Sanitizing Sensitive Data: How to Get It Right (or at Least Less Wrong…)

  • Roderick Chapman
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10300)


Coding standards and guidance for secure programming call for sensitive data to be “sanitized” before being de-allocated. This paper considers what this really means in technical terms, why it is actually rather difficult to achieve, and how such a requirement can be realistically implemented and verified, concentrating on the facilities offered by Ada and SPARK. The paper closes with a proposed policy and coding standard that can be applied and adapted to other projects.
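The difficulty the abstract alludes to is easiest to see in C, where the paper's concern (a "sanitizing" store that the optimizer is free to delete) is a well-known failure mode. The following is an added example, not code from the paper, and it is in C rather than the paper's Ada and SPARK; the function names, the toy keyed fold standing in for "use a key", and the sample inputs are all constructed for illustration.

```c
/* Added example (not from the paper): the dead-store problem behind
 * "sanitize before de-allocation", in C rather than Ada/SPARK.
 * Practitioner check:  gcc -O2 -S sanitize_demo.c   then look in the .s
 * file for whether the memset in fold_naive() survived and whether the
 * volatile store loop from secure_wipe() did. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define KEY_LEN 32

/* Volatile-pointer sanitizer. Every store through a volatile lvalue is a
 * side effect the implementation must perform (C11 5.1.2.3), so the loop
 * is not eligible for dead-store elimination even though the object is
 * never read again. Caveat (Percival, "Zeroing Buffers is Insufficient"):
 * this clears only the named object, not copies the compiler may have
 * spilled into registers or other stack slots. */
void secure_wipe(void *p, size_t n)
{
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--)
        *vp++ = 0;
}

/* Returns 1 if all n bytes at p are zero, else 0 (for callers and tests). */
int is_zeroed(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Stand-in for "use a key": a toy keyed fold, NOT a MAC. Expands `seed`
 * into the caller's key buffer and folds `msg` against it. */
static uint32_t fold_core(uint8_t *key, uint8_t seed,
                          const uint8_t *msg, size_t n)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(seed + 7 * i);
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc = ((acc << 5) | (acc >> 27)) ^ (uint32_t)(msg[i] ^ key[i % KEY_LEN]);
    return acc;
}

/* Naive: memset() on a buffer that is never read again. The call is not
 * observable behaviour, so at -O2 gcc and clang are entitled to delete it
 * and in practice usually do. The function still returns the right value,
 * which is why no functional test catches the missing wipe. */
uint32_t fold_naive(uint8_t seed, const uint8_t *msg, size_t n)
{
    uint8_t key[KEY_LEN];
    uint32_t r = fold_core(key, seed, msg, n);
    memset(key, 0, sizeof key);   /* dead store: may be optimised away */
    return r;
}

/* Hardened: same computation, but the wipe goes through the volatile loop. */
uint32_t fold_secure(uint8_t seed, const uint8_t *msg, size_t n)
{
    uint8_t key[KEY_LEN];
    uint32_t r = fold_core(key, seed, msg, n);
    secure_wipe(key, sizeof key);
    return r;
}

/* Round trip on a live buffer: fill with a pattern, wipe, verify all-zero. */
int wipe_roundtrip(void)
{
    uint8_t buf[48];
    memset(buf, 0xA5, sizeof buf);
    if (is_zeroed(buf, sizeof buf))
        return 0;                 /* pattern did not take; something is wrong */
    secure_wipe(buf, sizeof buf);
    return is_zeroed(buf, sizeof buf);
}
```

Both fold functions return identical values, so the difference between them is invisible to any functional test and can only be confirmed in the generated code, which is the point of the assembly check in the header comment. Link-time optimization extends the same dead-store reasoning across translation units, so moving memset() into another file does not help. Where available, explicit_bzero() (glibc, the BSDs) or C11 Annex K memset_s() exist precisely to give the compiler a store it must keep; the volatile loop above is the portable fallback, with the register and stack-copy caveat noted in the comment.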


Keywords: Security · Sanitization · SPARK · Verification · Volatile · Optimization · Proof



The author would like to thank Robert Seacord, Florian Schanda, Bill Ellis and the conference reviewers for their comments on earlier drafts of this paper.


Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  1. Roderick Chapman, Protean Code Limited, Bath, UK