not allowed at all.
What did the JSF C++ Standards say about dynamic memory allocation?
Dynamic memory allocation and deallocation from/to the heap is prohibited after initialization.
JSF C++ used MISRA-C:1998 as a starting point. How many years after JSF C++ was released was MISRA-C++ first released?
Three years later, in 2008.
What is interesting about CERT-C++, at least as of early 2026?
It currently has no recommendations, only rules. The recommendations were removed in 2019 pending a review.
What is the difference between rules and recommendations, in CERT-land?
Violations of rules are almost certainly exploitable vulnerabilities. Recommendations improve software quality but violations are not necessarily defects.
What organization has published the influential C++ Core Guidelines?
The Standard C++ Foundation.
What is MISRA (Motor Industry Software Reliability Association)?
An organization originally formed to develop coding standards for the automotive industry, but now involved in safety and security standards for a variety of industries.
What is AUTOSAR (AUTomotive Open System ARchitecture)?
A global partnership of leading companies in the automotive and software industry developing and establishing the standardized software framework and open E/E system architecture for intelligent mobility.
What is F Prime?
A framework for rapid development and deployment of spaceflight and other embedded software applications, developed by JPL.

Summary

We’ve covered:

Early Standards
CERT C++
ISO C++ Coding Standards
Other Standards