Finding and fixing these defects can consume up to 80% of development time, depending on the maturity of the development team. This leads to an obvious conclusion: code quality is a major issue. So why not try to avoid defects in the first place to reduce the time required for debugging?
Incidentally, we still use the concepts of "error" and "debugging" in software today, but the origins of these terms can be traced back to the mechanical computers at Harvard University. At that time, an event where a moth got stuck in a relay was recorded as the first "error" or defect in computer history.
Repeating the same mistake again and again
It is well known that in web, application, desktop, and even embedded development, developers often unintentionally introduce the same types of errors repeatedly into their source code. This conclusion comes from several important organizations, such as NASA, Bell Labs, and MITRE, which have conducted numerous investigations and studies. Examples of common flaws include the lack of freeing after allocation in C++ code (and even C code), and the use of functions without prototypes, thus preventing strict type checking at compile time. The results of this research list best or recommended programming practices that identify risky and bad coding behaviors.
Numerous guidelines and coding practices exist on how to improve code quality, based on common errors and outlining how to avoid them in the future. Some of these techniques and practices have become widely accepted standards (such as MISRA-C and CERT-C), particularly in critical industries like automotive, medical, and rail, to ensure application code safety and code security. Functional safety standards such as IEC 61508, EN 50128, and ISO 26262 recommend [or strongly recommend, depending on the Safety Integrity Level (SIL) or Automotive Safety Integrity Level (ASIL)] the use of static and runtime analysis tools to meet these standards. This is because deficiencies in safety-critical systems can lead to serious consequences, such as personal injury or environmental damage.
Focus on reliability
Secure coding techniques must comprehensively consider code quality, code security, and code protection capabilities. Code security focuses on software reliability, while code protection aims to prevent unwanted activities and ensure system security in the event of an attack. Both are highly dependent on code quality, as code quality is the foundation of every reliable application.
The goal of secure coding techniques and standards is to advance software security to ensure the required reliability. However, equally important is improving the readability and maintainability of source code. More efficient, more readable code means more robust source code with fewer defects and future usability, contributing to improved code reusability.
MISRA C is one of the most mature software development standards, avoiding common defects and vulnerabilities. Of course, there are other guidelines, such as the CWE and CERT-C coding standards, which are highly recommended for any embedded application. Let's delve deeper into these coding standards below.
MISRA C Standard
MISRA C was developed by the Motor Industry Software Reliability Association (MISRA) with the goal of improving the security, portability, and reliability of code in embedded systems, especially those systems programmed using ISO C.
The first version of the MISRA C standard, titled "Guide to C Language Development for Automotive Software," was released in 1998 and officially named MISRA-C:1998. It was subsequently updated in 2004 and 2012, adding more rules. Additionally, there is the MISRA C++ 2008 standard, based on C++ 2003. Later, Amendment 1 to MISRA C:2012 added 14 additional rules, focusing on security concerns highlighted in the ISO C Secure Guidelines. Some of these rules address one of the security vulnerabilities known in many embedded applications: specific issues related to the use of untrusted data.
MISRA rules help you discover issues before committing code for a formal build, so defects discovered this way are treated as if they never existed. MISRA rules are designed with security and reliability in mind, while also making code easier to port to other tools and architectures.
CWE and CERT C/C++
CWE, or Common Weakness Enumeration, is a community-developed dictionary of software defects. CWE provides a unified, measurable set of software defects to better understand and manage them, and supports efficient software security tools and services capable of discovering them.
The CERT C/C++ Secure Coding Standards are standards published by the Computer Emergency Response Team (CERT) that provide rules and recommendations regarding secure coding in the C/C++ programming language.
Implement secure coding technology
As a general recommendation, every embedded application should at least comply with the MISRA (which is mandatory for safety-critical systems), CWE, and CERT C/C++ standards.
Even after following these coding standards, your application may still be affected by issues such as arithmetic problems, buffer overflows, boundary issues, heap integrity problems, and memory leaks at runtime. To detect these errors, specific detection code or assertions can be inserted at all potential points where errors might occur. However, manually adding instructions to check for and report problems at runtime is a very time-consuming task.
To comply with all these guidelines and standards, you need to follow nearly 700 rules and requirements, and also add detection code to your source code. So, how do you implement secure coding techniques and follow all these rules?
Use automation tools
The best way to improve software quality, security, and reliability is to use automation tools. This can be achieved by using high-quality compilers and linkers (preferably those certified for functional safety), as well as automated static and runtime analysis tools.
As a leading global provider of embedded systems development software solutions, IAR offers the IAR Embedded Workbench integrated development environment, which includes a compiler, assembler, linker, and debugger. It also seamlessly integrates the static analysis tool C-STAT and the runtime analysis tool C-RUN, forming a complete toolchain. With these powerful features, IAR Embedded Workbench ensures code robustness, security, and high quality.
Let's first look at the compiler and linker. They should support modern programming languages, such as the latest C (ISO/IEC 9899:2018) and C++ (ISO/IEC 14882:2020, also known as the C++20 revision), so that they can generate warnings when suspicious cases or syntax problems occur, such as volatile memory accesses whose evaluation order may affect the logic of the application.
Compiler and linker warnings are your first step in static analysis and should never be ignored, especially in functional safety environments. The best practice is to change the compiler settings to treat all warnings as errors, thus converting them into bugs. This will allow developers to fix any ambiguities in the code, as all issues will be treated as real problems.
Static analysis tools can help you discover the most common defects in your code, and also help you identify problems that developers typically don't consider or worry about when trying to write code, especially when they're just writing scaffolded code to make certain functions work. This type of tool can indeed help you develop higher-quality code because it helps you implement coding standards. IAR's C-STAT static analysis tool requires no installation or static code analysis project creation; it only requires simple rule settings to perform static code analysis after a successful build, making it ideal for developers to use in their daily development process.
In addition, there are dynamic or runtime analysis tools that can capture code defects that only appear at runtime. Dynamic or runtime analysis tools can discover actual and potential errors in the code when the program is executed in a software debugger. IAR's C-RUN dynamic analysis tool performs arithmetic checks, boundary checks, and heap checks through simple configuration, recompiling, and running. Using C-RUN requires no modification to existing processes and can be integrated into daily development workflows, greatly lowering the barrier to entry for dynamic analysis tools.
When examining all possible defects in a system, static analysis tools excel at finding certain types of defects, while runtime analysis tools are better at finding others. Sometimes they may overlap, but sometimes only one tool can detect a particular defect. For the most comprehensive code analysis, it's best to combine both tools and integrate them with top-tier build tools. The matrix below nicely illustrates the complete defect coverage when combining different tools for detection.
Summarize
As embedded systems become increasingly complex, the requirements for embedded software are also rising. The most crucial and fundamental aspect is code quality, and adhering to coding standards in secure coding techniques is the best practice for improving code quality. The most effective way to implement secure coding techniques is to apply automated tools, including compilers, linkers, static analysis tools, and runtime analysis tools. This can efficiently improve code quality, security, and reliability during the development process, reducing project development time and costs while enhancing product quality and competitiveness.
