_s functions, such as scanf_s
, printf_s
seems to be optional standard. MSVC has implemented these functions, but gcc hasn't.
Is there specific reason for not implementing secure functions? Is scanf
of glibc secure enough?
The _s
functions are optional (Annex K of the C11 standard). They're widely regarded as 'not very beneficial'.
In the answers to my question Do you use the TR-24731 "safe" functions?, you can find information about where there are problems with the standard specification — such as crucial differences between the standard and Microsoft's implementation. TR 24731-1 was a technical report from the C standard committee. The report was incorporated almost verbatim — with an extra, previously omitted, function, memset_s()
— in the C11 standard as (optional but 'normative') Annex K. There's also TR 24731-2 for a different set of functions — without the _s
suffix. It ran into resistance for a different set of reasons.
Also, there is a proposal before the C Standard Committee that the functions defined in Annex K should be removed from the next revision of the standard:
That paper is a straightforward and compelling read of the reasons why the TR-24731 (*_s()
) functions have not been widely implemented.
Key reasons include:
*_s()
function is unnecessary.*_s()
functions, or the code which uses them.See the paper for more details. The paper ends with the section:
Suggested Technical Corrigendum
Despite more than a decade since the original proposal and nearly ten years since the ratification of ISO/IEC TR 24731-1:2007, and almost five years since the introduction of the Bounds checking interfaces into the C standard, no viable conforming implementations has emerged. The APIs continue to be controversial and requests for implementation continue to be rejected by implementers.
The design of the Bounds checking interfaces, though well-intentioned, suffers from far too many problems to correct. Using the APIs has been seen to lead to worse quality, less secure software than relying on established approaches or modern technologies. More effective and less intrusive approaches have become commonplace and are often preferred by users and security experts alike.
Therefore, we propose that Annex K be either removed from the next revision of the C standard, or deprecated and then removed.
Annex K was not removed from C17. Two new papers from the standards committee (ISO JTC1/SC22/WG14) discuss Annex K (and are in favour of retaining the functions):
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With