Secure Coding in C and C++, 2nd Edition

Write secure C and C++ code—and avoid the software defects most likely to cause exploitable vulnerabilities! Straight from the world-renowned security experts at CERT/CC, Secure Coding in C and C++ (2nd Edition) identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives. Fully updated for the new C++11 standard, Secure Coding in C and C++, Second Edition presents extensive new coverage of strings, dynamic memory management, integer security, and many other topics—including an entirely new chapter on writing secure concurrent code. It contains hundreds of Windows- and Linux-based examples of secure code, insecure code, and exploits; comprehensive practical guidance for adopting modern security best practices; and important new insights for developing a security mindset that can help you protect software against tomorrow's attacks, not just today's. This edition also provides unique access to CERT's pioneering Online Learning Initiative (OLI) course on secure coding, originally funded by Cisco, Siemens, and other industry leaders to provide internal training to their own mission-critical developers. For every C/C++ developer who wants to write more secure code.

Format: Hardcover

Robert C. Seacord is a computer scientist, computer security specialist, and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering. He has a Bachelor in computer science from Rensselaer Polytechnic Institute.

Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System.

Current and former members of the CERT staff who contributed to the development of this book are pictured to the right. From left to right: Daniel Plakosh, Archie Andrews, David Svoboda, Dean Sutherland, Brad Rubbo, Jason Rafail, Robert Seacord, Chad Dougherty.

Foreword

Preface

About the Author

Chapter 1: Running with Scissors

1.1 Gauging the Threat

What Is the Cost?

Who Is the Threat?

Software Security

1.2 Security Concepts

Security Policy

Security Flaws

Vulnerabilities

Exploits

Mitigations

1.3 C and C++

A Brief History

What Is the Problem with C?

Legacy Code

Other Languages

1.4 Development Platforms

Operating Systems

Compilers

1.5 Summary

1.6 Further Reading

Chapter 2 Strings

2.1 Character Strings

String Data Type

UTF-8

Wide Strings

String Literals

Strings in C++

Character Types

Sizing Strings

2.2 Common String Manipulation Errors

Improperly Bounded String Copies

Off-by-One Errors

Null-Termination Errors

String Truncation

String Errors without Functions

2.3 String Vulnerabilities and Exploits

Tainted Data

Security Flaw: IsPasswordOkay

Buffer Overflows

Process Memory Organization

Stack Management

Stack Smashing

Code Injection

Arc Injection

Return-Oriented Programming

2.4 Mitigation Strategies for Strings

String Handling

C11 Annex K, Bounds-Checking Interfaces

Dynamic Allocation Functions

C++ std::basic_string

Invalidating String Object References

Other Common Mistakes in basic_string Usage

2.5 String-Handling Functions

gets()

C11

C11 Annex K, Bounds-Checking Interfaces: gets()

Dynamic Allocation Functions

strcpy() and strcat()

strncpy() and strncat()

memcpy() and memmove()

strlen()

2.6 Runtime Protection Strategies

Detection and Recovery

Input Validation

Object Size Checking

Visual Studio Compiler-Generated Runtime Checks

Operating System Strategies

Nonexecutable Stacks

Future Directions

Chapter 3 Pointer Subterfuge

3.1 Data Locations

3.2 Function Pointers

3.3 Data Pointers

3.4 Modifying the Instruction Pointer

3.5 Global Offset Table

3.6 The .dtors Section

3.7 Virtual Pointers

3.8 The atexit() and on_exit() Functions

3.9 The longjmp() Function

3.10 Exception Handling

Structured Exception Handling

System Default Exception Handling

3.11 Mitigation Strategies

Stack Canaries

W^X

Encoding and Decoding Function Pointers

3.12 Summary

3.13 Further Reading

Chapter 4 Dynamic Memory Management

4.1 C Memory Management

C Standard Memory Management Functions

Alignment

alloca() and Variable Length Arrays

4.2 Common C Memory Management Errors

Initialization Errors

Failing to Check Return Values

Dereferencing Null or Invalid Pointers

Referencing Freed Memory

Freeing Memory Multiple Times

Memory Leaks

Zero-Length Allocations

DR #400

4.3 C++ Dynamic Memory Management

Allocation Functions

Deallocation Functions

Garbage Collection

4.4 Common C++ Memory Management Errors

Failing to Correctly Check for Allocation Failure

4.5 Improperly Paired Memory Management Functions

Incorrectly Pairing C and C++ Allocation and Deallocation Functions

Incorrectly Pairing Scalar and Array Operators

new and operator new()

Member new

Placement new

Improperly Paired Memory Management Functions Summary

Freeing Memory Multiple Times

Deallocation Function Throws an Exception

4.6 Memory Managers

4.7 Doug Lea's Memory Allocator

Buffer Overflows on the Heap

4.8 Double-Free Vulnerabilities

Writing to Freed Memory

RtlHeap

Buffer Overflows (Redux)

4.9 Mitigation Strategies

Null Pointers

Consistent Memory Management Conventions

Phkmalloc

Randomization

OpenBSD

The jemalloc Memory Manager

Static Analysis

Runtime Analysis Tools

4.10 Notable Vulnerabilities

CVS Buffer Overflow Vulnerability

Microsoft Data Access Components (MDAC)

CVS Server Double-Free

Vulnerabilities in MIT Kerberos 5

4.11 Summary

Chapter 5 Integer Security

5.1 Introduction to Integer Security

5.2 Integer Data Types

Unsigned Integer Types

Wraparound

Signed Integer Types

Signed Integer Ranges

Integer Overflow

Character Types

Data Models

Other Integer Types

5.3 Integer Conversions

Converting Integers

Integer Conversion Rank

Integer Promotions

Usual Arithmetic Conversions

Conversions from Unsigned Integer Types

Conversions from Signed Integer Types

Conversion Implications

5.4 Integer Operations

Assignment

Addition

Subtraction

Multiplication

Division and Remainder

Shifts

5.5 Integer Vulnerabilities

Vulnerabilities

Wraparound

Conversion and Truncation Errors

Nonexceptional Integer Logic Errors

Mitigation Strategies

5.6 Mitigation Strategies

Abstract Data Types

Arbitrary-Precision Arithmetic

Range Checking

Precondition and Postcondition Testing

Secure Integer Libraries

Overflow Detection

Compiler-Generated Runtime Checks

As-If Infinitely Ranged Integer Model

Testing and Analysis

5.7 Summary

Chapter 6 Formatted Output

6.1 Variadic Functions

6.2 Formatted Output Functions

Format Strings

GCC

Visual C++

6.3 Exploiting Formatted Output Functions

Buffer Overflow

Output Streams

Crashing a Program

Viewing Stack Content

Viewing Memory Content

Overwriting Memory

Internationalization

Wide-Character Format String Vulnerabilities

6.4 Stack Randomization

Defeating Stack Randomization

Writing Addresses in Two Words

Direct Argument Access

6.5 Mitigation Strategies

Exclude User Input from Format Strings

Dynamic Use of Static Content

Restricting Bytes Written

C11 Annex K Bounds-Checking Interfaces

iostream versus stdio

Testing

Compiler Checks

Static Taint Analysis

Modifying the Variadic Function Implementation

Exec Shield

FormatGuard

Static Binary Analysis

6.6 Notable Vulnerabilities

Washington University FTP Daemon

CDE ToolTalk

Ettercap v.NG-0.7.2

6.7 Summary

6.8 Further Reading

Chapter 7 Concurrency

7.1 Introduction

Multithreading

Parallelism

Data Parallelism

Task Parallelism

7.2 Performance Goals

Amdahl's Law

7.3 Concurrency Pitfalls

Race Conditions

Corrupted Values

7.4 Concurrency Mitigations

Immutable Data Structures

Mitigation Properties

Mitigation Pitfalls

The ABA Problem

7.5 Concurrency in C and C++

Memory Model

C and C++ Concurrency Pitfalls

Volatile Objects

C and C++ Concurrency Mitigations

Fences

Thread Role Analysis

7.6 Concurrency Vulnerabilities

DoS Attacks in Multicore Dynamic Random-Access Memory (DRAM) Systems

Concurrency Vulnerabilities in System Call Wrappers

Chapter 8 File I/O

8.1 File I/O Basics

File Systems

Special Files

8.2 File I/O Interfaces

Data Streams

Opening and Closing Files

POSIX

File I/O in C++

8.3 Access Control

UNIX File Permissions

Process Privileges

Changing Privileges

Managing Privileges

Managing Permissions

8.4 File Identification

Directory Traversal

Equivalence Errors

Symbolic Links

Canonicalization

Hard Links

Device Files

File Attributes

8.5 Race Conditions

Time of Check, Time of Use (TOCTOU)

Create without Replace

Exclusive Access

Shared Directories

8.6 Mitigation Strategies

Closing the Race Window

Eliminating the Race Object

Controlling Access to the Race Object

Race Detection Tools

8.7 Summary

Chapter 9 Recommended Practices

9.1 The Security Development Lifecycle

TSP-Secure

Planning and Tracking

Quality Management

9.2 Security Training

9.3 Requirements

Secure Coding Standards

Systems Quality Requirements Engineering

Use/Misuse Cases

9.4 Design

Secure Software Development Principles

Threat Modeling

Analyze Attack Surface

Vulnerabilities in Existing Code

Secure Wrappers

Input Validation

Trust Boundaries

Blacklisting

Whitelisting

Testing

9.5 Implementation

Compiler Security Features

As-If Infinitely Ranged (AIR) Integer Model

Safe Secure C/C++

Static Analysis

Source Code Analysis Laboratory (SCALe)

Defense in Depth

9.6 Verification

Static Analysis

Penetration Testing

Fuzz Testing

Code Audits

Developer Guidelines and Checklists

Independent Security Review

Attack Surface Review

9.7 Summary

9.8 Further Reading

References

Acronyms

Index

Software Engineering Institute