Are there more-secure string functions for C available?


John Dallman

Dec 30, 2024, 12:55:44 PM
to emscripte...@googlegroups.com
I'm porting a huge library to WebAssembly. Most of it is written in a domain-specific language that compiles to C, and a few subsystems are C++. Emscripten provides the classic C string functions, such as strcpy(), strcat(), and so on, but I would prefer to use functions with more checking. On Windows, I use the strcpy_s() family, at customer insistence. On Linux and macOS, I use the builtin_strcpy_chk() family, which were created as part of the FORTIFY project. Emcc does not complain about calls to builtin_strcpy_chk(), but that creates a call to _strcpy_chk(), which wasm-ld can't find. Does Emscripten support FORTIFY? Adding -D_FORTIFY_SOURCE=2, which is the usual invocation, doesn't seem to make any difference. Are there other more-secure string functions I should be using?

Thanks in advance,

John

Alon Zakai

Dec 30, 2024, 2:10:59 PM
to emscripte...@googlegroups.com
It does look like FORTIFY does not work atm. This seems to be a libc issue, as I tested (examples from [1]) with different flags, and the sysroot is what makes the problem happen. And it does look like FORTIFY support in musl is limited or at least very very recent (and maybe not on the main branch), see FORTIFY notes on these pages:



So this should start to work after musl gets that support + after Emscripten updates to that version.

- Alon



John Dallman

Dec 31, 2024, 5:34:56 AM
to emscripte...@googlegroups.com
OK, I'll use strlcat/strlcpy meantime. 

Thanks,

John
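
An added example, not part of the thread: strlcpy()/strlcat() truncate instead of aborting as a FORTIFY `_chk` call does, so the caller has to compare the return value with the buffer size. `bounded_copy`, `bounded_cat` and `join_path` are hypothetical names; the first two reimplement the strlcpy/strlcat return convention so the block also builds where libc lacks those functions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helpers (not from the thread or from Emscripten). They follow
 * the strlcpy()/strlcat() return convention: the length of the string the
 * call tried to create, so a result >= dstsize means the output was cut. */
static size_t bounded_copy(char *dst, const char *src, size_t dstsize)
{
    size_t srclen = strlen(src);
    if (dstsize != 0) {
        size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';              /* always terminated when dstsize > 0 */
    }
    return srclen;
}

static size_t bounded_cat(char *dst, const char *src, size_t dstsize)
{
    /* Never scan past dstsize while looking for the existing terminator. */
    const char *end = memchr(dst, '\0', dstsize);
    size_t dstlen = end ? (size_t)(end - dst) : dstsize;
    if (dstlen == dstsize)          /* dst is not terminated within dstsize */
        return dstsize + strlen(src);
    return dstlen + bounded_copy(dst + dstlen, src, dstsize - dstlen);
}

/* Build "<dir>/<name>" in out. Returns 0 on success, -1 if it does not fit.
 * On failure out is set to "" so a truncated path is never used by mistake. */
int join_path(char *out, size_t outsize, const char *dir, const char *name)
{
    if (outsize == 0)
        return -1;
    if (bounded_copy(out, dir, outsize) >= outsize ||
        bounded_cat(out, "/", outsize) >= outsize ||
        bounded_cat(out, name, outsize) >= outsize) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```

The same `>= dstsize` comparison applies unchanged to the libc strlcpy()/strlcat() calls.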
