
AD2043: DoNotUseBannedApisPE

Summary

| Property | Value |
|---|---|
| ID | AD2043 |
| Name | DoNotUseBannedApisPE |
| Category | Security |
| Severity | Warning (Error for critical functions) |
| Applies to | PE (Windows) |

Description

PE binaries should not import deprecated or banned APIs that are known to be unsafe. This rule walks the import table of the binary and flags functions identified as dangerous by the C standard's bounds-checking interfaces (Annex K, added in C11 and still optional in C17/C23) and by Microsoft's SDL banned function list.

Two caveats follow from checking imports rather than source. A banned function only shows up in the import table when it is resolved from a DLL (for example the CRT in ucrtbase.dll or msvcrt.dll): a statically linked CRT, or a call the compiler turned into an intrinsic or inline expansion (memcpy, strcpy, strcat and strlen under /Oi), leaves no import behind and is not detected. Conversely, the Windows names in the tables below are macros; the imports to look for are the suffixed forms such as lstrcpyA/lstrcpyW (kernel32.dll) and wsprintfA/wsprintfW (user32.dll).
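The following is an added example of the kind of import-table check the rule performs; it is illustrative code written for this page, not the analyzer's own implementation. It parses the PE headers directly (no windows.h, so it compiles anywhere), handles PE32 and PE32+, matches imported names against a subset of the banned list spelled the way they appear in import tables, and runs against a constructed minimal PE32 image that imports strcpy and strcpy_s from ucrtbase.dll. The BANNED subset, the function names and the sample image are all assumptions made for the example.

```c
/* Added example, not the analyzer's own code: walk a PE image's import table and
 * count imported names on the banned list. Handles PE32 and PE32+; assumes the
 * whole little-endian file is already in memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Subset of the banned list spelled as it appears in import tables (lstrcpy and
 * wsprintf are macros; the real imports carry an A or W suffix). */
static const char *const BANNED[] = {
    "gets", "strcpy", "wcscpy", "lstrcpyA", "lstrcpyW", "strcat", "wcscat", "lstrcatA", "lstrcatW",
    "sprintf", "vsprintf", "wsprintfA", "wsprintfW", "strncpy", "strncat", "scanf", "sscanf",
    "strtok", "getenv", "tmpnam", "_makepath", "_splitpath", NULL };

int is_banned(const char *name) {
    for (size_t i = 0; BANNED[i]; i++)
        if (strcmp(name, BANNED[i]) == 0) return 1;
    return 0;
}

typedef struct { const uint8_t *b; size_t len; size_t sec; unsigned nsec; } Pe;
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static int ok(const Pe *pe, size_t off, size_t n) { return off < pe->len && n <= pe->len - off; }
/* NUL-terminated string at a file offset, or NULL if it would run off the end. */
static const char *cstr(const Pe *pe, size_t off) {
    if (!ok(pe, off, 1) || !memchr(pe->b + off, 0, pe->len - off)) return NULL;
    return (const char *)pe->b + off;
}

/* Map an RVA to a file offset through the section table (40-byte entries). */
static size_t rva_to_off(const Pe *pe, uint32_t rva) {
    for (unsigned i = 0; i < pe->nsec; i++) {
        size_t s = pe->sec + (size_t)i * 40;
        if (!ok(pe, s, 40)) break;
        uint32_t vsz = rd32(pe->b + s + 8), va = rd32(pe->b + s + 12);
        uint32_t rawsz = rd32(pe->b + s + 16), raw = rd32(pe->b + s + 20);
        if (rva >= va && rva - va < (vsz > rawsz ? vsz : rawsz)) return (size_t)raw + (rva - va);
    }
    return rva;                                        /* not in a section: headers map 1:1 */
}

/* Returns the number of banned imports, or -1 if buf is not a usable PE image. */
int scan_pe_imports(const uint8_t *buf, size_t len, void (*report)(const char *, const char *)) {
    Pe pe = { buf, len, 0, 0 };
    if (!ok(&pe, 0, 0x40) || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t nt = rd32(buf + 0x3C);                    /* e_lfanew */
    if (!ok(&pe, nt, 24) || memcmp(buf + nt, "PE\0\0", 4) != 0) return -1;
    pe.nsec = rd16(buf + nt + 6);
    size_t opt = nt + 24, optsz = rd16(buf + nt + 20);
    if (optsz < 2 || !ok(&pe, opt, optsz)) return -1;
    uint16_t magic = rd16(buf + opt);                  /* 0x10b = PE32, 0x20b = PE32+ */
    if (magic != 0x10b && magic != 0x20b) return -1;
    int plus = magic == 0x20b;
    size_t ndirs = opt + (plus ? 108 : 92), dd = opt + (plus ? 112 : 96);
    pe.sec = opt + optsz;
    if (ndirs + 4 > pe.sec || rd32(buf + ndirs) < 2) return 0;   /* no import directory */
    if (dd + 16 > pe.sec) return -1;
    uint32_t imp_rva = rd32(buf + dd + 8);             /* DataDirectory[1].VirtualAddress */
    if (imp_rva == 0) return 0;
    int found = 0;
    size_t step = plus ? 8 : 4;                        /* thunk width */
    for (size_t d = rva_to_off(&pe, imp_rva); ok(&pe, d, 20); d += 20) {
        uint32_t oft = rd32(buf + d), name = rd32(buf + d + 12), ft = rd32(buf + d + 16);
        if (oft == 0 && name == 0 && ft == 0) break;   /* all-zero terminator */
        const char *dll = cstr(&pe, rva_to_off(&pe, name));
        for (size_t t = rva_to_off(&pe, oft ? oft : ft); ok(&pe, t, step); t += step) {
            uint64_t thunk = plus ? rd32(buf + t) | (uint64_t)rd32(buf + t + 4) << 32 : rd32(buf + t);
            if (thunk == 0) break;
            if (thunk >> (plus ? 63 : 31)) continue;   /* import by ordinal: no name to match */
            const char *func = cstr(&pe, rva_to_off(&pe, (uint32_t)thunk) + 2);   /* skip Hint */
            if (!func) break;
            if (is_banned(func)) { found++; if (report) report(dll ? dll : "?", func); }
        }
    }
    return found;
}

/* Constructed sample, not a real executable: a minimal PE32 image whose import
 * table names strcpy and strcpy_s from ucrtbase.dll (file offsets equal RVAs). */
static void put32(uint8_t *p, uint32_t v) { p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
int scan_sample_pe(void (*report)(const char *, const char *)) {
    static uint8_t img[0x300];
    memset(img, 0, sizeof img);
    memcpy(img, "MZ", 2);             put32(img + 0x3C, 0x40);              /* e_lfanew */
    memcpy(img + 0x40, "PE\0\0", 4);  img[0x46] = 1;  img[0x54] = 224;       /* 1 section, PE32 header */
    put32(img + 0x58, 0x10b);         put32(img + 0x58 + 92, 16);           /* magic, 16 data dirs */
    put32(img + 0x58 + 104, 0x200);   put32(img + 0x58 + 108, 0x100);       /* import dir RVA, size */
    uint8_t *sec = img + 0x58 + 224;                                        /* section: RVA 0x200 = raw 0x200 */
    put32(sec + 8, 0x100); put32(sec + 12, 0x200); put32(sec + 16, 0x100); put32(sec + 20, 0x200);
    put32(img + 0x200, 0x240); put32(img + 0x20C, 0x230); put32(img + 0x210, 0x250);   /* OFT, Name, FT */
    memcpy(img + 0x230, "ucrtbase.dll", 13);
    put32(img + 0x240, 0x260); put32(img + 0x244, 0x270);                   /* name thunks, then a 0 */
    put32(img + 0x250, 0x260); put32(img + 0x254, 0x270);
    memcpy(img + 0x262, "strcpy", 7); memcpy(img + 0x272, "strcpy_s", 9);   /* 2-byte Hint precedes each */
    return scan_pe_imports(img, sizeof img, report);
}

static void print_hit(const char *dll, const char *func) { printf("%s!%s is banned\n", dll, func); }
int main(void) { return scan_sample_pe(print_hit) == 1 ? 0 : 1; }
```

To run it against a real binary, read the file into memory and pass the buffer and length to scan_pe_imports; every offset it reads is bounds-checked against that length, so a truncated or malformed file yields -1 or a partial count rather than an out-of-bounds read. Imports by ordinal are skipped because there is no name to match, which is one more way a banned call can escape an import-table check.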

Why This Matters

The C standards explicitly acknowledge these issues in Annex K:

"Traditionally, the C Library has contained many functions that trust the programmer to provide output character arrays big enough to hold the result being produced. Not only do these functions not check that the arrays are big enough, they frequently lack the information needed to perform such checks."

"Worse, this style of programming has compromised the security of computers and networks. Buffer overflows can often be exploited to run arbitrary code with the permissions of the vulnerable (defective) program."

Banned Functions Reference

Critical Functions (Error Level)

These functions are especially dangerous and should never be used:

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| gets | Removed from C11 | No bounds checking possible; reads unlimited input | fgets, gets_s |
| strcpy | Buffer overflow | No destination size check | strcpy_s, StringCchCopy |
| wcscpy | Buffer overflow | Wide-char version of strcpy | wcscpy_s, StringCchCopyW |
| lstrcpy | Buffer overflow | Windows version of strcpy (imported as lstrcpyA/lstrcpyW) | StringCchCopy |
| strcat | Buffer overflow | No destination size check | strcat_s, StringCchCat |
| wcscat | Buffer overflow | Wide-char version of strcat | wcscat_s, StringCchCatW |
| lstrcat | Buffer overflow | Windows version of strcat (imported as lstrcatA/lstrcatW) | StringCchCat |
| sprintf | Buffer overflow; format string if the format is attacker-controlled | No output buffer size limit | sprintf_s, snprintf, StringCchPrintf |
| vsprintf | Buffer overflow; format string if the format is attacker-controlled | No output buffer size limit | vsprintf_s, vsnprintf |
| wsprintf | Buffer overflow; format string if the format is attacker-controlled | Windows sprintf (imported as wsprintfA/wsprintfW) | StringCchPrintf |

String Operations (Warning Level)

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| strncpy | Truncation issues | Does not null-terminate when the source is at least as long as the count | strncpy_s |
| wcsncpy | Truncation issues | Wide-char strncpy | wcsncpy_s |
| strncat | Error-prone | The count is the space remaining after the existing string, not the buffer size | strncat_s |
| wcsncat | Error-prone | Wide-char strncat | wcsncat_s |

strncpy_s and strncat_s always terminate the destination; an oversized source is reported as an error unless _TRUNCATE is passed as the count, in which case the result is truncated and the functions return STRUNCATE.
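The following added example (written for this page, not taken from the rule's documentation or from any project) shows the strncpy pitfall the table describes and a bounded copy that both terminates the destination and reports truncation to the caller. The function names and the sample inputs are constructed for the example.

```c
/* Added example (not from the rule's own documentation): why strncpy is on the
 * list, and a bounded copy that always terminates and reports truncation. */
#include <stdio.h>
#include <string.h>

/* 1 if buf[0..n) contains a NUL, 0 otherwise. */
int is_terminated(const char *buf, size_t n) { return memchr(buf, 0, n) != NULL; }

/* strncpy writes no terminator at all when strlen(src) >= n; the result is then
 * not a C string, and the next strlen/printf on it reads past the buffer. */
int strncpy_result_terminated(const char *src) {
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return is_terminated(buf, sizeof buf);
}

/* Bounded copy with explicit truncation signalling: dst is always a valid
 * string afterwards; returns 0 if all of src fitted, -1 if it had to be cut. */
int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0) return -1;
    size_t i = 0;
    for (; i < dstsz - 1 && src[i] != '\0'; i++) dst[i] = src[i];
    dst[i] = '\0';
    return src[i] == '\0' ? 0 : -1;
}

int main(void) {
    const char *samples[] = { "short", "exactly8", "definitely too long" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char dst[8];
        int cut = copy_bounded(dst, sizeof dst, samples[i]);
        printf("%-20s strncpy terminated: %d   copy_bounded -> \"%s\"%s\n", samples[i],
               strncpy_result_terminated(samples[i]), dst, cut ? " (truncated)" : "");
    }
    return 0;
}
```

The return value is the point: silently truncating a path, a user name or a command is itself a bug class, so the caller must be able to tell that the copy was cut and decide whether that is acceptable.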

Format String Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| swprintf | Buffer overflow | Wide-char sprintf | swprintf_s |
| vswprintf | Buffer overflow | Wide-char vsprintf | vswprintf_s |
| wvsprintf | Buffer overflow | Windows vsprintf | StringCchVPrintf |

Input Functions (scanf family)

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| scanf | Buffer overflow | No bounds on %s, %[ and %c | scanf_s |
| wscanf | Buffer overflow | Wide-char scanf | wscanf_s |
| sscanf | Buffer overflow | String scanf | sscanf_s |
| swscanf | Buffer overflow | Wide string scanf | swscanf_s |
| fscanf | Buffer overflow | File scanf | fscanf_s |
| fwscanf | Buffer overflow | Wide file scanf | fwscanf_s |
| vscanf | Buffer overflow | Variadic scanf | vscanf_s |
| vfscanf | Buffer overflow | Variadic file scanf | vfscanf_s |
| vsscanf | Buffer overflow | Variadic string scanf | vsscanf_s |
| vwscanf | Buffer overflow | Wide vscanf | vwscanf_s |
| vfwscanf | Buffer overflow | Wide vfscanf | vfwscanf_s |
| vswscanf | Buffer overflow | Wide vsscanf | vswscanf_s |

Memory Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| memcpy | Buffer overflow | No destination size parameter; overlapping ranges are undefined behaviour (memmove is the fix for overlap, not memcpy_s) | memcpy_s |
| memmove | Buffer overflow | No destination size parameter | memmove_s |

Thread-Unsafe Functions (Static Buffers)

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| strtok | Data races | Uses static internal state | strtok_s |
| asctime | Data races | Returns pointer to static buffer | asctime_s |
| ctime | Data races | Returns pointer to static buffer | ctime_s |
| gmtime | Data races | Returns pointer to static struct | gmtime_s |
| localtime | Data races | Returns pointer to static struct | localtime_s |
| strerror | Data races | May return static buffer | strerror_s |

The _s replacements Microsoft ships predate Annex K and do not all share its signatures: MSVC's strtok_s(str, delimiters, context) has no size argument, and its localtime_s and gmtime_s take (struct tm*, const time_t*) where Annex K specifies (const time_t*, struct tm*). Code that must also build against a non-Microsoft CRT needs to account for this.

Environment/System Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| getenv | Data races | The returned pointer may be invalidated by a later putenv/_putenv, possibly from another thread | getenv_s, _dupenv_s |
| tmpnam | TOCTOU race | Another process can create the file between generating the name and opening it | tmpnam_s, tmpfile_s |

tmpnam_s only fixes the output buffer size; the name it returns can still be claimed before it is opened. tmpfile_s creates and opens the file in one step and is the alternative that removes the race.

Numeric Conversion Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| atoi | No error detection | Undefined behaviour on overflow | strtol with error check |
| atol | No error detection | Undefined behaviour on overflow | strtol with error check |
| atoll | No error detection | Undefined behaviour on overflow | strtoll with error check |
| atof | No error detection | No way to detect failure | strtod with error check |
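What "strtol with error check" means in practice, as an added example written for this page (not from the rule's documentation): the wrapper below rejects everything atoi silently accepts or turns into undefined behaviour, namely input with no digits, trailing garbage, and values that do not fit in an int, on both 32-bit and 64-bit long. The parse_int name, the ParseStatus enum and the sample inputs are constructed for the example.

```c
/* Added example (not from the rule's own documentation): a strtol-based
 * replacement for atoi that reports every failure atoi silently swallows. */
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

typedef enum { PARSE_OK, PARSE_NO_DIGITS, PARSE_TRAILING, PARSE_RANGE } ParseStatus;

/* Parses a decimal integer into *out. Unlike atoi(), it rejects input with no
 * digits, trailing garbage ("12abc"), and values that do not fit in an int.
 * *out is left untouched on failure. */
ParseStatus parse_int(const char *s, int *out) {
    char *end;
    errno = 0;
    long v = strtol(s, &end, 10);               /* skips leading whitespace, accepts a sign */
    if (end == s) return PARSE_NO_DIGITS;       /* nothing consumed: "", "abc", "-" */
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX) return PARSE_RANGE;  /* ERANGE covers 32-bit long */
    while (isspace((unsigned char)*end)) end++; /* tolerate trailing whitespace only */
    if (*end != '\0') return PARSE_TRAILING;
    *out = (int)v;
    return PARSE_OK;
}

static const char *status_name(ParseStatus st) {
    static const char *const names[] = { "ok", "no digits", "trailing garbage", "out of range" };
    return names[st];
}

int main(void) {
    /* Constructed inputs covering each status. atoi() is deliberately not called on
     * the overflowing values, since that is undefined behaviour. */
    const char *inputs[] = { "42", "  -7 ", "12abc", "", "abc", "2147483648", "99999999999999999999" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int v = 0;
        ParseStatus st = parse_int(inputs[i], &v);
        printf("%-24s -> %-16s", inputs[i], status_name(st));
        if (st == PARSE_OK) printf(" value=%d", v);
        putchar('\n');
    }
    return 0;
}
```

The same shape works for strtoll and strtod: clear errno first, check that end moved, check errno for ERANGE, then reject anything left after the number. Leaving out any one of those steps reintroduces an atoi-style silent failure.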

Multibyte/Wide Character Conversion

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| wctomb | Not reentrant | Uses static internal conversion state | wctomb_s |
| mbstowcs | No size validation | No destination buffer size check | mbstowcs_s |
| wcstombs | No size validation | No destination buffer size check | wcstombs_s |

Path Manipulation Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| _makepath | Buffer overflow | No destination size check | _makepath_s |
| _wmakepath | Buffer overflow | Wide-char makepath | _wmakepath_s |
| _splitpath | Buffer overflow | No component buffer size check | _splitpath_s |
| _wsplitpath | Buffer overflow | Wide-char splitpath | _wsplitpath_s |

Other Dangerous Functions

| Function | Risk | Reason | Safer Alternative |
|---|---|---|---|
| alloca | Stack overflow | Allocates on the stack with no bound; a large or attacker-controlled size runs past the guard page | HeapAlloc, malloc |
| _alloca | Stack overflow | MSVC alloca | _malloca with _freea |

_malloca serves requests larger than _ALLOCA_S_THRESHOLD from the heap instead of the stack, so an oversized size cannot exhaust the stack; every _malloca needs a matching _freea, which knows which case applied.

Resolution

Replace banned functions with secure alternatives, and check the result. The two families fail differently: the MSVC _s functions invoke the invalid parameter handler when the destination is too small (by default that terminates the process; if execution continues they return an error and the buffer is emptied), while the StringCch functions truncate to fit, always terminate, and return STRSAFE_E_INSUFFICIENT_BUFFER.

#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <strsafe.h>   // must come after the Windows headers

// Before - DANGEROUS
char buffer[256];
strcpy(buffer, user_input);                 // writes past buffer when user_input is 256+ bytes
sprintf(buffer, "User: %s", username);      // same overflow, no limit on what %s expands to

// After - SECURE
char buffer[256];
if (strcpy_s(buffer, sizeof(buffer), user_input) != 0) { /* source too long: reject the input */ }
if (sprintf_s(buffer, sizeof(buffer), "User: %s", username) < 0) { /* output did not fit */ }

// Or use Windows StringCch functions (A suffix matches the char buffer; the
// unsuffixed names map to A or W depending on UNICODE, so pair them with TCHAR buffers)
if (FAILED(StringCchCopyA(buffer, ARRAYSIZE(buffer), user_input))) { /* truncated */ }
if (FAILED(StringCchPrintfA(buffer, ARRAYSIZE(buffer), "User: %s", username))) { /* truncated */ }

Compiler Flags

# MSVC - /sdl turns the CRT deprecation warnings for these functions (C4996) and
# #pragma deprecated warnings (C4995) into errors, and adds extra runtime checks
cl /W4 /sdl program.c

# C++ only - let the CRT's template overloads rewrite calls such as strcpy(arr, src),
# where the destination is a fixed-size array, into strcpy_s(arr, sizeof arr, src)
cl /D_CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES=1 program.cpp

The C4996 warnings are on by default; do not define _CRT_SECURE_NO_WARNINGS, which silences them and hides every banned call from the compiler. Including the SDL banned.h header marks the same functions with #pragma deprecated, which /sdl also treats as an error.

References