Book description
“At Cisco, we have adopted the CERT C Coding Standard as the internal secure coding standard for all C developers. It is a core component of our secure development lifecycle. The coding standard described in this book breaks down complex software security topics into easy-to-follow rules with excellent real-world examples. It is an essential reference for any developer who wishes to write secure and resilient software in C and C++.”
—Edward D. Paradise, vice president, engineering, threat response, intelligence, and development, Cisco Systems
Secure programming in C can be more difficult than even many experienced programmers realize. To help programmers write more secure code, The CERT® C Coding Standard, Second Edition, fully documents the second official release of the CERT standard for secure coding in C. The rules laid forth in this new edition will help ensure that programmers’ code fully complies with the new C11 standard; it also addresses earlier versions, including C99.
The new standard itemizes those coding errors that are the root causes of current software vulnerabilities in C, prioritizing them by severity, likelihood of exploitation, and remediation costs. Each of the text’s 98 guidelines includes examples of insecure code as well as secure, C11-conforming, alternative implementations. If uniformly applied, these guidelines will eliminate critical coding errors that lead to buffer overflows, format-string vulnerabilities, integer overflow, and other common vulnerabilities.
This book reflects numerous experts’ contributions to the open development and review of the rules and recommendations that comprise this standard.
Coverage includes
- Preprocessor
- Declarations and Initialization
- Expressions
- Integers
- Floating Point
- Arrays
- Characters and Strings
- Memory Management
- Input/Output
- Environment
- Signals
- Error Handling
- Concurrency
- Miscellaneous Issues
Table of contents
- About This eBook
- Title Page
- Copyright Page
- Dedication Page
- Contents
- Preface
- Acknowledgments
- Contributors
- About the Author
- Chapter 1. Preprocessor (PRE)
- Chapter 2. Declarations and Initialization (DCL)
- DCL30-C. Declare objects with appropriate storage durations
- DCL31-C. Declare identifiers before using them
- DCL36-C. Do not declare an identifier with conflicting linkage classifications
- DCL37-C. Do not declare or define a reserved identifier
- DCL38-C. Use the correct syntax when declaring a flexible array member
- DCL39-C. Avoid information leakage in structure padding
- DCL40-C. Do not create incompatible declarations of the same function or object
- DCL41-C. Do not declare variables inside a switch statement before the first case label
- Chapter 3. Expressions (EXP)
- EXP30-C. Do not depend on the order of evaluation for side effects
- EXP32-C. Do not access a volatile object through a nonvolatile reference
- EXP33-C. Do not read uninitialized memory
- EXP34-C. Do not dereference null pointers
- EXP35-C. Do not modify objects with temporary lifetime
- EXP36-C. Do not cast pointers into more strictly aligned pointer types
- EXP37-C. Call functions with the correct number and type of arguments
- EXP39-C. Do not access a variable through a pointer of an incompatible type
- EXP40-C. Do not modify constant objects
- EXP42-C. Do not compare padding data
- EXP43-C. Avoid undefined behavior when using restrict-qualified pointers
- EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic
- EXP45-C. Do not perform assignments in selection statements
- Chapter 4. Integers (INT)
- INT30-C. Ensure that unsigned integer operations do not wrap
- INT31-C. Ensure that integer conversions do not result in lost or misinterpreted data
- INT32-C. Ensure that operations on signed integers do not result in overflow
- INT33-C. Ensure that division and remainder operations do not result in divide-by-zero errors
- INT34-C. Do not shift an expression by a negative number of bits or by greater than or equal to the number of bits that exist in the operand
- INT35-C. Use correct integer precisions
- INT36-C. Converting a pointer to integer or integer to pointer
- Chapter 5. Floating Point (FLP)
- Chapter 6. Arrays (ARR)
- ARR30-C. Do not form or use out-of-bounds pointers or array subscripts
- ARR32-C. Ensure size arguments for variable length arrays are in a valid range
- ARR36-C. Do not subtract or compare two pointers that do not refer to the same array
- ARR37-C. Do not add or subtract an integer to a pointer to a non-array object
- ARR38-C. Guarantee that library functions do not form invalid pointers
- ARR39-C. Do not add or subtract a scaled integer to a pointer
- Chapter 7. Characters and Strings (STR)
- STR30-C. Do not attempt to modify string literals
- STR31-C. Guarantee that storage for strings has sufficient space for character data and the null terminator
- STR32-C. Do not pass a non-null-terminated character sequence to a library function that expects a string
- STR34-C. Cast characters to unsigned char before converting to larger integer sizes
- STR37-C. Arguments to character handling functions must be representable as an unsigned char
- STR38-C. Do not confuse narrow and wide character strings and functions
- Chapter 8. Memory Management (MEM)
- MEM30-C. Do not access freed memory
- MEM31-C. Free dynamically allocated memory when no longer needed
- MEM33-C. Allocate and copy structures containing a flexible array member dynamically
- MEM34-C. Only free memory allocated dynamically
- MEM35-C. Allocate sufficient memory for an object
- MEM36-C. Do not modify the alignment of objects by calling realloc()
- Chapter 9. Input/Output (FIO)
- FIO30-C. Exclude user input from format strings
- FIO31-C. Do not open a file that is already open
- FIO32-C. Do not perform operations on devices that are only appropriate for files
- FIO34-C. Distinguish between characters read from a file and EOF or WEOF
- FIO37-C. Do not assume that fgets() or fgetws() returns a nonempty string when successful
- FIO38-C. Do not copy a FILE object
- FIO39-C. Do not alternately input and output from a stream without an intervening flush or positioning call
- FIO40-C. Reset strings on fgets() or fgetws() failure
- FIO41-C. Do not call getc(), putc(), getwc(), or putwc() with a stream argument that has side effects
- FIO42-C. Close files when they are no longer needed
- FIO44-C. Only use values for fsetpos() that are returned from fgetpos()
- FIO45-C. Avoid TOCTOU race conditions while accessing files
- FIO46-C. Do not access a closed file
- FIO47-C. Use valid format strings
- Chapter 10. Environment (ENV)
- ENV30-C. Do not modify the object referenced by the return value of certain functions
- ENV31-C. Do not rely on an environment pointer following an operation that may invalidate it
- ENV32-C. All exit handlers must return normally
- ENV33-C. Do not call system()
- ENV34-C. Do not store pointers returned by certain functions
- Chapter 11. Signals (SIG)
- Chapter 12. Error Handling (ERR)
- Chapter 13. Concurrency (CON)
- CON30-C. Clean up thread-specific storage
- CON31-C. Do not destroy a mutex while it is locked
- CON32-C. Prevent data races when accessing bit-fields from multiple threads
- CON33-C. Avoid race conditions when using library functions
- CON34-C. Declare objects shared between threads with appropriate storage durations
- CON35-C. Avoid deadlock by locking in a predefined order
- CON36-C. Wrap functions that can spuriously wake up in a loop
- CON37-C. Do not call signal() in a multithreaded program
- CON38-C. Preserve thread-safety and liveness when using condition variables
- CON39-C. Do not join or detach a thread that was previously joined or detached
- CON40-C. Do not refer to an atomic variable twice in an expression
- CON41-C. Wrap functions that can fail spuriously in a loop
- Chapter 14. Miscellaneous (MSC)
- MSC30-C. Do not use the rand() function for generating pseudorandom numbers
- MSC32-C. Properly seed pseudorandom number generators
- MSC33-C. Do not pass invalid data to the asctime() function
- MSC37-C. Ensure that control never reaches the end of a non-void function
- MSC38-C. Do not treat a predefined identifier as an object if it might only be implemented as a macro
- MSC39-C. Do not call va_arg() on a va_list that has an indeterminate value
- MSC40-C. Do not violate constraints
- Appendix A. Glossary
- Appendix B. Undefined Behavior
- Appendix C. Unspecified Behavior
- Bibliography
- Index
Product information
- Title: The CERT ® C Coding Standard: 98 Rules for Developing Safe, Reliable, and Secure Systems, Second Edition
- Author(s):
- Release date: April 2014
- Publisher(s): Addison-Wesley Professional
- ISBN: 9780133812275