AD3041: DoNotUseBannedApisELF

Summary

| Property   | Value                                  |
|------------|----------------------------------------|
| ID         | AD3041                                 |
| Name       | DoNotUseBannedApisELF                  |
| Category   | Security                               |
| Severity   | Warning (Error for critical functions) |
| Applies to | ELF (Linux/Unix)                       |

Description

ELF binaries should not use deprecated or banned APIs that are known to be unsafe. This rule checks symbol tables for functions identified as dangerous by the C17/C23 standards (Annex K bounds-checking interfaces) and common security guidance.

Why This Matters

The C standards explicitly acknowledge these issues in Annex K:

"Traditionally, the C Library has contained many functions that trust the programmer to provide output character arrays big enough to hold the result being produced. Not only do these functions not check that the arrays are big enough, they frequently lack the information needed to perform such checks."

"Worse, this style of programming has compromised the security of computers and networks. Buffer overflows can often be exploited to run arbitrary code with the permissions of the vulnerable (defective) program."

Banned Functions Reference

Critical Functions (Error Level)

These functions are especially dangerous and should never be used:

| Function | Risk                           | Reason                     | Safe Alternative        |
|----------|--------------------------------|----------------------------|-------------------------|
| gets     | REMOVED from C11               | No bounds checking possible | fgets                  |
| strcpy   | Buffer overflow                | No destination size check  | strlcpy, strncpy + null |
| wcscpy   | Buffer overflow                | Wide-char version of strcpy | wcsncpy                |
| strcat   | Buffer overflow                | No destination size check  | strlcat, strncat        |
| wcscat   | Buffer overflow                | Wide-char version of strcat | wcsncat                |
| sprintf  | Buffer overflow + format string | No output buffer size limit | snprintf              |
| vsprintf | Buffer overflow + format string | No output buffer size limit | vsnprintf             |

String Operations (Warning Level)

| Function | Risk              | Reason                       | Safe Alternative           |
|----------|-------------------|------------------------------|----------------------------|
| strncpy  | Truncation issues | May not null-terminate result | Check return, ensure null |
| wcsncpy  | Truncation issues | Wide-char strncpy            | Check return, ensure null  |
| strncat  | Error-prone       | Complex size calculations    | strlcat (BSD/glibc 2.38+)  |
| wcsncat  | Error-prone       | Wide-char strncat            | Manual length tracking     |

Format String Functions

| Function  | Risk            | Reason             | Safer Alternative       |
|-----------|-----------------|--------------------|-------------------------|
| swprintf  | Buffer overflow | Wide-char sprintf  | Use with size parameter |
| vswprintf | Buffer overflow | Wide-char vsprintf | Use with size parameter |

Input Functions (scanf family)

| Function | Risk            | Reason                      | Safer Alternative         |
|----------|-----------------|-----------------------------|---------------------------|
| scanf    | Buffer overflow | No bounds on %s, %[, %c     | fgets + sscanf with width |
| wscanf   | Buffer overflow | Wide-char scanf             | Width specifiers          |
| sscanf   | Buffer overflow | String scanf                | Width specifiers: %255s   |
| swscanf  | Buffer overflow | Wide string scanf           | Width specifiers          |
| fscanf   | Buffer overflow | File scanf                  | Width specifiers          |
| fwscanf  | Buffer overflow | Wide file scanf             | Width specifiers          |
| vscanf   | Buffer overflow | Variadic scanf              | Width specifiers          |
| vfscanf  | Buffer overflow | Variadic file scanf         | Width specifiers          |
| vsscanf  | Buffer overflow | Variadic string scanf       | Width specifiers          |
| vwscanf  | Buffer overflow | Wide vscanf                 | Width specifiers          |
| vfwscanf | Buffer overflow | Wide vfscanf                | Width specifiers          |
| vswscanf | Buffer overflow | Wide vsscanf                | Width specifiers          |

Memory Functions

| Function | Risk          | Reason                               | Safer Alternative       |
|----------|---------------|--------------------------------------|-------------------------|
| memcpy   | No validation | No overlap check, no size validation | Validate sizes manually |
| memmove  | No validation | No size validation                   | Validate sizes manually |

Thread-Unsafe Functions (Static Buffers)

| Function  | Risk       | Reason                          | Safer Alternative |
|-----------|------------|---------------------------------|-------------------|
| strtok    | Data races | Uses static internal state      | strtok_r          |
| asctime   | Data races | Returns pointer to static buffer | strftime         |
| ctime     | Data races | Returns pointer to static buffer | strftime         |
| gmtime    | Data races | Returns pointer to static struct | gmtime_r         |
| localtime | Data races | Returns pointer to static struct | localtime_r      |
| strerror  | Data races | May return static buffer        | strerror_r        |

Environment/System Functions

| Function | Risk        | Reason                                      | Safer Alternative               |
|----------|-------------|---------------------------------------------|---------------------------------|
| getenv   | Data races  | Pointer may be invalidated by other threads | secure_getenv, copy immediately |
| tmpnam   | TOCTOU race | Time-of-check to time-of-use vulnerability  | mkstemp                         |

Numeric Conversion Functions

| Function | Risk               | Reason                         | Safer Alternative       |
|----------|--------------------|--------------------------------|-------------------------|
| atoi     | No error detection | Undefined behavior on overflow | strtol with error check |
| atol     | No error detection | Undefined behavior on overflow | strtol with error check |
| atoll    | No error detection | Undefined behavior on overflow | strtoll with error check |
| atof     | No error detection | No way to detect failure       | strtod with error check |
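The "strtol with error check" the table recommends is more than a one-line swap; the following added example (not part of the rule's documentation; `parse_long` and `parse_long_in_range` are hypothetical helper names) shows the three failure modes atoi silently hides and how each is detected:

```c
/* Added example: replacing atoi/atol with strtol plus the error checks the
 * table calls for. Helper names are hypothetical. */
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>

typedef enum { PARSE_OK, PARSE_EMPTY, PARSE_TRAILING, PARSE_RANGE } parse_status;

/* Converts s to a long. Unlike atoi(), it distinguishes "no digits",
 * "trailing junk" and "out of range" instead of returning 0 or invoking
 * undefined behaviour on overflow. */
parse_status parse_long(const char *s, long *out)
{
    char *end;
    errno = 0;                          /* strtol only sets errno on failure */
    long v = strtol(s, &end, 10);
    if (end == s)
        return PARSE_EMPTY;             /* no digits at all: "" or "abc" */
    if (errno == ERANGE)
        return PARSE_RANGE;             /* overflow: v was clamped to LONG_MIN/MAX */
    while (isspace((unsigned char)*end))
        end++;                          /* tolerate trailing whitespace only */
    if (*end != '\0')
        return PARSE_TRAILING;          /* "12abc": atoi would quietly return 12 */
    *out = v;
    return PARSE_OK;
}

/* Same check with an application-level range, e.g. for a value that must
 * fit a port number or an array index. */
parse_status parse_long_in_range(const char *s, long lo, long hi, long *out)
{
    long v;
    parse_status st = parse_long(s, &v);
    if (st != PARSE_OK)
        return st;
    if (v < lo || v > hi)
        return PARSE_RANGE;
    *out = v;
    return PARSE_OK;
}
```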

Multibyte/Wide Character Conversion

| Function | Risk               | Reason                           | Safer Alternative |
|----------|--------------------|----------------------------------|-------------------|
| wctomb   | Not reentrant      | Uses static internal state       | wcrtomb           |
| mbstowcs | No size validation | No destination buffer size check | mbsrtowcs         |
| wcstombs | No size validation | No destination buffer size check | wcsrtombs         |

Legacy POSIX Functions

| Function | Risk            | Reason                                          | Safer Alternative      |
|----------|-----------------|-------------------------------------------------|------------------------|
| getwd    | Buffer overflow | Fixed buffer size assumed                       | getcwd                 |
| getpass  | Obsolete        | Echo handling issues, no length limit           | Custom implementation  |
| mktemp   | Race condition  | Between name creation and file open             | mkstemp                |
| realpath | Buffer overflow | NULL second arg allocates, but fixed otherwise  | Use with proper buffer |

Resolution

Replace banned functions with secure alternatives (user_input, username, str and delim are caller-supplied strings):

#include <stdio.h>
#include <string.h>
#include <time.h>

// Before - DANGEROUS
char buffer[256];
strcpy(buffer, user_input);                    // writes past buffer if user_input is long
sprintf(buffer, "User: %s", username);         // same: no output size limit

// After - SECURE (glibc 2.38+ or BSD)
char buffer[256];
strlcpy(buffer, user_input, sizeof(buffer));   // always null-terminates within 256 bytes
snprintf(buffer, sizeof(buffer), "User: %s", username);

// Thread-safe time functions
struct tm result;
time_t now = time(NULL);
localtime_r(&now, &result);  // NOT localtime(): result is caller-owned, not a static struct

// Thread-safe tokenization
char *saveptr;
char *token = strtok_r(str, delim, &saveptr);  // NOT strtok(): state lives in saveptr
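The replacements above are only safe when their results are checked: snprintf and strncpy truncate silently, and an fgets line can be longer than the buffer. This added example (not from the rule's documentation; `copy_bounded`, `format_user` and `read_user_record` are hypothetical names) shows the bounded copy, the snprintf truncation check, and the fgets + width-limited sscanf pattern the tables recommend:

```c
/* Added example: the Resolution replacements with their result checks.
 * Helper names are hypothetical; standard C only, no strlcpy needed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Bounded copy that always null-terminates and reports truncation.
 * Returns false when src did not fit; the caller decides what to do. */
bool copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dstsz == 0) return false;
    size_t n = 0;
    while (n < dstsz && src[n] != '\0') n++;   /* never reads past dstsz bytes */
    if (n == dstsz) {                          /* src is dstsz bytes or longer */
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return false;
    }
    memcpy(dst, src, n + 1);                   /* n + 1 includes the terminator */
    return true;
}

/* snprintf returns the length it would have written; comparing that with
 * the buffer size is how truncation is detected. */
bool format_user(char *dst, size_t dstsz, const char *username)
{
    int n = snprintf(dst, dstsz, "User: %s", username);
    return n >= 0 && (size_t)n < dstsz;
}

/* fgets + sscanf with a width in place of scanf("%s %ld"). A line longer
 * than the buffer (no '\n' read) is discarded rather than split across two
 * reads, and %31s cannot overflow name[32]. */
bool read_user_record(FILE *in, char name[32], long *age)
{
    char line[64];
    if (fgets(line, sizeof line, in) == NULL) return false;
    if (strchr(line, '\n') == NULL && !feof(in)) {
        int c;
        while ((c = getc(in)) != EOF && c != '\n') {}  /* drop the rest */
        return false;
    }
    return sscanf(line, "%31s %ld", name, age) == 2;
}
```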

Compiler Flags

# GCC/Clang - Enable FORTIFY_SOURCE for runtime checks (needs optimization enabled, hence -O2)
gcc -D_FORTIFY_SOURCE=2 -O2 program.c

# Clang - Enable format string warnings
clang -Wformat -Wformat-security program.c

# Enable all security warnings
gcc -Wall -Wextra -Wformat-security -Wstack-protector program.c

FORTIFY_SOURCE Protection

When compiled with -D_FORTIFY_SOURCE=2, glibc provides checked versions of many dangerous functions that abort on detected overflows:

// With FORTIFY_SOURCE, strcpy becomes __strcpy_chk
// which validates the destination buffer size at runtime

References