It is possible to write secure software that contains goto statements. In fact, a quick analysis of the CWE Top 25 list of programming errors reveals that most of these bugs are not caused by the use of goto statements. Yes, there is a link between many of these issues and the use of gotos, but that’s because they were written in languages (like C) that have gotos. The bugs would exist even if these languages didn’t have gotos.
The solution for avoiding security vulnerabilities is to avoid introducing any kind of bug into your software. This means avoiding bad coding practices like buffer overflows, command injection, format string exploits, and so on. The specific type of control statement you use has little or nothing to do with it.
In the last decade, a rising tide of software vulnerabilities has exposed millions of computer users to increased risk. In fact, the number of reported security vulnerabilities in software began increasing dramatically around 1993 and has risen exponentially since then. For example, here’s a chart showing the number of vulnerabilities reported by Symantec Corporation (previously Symantec Security Response) each year between 1996 and 2005:
During this same period, there were occasional reports that some people believed C’s goto statement to be a cause of software vulnerabilities (e.g., Wheeler 2005). In response, many organizations decided to ban the use of goto statements in their code bases. Then, as if on cue, two papers came out within months of each other showing that goto statements are not necessarily associated with poor security practices:
• Litchfield 2006
• Seacord 2006
This article is intended to provide further information about the relationship between the goto statement and security-related issues in software.
What do We Mean by Secure Software?
To begin this discussion, it will help if we first define what we mean by secure software. The word “secure” has multiple meanings in the context of software development; here, I’m referring specifically to software that is free of security bugs and vulnerabilities
The goto statement has been a part of the C language since its earliest days. It is not in C++, but it was shifted into the header file . The goto statement is often the subject of heated debate. Its supporters believe that it serves as a valuable tool to improve program structure and readability. Its detractors argue that it should not be used because it causes “spaghetti code” that is hard to understand and debug.
In this article I will demonstrate how the use of the goto statement can lead to security vulnerabilities in C programs. I will explain why these vulnerabilities occur and what you can do to prevent them from occurring in your code. This article will take you through an example of how attackers can exploit the goto statement to crash your program or introduce security vulnerabilities into it.
The goto statement is a relic from the days when programs had no structured control flow mechanisms. In today’s programming languages, goto statements are pretty much unnecessary and they should be avoided. The goto statement has been universally condemned as a programming construct that can make programs very difficult to understand and modify.
One of the most common criticisms leveled against the goto statement is that it makes it very easy to create spaghetti code. While this is true, some programmers have circumvented this problem by introducing standard coding conventions that limit the use of goto statements in their programs. For example, many programmers will only use a goto statement to jump backward in a program, rather than forward.
In addition to potentially making your code more difficult to understand and modify, the gotos may cause other problems. One of these problems occurs when you are trying to secure your code against buffer overflow attacks.
In a recent example, the goto label was heuristically detected by combining the results of several subanalyses that looked for specific security problems:
An analysis for integer overflows and underflows.
An analysis for null pointer dereferences and uninitialized variables.
An analysis for missing input validation, such as checking that pointers and integers are in valid ranges.
An analysis for unsafe string processing. These analyses collectively produced a list of problem locations in the source code. The list was then examined manually to see whether goto labels might cause any of these locations to be skipped. This technique is one example of how manual examination can improve the power of an automated analysis.
The goto statement is a fundamental programming construct. The goto statement is used to transfer control to another part of your program. You can use a goto statement to alter the normal sequence of statements, but it should be used with extreme caution.
The goto statement has been heavily criticized by some software developers. Many believe the use of goto statements makes programs unreadable, unmaintainable and bug-prone. They think that use of the got statement is indicative of sloppy programming practices.
Some programmers would actually ban the use of the goto statement altogether if they could. However, it does seem that there are cases in which the use of continue and break statements as a replacement for a goto statement results in code that is more complicated, less readable and less maintainable than using an equivalent goto statement.
In this article we are going to look at how to identify problems in code that result from using the gotos. I will also provide an example of one case where I think that replacing goto with break or continue would make things worse not better.
he goto statement is one of the most controversial features in the history of computer programming languages.
The goto statement is a target for a jump, so you can use it to break out of the middle of a loop, or to skip the rest of an if statement.
In the 1970s and 1980s, a lot of very smart people spent a lot of time studying structured programming. The idea was that programs should be well-structured and built out of small pieces, which are well-structured themselves. The reason that this was important was because some people were starting to realize that software was becoming as complex as it was due to poor program structure. This lead to the creation of tools like compilers and debuggers to help programmers build correct software better. However, many believed that programming would become easier with higher level languages that enforced good practices through their design (like Java).
goto statements are considered harmful because they violate the principle of structured programming – that is, programs should be written in terms of functions and control structures like “if” and “while.”
…