Software Engineering Institute | Carnegie Mellon University



Secure Coding in C and C++, Second Edition

  • April 2013
  • In this book, Robert Seacord describes how to write secure C and C++ code and avoid the software defects most likely to cause exploitable vulnerabilities.
  • Secure Coding
  • Publisher: Addison-Wesley Professional | ISBN: 0-321-82213-7, 978-0-321-82213-0
  • Abstract

    Write secure C and C++ code—and avoid the software defects most likely to cause exploitable vulnerabilities! Straight from the world-renowned security experts at CERT/CC, Secure Coding in C and C++ (2nd Edition) identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives. Fully updated for the new C++11 standard, Secure Coding in C and C++, Second Edition presents extensive new coverage of strings, dynamic memory management, integer security, and many other topics—including an entirely new chapter on writing secure concurrent code. It contains hundreds of Windows- and Linux-based examples of secure code, insecure code, and exploits; comprehensive practical guidance for adopting modern security best practices; and important new insights for developing a security mindset that can help you protect software against tomorrow's attacks, not just today's. This edition also provides unique access to CERT's pioneering Online Learning Initiative (OLI) course on secure coding, originally funded by Cisco, Siemens, and other industry leaders to provide internal training to their own mission-critical developers. For every C/C++ developer who wants to write more secure code.

    Format: Hardcover

    About the Author

    Robert C. Seacord is a computer scientist, computer security specialist, and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering. He holds a bachelor's degree in computer science from Rensselaer Polytechnic Institute.

    Seacord manages the Secure Coding Initiative at the CERT Program, which is part of Carnegie Mellon University's Software Engineering Institute (SEI) in Pittsburgh, PA. CERT, among other security-related activities, regularly analyzes software vulnerability reports and assesses the risk to the Internet and other critical infrastructure. Robert is an adjunct professor in the Carnegie Mellon University School of Computer Science and also in the Information Networking Institute.

    Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert has also worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System.

    About the Team

    Current and former members of the CERT staff who contributed to the development of this book are pictured to the right. From left to right: Daniel Plakosh, Archie Andrews, David Svoboda, Dean Sutherland, Brad Rubbo, Jason Rafail, Robert Seacord, Chad Dougherty.

    About the Author

    Chapter 1: Running with Scissors

    1.1    Gauging the Threat

             What Is the Cost?

    Who Is the Threat?

    Software Security

    1.2    Security Concepts

    Security Policy

    Security Flaws

    1.3    C and C++

    A Brief History

    What Is the Problem with C?

    Legacy Code

    Other Languages

    1.4    Development Platforms

    Operating Systems


    1.5    Summary

    1.6    Further Reading

    Chapter 2 Strings

    2.1    Character Strings

    String Data Type


    Wide Strings

    String Literals

    Strings in C++

    Character Types

    Sizing Strings

    2.2    Common String Manipulation Errors

    Improperly Bounded String Copies

    Off-by-One Errors

    Null-Termination Errors

    String Truncation

    String Errors without Functions

    2.3    String Vulnerabilities and Exploits

    Tainted Data

    Security Flaw: IsPasswordOkay

    Buffer Overflows

    Process Memory Organization

    Stack Management

    Stack Smashing

    Code Injection

    Arc Injection

    Return-Oriented Programming

    2.4    Mitigation Strategies for Strings

    String Handling

    C11 Annex K, Bounds-Checking Interfaces

    Dynamic Allocation Functions

    C++ std::basic_string

    Invalidating String Object References

    Other Common Mistakes in basic_string Usage

    2.5    String-Handling Functions

    C11 Annex K, Bounds-Checking Interfaces: gets()

    Dynamic Allocation Functions

    strcpy() and strcat()

    strncpy() and strncat()

    memcpy() and memmove()


    2.6    Runtime Protection Strategies

    Detection and Recovery

    Input Validation

    Object Size Checking

    Visual Studio Compiler-Generated Runtime Checks

    Operating System Strategies

    Nonexecutable Stacks

    Future Directions

    Chapter 3 Pointer Subterfuge

    3.1    Data Locations

    3.2    Function Pointers

    3.3    Data Pointers

    3.4    Modifying the Instruction Pointer

    3.5    Global Offset Table

    3.6    The .dtors Section

    3.7    Virtual Pointers

    3.8    The atexit() and on_exit() Functions

    3.9    The longjmp() Function

    3.10  Exception Handling

    Structured Exception Handling

    System Default Exception Handling

    3.11  Mitigation Strategies

    Stack Canaries


    Encoding and Decoding Function Pointers

    3.12  Summary

    3.13  Further Reading

    Chapter 4 Dynamic Memory Management

    4.1    C Memory Management

    C Standard Memory Management Functions


    alloca() and Variable Length Arrays

    4.2    Common C Memory Management Errors

    Initialization Errors

    Failing to Check Return Values

    Dereferencing Null or Invalid Pointers

    Referencing Freed Memory

    Freeing Memory Multiple Times

    Memory Leaks

    Zero-Length Allocations

    DR #400

    4.3    C++ Dynamic Memory Management

    Allocation Functions

    Deallocation Functions

    Garbage Collection

    4.4    Common C++ Memory Management Errors

    Failing to Correctly Check for Allocation Failure

    4.5    Improperly Paired Memory Management Functions

    Incorrectly Pairing C and C++ Allocation and Deallocation Functions

    Incorrectly Pairing Scalar and Array Operators

    new and operator new()

    Member new

    Placement new

    Improperly Paired Memory Management Functions Summary

    Freeing Memory Multiple Times

    Deallocation Function Throws an Exception

    4.6    Memory Managers

    4.7    Doug Lea's Memory Allocator

    Buffer Overflows on the Heap

    4.8    Double-Free Vulnerabilities

    Writing to Freed Memory


    Buffer Overflows (Redux)

    4.9    Mitigation Strategies

    Null Pointers

    Consistent Memory Management Conventions

    The jemalloc Memory Manager

    Static Analysis

    Runtime Analysis Tools

    4.10  Notable Vulnerabilities

    CVS Buffer Overflow Vulnerability

    Microsoft Data Access Components (MDAC)

    CVS Server Double-Free

    Vulnerabilities in MIT Kerberos 5

    4.11  Summary

    Chapter 5 Integer Security

    5.1    Introduction to Integer Security

    5.2    Integer Data Types

    Unsigned Integer Types


    Signed Integer Types

    Signed Integer Ranges

    Integer Overflow

    Character Types

    Data Models

    Other Integer Types

    5.3    Integer Conversions

    Converting Integers

    Integer Conversion Rank

    Integer Promotions

    Usual Arithmetic Conversions

    Conversions from Unsigned Integer Types

    Conversions from Signed Integer Types

    Conversion Implications

    5.4    Integer Operations

    Division and Remainder


    5.5    Integer Vulnerabilities

    Conversion and Truncation Errors

    Nonexceptional Integer Logic Errors

    Mitigation Strategies

    5.6    Mitigation Strategies

    Abstract Data Types

    Arbitrary-Precision Arithmetic

    Range Checking

    Precondition and Postcondition Testing

    Secure Integer Libraries

    Overflow Detection

    Compiler-Generated Runtime Checks

    As-If Infinitely Ranged Integer Model

    Testing and Analysis

    5.7    Summary

    Chapter 6 Formatted Output

    6.1    Variadic Functions

    6.2    Formatted Output Functions

    Format Strings


    Visual C++

    6.3    Exploiting Formatted Output Functions

    Buffer Overflow

    Output Streams

    Crashing a Program

    Viewing Stack Content

    Viewing Memory Content

    Overwriting Memory


    Wide-Character Format String Vulnerabilities

    6.4    Stack Randomization

    Defeating Stack Randomization

    Writing Addresses in Two Words

    Direct Argument Access

    6.5    Mitigation Strategies

    Exclude User Input from Format Strings

    Dynamic Use of Static Content

    Restricting Bytes Written

    C11 Annex K Bounds-Checking Interfaces

    iostream versus stdio


    Compiler Checks

    Static Taint Analysis

    Modifying the Variadic Function Implementation

    Exec Shield


    Static Binary Analysis

    6.6    Notable Vulnerabilities

    Washington University FTP Daemon

    CDE ToolTalk

    Ettercap v.NG-0.7.2

    6.7    Summary

    6.8    Further Reading

    Chapter 7 Concurrency

    7.1    Introduction

    Data Parallelism

    Task Parallelism

    7.2    Performance Goals

    Amdahl's Law

    7.3    Concurrency Pitfalls

    Race Conditions

    Corrupted Values

    7.4    Concurrency Mitigations

    Immutable Data Structures

    Mitigation Properties

    Mitigation Pitfalls

    The ABA Problem

    7.5    Concurrency in C and C++

    Memory Model

    C and C++ Concurrency Pitfalls

    Volatile Objects

    C and C++ Concurrency Mitigations


    Thread Role Analysis

    7.6    Concurrency Vulnerabilities

    DoS Attacks in Multicore Dynamic Random-Access Memory (DRAM) Systems

    Concurrency Vulnerabilities in System Call Wrappers

    Chapter 8 File I/O

    8.1    File I/O Basics

    File Systems

    Special Files

    8.2    File I/O Interfaces

    Data Streams

    Opening and Closing Files


    File I/O in C++

    8.3    Access Control

    UNIX File Permissions

    Process Privileges

    Changing Privileges

    Managing Privileges

    Managing Permissions

    8.4    File Identification

    Directory Traversal

    Equivalence Errors

    Symbolic Links


    Hard Links

    Device Files

    File Attributes

    8.5    Race Conditions

    Time of Check, Time of Use (TOCTOU)

    Create without Replace

    Exclusive Access

    Shared Directories

    8.6    Mitigation Strategies

    Closing the Race Window

    Eliminating the Race Object

    Controlling Access to the Race Object

    Race Detection Tools

    8.7    Summary

    Chapter 9 Recommended Practices

    9.1    The Security Development Lifecycle


    Planning and Tracking

    Quality Management

    9.2    Security Training

    9.3    Requirements

    Secure Coding Standards

    Systems Quality Requirements Engineering

    Use/Misuse Cases

    9.4    Design

    Secure Software Development Principles

    Threat Modeling

    Analyze Attack Surface

    Vulnerabilities in Existing Code

    Secure Wrappers

    Input Validation

    Trust Boundaries

    9.5    Implementation

    Compiler Security Features

    As-If Infinitely Ranged (AIR) Integer Model

    Safe Secure C/C++

    Static Analysis

    Source Code Analysis Laboratory (SCALe)

    Defense in Depth

    9.6    Verification

    Static Analysis

    Penetration Testing

    Fuzz Testing

    Code Audits

    Developer Guidelines and Checklists

    Independent Security Review

    Attack Surface Review

    9.7    Summary

    9.8    Further Reading


Cite This Book

    title = {Secure Coding in C and C++},
    publisher = {Addison-Wesley Professional},