Secure Coding in C and C++, 2nd Edition
• Book
Publisher
Addison-Wesley Professional
ISBN
978-0-321-82213-0Subjects
Abstract
Write secure C and C++ code—and avoid the software defects most likely to cause exploitable vulnerabilities! Straight from the world-renowned security experts at CERT/CC, Secure Coding in C and C++ (2nd Edition) identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives. Fully updated for the new C++11 standard, Secure Coding in C and C++, Second Edition presents extensive new coverage of strings, dynamic memory management, integer security, and many other topics—including an entirely new chapter on writing secure concurrent code. It contains hundreds of Windows- and Linux-based examples of secure code, insecure code, and exploits; comprehensive practical guidance for adopting modern security best practices; and important new insights for developing a security mindset that can help you protect software against tomorrow's attacks, not just today's. This edition also provides unique access to CERT's pioneering Online Learning Initiative (OLI) course on secure coding, originally funded by Cisco, Siemens, and other industry leaders to provide internal training to their own mission-critical developers. For every C/C++ developer who wants to write more secure code.
Format: Hardcover
About the Author
Robert C. Seacord is a computer scientist, computer security specialist, and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering. He has a Bachelor in computer science from Rensselaer Polytechnic Institute.
Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System.
About the Team
Current and former members of the CERT staff who contributed to the development of this book are pictured to the right. From left to right: Daniel Plakosh, Archie Andrews, David Svoboda, Dean Sutherland, Brad Rubbo, Jason Rafail, Robert Seacord, Chad Dougherty.
Contents
Foreword
Preface
About the Author
Chapter 1: Running with Scissors
1.1 Gauging the Threat
What Is the Cost?
Who Is the Threat?
Software Security
1.2 Security Concepts
Security Policy
Security Flaws
Vulnerabilities
Exploits
Mitigations
1.3 C and C++
A Brief History
What Is the Problem with C?
Legacy Code
Other Languages
1.4 Development Platforms
Operating Systems
Compilers
1.5 Summary
1.6 Further Reading
Chapter 2 Strings
2.1 Character Strings
String Data Type
UTF-8
Wide Strings
String Literals
Strings in C++
Character Types
Sizing Strings
2.2 Common String Manipulation Errors
Improperly Bounded String Copies
Off-by-One Errors
Null-Termination Errors
String Truncation
String Errors without Functions
2.3 String Vulnerabilities and Exploits
Tainted Data
Security Flaw: IsPasswordOkay
Buffer Overflows
Process Memory Organization
Stack Management
Stack Smashing
Code Injection
Arc Injection
Return-Oriented Programming
2.4 Mitigation Strategies for Strings
String Handling
C11 Annex K, Bounds-Checking Interfaces
Dynamic Allocation Functions
C++ std::basic_string
Invalidating String Object References
Other Common Mistakes in basic_string Usage
2.5 String-Handling Functions
gets()
C11
C11 Annex K, Bounds-Checking Interfaces: gets()
Dynamic Allocation Functions
strcpy() and strcat()
strncpy() and strncat()
memcpy() and memmove()
strlen()
2.6 Runtime Protection Strategies
Detection and Recovery
Input Validation
Object Size Checking
Visual Studio Compiler-Generated Runtime Checks
Operating System Strategies
Nonexecutable Stacks
Future Directions
Chapter 3 Pointer Subterfuge
3.1 Data Locations
3.2 Function Pointers
3.3 Data Pointers
3.4 Modifying the Instruction Pointer
3.5 Global Offset Table
3.6 The .dtors Section
3.7 Virtual Pointers
3.8 The atexit() and on_exit() Functions
3.9 The longjmp() Function
3.10 Exception Handling
Structured Exception Handling
System Default Exception Handling
3.11 Mitigation Strategies
Stack Canaries
W^X
Encoding and Decoding Function Pointers
3.12 Summary
3.13 Further Reading
Chapter 4 Dynamic Memory Management
4.1 C Memory Management
C Standard Memory Management Functions
Alignment
alloca() and Variable Length Arrays
4.2 Common C Memory Management Errors
Initialization Errors
Failing to Check Return Values
Dereferencing Null or Invalid Pointers
Referencing Freed Memory
Freeing Memory Multiple Times
Memory Leaks
Zero-Length Allocations
DR #400
4.3 C++ Dynamic Memory Management
Allocation Functions
Deallocation Functions
Garbage Collection
4.4 Common C++ Memory Management Errors
Failing to Correctly Check for Allocation Failure
4.5 Improperly Paired Memory Management Functions
Incorrectly Pairing C and C++ Allocation and Deallocation Functions
Incorrectly Pairing Scalar and Array Operators
new and operator new()
Member new
Placement new
Improperly Paired Memory Management Functions Summary
Freeing Memory Multiple Times
Deallocation Function Throws an Exception
4.6 Memory Managers
4.7 Doug Lea's Memory Allocator
Buffer Overflows on the Heap
4.8 Double-Free Vulnerabilities
Writing to Freed Memory
RtlHeap
Buffer Overflows (Redux)
4.9 Mitigation Strategies
Null Pointers
Consistent Memory Management Conventions
Phkmalloc
Randomization
OpenBSD
The jemalloc Memory Manager
Static Analysis
Runtime Analysis Tools
4.10 Notable Vulnerabilities
CVS Buffer Overflow Vulnerability
Microsoft Data Access Components (MDAC)
CVS Server Double-Free
Vulnerabilities in MIT Kerberos 5
4.11 Summary
Chapter 5 Integer Security
5.1 Introduction to Integer Security
5.2 Integer Data Types
Unsigned Integer Types
Wraparound
Signed Integer Types
Signed Integer Ranges
Integer Overflow
Character Types
Data Models
Other Integer Types
5.3 Integer Conversions
Converting Integers
Integer Conversion Rank
Integer Promotions
Usual Arithmetic Conversions
Conversions from Unsigned Integer Types
Conversions from Signed Integer Types
Conversion Implications
5.4 Integer Operations
Assignment
Addition
Subtraction
Multiplication
Division and Remainder
Shifts
5.5 Integer Vulnerabilities
Vulnerabilities
Wraparound
Conversion and Truncation Errors
Nonexceptional Integer Logic Errors
Mitigation Strategies
5.6 Mitigation Strategies
Abstract Data Types
Arbitrary-Precision Arithmetic
Range Checking
Precondition and Postcondition Testing
Secure Integer Libraries
Overflow Detection
Compiler-Generated Runtime Checks
As-If Infinitely Ranged Integer Model
Testing and Analysis
5.7 Summary
Chapter 6 Formatted Output
6.1 Variadic Functions
6.2 Formatted Output Functions
Format Strings
GCC
Visual C++
6.3 Exploiting Formatted Output Functions
Buffer Overflow
Output Streams
Crashing a Program
Viewing Stack Content
Viewing Memory Content
Overwriting Memory
Internationalization
Wide-Character Format String Vulnerabilities
6.4 Stack Randomization
Defeating Stack Randomization
Writing Addresses in Two Words
Direct Argument Access
6.5 Mitigation Strategies
Exclude User Input from Format Strings
Dynamic Use of Static Content
Restricting Bytes Written
C11 Annex K Bounds-Checking Interfaces
iostream versus stdio
Testing
Compiler Checks
Static Taint Analysis
Modifying the Variadic Function Implementation
Exec Shield
FormatGuard
Static Binary Analysis
6.6 Notable Vulnerabilities
Washington University FTP Daemon
CDE ToolTalk
Ettercap v.NG-0.7.2
6.7 Summary
6.8 Further Reading
Chapter 7 Concurrency
7.1 Introduction
Multithreading
Parallelism
Data Parallelism
Task Parallelism
7.2 Performance Goals
Amdahl's Law
7.3 Concurrency Pitfalls
Race Conditions
Corrupted Values
7.4 Concurrency Mitigations
Immutable Data Structures
Mitigation Properties
Mitigation Pitfalls
The ABA Problem
7.5 Concurrency in C and C++
Memory Model
C and C++ Concurrency Pitfalls
Volatile Objects
C and C++ Concurrency Mitigations
Fences
Thread Role Analysis
7.6 Concurrency Vulnerabilities
DoS Attacks in Multicore Dynamic Random-Access Memory (DRAM) Systems
Concurrency Vulnerabilities in System Call Wrappers
Chapter 8 File I/O
8.1 File I/O Basics
File Systems
Special Files
8.2 File I/O Interfaces
Data Streams
Opening and Closing Files
POSIX
File I/O in C++
8.3 Access Control
UNIX File Permissions
Process Privileges
Changing Privileges
Managing Privileges
Managing Permissions
8.4 File Identification
Directory Traversal
Equivalence Errors
Symbolic Links
Canonicalization
Hard Links
Device Files
File Attributes
8.5 Race Conditions
Time of Check, Time of Use (TOCTOU)
Create without Replace
Exclusive Access
Shared Directories
8.6 Mitigation Strategies
Closing the Race Window
Eliminating the Race Object
Controlling Access to the Race Object
Race Detection Tools
8.7 Summary
Chapter 9 Recommended Practices
9.1 The Security Development Lifecycle
TSP-Secure
Planning and Tracking
Quality Management
9.2 Security Training
9.3 Requirements
Secure Coding Standards
Systems Quality Requirements Engineering
Use/Misuse Cases
9.4 Design
Secure Software Development Principles
Threat Modeling
Analyze Attack Surface
Vulnerabilities in Existing Code
Secure Wrappers
Input Validation
Trust Boundaries
Blacklisting
Whitelisting
Testing
9.5 Implementation
Compiler Security Features
As-If Infinitely Ranged (AIR) Integer Model
Safe Secure C/C++
Static Analysis
Source Code Analysis Laboratory (SCALe)
Defense in Depth
9.6 Verification
Static Analysis
Penetration Testing
Fuzz Testing
Code Audits
Developer Guidelines and Checklists
Independent Security Review
Attack Surface Review
9.7 Summary
9.8 Further Reading
References
Acronyms
Index