问题
It is known that it is a good practice to pass arguments (specially if they are of big size like structures) to functions by reference. And to apply the principle of "least privilege", if that function is not supposed to change the values of these passed variables then we need to pass their references as a pointer to constant. My question is, passing as a pointer to constant can not prevent changing the values within the function (You may consider the attached code), so how can we prevent such practice?
void print(const int *ptr) {
printf("%d\n", *ptr);
int * p = ptr;
*p = 11;
}
I am not discussing here whether we can change the value of a constant through pointers or not. I know that we can. But my question is how to prevent such practice to enforce the principle of least privilege? otherwise what is the use of passing a reference as a pointer to constant if we can play around it easily as shown in the code above
回答1:
Since C is unmanaged, there's not really anything you can do to prevent a locally called C function from messing up stuff outside itself. Even if the language enforced "const-ness" somehow, there'd by many other things that print() could do, if it were so inclined, that would violate least privilege.
Instead C provides ways to cooperatively implement safer programs. In this case print() has to cooperate by declaring p as a pointer to a const int.
As a point of comparison: from a security perspective, a C caller and a C function are within the same trust boundary. Specifically they are within the same process (thus excluding calls across trust boundaries, like IPCs or RPC, from this discussion). Within a given trust boundary all actors (almost) always have the same set of privileges. "Privilege" here meaning an externally granted right to perform an action as opposed to self imposed restrictions.
Actors within the same trust boundary are "free" to tamper with each other. If function A tampers with caller B, there's no greater threat than if B acted on its own. B can do the same things whether acting on its own or whether caused to do something by A. From a security perspective A and B are equally privileged.
So it might be more helpful to think of "principal of least self-allowed action" rather than "principal of least privilege" in the case of C callers/functions.
回答2:
This code int * p = ptr; is ill-formed, it is not valid C.
According to the rules of simple assignment (6.5.16.1), emphasis mine:
One of the following shall hold:
/--/
- the left operand has atomic, qualified, or unqualified pointer type, and (considering the type the left operand would have after lvalue conversion) both operands are pointers to qualified or unqualified versions of compatible types, and the type pointed to by the left has all the qualifiers of the type pointed to by the right;
Qualifiers means type qualifiers, such as const or volatile. The left operand in your code doesn't have the same qualifiers as the right operand, so it should not compile.
回答3:
As "Functions can always cast pointers to strip off any const restrictions" (see comment by jotik), you cannot prevent it by ways of the language.
What remains is to write it down in your company's coding standard and explicitly include it in code reviews to spot where a programmer still does it.
When such use is spotted, then the reason could be investigated. Maybe the programmer is right and the function signature should be changed (or a new function introduced).
来源:https://stackoverflow.com/questions/35936554/pointer-to-constant