Secure Coding Checks for CERT C, CWE, and ISO/IEC TS 17961 Standards

These checks are used to validate that code generated by Embedded Coder® complies with the CERT C, CWE, and ISO/IEC TS 17961 (Embedded Coder) secure coding standards.

Check configuration parameters for secure coding standards

Check ID: mathworks.security.CodeGenSettings

Identify configuration parameters that might impact compliance with secure coding standards.

Description

Following the recommendations of this check increases the likelihood of generating code that complies with CERT C, CWE, ISO/IEC TS 17961 secure coding standards.

Available with Embedded Coder and Simulink® Check™.

Results and Recommended Actions

Condition and recommended action

Diagnostics

  • Condition: Configuration parameter Inf or NaN block output is set to none.
    Recommended action: Set Inf or NaN block output to warning or error.

  • Condition: Configuration parameter Model Verification block enabling is set to Use local settings or Enable All.
    Recommended action: Set Model Verification block enabling to Disable All.

  • Condition: Configuration parameter Undirected event broadcasts is set to none or warning.
    Recommended action: Set Undirected event broadcasts to error.

  • Condition: Configuration parameter Wrap on overflow is set to none.
    Recommended action: Set Wrap on overflow to warning or error.

Hardware Implementation

  • Condition: Configuration parameter Production hardware signed integer division rounds to is set to Undefined.
    Recommended action: Set Production hardware signed integer division rounds to to Zero or Floor.

  • Condition: Configuration parameter Shift right on a signed integer as arithmetic shift is selected.
    Recommended action: Clear Shift right on a signed integer as arithmetic shift.

Simulation Target

  • Condition: Configuration parameter Compile-time recursion limit for MATLAB functions is set to a value other than 0.
    Recommended action: Set Compile-time recursion limit for MATLAB functions to 0.

  • Condition: Configuration parameter Dynamic memory allocation in MATLAB functions is selected.
    Recommended action: Clear Dynamic memory allocation in MATLAB functions.

  • Condition: Configuration parameter Enable run-time recursion for MATLAB functions is selected.
    Recommended action: Clear Enable run-time recursion for MATLAB functions.

Code Generation

  • Condition: Configuration parameter Code replacement library is not set to None or AUTOSAR 4.0.
    Recommended action: Set Code replacement library to None or AUTOSAR 4.0.

  • Condition: Configuration parameter External mode is selected.
    Recommended action: Clear External mode.

  • Condition: Configuration parameter Include comments is cleared.
    Recommended action: Select Include comments.

  • Condition: Configuration parameter MAT-file logging is selected.
    Recommended action: Clear MAT-file logging.

  • Condition: For ERT-based target systems, configuration parameter MATLAB user comments is cleared.
    Recommended action: Select MATLAB user comments.

  • Condition: Configuration parameter Replace multiplications by powers of two with signed bitwise shifts is selected.
    Recommended action: Clear Replace multiplications by powers of two with signed bitwise shifts.

  • Condition: For ERT-based target systems, configuration parameter Support continuous time is selected.
    Recommended action: Clear Support continuous time.

  • Condition: Configuration parameter Support non-finite numbers is selected.
    Recommended action: Clear Support non-finite numbers.

  • Condition: For ERT-based target systems, configuration parameter Support non-inlined S-functions is selected.
    Recommended action: Clear Support non-inlined S-functions.

  • Condition: Configuration parameter System target file is set to a GRT-based target.
    Recommended action: Set System target file to an ERT-based target.

  • Condition: Configuration parameter Use dynamic memory allocation for model initialization is selected.
    Recommended action: Clear Use dynamic memory allocation for model initialization.

Action Results

Clicking Modify All changes the parameter values to the recommended values.

Subchecks depend on the results of the subchecks noted with D in the results table in the Model Advisor window.

See Also

Secure Coding Standards (Embedded Coder)

Check for blocks not recommended for C/C++ production code deployment

Check ID: mathworks.codegen.PCGSupport

Identify blocks not supported by code generation or not recommended for C/C++ production code deployment.

Description

This check partially identifies model constructs that are not recommended for C/C++ production code generation as identified in the Simulink Block Support (Simulink Coder) tables for Simulink Coder™ and Embedded Coder. If you are using blocks with support notes for code generation, review the information and follow the given advice.

Following the recommendations of this check increases the likelihood of generating code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: The model or subsystem contains blocks that should not be used for production code deployment.
    Recommended action: Consider replacing the blocks listed in the results. Click an element from the list of questionable items to locate the condition.

Capabilities and Limitations

This check:

  • Runs on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in all masked subsystems.

  • Allows exclusions of blocks and charts if you have a Simulink Check license.

Edit-Time Checking. This check is supported by edit-time checking.

See Also

Check for blocks not recommended for secure coding standards

Check ID: mathworks.security.BlockSupport

Identify blocks not recommended for compliance with secure coding standards.

Description

Following the recommendations of this check increases the likelihood of generating code that complies with CERT C, CWE, ISO/IEC TS 17961 secure coding standards.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: Lookup Table blocks using cubic spline interpolation or extrapolation methods were found in the model or subsystem. Specific blocks are:
    Recommended action: Consider other interpolation and extrapolation methods for the Lookup Table blocks.

  • Condition: Deprecated Lookup Table blocks were found in the model or subsystem. Specific blocks are:
      • Lookup Table
      • Lookup Table (2-D)
    Recommended action: Consider replacing the deprecated Lookup Table blocks.

  • Condition: S-Function Builder blocks were found in the model or subsystem.
    Recommended action: Consider replacing the S-Function Builder blocks with blocks recommended for production.

  • Condition: From Workspace blocks were found in the model or subsystem.
    Recommended action: Consider replacing the From Workspace blocks with blocks recommended for production.

  • Condition: String blocks were found in the model or subsystem. Specific blocks are:
    Recommended action: Consider replacing the String blocks with blocks recommended for production.

Capabilities and Limitations

You can:

  • Run this check on your library models.

  • Exclude blocks and charts from this check if you have a Simulink Check license.

Edit-Time Checking. This check is supported by edit-time checking.

See Also

Check usage of Assignment blocks

Check ID: mathworks.misra.AssignmentBlocks

Identify Assignment blocks that do not have block parameter Action if any output element is not assigned set to Error or Warning.

Description

This check applies to the Assignment block that is available in the Simulink block library under Simulink > Math Operations.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: The model or subsystem might contain Assignment blocks with incomplete array initialization that do not have block parameter Action if any output element is not assigned set to Error or Warning.
    Recommended action: Set block parameter Action if any output element is not assigned to one of the recommended values:
      • Error, if the Assignment block is not in an Iterator subsystem.
      • Warning, if the Assignment block is in an Iterator subsystem.

Capabilities and Limitations

  • Runs on library models.

  • Analyzes content of library linked blocks.

  • Analyzes content in masked subsystems.

  • If you have a Simulink Check license, allows exclusions of blocks and charts.

Edit-Time Checking. This check is supported by edit-time checking. However, the following check condition is not supported, because edit-time checking is unable to determine whether the Assignment block is in an Iterator subsystem:

Set block parameter Action if any output element is not assigned to one of the recommended values:

  • Error, if the Assignment block is not in an Iterator subsystem.

  • Warning, if the Assignment block is in an Iterator subsystem.

See Also

Check for switch case expressions without a default case

Check ID: mathworks.misra.SwitchDefault

Identify switch case expressions that do not have a default case.

Description

The check flags model objects that have switch case expressions without a default case.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

The check does not flag blocks without default cases if they are justified with a Polyspace® annotation. When you run the check, the Blocks with justification table lists blocks without default cases that have a justification.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: Model object has a switch case expression without a default case.
    Recommended action: For Switch Case blocks, consider selecting block parameter Show default case to explicitly specify a default case.

Capabilities and Limitations

You can:

  • Run this check on your library models.

  • Exclude blocks and charts from this check if you have a Simulink Check license.

Edit-Time Checking. This check is supported by edit-time checking.

See Also

Check for bitwise operations on signed integers

Check ID: mathworks.misra.CompliantCGIRConstructions

Identify Simulink blocks that contain bitwise operations on signed integers.

Description

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C and CWE standards.

Available with Embedded Coder and Simulink Check.

This check requires a Stateflow® license when Stateflow is used in the model.

Results and Recommended Actions

Condition and recommended action

  • Condition: The model has blocks that contain bitwise operations on signed integers.
    Recommended action: Consider using unsigned integers for bitwise operations.

Capabilities and Limitations

  • The check assumes that code is generated for the whole model. When code is generated by a subsystem build or by export functions, the check can produce incorrect results.

  • You can exclude blocks and charts from this check if you have a Simulink Check license.
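As an added illustration (not MathWorks code and not Embedded Coder output), the C snippet below shows why this check, together with the Hardware Implementation settings on signed shifts and the "Replace multiplications by powers of two with signed bitwise shifts" parameter, steers generated code toward unsigned bitwise operations and explicit signed division. The helper names and the 32-bit flag word are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added illustration, not MathWorks code. In C, shifting a 1 into the
 * sign bit of a signed int (1 << 31) is undefined behaviour, and
 * right-shifting a negative value is implementation-defined. The
 * unsigned helpers below are fully defined by the C standard. */

#define FLAG_BITS 32u   /* assumed width of the flag word */

/* Set bit 'bit' in an unsigned flag word; out-of-range bits are ignored. */
uint32_t flags_set(uint32_t flags, unsigned bit)
{
    if (bit >= FLAG_BITS) {
        return flags;
    }
    return flags | (UINT32_C(1) << bit);   /* defined for every bit < 32 */
}

/* Clear bit 'bit'; ~ on an unsigned operand is also well defined. */
uint32_t flags_clear(uint32_t flags, unsigned bit)
{
    if (bit >= FLAG_BITS) {
        return flags;
    }
    return flags & ~(UINT32_C(1) << bit);
}

/* Division by 2^k on a signed value, written as a division rather than
 * a right shift: C99 and later truncate toward zero, which is what the
 * "rounds to Zero" hardware setting describes. */
int32_t div_pow2_to_zero(int32_t x, unsigned k)
{
    return x / (int32_t)(UINT32_C(1) << k);   /* caller keeps k < 31 */
}

/* The same quotient rounded toward negative infinity ("rounds to Floor"),
 * without relying on an arithmetic shift of a negative operand. */
int32_t div_pow2_floor(int32_t x, unsigned k)
{
    int32_t d = (int32_t)(UINT32_C(1) << k);
    int32_t q = x / d;
    if ((x % d) != 0 && x < 0) {
        q -= 1;   /* truncation went toward zero; step down one */
    }
    return q;
}
```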

See Also

Check for equality and inequality operations on floating-point values

Check ID: mathworks.misra.CompareFloatEquality

Identify equality and inequality operations on floating-point values.

Description

The check flags sources causing equality or inequality operations on floating-point values.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C and CWE standards.

The check does not flag blocks with equality or inequality operations on floating-point values if they are justified with a Polyspace annotation. When you run the check, the Blocks with justification table lists blocks with equality or inequality operations that have a justification.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: Model object has an equality or inequality operation on a floating-point value.
    Recommended action: Consider using non-floating-point values for equality or inequality operations.

Capabilities and Limitations

You can:

  • Exclude blocks and charts from this check if you have a Simulink Check license.
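As an added illustration (not MathWorks code), this C snippet places the exact floating-point comparison the check flags beside the recommended alternative of comparing non-floating-point values, here a signal quantized to a fixed-point integer at a declared resolution. The function names, the int32 target word and the rounding mode are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>

/* Added illustration, not MathWorks code. */

/* The pattern this check flags: exact equality on floating-point values.
 * Rounding in earlier arithmetic makes the outcome unpredictable, e.g.
 * 0.1 + 0.2 is not bit-identical to 0.3 in IEEE double. */
bool equal_exact(double a, double b)
{
    return a == b;
}

/* The recommended direction: compare non-floating-point values. A signal
 * is quantized to a fixed-point integer with 'frac_bits' fractional bits
 * (resolution 2^-frac_bits), rounding half away from zero and saturating
 * to the int32 range, so values that agree at that resolution compare
 * equal. frac_bits must be < 31. */
int32_t to_fixed(double x, unsigned frac_bits)
{
    double scaled = x * (double)(UINT32_C(1) << frac_bits);
    double rounded = (scaled >= 0.0) ? (scaled + 0.5) : (scaled - 0.5);
    if (rounded >= (double)INT32_MAX) {
        return INT32_MAX;          /* saturate instead of overflowing */
    }
    if (rounded <= (double)INT32_MIN) {
        return INT32_MIN;
    }
    return (int32_t)rounded;       /* conversion truncates toward zero */
}

bool equal_fixed(double a, double b, unsigned frac_bits)
{
    return to_fixed(a, frac_bits) == to_fixed(b, frac_bits);
}

/* If the signal must stay floating-point, make the tolerance explicit
 * instead of using ==, so the intent is visible in the code. */
bool equal_within(double a, double b, double tol)
{
    double diff = (a > b) ? (a - b) : (b - a);
    return diff <= tol;
}
```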

See Also

Check integer word length

Check ID: mathworks.misra.IntegerWordLengths

Identify integer word lengths that do not comply with hardware implementation settings.

Description

The check flags integers whose word lengths exceed the number of bits permitted via the hardware implementation settings.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C and CWE standards.

Available with Embedded Coder and Simulink Check.

Results and Recommended Actions

Condition and recommended action

  • Condition: Model object contains integer word lengths that are not compliant with hardware implementation settings.
    Recommended action: Update the integer so its length does not exceed the permitted number of bits. You can view the permitted number of bits in the Configuration Parameters dialog box, on the Hardware Implementation > Device details pane.

Capabilities and Limitations

You can:

  • Exclude blocks and charts from this check if you have a Simulink Check license.

See Also

Detect Dead Logic

Check ID: mathworks.sldv.deadlogic

Identify logic that stays inactive during simulation.

Description

This check identifies portions of your model that stay inactive during simulation.

You can run a more detailed analysis that identifies both dead logic and active logic using Simulink Design Verifier™ design error detection. For more information, see Detect Dead Logic Caused by an Incorrect Value (Simulink Design Verifier).

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C and CWE standards.

Results and Recommended Actions

Result and recommended action

  • Result: Failed, model incompatible
    Recommended action: Resolve the model incompatibility. See:
    Also see Handle Incompatibilities with Automatic Stubbing (Simulink Design Verifier).

  • Result: Dead logic found in model
    Recommended action: Simulink Design Verifier proved that these decision and condition outcomes cannot occur and are dead logic in the model. Dead logic can also be a side effect of specified constraints on parameters or specified minimum and maximum constraints on input ports. In rare cases, dead logic can result from approximations performed by Simulink Design Verifier. It is possible that there are objectives that this analysis did not decide. To extend the results of this analysis, use Simulink Design Verifier design error detection to also identify active logic. From the Simulink Editor, select Analysis > Design Verifier > Options. In the Design Error Detection pane, select both Dead logic and Identify active logic.

  • Result: Dead logic not found in model
    Recommended action: Simulink Design Verifier did not find dead logic in the model. It is possible that there are objectives that this analysis did not decide. To extend the results of this analysis, use Simulink Design Verifier design error detection to also identify active logic. From the Simulink Editor, select Analysis > Design Verifier > Options. In the Design Error Detection pane, select both Dead logic and Identify active logic.

See Also

Detect Integer Overflow

Check ID: mathworks.sldv.integeroverflow

Detect integer or fixed-point data overflow errors in your model.

Description

This check identifies operations that exceed the data type range for integer or fixed-point operations.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

Results and Recommended Actions

Result and recommended action

  • Result: Failed, model incompatible
    Recommended action: Resolve the model incompatibility. See
    Also see Handle Incompatibilities with Automatic Stubbing (Simulink Design Verifier).

  • Result: Integer overflow found in model
    Recommended action: To view the conditions that cause the integer overflow, create a harness model. When you simulate the harness, the inputs replicate the error. Click View test case in the Model Advisor report.

See Also

Detect Division by Zero

Check ID: mathworks.sldv.divbyzero

Detect division-by-zero errors in your model.

Description

This check identifies operations in your model that cause division-by-zero errors.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

Results and Recommended Actions

Result and recommended action

  • Result: Failed, model incompatible
    Recommended action: Resolve the model incompatibility. See
    Also see Handle Incompatibilities with Automatic Stubbing (Simulink Design Verifier).

  • Result: Division by zero found in model
    Recommended action: To view the conditions that cause the division by zero, create a harness model. When you simulate the harness, the inputs replicate the error. Click View test case in the Model Advisor report.

See Also

Detect Out Of Bound Array Access

Check ID: mathworks.sldv.arraybounds

Detect operations that access outside the bounds of an array index.

Description

This check uses Simulink Design Verifier to detect instances of out-of-bound array access.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C, CWE, ISO/IEC TS 17961 standards.

Results and Recommended Actions

Result and recommended action

  • Result: Failed, model incompatible
    Recommended action: Resolve the model incompatibility. See
    Also see Handle Incompatibilities with Automatic Stubbing (Simulink Design Verifier).

  • Result: Out of bound array access found in model
    Recommended action: To view the conditions that cause the out-of-bound array access, create a harness model. When you simulate the harness, the inputs replicate the error. Click View test case in the Model Advisor report.

See Also

Detect Specified Minimum and Maximum Value Violations

Check ID: mathworks.sldv.minmax

Detect signals that exceed specified minimum and maximum values.

Description

This analysis checks the specified minimum and maximum values (the design ranges) on intermediate signals throughout the model and on the output ports. If the analysis detects that a signal exceeds the design range, the results identify where in the model the errors occurred.

Following the recommendations of this check increases the likelihood of generating MISRA C:2012 compliant code for embedded applications, as well as code that complies with the CERT C and CWE standards.

Results and Recommended Actions

Result and recommended action

  • Result: Failed, model incompatible
    Recommended action: Resolve the model incompatibility. See
    Also see Handle Incompatibilities with Automatic Stubbing (Simulink Design Verifier).

  • Result: Violation of minimum and/or maximum found in model
    Recommended action: To view the conditions that cause the violation, create a harness model. When you simulate the harness, the inputs replicate the error. Click View test case in the Model Advisor report.

See Also