AD5013: DoNotUseBannedApisMachO¶

Summary¶

Property	Value
ID	AD5013
Name	DoNotUseBannedApisMachO
Category	Security
Severity	Warning (Error for critical functions)
Applies to	Mach-O (macOS, iOS)

Description¶

Mach-O binaries should not use deprecated or banned APIs that are known to be unsafe. This rule checks symbol tables for functions identified as dangerous by the C17/C23 standards (Annex K bounds-checking interfaces) and Apple's security guidance.

Why This Matters¶

The C standards explicitly acknowledge these issues in Annex K:

"Traditionally, the C Library has contained many functions that trust the programmer to provide output character arrays big enough to hold the result being produced. Not only do these functions not check that the arrays are big enough, they frequently lack the information needed to perform such checks."

"Worse, this style of programming has compromised the security of computers and networks. Buffer overflows can often be exploited to run arbitrary code with the permissions of the vulnerable (defective) program."

macOS/iOS provides excellent safe alternatives through BSD heritage (strlcpy, strlcat) that are not available on all platforms.

Banned Functions Reference¶

Critical Functions (Error Level)¶

These functions are especially dangerous and should never be used:

Function	Risk	Reason	Safer Alternative
`gets`	REMOVED from C11	No bounds checking possible	`fgets`
`strcpy`	Buffer overflow	No destination size check	`strlcpy`
`wcscpy`	Buffer overflow	Wide-char version of strcpy	`wcsncpy`
`strcat`	Buffer overflow	No destination size check	`strlcat`
`wcscat`	Buffer overflow	Wide-char version of strcat	`wcsncat`
`sprintf`	Buffer overflow + format string	No output buffer size limit	`snprintf`
`vsprintf`	Buffer overflow + format string	No output buffer size limit	`vsnprintf`

String Operations (Warning Level)¶

Function	Risk	Reason	Safer Alternative
`strncpy`	Truncation issues	May not null-terminate result	`strlcpy`
`wcsncpy`	Truncation issues	Wide-char strncpy	Ensure null termination
`strncat`	Error-prone	Complex size calculations	`strlcat`
`wcsncat`	Error-prone	Wide-char strncat	Manual length tracking

Format String Functions¶

Function	Risk	Reason	Safer Alternative
`swprintf`	Buffer overflow	Wide-char sprintf	Use with size parameter
`vswprintf`	Buffer overflow	Wide-char vsprintf	Use with size parameter

Input Functions (scanf family)¶

Function	Risk	Reason	Safer Alternative
`scanf`	Buffer overflow	No bounds on `%s`, `%[`, `%c`	`fgets` + parsing
`wscanf`	Buffer overflow	Wide-char scanf	Width specifiers
`sscanf`	Buffer overflow	String scanf	Width specifiers: `%255s`
`swscanf`	Buffer overflow	Wide string scanf	Width specifiers
`fscanf`	Buffer overflow	File scanf	Width specifiers
`fwscanf`	Buffer overflow	Wide file scanf	Width specifiers
`vscanf`	Buffer overflow	Variadic scanf	Width specifiers
`vfscanf`	Buffer overflow	Variadic file scanf	Width specifiers
`vsscanf`	Buffer overflow	Variadic string scanf	Width specifiers
`vwscanf`	Buffer overflow	Wide vscanf	Width specifiers
`vfwscanf`	Buffer overflow	Wide vfscanf	Width specifiers
`vswscanf`	Buffer overflow	Wide vsscanf	Width specifiers

Thread-Unsafe Functions (Static Buffers)¶

Function	Risk	Reason	Safer Alternative
`strtok`	Data races	Uses static internal state	`strtok_r`
`asctime`	Data races	Returns pointer to static buffer	`strftime`
`ctime`	Data races	Returns pointer to static buffer	`strftime`
`gmtime`	Data races	Returns pointer to static struct	`gmtime_r`
`localtime`	Data races	Returns pointer to static struct	`localtime_r`
`strerror`	Data races	May return static buffer	`strerror_r`

Environment/System Functions¶

Function	Risk	Reason	Safer Alternative
`getenv`	Data races	Pointer may be invalidated by other threads	Copy immediately
`tmpnam`	TOCTOU race	Time-of-check to time-of-use vulnerability	`mkstemp`

Numeric Conversion Functions¶

Function	Risk	Reason	Safer Alternative
`atoi`	No error detection	Undefined behavior on overflow	`strtol` with error check
`atol`	No error detection	Undefined behavior on overflow	`strtol` with error check
`atoll`	No error detection	Undefined behavior on overflow	`strtoll` with error check
`atof`	No error detection	No way to detect failure	`strtod` with error check

Multibyte/Wide Character Conversion¶

Function	Risk	Reason	Safer Alternative
`wctomb`	Not reentrant	Uses static internal state	`wcrtomb`
`mbstowcs`	No size validation	No destination buffer size check	`mbsrtowcs`
`wcstombs`	No size validation	No destination buffer size check	`wcsrtombs`

Legacy POSIX Functions¶

Function	Risk	Reason	Safer Alternative
`getwd`	Buffer overflow	Fixed buffer size assumed	`getcwd`
`getpass`	Obsolete	Echo handling issues, no length limit	`readpassphrase` (BSD)

Resolution¶

Replace banned functions with secure alternatives. macOS provides excellent BSD-heritage safe functions:

// Before - DANGEROUS
char buffer[256];
strcpy(buffer, user_input);
sprintf(buffer, "User: %s", username);

// After - SECURE (BSD/macOS style)
char buffer[256];
strlcpy(buffer, user_input, sizeof(buffer));
snprintf(buffer, sizeof(buffer), "User: %s", username);

// Thread-safe time functions
struct tm result;
time_t now = time(NULL);
localtime_r(&now, &result);  // NOT localtime()

// Thread-safe tokenization
char *saveptr;
char *token = strtok_r(str, delim, &saveptr);  // NOT strtok()

Apple-Specific Guidance¶

For Objective-C and Swift code, prefer Foundation types:

// Objective-C - Use NSString instead of C strings
NSString *safe = [NSString stringWithFormat:@"User: %@", username];

// Swift - String is memory-safe by default
let safe = "User: \(username)"

Compiler Flags¶

# Clang on macOS - Enable format string warnings
clang -Wformat -Wformat-security program.c

# Enable all security warnings
clang -Wall -Wextra -Wformat-security -Wstack-protector program.c

# Enable Address Sanitizer during development
clang -fsanitize=address program.c