MISRA C 2012 vs MISRA C2 - How to make a switch
At Secure Code Warrior, we are always looking to expand our training coverage. To empower embedded developers and security managers to build secure embedded systems, we are tapping into the world of embedded systems security. In this post, we will talk about the MISRA C 2012 standard, and why its compliance is necessary to build secure embedded systems.
While writing code in C, it’s very easy to implement things that seemingly look right, but are inherently wrong. Your code may compile just fine, and even run well for a certain period of time. But the same code could crash, or exhibit undefined behavior, if your input size and/or memory grows. For example, a particular input number causing an integer to overflow, or a particular sequence of characters causing an array to go out-of-bounds.
This is where the MISRA C coding standard can help. The rules, guidelines, and best practices laid out by the standard, enable developers to write safe and reliable C code for embedded development.
MISRA C 2012, the latest version of the standard, adds new rules, enhances existing ones, and addresses some discrepancies. If you are still using an older version, now would be a great time to switch.
What is the MISRA C coding standard?
The MISRA C standard includes code safety, portability, and reliability guidelines for the C programming language. The first set of guidelines was released in 1998, which were specific to the C language.
However, since then, the MISRA Consortium also develops coding standards for C++. Every MISRA C document contains a set of rules, non-compliant examples, and detailed sections on the background information that contributed to the development of said rules.
C and C++ are the most widely used languages to develop embedded software. One of the main reasons is that they are fast, having only 1 or 2 levels of abstraction over machine language. But this also means that writing safe code, particularly in C, is difficult, and prone-to-error. For example, in most high-level languages like Java and C#, you don’t have to worry about trivial things like garbage collection or dynamic typing.
However, in C, there’s no predefined way to collect garbage, i.e. if you allocate a piece of memory for a data structure, you have to manually free it yourself, once you are done using it. If you don’t, C, unlike other languages, will not free the memory for you, which will lead to a memory leak.
MISRA C 2004 (C2) vs. MISRA C 2012 (C3) – What changed?
MISRA C: 2012, also known as C3, was first released in April 2013. Drawing knowledge from the works of thousands of people and organizations, C3 adds new rules, enhances the explanation and backgrounds of some existing rules, and closes some loopholes.
C3 supports the C99 version of the language, while also maintaining rules for the older ISO C90. The main focus area in C3 was to reduce the usual costs of rule enforcement, while also making the use of the C language safer in critical systems. All this makes it prudent to switch to the new standard, if you haven’t already.
Overall, here’s a list of the most significant changes:
- Correct issues that were found in the 2004 version.
- Significantly increase the number of decidable rules. A rule is decidable, if an analysis tool can help you determine conformity to it.
- Rules are categorized as “required”, “advisory”, or “mandatory”. Mandatory rules must never be broken, under any circumstances. Required and advisory rules can be violated in special scenarios, provided the violation is justified.
- Added guidance regarding how to apply rules to auto-generated code. This is very important because the same guidelines of human-written code, don’t always apply to that generated by a tool.
- Remove the overly generalized rules that forbade reasonable user behavior. E.g. previously it was recommended to not use macros at all, since they can lead to various difficulties and confusion (can’t debug macros, macros don’t have namespaces etc.). This prevented the use of macros, even in situations where they could provide an elegant, safe, and convenient solution. In MISRA C: 2012, new rules regarding macros were introduced, allowing people to use them carefully, whenever applicable. See the following excerpt, taken from a MISRA C document, that recommends using a macro over a function.
MISRA C rules in action
Enough talk, now it’s time to get hands-on with some MISRA C rules, with examples of how they apply.
Use compatible types as pointer arguments to memcpy, memmove, and memcmp
The standard library functions memcpy, memmove, and memcmp perform byte-by-byte move or comparison of the specified number of bytes. The Rule 21.15 of MISRA C 2012 standard dictates that the two function parameters should be pointers to the same type. A function call with incompatible pointer types could indicate a mistake.
Consider the following image, taken from the official MISRA compliance document. The rule is required, decidable, and applies to both C90 and C99.
An example follows the rule description.
As you can see, since the objects are of different types (uint8_t and uint16_t), this is a non-compliant solution.
String handling functions that don’t take length as input shall not result in out-of-bound access
String handling functions from <string.h> that don’t take the length as an input, shouldn’t result in out-of-bound access. The relevant functions are: strcat, strchr, strcmp, strcoll, strcpy, strcspn, strlen, strpbrk, strrchr, strspn, strrstr, and strtok. The rule is mandatory, meaning it can never be breached, under any circumstances. It applies to both C90 and C99, and is undecidable.
The corresponding example is:
As you can see, strcpy in function f1, will copy beyond the length of the string, which can only hold 5 characters. We also have a compliant and safe use of strcpy, where the string will only get copied, if the contents of “str” will fit.
Validate externally received data
Dir 4.14 recommends checking the validity of data received from “external” sources. External input can be:
- Read from a file.
- Read from an environment variable.
- Any user input.
- Anything received over a communication channel. E.g. over a TCP connection or HTTP API etc.
This directive falls in the required category, and is applicable to both C90 and C99. The rationale for this is that a program has no control over data received from external sources, which means that this data can be invalid or malicious. E.g. a program expects a user to input a number, but the user enters a string. Before processing the input, the program must verify that it’s indeed a number.
How to switch to MISRA C 2012
Switching to MISRA C 2012 will require an update in your coding guidelines document. If you don’t use one, and instead rely on a static analysis tool (which is the recommended choice), you may have to get a newer version of the tool. Here are three tools that check for MISRA C 2012 compliance:
- Cppcheck is an open-source tool that can check for MISRA rules, and also detect various kinds of bugs.
- PC-lint Plus is a paid tool that comes with a 30-day evaluation period. In addition to checking for MISRA C compliance, it can also help identify potential bugs and vulnerabilities.
- CodeSonar is another tool that checks for both MISRA C and C++ compliance.
There are also a few compilers that can test for MISRA compliance. In case a rule violation is detected, warnings or exceptions are raised accordingly. E.g. Green Hills Software provides compilers with support for all MISRA standards, for both 32-bit and 64-bit architectures.
Using Secure Code Warrior to upskill developers in MISRA C
Secure Code Warrior's flagship product - learning platform - has numerous interactive challenges, courses, and assessments that can help train developers to write secure C/C++ code. The content on the platform is framework-specific and highly engaging. Our C/C++:Embed coding challenges took inspirations from both MISRA C, AUTOSAR C++ (MISRA C++), and IEC.
Developers can embark on personalized learning journeys, where they identify C/C++-specific vulnerabilities and more importantly learn to fix those bugs. In this process, developers can keep track of their progress to identify their weaknesses, and even enjoy a friendly coding competitions with their peers. Find out more about how we help automotive and transportation industries with our solutions.
Want to find out how interactive and embed-focus our challenges are? Try some C/C++:Embed challenges on the learning platform today!
In this post, we will compare the MISRA C 2012 standard with C2, and guide you through the journey of switching to the new standard. We will explain why MISRA's compliance is necessary to build secure embedded systems.
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demo
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.
This article was written by Secure Code Warrior's team of industry experts, committed to empowering developers with the knowledge and skills to build secure software from the start. Drawing on deep expertise in secure coding practices, industry trends, and real-world insights.
At Secure Code Warrior, we are always looking to expand our training coverage. To empower embedded developers and security managers to build secure embedded systems, we are tapping into the world of embedded systems security. In this post, we will talk about the MISRA C 2012 standard, and why its compliance is necessary to build secure embedded systems.
While writing code in C, it’s very easy to implement things that seemingly look right, but are inherently wrong. Your code may compile just fine, and even run well for a certain period of time. But the same code could crash, or exhibit undefined behavior, if your input size and/or memory grows. For example, a particular input number causing an integer to overflow, or a particular sequence of characters causing an array to go out-of-bounds.
This is where the MISRA C coding standard can help. The rules, guidelines, and best practices laid out by the standard, enable developers to write safe and reliable C code for embedded development.
MISRA C 2012, the latest version of the standard, adds new rules, enhances existing ones, and addresses some discrepancies. If you are still using an older version, now would be a great time to switch.
What is the MISRA C coding standard?
The MISRA C standard includes code safety, portability, and reliability guidelines for the C programming language. The first set of guidelines was released in 1998, which were specific to the C language.
However, since then, the MISRA Consortium also develops coding standards for C++. Every MISRA C document contains a set of rules, non-compliant examples, and detailed sections on the background information that contributed to the development of said rules.
C and C++ are the most widely used languages to develop embedded software. One of the main reasons is that they are fast, having only 1 or 2 levels of abstraction over machine language. But this also means that writing safe code, particularly in C, is difficult, and prone-to-error. For example, in most high-level languages like Java and C#, you don’t have to worry about trivial things like garbage collection or dynamic typing.
However, in C, there’s no predefined way to collect garbage, i.e. if you allocate a piece of memory for a data structure, you have to manually free it yourself, once you are done using it. If you don’t, C, unlike other languages, will not free the memory for you, which will lead to a memory leak.
MISRA C 2004 (C2) vs. MISRA C 2012 (C3) – What changed?
MISRA C: 2012, also known as C3, was first released in April 2013. Drawing knowledge from the works of thousands of people and organizations, C3 adds new rules, enhances the explanation and backgrounds of some existing rules, and closes some loopholes.
C3 supports the C99 version of the language, while also maintaining rules for the older ISO C90. The main focus area in C3 was to reduce the usual costs of rule enforcement, while also making the use of the C language safer in critical systems. All this makes it prudent to switch to the new standard, if you haven’t already.
Overall, here’s a list of the most significant changes:
- Correct issues that were found in the 2004 version.
- Significantly increase the number of decidable rules. A rule is decidable, if an analysis tool can help you determine conformity to it.
- Rules are categorized as “required”, “advisory”, or “mandatory”. Mandatory rules must never be broken, under any circumstances. Required and advisory rules can be violated in special scenarios, provided the violation is justified.
- Added guidance regarding how to apply rules to auto-generated code. This is very important because the same guidelines of human-written code, don’t always apply to that generated by a tool.
- Remove the overly generalized rules that forbade reasonable user behavior. E.g. previously it was recommended to not use macros at all, since they can lead to various difficulties and confusion (can’t debug macros, macros don’t have namespaces etc.). This prevented the use of macros, even in situations where they could provide an elegant, safe, and convenient solution. In MISRA C: 2012, new rules regarding macros were introduced, allowing people to use them carefully, whenever applicable. See the following excerpt, taken from a MISRA C document, that recommends using a macro over a function.
MISRA C rules in action
Enough talk, now it’s time to get hands-on with some MISRA C rules, with examples of how they apply.
Use compatible types as pointer arguments to memcpy, memmove, and memcmp
The standard library functions memcpy, memmove, and memcmp perform byte-by-byte move or comparison of the specified number of bytes. The Rule 21.15 of MISRA C 2012 standard dictates that the two function parameters should be pointers to the same type. A function call with incompatible pointer types could indicate a mistake.
Consider the following image, taken from the official MISRA compliance document. The rule is required, decidable, and applies to both C90 and C99.
An example follows the rule description.
As you can see, since the objects are of different types (uint8_t and uint16_t), this is a non-compliant solution.
String handling functions that don’t take length as input shall not result in out-of-bound access
String handling functions from <string.h> that don’t take the length as an input, shouldn’t result in out-of-bound access. The relevant functions are: strcat, strchr, strcmp, strcoll, strcpy, strcspn, strlen, strpbrk, strrchr, strspn, strrstr, and strtok. The rule is mandatory, meaning it can never be breached, under any circumstances. It applies to both C90 and C99, and is undecidable.
The corresponding example is:
As you can see, strcpy in function f1, will copy beyond the length of the string, which can only hold 5 characters. We also have a compliant and safe use of strcpy, where the string will only get copied, if the contents of “str” will fit.
Validate externally received data
Dir 4.14 recommends checking the validity of data received from “external” sources. External input can be:
- Read from a file.
- Read from an environment variable.
- Any user input.
- Anything received over a communication channel. E.g. over a TCP connection or HTTP API etc.
This directive falls in the required category, and is applicable to both C90 and C99. The rationale for this is that a program has no control over data received from external sources, which means that this data can be invalid or malicious. E.g. a program expects a user to input a number, but the user enters a string. Before processing the input, the program must verify that it’s indeed a number.
How to switch to MISRA C 2012
Switching to MISRA C 2012 will require an update in your coding guidelines document. If you don’t use one, and instead rely on a static analysis tool (which is the recommended choice), you may have to get a newer version of the tool. Here are three tools that check for MISRA C 2012 compliance:
- Cppcheck is an open-source tool that can check for MISRA rules, and also detect various kinds of bugs.
- PC-lint Plus is a paid tool that comes with a 30-day evaluation period. In addition to checking for MISRA C compliance, it can also help identify potential bugs and vulnerabilities.
- CodeSonar is another tool that checks for both MISRA C and C++ compliance.
There are also a few compilers that can test for MISRA compliance. In case a rule violation is detected, warnings or exceptions are raised accordingly. E.g. Green Hills Software provides compilers with support for all MISRA standards, for both 32-bit and 64-bit architectures.
Using Secure Code Warrior to upskill developers in MISRA C
Secure Code Warrior's flagship product - learning platform - has numerous interactive challenges, courses, and assessments that can help train developers to write secure C/C++ code. The content on the platform is framework-specific and highly engaging. Our C/C++:Embed coding challenges took inspirations from both MISRA C, AUTOSAR C++ (MISRA C++), and IEC.
Developers can embark on personalized learning journeys, where they identify C/C++-specific vulnerabilities and more importantly learn to fix those bugs. In this process, developers can keep track of their progress to identify their weaknesses, and even enjoy a friendly coding competitions with their peers. Find out more about how we help automotive and transportation industries with our solutions.
Want to find out how interactive and embed-focus our challenges are? Try some C/C++:Embed challenges on the learning platform today!
At Secure Code Warrior, we are always looking to expand our training coverage. To empower embedded developers and security managers to build secure embedded systems, we are tapping into the world of embedded systems security. In this post, we will talk about the MISRA C 2012 standard, and why its compliance is necessary to build secure embedded systems.
While writing code in C, it’s very easy to implement things that seemingly look right, but are inherently wrong. Your code may compile just fine, and even run well for a certain period of time. But the same code could crash, or exhibit undefined behavior, if your input size and/or memory grows. For example, a particular input number causing an integer to overflow, or a particular sequence of characters causing an array to go out-of-bounds.
This is where the MISRA C coding standard can help. The rules, guidelines, and best practices laid out by the standard, enable developers to write safe and reliable C code for embedded development.
MISRA C 2012, the latest version of the standard, adds new rules, enhances existing ones, and addresses some discrepancies. If you are still using an older version, now would be a great time to switch.
What is the MISRA C coding standard?
The MISRA C standard includes code safety, portability, and reliability guidelines for the C programming language. The first set of guidelines was released in 1998, which were specific to the C language.
However, since then, the MISRA Consortium also develops coding standards for C++. Every MISRA C document contains a set of rules, non-compliant examples, and detailed sections on the background information that contributed to the development of said rules.
C and C++ are the most widely used languages to develop embedded software. One of the main reasons is that they are fast, having only 1 or 2 levels of abstraction over machine language. But this also means that writing safe code, particularly in C, is difficult, and prone-to-error. For example, in most high-level languages like Java and C#, you don’t have to worry about trivial things like garbage collection or dynamic typing.
However, in C, there’s no predefined way to collect garbage, i.e. if you allocate a piece of memory for a data structure, you have to manually free it yourself, once you are done using it. If you don’t, C, unlike other languages, will not free the memory for you, which will lead to a memory leak.
MISRA C 2004 (C2) vs. MISRA C 2012 (C3) – What changed?
MISRA C: 2012, also known as C3, was first released in April 2013. Drawing knowledge from the works of thousands of people and organizations, C3 adds new rules, enhances the explanation and backgrounds of some existing rules, and closes some loopholes.
C3 supports the C99 version of the language, while also maintaining rules for the older ISO C90. The main focus area in C3 was to reduce the usual costs of rule enforcement, while also making the use of the C language safer in critical systems. All this makes it prudent to switch to the new standard, if you haven’t already.
Overall, here’s a list of the most significant changes:
- Correct issues that were found in the 2004 version.
- Significantly increase the number of decidable rules. A rule is decidable, if an analysis tool can help you determine conformity to it.
- Rules are categorized as “required”, “advisory”, or “mandatory”. Mandatory rules must never be broken, under any circumstances. Required and advisory rules can be violated in special scenarios, provided the violation is justified.
- Added guidance regarding how to apply rules to auto-generated code. This is very important because the same guidelines of human-written code, don’t always apply to that generated by a tool.
- Remove the overly generalized rules that forbade reasonable user behavior. E.g. previously it was recommended to not use macros at all, since they can lead to various difficulties and confusion (can’t debug macros, macros don’t have namespaces etc.). This prevented the use of macros, even in situations where they could provide an elegant, safe, and convenient solution. In MISRA C: 2012, new rules regarding macros were introduced, allowing people to use them carefully, whenever applicable. See the following excerpt, taken from a MISRA C document, that recommends using a macro over a function.
MISRA C rules in action
Enough talk, now it’s time to get hands-on with some MISRA C rules, with examples of how they apply.
Use compatible types as pointer arguments to memcpy, memmove, and memcmp
The standard library functions memcpy, memmove, and memcmp perform byte-by-byte move or comparison of the specified number of bytes. The Rule 21.15 of MISRA C 2012 standard dictates that the two function parameters should be pointers to the same type. A function call with incompatible pointer types could indicate a mistake.
Consider the following image, taken from the official MISRA compliance document. The rule is required, decidable, and applies to both C90 and C99.
An example follows the rule description.
As you can see, since the objects are of different types (uint8_t and uint16_t), this is a non-compliant solution.
String handling functions that don’t take length as input shall not result in out-of-bound access
String handling functions from <string.h> that don’t take the length as an input, shouldn’t result in out-of-bound access. The relevant functions are: strcat, strchr, strcmp, strcoll, strcpy, strcspn, strlen, strpbrk, strrchr, strspn, strrstr, and strtok. The rule is mandatory, meaning it can never be breached, under any circumstances. It applies to both C90 and C99, and is undecidable.
The corresponding example is:
As you can see, strcpy in function f1, will copy beyond the length of the string, which can only hold 5 characters. We also have a compliant and safe use of strcpy, where the string will only get copied, if the contents of “str” will fit.
Validate externally received data
Dir 4.14 recommends checking the validity of data received from “external” sources. External input can be:
- Read from a file.
- Read from an environment variable.
- Any user input.
- Anything received over a communication channel. E.g. over a TCP connection or HTTP API etc.
This directive falls in the required category, and is applicable to both C90 and C99. The rationale for this is that a program has no control over data received from external sources, which means that this data can be invalid or malicious. E.g. a program expects a user to input a number, but the user enters a string. Before processing the input, the program must verify that it’s indeed a number.
How to switch to MISRA C 2012
Switching to MISRA C 2012 will require an update in your coding guidelines document. If you don’t use one, and instead rely on a static analysis tool (which is the recommended choice), you may have to get a newer version of the tool. Here are three tools that check for MISRA C 2012 compliance:
- Cppcheck is an open-source tool that can check for MISRA rules, and also detect various kinds of bugs.
- PC-lint Plus is a paid tool that comes with a 30-day evaluation period. In addition to checking for MISRA C compliance, it can also help identify potential bugs and vulnerabilities.
- CodeSonar is another tool that checks for both MISRA C and C++ compliance.
There are also a few compilers that can test for MISRA compliance. In case a rule violation is detected, warnings or exceptions are raised accordingly. E.g. Green Hills Software provides compilers with support for all MISRA standards, for both 32-bit and 64-bit architectures.
Using Secure Code Warrior to upskill developers in MISRA C
Secure Code Warrior's flagship product - learning platform - has numerous interactive challenges, courses, and assessments that can help train developers to write secure C/C++ code. The content on the platform is framework-specific and highly engaging. Our C/C++:Embed coding challenges took inspirations from both MISRA C, AUTOSAR C++ (MISRA C++), and IEC.
Developers can embark on personalized learning journeys, where they identify C/C++-specific vulnerabilities and more importantly learn to fix those bugs. In this process, developers can keep track of their progress to identify their weaknesses, and even enjoy a friendly coding competitions with their peers. Find out more about how we help automotive and transportation industries with our solutions.
Want to find out how interactive and embed-focus our challenges are? Try some C/C++:Embed challenges on the learning platform today!
Click on the link below and download the PDF of this resource.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
View reportBook a demo
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.
This article was written by Secure Code Warrior's team of industry experts, committed to empowering developers with the knowledge and skills to build secure software from the start. Drawing on deep expertise in secure coding practices, industry trends, and real-world insights.
At Secure Code Warrior, we are always looking to expand our training coverage. To empower embedded developers and security managers to build secure embedded systems, we are tapping into the world of embedded systems security. In this post, we will talk about the MISRA C 2012 standard, and why its compliance is necessary to build secure embedded systems.
While writing code in C, it’s very easy to implement things that seemingly look right, but are inherently wrong. Your code may compile just fine, and even run well for a certain period of time. But the same code could crash, or exhibit undefined behavior, if your input size and/or memory grows. For example, a particular input number causing an integer to overflow, or a particular sequence of characters causing an array to go out-of-bounds.
This is where the MISRA C coding standard can help. The rules, guidelines, and best practices laid out by the standard, enable developers to write safe and reliable C code for embedded development.
MISRA C 2012, the latest version of the standard, adds new rules, enhances existing ones, and addresses some discrepancies. If you are still using an older version, now would be a great time to switch.
What is the MISRA C coding standard?
The MISRA C standard includes code safety, portability, and reliability guidelines for the C programming language. The first set of guidelines was released in 1998, which were specific to the C language.
However, since then, the MISRA Consortium also develops coding standards for C++. Every MISRA C document contains a set of rules, non-compliant examples, and detailed sections on the background information that contributed to the development of said rules.
C and C++ are the most widely used languages to develop embedded software. One of the main reasons is that they are fast, having only 1 or 2 levels of abstraction over machine language. But this also means that writing safe code, particularly in C, is difficult, and prone-to-error. For example, in most high-level languages like Java and C#, you don’t have to worry about trivial things like garbage collection or dynamic typing.
However, in C, there’s no predefined way to collect garbage, i.e. if you allocate a piece of memory for a data structure, you have to manually free it yourself, once you are done using it. If you don’t, C, unlike other languages, will not free the memory for you, which will lead to a memory leak.
MISRA C 2004 (C2) vs. MISRA C 2012 (C3) – What changed?
MISRA C: 2012, also known as C3, was first released in April 2013. Drawing knowledge from the works of thousands of people and organizations, C3 adds new rules, enhances the explanation and backgrounds of some existing rules, and closes some loopholes.
C3 supports the C99 version of the language, while also maintaining rules for the older ISO C90. The main focus area in C3 was to reduce the usual costs of rule enforcement, while also making the use of the C language safer in critical systems. All this makes it prudent to switch to the new standard, if you haven’t already.
Overall, here’s a list of the most significant changes:
- Correct issues that were found in the 2004 version.
- Significantly increase the number of decidable rules. A rule is decidable, if an analysis tool can help you determine conformity to it.
- Rules are categorized as “required”, “advisory”, or “mandatory”. Mandatory rules must never be broken, under any circumstances. Required and advisory rules can be violated in special scenarios, provided the violation is justified.
- Added guidance regarding how to apply rules to auto-generated code. This is very important because the same guidelines of human-written code, don’t always apply to that generated by a tool.
- Remove the overly generalized rules that forbade reasonable user behavior. E.g. previously it was recommended to not use macros at all, since they can lead to various difficulties and confusion (can’t debug macros, macros don’t have namespaces etc.). This prevented the use of macros, even in situations where they could provide an elegant, safe, and convenient solution. In MISRA C: 2012, new rules regarding macros were introduced, allowing people to use them carefully, whenever applicable. See the following excerpt, taken from a MISRA C document, that recommends using a macro over a function.
MISRA C rules in action
Enough talk, now it’s time to get hands-on with some MISRA C rules, with examples of how they apply.
Use compatible types as pointer arguments to memcpy, memmove, and memcmp
The standard library functions memcpy, memmove, and memcmp perform byte-by-byte move or comparison of the specified number of bytes. The Rule 21.15 of MISRA C 2012 standard dictates that the two function parameters should be pointers to the same type. A function call with incompatible pointer types could indicate a mistake.
Consider the following image, taken from the official MISRA compliance document. The rule is required, decidable, and applies to both C90 and C99.
An example follows the rule description.
As you can see, since the objects are of different types (uint8_t and uint16_t), this is a non-compliant solution.
String handling functions that don’t take length as input shall not result in out-of-bound access
String handling functions from <string.h> that don’t take the length as an input, shouldn’t result in out-of-bound access. The relevant functions are: strcat, strchr, strcmp, strcoll, strcpy, strcspn, strlen, strpbrk, strrchr, strspn, strrstr, and strtok. The rule is mandatory, meaning it can never be breached, under any circumstances. It applies to both C90 and C99, and is undecidable.
The corresponding example is:
As you can see, strcpy in function f1, will copy beyond the length of the string, which can only hold 5 characters. We also have a compliant and safe use of strcpy, where the string will only get copied, if the contents of “str” will fit.
Validate externally received data
Dir 4.14 recommends checking the validity of data received from “external” sources. External input can be:
- Read from a file.
- Read from an environment variable.
- Any user input.
- Anything received over a communication channel. E.g. over a TCP connection or HTTP API etc.
This directive falls in the required category, and is applicable to both C90 and C99. The rationale for this is that a program has no control over data received from external sources, which means that this data can be invalid or malicious. E.g. a program expects a user to input a number, but the user enters a string. Before processing the input, the program must verify that it’s indeed a number.
How to switch to MISRA C 2012
Switching to MISRA C 2012 will require an update in your coding guidelines document. If you don’t use one, and instead rely on a static analysis tool (which is the recommended choice), you may have to get a newer version of the tool. Here are three tools that check for MISRA C 2012 compliance:
- Cppcheck is an open-source tool that can check for MISRA rules, and also detect various kinds of bugs.
- PC-lint Plus is a paid tool that comes with a 30-day evaluation period. In addition to checking for MISRA C compliance, it can also help identify potential bugs and vulnerabilities.
- CodeSonar is another tool that checks for both MISRA C and C++ compliance.
There are also a few compilers that can test for MISRA compliance. In case a rule violation is detected, warnings or exceptions are raised accordingly. E.g. Green Hills Software provides compilers with support for all MISRA standards, for both 32-bit and 64-bit architectures.
Using Secure Code Warrior to upskill developers in MISRA C
Secure Code Warrior's flagship product - learning platform - has numerous interactive challenges, courses, and assessments that can help train developers to write secure C/C++ code. The content on the platform is framework-specific and highly engaging. Our C/C++:Embed coding challenges took inspirations from both MISRA C, AUTOSAR C++ (MISRA C++), and IEC.
Developers can embark on personalized learning journeys, where they identify C/C++-specific vulnerabilities and more importantly learn to fix those bugs. In this process, developers can keep track of their progress to identify their weaknesses, and even enjoy a friendly coding competitions with their peers. Find out more about how we help automotive and transportation industries with our solutions.
Want to find out how interactive and embed-focus our challenges are? Try some C/C++:Embed challenges on the learning platform today!
Table of contents
Secure Code Warrior makes secure coding a positive and engaging experience for developers as they increase their skills. We guide each coder along their own preferred learning pathway, so that security-skilled developers become the everyday superheroes of our connected world.
Secure Code Warrior is here for your organization to help you secure code across the entire software development lifecycle and create a culture in which cybersecurity is top of mind. Whether you’re an AppSec Manager, Developer, CISO, or anyone involved in security, we can help your organization reduce risks associated with insecure code.
Book a demoDownloadResources to get you started
Secure by Design: Defining Best Practices, Enabling Developers and Benchmarking Preventative Security Outcomes
In this research paper, Secure Code Warrior co-founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., along with expert contributors, Chris Inglis, Former US National Cyber Director (now Strategic Advisor to Paladin Capital Group), and Devin Lynch, Senior Director, Paladin Global Institute, will reveal key findings from over twenty in-depth interviews with enterprise security leaders including CISOs, a VP of Application Security, and software security professionals.
Benchmarking Security Skills: Streamlining Secure-by-Design in the Enterprise
Finding meaningful data on the success of Secure-by-Design initiatives is notoriously difficult. CISOs are often challenged when attempting to prove the return on investment (ROI) and business value of security program activities at both the people and company levels. Not to mention, it’s particularly difficult for enterprises to gain insights into how their organizations are benchmarked against current industry standards. The President’s National Cybersecurity Strategy challenged stakeholders to “embrace security and resilience by design.” The key to making Secure-by-Design initiatives work is not only giving developers the skills to ensure secure code, but also assuring the regulators that those skills are in place. In this presentation, we share a myriad of qualitative and quantitative data, derived from multiple primary sources, including internal data points collected from over 250,000 developers, data-driven customer insights, and public studies. Leveraging this aggregation of data points, we aim to communicate a vision of the current state of Secure-by-Design initiatives across multiple verticals. The report details why this space is currently underutilized, the significant impact a successful upskilling program can have on cybersecurity risk mitigation, and the potential to eliminate categories of vulnerabilities from a codebase.
Resources to get you started
Setting the Standard: SCW Releases Free AI Coding Security Rules on GitHub
AI-assisted development is no longer on the horizon — it’s here, and it’s rapidly reshaping how software is written. Tools like GitHub Copilot, Cline, Roo, Cursor, Aider, and Windsurf are transforming developers into co-pilots of their own, enabling faster iteration and accelerating everything from prototyping to major refactoring projects.
Close the Loop on Vulnerabilities with Secure Code Warrior + HackerOne
Secure Code Warrior is excited to announce our new integration with HackerOne, a leader in offensive security solutions. Together, we're building a powerful, integrated ecosystem. HackerOne pinpoints where vulnerabilities are actually happening in real-world environments, exposing the "what" and "where" of security issues.
Revealed: How the Cyber Industry Defines Secure by Design
In our latest white paper, our Co-Founders, Pieter Danhieux and Dr. Matias Madou, Ph.D., sat down with over twenty enterprise security leaders, including CISOs, AppSec leaders and security professionals, to figure out the key pieces of this puzzle and uncover the reality behind the Secure by Design movement. It’s a shared ambition across the security teams, but no shared playbook.
Is Vibe Coding Going to Turn Your Codebase Into a Frat Party?
Vibe coding is like a college frat party, and AI is the centerpiece of all the festivities, the keg. It’s a lot of fun to let loose, get creative, and see where your imagination can take you, but after a few keg stands, drinking (or, using AI) in moderation is undoubtedly the safer long-term solution.
Developer-driven coding.
Securely.
Contact us today and make software security an intrinsic part of your development process.
