Secure Coding in C and C++, CourseSmart eTextbook, 2nd Edition

By Robert C. Seacord

Published by Addison-Wesley Professional

Published Date: Mar 16, 2013

Description

Learn the Root Causes of Software Vulnerabilities and How to Avoid Them

 

Commonly exploited software vulnerabilities are usually caused by avoidable software defects. Having analyzed tens of thousands of vulnerability reports since 1988, CERT has determined that a relatively small number of root causes account for most of the vulnerabilities.

 

Secure Coding in C and C++, Second Edition, identifies and explains these root causes and shows the steps that can be taken to prevent exploitation. Moreover, this book encourages programmers to adopt security best practices and to develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. Drawing on the CERT’s reports and conclusions, Robert C. Seacord systematically identifies the program errors most likely to lead to security breaches, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.

 

Coverage includes technical detail on how to

  • Improve the overall security of any C or C++ application
  • Thwart buffer overflows, stack-smashing, and return-oriented programming attacks that exploit insecure string manipulation logic
  • Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions
  • Eliminate integer-related problems resulting from signed integer overflows, unsigned integer wrapping, and truncation errors
  • Perform secure I/O, avoiding file system vulnerabilities
  • Correctly use formatted output functions without introducing format-string vulnerabilities
  • Avoid race conditions and other exploitable vulnerabilities while developing concurrent code

 

The second edition features

  • Updates for C11 and C++11
  • Significant revisions to chapters on strings, dynamic memory management, and integer security
  • A new chapter on concurrency
  • Access to the online secure coding course offered through Carnegie Mellon’s Open Learning Initiative (OLI)

Secure Coding in C and C++, Second Edition, presents hundreds of examples of secure code, insecure code, and exploits, implemented for Windows and Linux. If you’re responsible for creating secure C or C++ software–or for keeping it safe–no other book offers you this much detailed, expert assistance.

Table of Contents

Foreword

Preface

Acknowledgments

About the Author

Chapter 1: Running with Scissors

1.1 Gauging the Threat

1.2 Security Concepts

1.3 C and C++

1.4 Development Platforms

1.5 Summary

1.6 Further Reading

Chapter 2: Strings

2.1 Character Strings

2.2 Common String Manipulation Errors

2.3 String Vulnerabilities and Exploits

2.4 Mitigation Strategies for Strings

2.5 String-Handling Functions

2.6 Runtime Protection Strategies

2.7 Notable Vulnerabilities

2.8 Summary

2.9 Further Reading

Chapter 3: Pointer Subterfuge

3.1 Data Locations

3.2 Function Pointers

3.3 Object Pointers

3.4 Modifying the Instruction Pointer

3.5 Global Offset Table

3.6 The .dtors Section

3.7 Virtual Pointers

3.8 The atexit() and on_exit() Functions

3.9 The longjmp() Function

3.10 Exception Handling

3.11 Mitigation Strategies

3.12 Summary

3.13 Further Reading

Chapter 4: Dynamic Memory Management

4.1 C Memory Management

4.2 Common C Memory Management Errors

4.3 C++ Dynamic Memory Management

4.4 Common C++ Memory Management Errors

4.5 Memory Managers

4.6 Doug Lea’s Memory Allocator

4.7 Double-Free Vulnerabilities

4.8 Mitigation Strategies

4.9 Notable Vulnerabilities

4.10 Summary

Chapter 5: Integer Security

5.1 Introduction to Integer Security

5.2 Integer Data Types

5.3 Integer Conversions

5.4 Integer Operations

5.5 Integer Vulnerabilities

5.6 Mitigation Strategies

5.7 Summary

Chapter 6: Formatted Output

6.1 Variadic Functions

6.2 Formatted Output Functions

6.3 Exploiting Formatted Output Functions

6.4 Stack Randomization

6.5 Mitigation Strategies

6.6 Notable Vulnerabilities

6.7 Summary

6.8 Further Reading

Chapter 7: Concurrency

7.1 Multithreading

7.2 Parallelism

7.3 Performance Goals

7.4 Common Errors

7.5 Mitigation Strategies

7.6 Mitigation Pitfalls

7.7 Notable Vulnerabilities

7.8 Summary

Chapter 8: File I/O

8.1 File I/O Basics

8.2 File I/O Interfaces

8.3 Access Control

8.4 File Identification

8.5 Race Conditions

8.6 Mitigation Strategies

8.7 Summary

Chapter 9: Recommended Practices

9.1 The Security Development Lifecycle

9.2 Security Training

9.3 Requirements

9.4 Design

9.5 Implementation

9.6 Verification

9.7 Summary

9.8 Further Reading

References

Acronyms

Index

 

Secure Coding in C and C++, CourseSmart eTextbook, 2nd Edition
Format: Safari Book

$27.49 | ISBN-13: 978-0-13-298196-5