CERT-SEI

Secure Coding in C and C++, Second Edition

Secure Coding in C and C++, Second Edition

Write secure C and C++ code—and avoid the software defects most likely to cause exploitable vulnerabilities. Secure Coding in C and C++ (2nd Edition) identifies the root causes of today's most widespread software vulnerabilities, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives.

Fully updated for the new C++11 standard, Secure Coding in C and C++, Second Edition presents extensive new coverage of strings, dynamic memory management, integer security, and many other topics—including an entirely new chapter on writing secure concurrent code. It contains hundreds of Windows- and Linux-based examples of secure code, insecure code, and exploits; comprehensive practical guidance for adopting modern security best practices; and important new insights for developing a security mindset that can help you protect software against tomorrow's attacks, not just today's.

This edition also provides unique access to the CERT Online Learning Initiative (OLI) course on secure coding, originally funded by Cisco, Siemens, and other industry leaders to provide internal training to their own mission-critical developers. For every C/C++ developer who wants to write more secure code.

Author: Robert C. Seacord (foreword by Richard D. Pethia, Director, CERT Division)

Related Training, Products, and Tools

Secure Coding in C and C++ Training Course
This four-day course provides a detailed explanation of common programming errors in C and C++ and describes how these errors can lead to code that is vulnerable to exploitation. The course concentrates on security issues intrinsic to the C and C++ programming languages and associated libraries. The intent is for this course to be useful to anyone involved in developing secure C and C++ programs regardless of the specific application.

Secure Coding Training Course
An ongoing development effort in collaboration with the Software Engineering Institute's CERT Division, this course focuses on common security issues in C and C++ development. With security expert Robert Seacord serving as lead content author, the course addresses a key need in professional education for software developers. Topics to be covered include the secure and insecure use of integers, arrays, strings, dynamic memory, formatted input/output functions, and file I/O. Continued development is being funded by partnerships with industry.

Source Code Analysis Laboratory (SCALe)
SCALe consists of commercial, open source, and experimental analysis that is used to analyze various code bases, including those from the DoD, energy delivery systems, medical devices, and more. SCALe provides value to the customer, but it also aids research into the effectiveness of coding rules and analysis.

Rosecheckers Tool
The CERT Division's Rosecheckers tool performs static analysis on C/C++ source files. It is designed to enforce the rules in the CERT C Coding standard.

Integer Security Tool
The CERT Division's Secure Coding researchers are working on a number of solutions for addressing the issue of integer security, including our prototype tool and a secure integer library.

Get the Book

Order Secure Coding in C and C++, Second Edition.

Order the Book Today

This book provides a meticulous treatment of the most common problems faced by software developers and provides practical solutions. 

—Richard Pethia, Director, CERT Division

Robert Seacord in 2012Robert C. Seacord is a computer scientist, computer security specialist, and writer. He is the author of books on computer security, legacy system modernization, and component-based software engineering. He has a bachelor's degree in computer science from Rensselaer Polytechnic Institute.

Seacord manages the Secure Coding Initiative at the CERT Division, which is part of Carnegie Mellon University's Software Engineering Institute (SEI) in Pittsburgh, PA. The CERT Division, among other security related activities, regularly analyzes software vulnerability reports and assesses the risk to the internet and other critical infrastructure. Robert is an adjunct professor in the Carnegie Mellon University School of Computer Science and also in the Information Networking Institute.

Robert started programming professionally for IBM in 1982, working in communications and operating system software, processor development, and software engineering. Robert also has worked at the X Consortium, where he developed and maintained code for the Common Desktop Environment and the X Window System.

Secure Coding Team 2012

Current and former members of the CERT staff who contributed to the development of this book are pictured to the right. From left to right: Daniel Plakosh, Archie Andrews, David Svoboda, Dean Sutherland, Brad Rubbo, Jason Rafail, Robert Seacord, and Chad Dougherty.

Foreword

Preface

About the Author

Chapter 1: Running with Scissors

1.1 Gauging the Threat
What Is the Cost?
Who Is the Threat?
Software Security

1.2 Security Concepts
Security Policy
Security Flaws
Vulnerabilities
Exploits
Mitigations

1.3 C and C++
A Brief History
What Is the Problem with C?
Legacy Code
Other Languages

1.4 Development Platforms
Operating Systems
Compilers

1.5 Summary

1.6 Further Reading

Chapter 2 Strings

2.1 Character Strings
String Data Type
UTF-8
Wide Strings
String Literals
Strings in C++
Character Types
Sizing Strings

2.2 Common String Manipulation Errors
Improperly Bounded String Copies
Off-by-One Errors
Null-Termination Errors
String Truncation
String Errors without Functions

2.3 String Vulnerabilities and Exploits
Tainted Data
Security Flaw: IsPasswordOkay
Buffer Overflows
Process Memory Organization
Stack Management
Stack Smashing
Code Injection
Arc Injection
Return-Oriented Programming

2.4 Mitigation Strategies for Strings
String Handling
C11 Annex K, Bounds-Checking Interfaces
Dynamic Allocation Functions
C++ std::basic_string
Invalidating String Object References
Other Common Mistakes in basic_string Usage

2.5 String-Handling Functions
gets()
C11
C11 Annex K, Bounds-Checking Interfaces: gets()
Dynamic Allocation Functions
strcpy() and strcat()
strncpy() and strncat()
memcpy() and memmove()
strlen()

2.6 Runtime Protection Strategies
Detection and Recovery
Input Validation
Object Size Checking
Visual Studio Compiler-Generated Runtime Checks
Operating System Strategies
Nonexecutable Stacks
Future Directions

Chapter 3 Pointer Subterfuge

3.1 Data Locations

3.2 Function Pointers

3.3 Data Pointers

3.4 Modifying the Instruction Pointer

3.5 Global Offset Table

3.6 The .dtors Section

3.7 Virtual Pointers

3.8 The atexit() and on_exit() Functions

3.9 The longjmp() Function

3.10 Exception Handling
Structured Exception Handling
System Default Exception Handling

3.11 Mitigation Strategies
Stack Canaries
W^X
Encoding and Decoding Function Pointers

3.12 Summary

3.13 Further Reading

Chapter 4 Dynamic Memory Management

4.1 C Memory Management
C Standard Memory Management Functions
Alignment
alloca() and Variable Length Arrays

4.2 Common C Memory Management Errors
Initialization Errors
Failing to Check Return Values
Dereferencing Null or Invalid Pointers
Referencing Freed Memory
Freeing Memory Multiple Times
Memory Leaks
Zero-Length Allocations
DR #400

4.3 C++ Dynamic Memory Management|
Allocation Functions
Deallocation Functions
Garbage Collection

4.4 Common C++ Memory Management Errors
Failing to Correctly Check for Allocation Failure

4.5 Improperly Paired Memory Management Functions
Incorrectly Pairing C and C++ Allocation and Deallocation Functions
Incorrectly Pairing Scalar and Array Operators
new and operator new()
Member new
Placement new
Improperly Paired Memory Management Functions Summary
Freeing Memory Multiple Times
Deallocation Function Throws an Exception

4.6 Memory Managers

4.7 Doug Lea's Memory Allocator
B uffer Overflows on the Heap

4.8 Double-Free Vulnerabilities
Writing to Freed Memory
RtlHeap
Buffer Overflows (Redux)

4.9 Mitigation Strategies
Null Pointers
Consistent Memory Management Conventions
Phkmalloc
Randomization
OpenBSD
The jemalloc Memory Manager
Static Analysis
Runtime Analysis Tools

4.10 Notable Vulnerabilities
CVS Buffer Overflow Vulnerability
Microsoft Data Access Components (MDAC)
CVS Server Double-Free
Vulnerabilities in MIT Kerberos 5

4.11 Summary

Chapter 5 Integer Security

5.1 Introduction to Integer Security
5.2 Integer Data Types
Unsigned Integer Types
Wraparound
Signed Integer Types
Signed Integer Ranges
Integer Overflow
Character Types
Data Models
Other Integer Types

5.3 Integer Conversions
Converting Integers
Integer Conversion Rank
Integer Promotions
Usual Arithmetic Conversions
Conversions from Unsigned Integer Types
Conversions from Signed Integer Types
Conversion Implications

5.4 Integer Operations
Assignment
Addition
Subtraction
Multiplication
Division and Remainder
Shifts

5.5 Integer Vulnerabilities
Vulnerabilities
Wraparound
Conversion and Truncation Errors
Nonexceptional Integer Logic Errors
Mitigation Strategies

5.6 Mitigation Strategies
Abstract Data Types
Arbitrary-Precision Arithmetic
Range Checking
Precondition and Postcondition Testing
Secure Integer Libraries
Overflow Detection
Compiler-Generated Runtime Checks
As-If Infinitely Ranged Integer Model
Testing and Analysis

5.7 Summary

Chapter 6 Formatted Output

6.1 Variadic Functions
6.2 Formatted Output Functions
Format Strings
GCC
Visual C++

6.3 Exploiting Formatted Output Functions
Buffer Overflow
Output Streams
Crashing a Program
Viewing Stack Content
Viewing Memory Content
Overwriting Memory
Internationalization
Wide-Character Format String Vulnerabilities

6.4 Stack Randomization
Defeating Stack Randomization
Writing Addresses in Two Words
Direct Argument Access

6.5 Mitigation Strategies
Exclude User Input from Format Strings
Dynamic Use of Static Content
Restricting Bytes Written
C11 Annex K Bounds-Checking Interfaces
iostream versus stdio
Testing
Compiler Checks
Static Taint Analysis
Modifying the Variadic Function Implementation
Exec Shield
FormatGuard
Static Binary Analysis

6.6 Notable Vulnerabilities
Washington University FTP Daemon
CDE ToolTalk
Ettercap v.NG-0.7.2

6.7 Summary
6.8 Further Reading

Chapter 7 Concurrency

7.1 Introduction
Multithreading
Parallelism
Data Parallelism
Task Parallelism

7.2 Performance Goals
Amdahl's Law

7.3 Concurrency Pitfalls
Race Conditions
Corrupted Values

7.4 Concurrency Mitigations
Immutable Data Structures
Mitigation Properties
Mitigation Pitfalls
The ABA Problem

7.5 Concurrency in C and C++
Memory Model
C and C++ Concurrency Pitfalls
Volatile Objects
C and C++ Concurrency Mitigations
Fences
Thread Role Analysis

7.6 Concurrency Vulnerabilities
DoS Attacks in Multicore Dynamic Random-Access Memory (DRAM) Systems
Concurrency Vulnerabilities in System Call Wrappers

Chapter 8 File I/O

8.1 File I/O Basics
File Systems
Special Files

8.2 File I/O Interfaces
Data Streams
Opening and Closing Files
POSIX
File I/O in C++

8.3 Access Control
UNIX File Permissions
Process Privileges
Changing Privileges
Managing Privileges
Managing Permissions

8.4 File Identification
Directory Traversal
Equivalence Errors
Symbolic Links
Canonicalization
Hard Links
Device Files
File Attributes

8.5 Race Conditions
Time of Check, Time of Use (TOCTOU)
Create without Replace
Exclusive Access
Shared Directories

8.6 Mitigation Strategies
Closing the Race Window
Eliminating the Race Object
Controlling Access to the Race Object
Race Detection Tools

8.7 Summary

Chapter 9 Recommended Practices

9.1 The Security Development Lifecycle
TSP-Secure
Planning and Tracking
Quality Management

9.2 Security Training
9.3 Requirements
Secure Coding Standards
Systems Quality Requirements Engineering
Use/Misuse Cases

9.4 Design
Secure Software Development Principles
Threat Modeling
Analyze Attack Surface
Vulnerabilities in Existing Code
Secure Wrappers
Input Validation
Trust Boundaries
Blacklisting
Whitelisting
Testing

9.5 Implementation
Compiler Security Features
As-If Infinitely Ranged (AIR) Integer Model
Safe Secure C/C++
Static Analysis
Source Code Analysis Laboratory (SCALe)
Defense in Depth

9.6 Verification
Static Analysis
Penetration Testing
Fuzz Testing
Code Audits
Developer Guidelines and Checklists
Independent Security Review
Attack Surface Review

9.7 Summary
9.8 Further Reading

References

Acronyms

Index

[Aleph 1996]
"Aleph One. Smashing the Stack for Fun and Profit." Phrack 7(49), 1996.

[Alexander 2003]
Alexander, I. "Misuse Cases: Use Cases with Hostile Intent." IEEE Software 20(1): 58–66, 2003.

[Alexandrescu 2010]
Alexandrescu, A. The D Programming Language. Upper Saddle River, NJ: Addison-Wesley, 2010.

[Alhazmi 2005a]
Alhazmi, O. H. and Y. K. Malaiya. Modeling the Vulnerability Discovery Process. In Proceedings of the 16th IEEE International Symposium on Software Reliability Engineering: ISSRE 2005, Chicago, November 8–11, 2005. Los Alamitos, CA: IEEE Computer Society Press, 2005.

[Alhazmi 2005b]
Alhazmi, O.; Y. K. Malaiya; & I. K. Ray. Security Vulnerabilities in Software Systems: A Quantitative Perspective Technical Report, CS T&R, AMR05. Fort Collins: Computer Science Department, Colorado State University, 2005.

[Allen 2001]
Allen, J. H. The CERT Guide to System and Network Security Practices. Boston: Addison-Wesley, 2001.

[Amarasinghe 2007]
Amarasinghe, S. Lecture 4, "Concurrent Programming," 6.189 IAP 2007. MIT, 2007.

[Andersen 2004]
Andersen, D., D. M. Cappelli, J. J. Gonzalez, M. Mojtahedzadeh, A. P. Moore, E. Rich, J. M. Sarriegui, T. J. Shimeall, J. M. Stanton, E. A. Weaver and A. Zagonel. Preliminary System Dynamics Maps of the Insider Cyber-Threat Problem. In Proceedings of the 22nd International Conference of the System Dynamics Society, Oxford, England, July 25–29, 2004. Albany, NY: System Dynamics Society, 2004.

[ANSI 1989]
American National Standards Institute. American National Standard for Information Systems: Programming Language C (X3.159-1989). Washington, DC: Author, 1989.

[argp 2012]
argp, huku. "Pseudomonarchia jemallocum." Phrack 0x0e, 0x44, Phile #0x0a of 0x13, April 2012.

[Aslani 2008]
Aslani, M, N. Chung, J. Doherty, N. Stockman, and W. Quach. "Comparison of Blackbox and Whitebox Fuzzers in Finding Software Bugs." Presented at the Team for Research in Ubiquitous Secure Technology (TRUST) Autumn 2008 Conference, Nashville, TN, 2008.

[AusCERT 2006]
Australian Computer Emergency Response Team. "Australian Computer Crime and Security Survey," 2006.

[Baratloo 2000]
Baratloo, A., N. Singh, and T. Tsai. Transparent Run-Time Defense against Stack Smashing Attacks. In Proceedings of 2000 USENIX Annual Technical Conference, San Diego, CA, June 18–23, 2000, pp. 251–262. Berkeley, CA: USENIX Association, 2000.

[Barbic 2007]
Barbic, J. "Multi-Core Architectures," (class lecture slides), 2007.

[Barney 2012]
Barney, B. "Introduction to Parallel Computing." Livermore Computing, Lawrence Livermore National Laboratory, 2012.

[Bass 2013]
Bass, L., P. Clements, and R. Kazman. Software Architecture in Practice, 3rd ed. SEI Series in Software Engineering. Upper Saddle River, NJ: Addison-Wesley Professional, 2013.

[Behrends 2004]
Behrends, R., R. Stirewalt, and L. Dillon. "Avoiding Serialization Vulnerabilities Through the Use of Synchronization Contracts." In Workshops at the 19th International Conference of Automated Software Engineering, Linz, Austria, September 20–24, 2004, pp. 207–219. Vienna, Austria: Österreichische Computer Gesellschaft, 2004.

[Bergin 1996]
Bergin, T. J. and R. G. Gibson, eds. History of Programming Languages II. New York and Reading, MA: ACM Press/Addison-Wesley, 1996.

[Bessey 2010]
Bessey, A., K. Block, B. Chelf, A. Chou, B. Fulton, S. Hallem, C. Henri-Gros, A. Kamsky, S. McPeak, and D. Engler. "A Few Billion Lines of Code Later: Using Static Analysis to Find Bugs in the Real World." Communications of the ACM, 53(2): 66–75, 2010.

[Bier 2011]
Bier, N., M. Lovett, and R. Seacord. "An Online Learning Approach to Information Systems Security Education." In Proceedings of the 15th Colloquium for Information Systems Security Education, June 13–15, 2011, Fairborn, OH. Severn, MD: CISSE, 2011.

[Boehm 2004]
Boehm, H.-J. "The 'Boehm-Demers-Weiser' Conservative Garbage Collector." Hewlett-Packard Development Co., 2004.

[Boehm 2009]
Boehm, H.-J. and M. Spertus. "Garbage Collection in the Next C++ Standard." In Proceedings of the 2009 ACM SIGPLAN International Symposium on Memory Management (ISMM '09), Dublin, Ireland, June 19–20, 2009, pp. 30–38. New York: ACM Press, 2009.

[Boehm 2012]
Boehm H. J. "Threads and Shared Variables in C++11 and Elsewhere." Hewlett-Packard Labs, April 2012.

[Bouchareine 2005]
Bouchareine, P. "__atexit in Memory Bugs—Specific Proof of Concept with Statically Linked Binaries and Heap Overflows," 2005.

[Bourque 2005]
Bourque, P. and R. Dupuis. Guide to the Software Engineering Body of Knowledge. Los Alamitos, CA: IEEE Computer Society, 2005.

[Buchanan 2008]
Buchanan, E., R. Roemer, H. Shacham, and S. Savage. "When Good Instructions Go Bad: Generalizing Return-Oriented Programming to RISC." In Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, Virginia, October 27–31, 2008. New York: ACM Press, 2008.

[Bulba 2000]
Bulba and Kil3r. "Bypassing StackGuard and StackShiel." Phrack, vol. 0xa, no. 0x38 05.01.2000 0x05[0x10, 2000.

[Burley 2011]
Burley, D. and M. Bishop. "Summit on Education in Secure Software: Final Report," June 2011.

[Burrell 2011]
Burrell, T. "Compiler Security Enhancements in Visual Studio 11," December, 2011.

[Burrell 2012]
Burrell, T. "Enhancements to /GS in Visual Studio 11," January 2011.

[Callaghan 1995]
Callaghan, B., B. Pawlowski, and P. Staubach. "IETF RFC 1813 NFS Version 3 Protocol Specification," June 1995.

[Cappelli 2012]
Cappelli, D. M., A. P. Moore, and R. F. Trzeciak. The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud). SEI Series in Software Engineering. Boston: Addison-Wesley Professional, 2012.

[Cesare 2000]
Cesare, S. "Shared Library Call Redirection via ELF PLT Infection." Phrack, vol. 0xa, no. 0x38, 05.01.2000, 0x07[0x10], 2000.

[Chari 2009]
Chari, S., S. Halevi, and W. Venema. "Where Do You Want to Go Today? Escalating Privileges by Pathname Manipulation," March 2009.

[Charney 2003]
Charney, S. "Prepared Testimony of Scott Charney," Chief Trustworthy Computing Strategist, Microsoft Corporation, before the Subcommittee on Commerce, Trade and Consumer Protection House Committee on Energy and Commerce. U.S. House of Representatives, Hearing on Cybersecurity and Consumer Data: What's at Risk for the Consumer? November 2003.

[Chen 2002]
Chen, H., D. Wagner, and D. Dean. "Setuid Demystified." In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, August 5–9, 2002, pp. 171–190, Dan Boneh (Ed.). Berkeley, CA: USENIX Association, 2002.

[Chen 2004]
Chen, P., M. Dean, D. Ojoko-Adams, H. Osman, L. Lopez, N. Xie, and N. Mead. Systems Quality Requirements Engineering (SQUARE) Methodology: Case Study on Asset Management System (CMU/SEI-2004-SR-015, ADA431068). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004.

[Choi 2000]
Choi S.-E. and E. C. Lewis. "A Study Of Common Pitfalls In Simple Multi-Threaded Programs." In SIGCSE'00: Proceedings of the 31st SIGCSE Technical Symposium on Computer Science Education, Austin, TX, March 7–12, 2000, pp. 325–329. New York: ACM Press, 2000.

[Conover 1999]
Conover, M. "w00w00 on Heap Overflows," 1999.

[Conover 2004]
Conover, M. and O. Horowitz. "Reliable Windows Heap Exploits," CanSecWest, April 2004.

[Cowan 2000]
Cowan, C., P. Wagle, C. Pu, S. Beattie, and J. Walpole. "Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade." In Proceedings of the DARPA Information Survivability Conference and Exposition (DISCEX'00), Hilton Head Island, SC, January 25–27, 2000, pp. 119–129. Los Alamitos, CA: IEEE Computing Society, 2000.

[Cowan 2001]
Cowan, C., M. Barringer, S. Beattie, G. Kroah-Hartman, M. Frantzen, and J. Lokier. "FormatGuard: Automatic Protection from printf Format String Vulnerabilities." In Proceedings of the Tenth USENIX Security Symposium, Washington, DC, August 13–17, 2001, pp. 191–199. Berkeley, CA: USENIX Association, 2001.

[Cox 1986]
Cox, B. J. Object-Oriented Programming: An Evolutionary Approach. Reading, MA: Addison-Wesley, 1986.

[CSI 2011]
Computer Security Institute. "15th Annual 2010/2011 Computer, Crime and Security Survey 2011," 2011.

[CSIS 2008]
Center for Strategic and International Studies (CSIS). "Securing Cyberspace for the 44th Presidency: A Report of the CSIS Commission on Cybersecurity for the 44th Presidency." Washington, DC: CSIS, 2008.

[CSO 2010]
CSO Magazine. "2010 CyberSecurity Watch Survey—Survey Results. Conducted by CSO in Cooperation with the U.S. Secret Service," Software Engineering Institute CERT Division at Carnegie Mellon University and Deloitte, 2010.

[Dannenberg 2010]
Dannenberg, R. B., W. Dormann, D. Keaton, R. C. Seacord, D. Svoboda, A. Volkovitsky, T. Wilson and T. Plum. "As-If Infinitely Ranged Integer Model." In Proceedings of the 2010 IEEE 21st International Symposium on Software Reliability Engineering (ISSRE '10), Washington, DC, pp. 91–100. Los Alamitos, CA: IEEE Computer Society, 2010.

[Davis 2003]
Davis, N. and J. Mullaney. The Team Software Process (TSP) in Practice: A Summary of Recent Results (CMU/SEI-2003-TR-014, ADA418430). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2003.

[de Kere 2003]
de Kere, C. "'MSBlast' / LovSan Write up," 2003.

[Deloitte 2011]
Deloitte Touche Tohmatsu Limited's (DTTL). "Raising the Bar: 2011 TMT Global Security Study—Key Findings." Fifth edition of DTTL's Global Security Study for the Technology, Media and Telecommunications (TMT) Industry, 2011.

[Dennelly 2000]
Donnelly, J. M. Navy Names Nations Posing Cyber Threats. King Communications Group. Navy News Week, September 11, 2000, p. 1.

[Denning 2000]
Denning, D. E. "Cyberterrorism," 2000.

[Dewhurst 2005]
Dewhurst, S.C. C++ Common Knowledge: Essential Intermediate Programming. Upper Saddle River, NJ: Addison-Wesley, 2005.

[Dhurjati 2006]
Dhurjati, D. and V. Adve. "Backwards-Compatible Array Bounds Checking for C with Very Low Overhead." In Proceedings of the 28th International Conference on Software Engineering (ICSE), May 20–28, 2006, Shanghai, China, pp. 162–171. New York: ACM Press, 2006.

[Dormann 2008]
Dormann, W. and D. Plakosh. "Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing," 2008.

[Vulnerability Note VU#444213]
Vulnerability Notes Database. "AVI video codec image height heap overflow," September 5, 2009.

[Dormann 2012a]
Dormann, W. "Microsoft Indeo Video codecs Contain Multiple Vulnerabilities," [Vulnerability Note VU#228561], January 12, 2012.

[Dormann 2012b]
Dormann, W. "Adobe Flash ActionScript AVM2 newfunction Vulnerability,"[Vulnerability Note VU#486225], January 12, 2012.

[Dougherty 2009]
Dougherty, C., K. Sayre, R. Seacord, D. Svoboda, and K. Togashi. Secure Design Patterns (CMU/SEI-2009-TR-010). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2009.

[Dowd 2006]
Dowd, M., J. McDonald, and J. Schuh. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston: Addison-Wesley, 2006 (updates and errata).

[Dowd 2007]
Dowd, M., J. McDonald, and J. Schuh. "The Art of Software Security Assessment: Attacking delete and delete[] in C++," 2007.

[Drepper 2004]
Drepper, U. "Security Enhancements in Red Hat Enterprise Linux (Beside SELinux)," 2004.

[Ellis 1990]
Ellis, M. A. and B. Stroustrup. The Annotated C++ Reference Manual. Reading, MA: Addison-Wesley, 1990.

[Ergonul 2012]
Ergonul, M. Research. "NYU Poly Application Security Discussions/Exploiting Concurrency Vulnerabilities in System Call Wrappers," April 2012.

[Etoh 2000]
Etoh, H. and K. Yoda. "Protecting from Stack-Smashing Attacks." IBM Research Division, Tokyo Research Laboratory, 2004.

[Evans 1998]
Evans, C. "Nasty Security Hole in 'lprm'" (Bugtraq Archive), 1998.

[Evans 2006]
Evans, J. A. "Scalable Concurrent malloc(3) Implementation for FreeBSD" 2006.

[Fallon 2012]
Fallon, E. "Experience Report: Applying and Introducing TSP to Electronic Design Automation." In Proceedings of the 2012 Team Software Process Symposium, St. Petersburg, FL, September 17–20, 2012.

[FFmpeg 2012]
FFmpeg Developers. Website of FFmpeg.org, 2012.

[Firesmith 2003]
Firesmith, D. G. "Security Use Cases." Journal of Object Technology 2(3): 53–64, 2003.

[Fisher 2010]
Fisher, K., Y. Mandelbaum, and D. Walker. The Next 700 Data Description Languages. Journal of the ACM 57(2): article 10, 2010.

[Fithen 2004]
Fithen, W. L, S. V. Hernan, P. F. O'Rourke, and D. A. Shinberg. "Formal Modeling of Vulnerability." Bell Labs Technical Journal 8(4): 173–186, 2004.

[Foote 2011]
Foote, J. JasPer Memory Corruption Vulnerabilities [Vulnerability Note #VU887409], December 9, 2011.

[Forrester 2000]
Forrester, J. E, B. P. Miller, and USENIX Association. "An Empirical Study of the Robustness of Windows NT Applications Using Random Testing." In Proceedings of the 4th Conference on USENIX Windows Systems Symposium—Vol. 4. Berkeley, CA: USENIX Association, 2000.

[Forrester 2000]
Forrester, J. E. and B. P. Miller. "An Empirical Study of the Robustness of Windows NT Applications Using Random Testing." In Proceedings of the 4th USENIX Windows System Symposium, August 3–4, 2000, Seattle, WA, pp.9–68. Berkeley, CA: USENIX Association, 2000.

[FSF 2004]
Free Software Foundation. "GCC Online Documentation," 2004.

[Gamma 1995]
Gamma, E., R. Helm, R. Johnson, and J. M. Vlissides. Design Patterns: Elements of Reusable Object-Oriented Software. Boston: Addison-Wesley, 1995.

[Garfinkel 1996]
Garfinkel, S., and G. Spafford. Practical UNIX & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly Media, 1996.

[Gehani 1989]
Gehani, N. H., and W. D. Roome. Concurrent C. Summit, NJ: Silicon Press, 1989.

[gera 2002]
gera, and riq. "Advances in Format String Exploitation." Phrack 0x0b, Issue 0x3b, Phile #0x07 of 0x12, 2002.

[Godefroid 2008]
P. Godefroid, M. Y. Levin, and D. Molnar. "Automated Whitebox Fuzz Testing." In Proceedings of the Network and Distributed System Security Symposium, February 10–13, 2008, San Diego, CA. Reston, VA: The Internet Society, 2008.

[Godefroid 2010]
Godefroid, P. "From Blackbox Fuzzing to Whitebox Fuzzing Towards Verification." In Proceedings of the 19th International Symposium on Software Testing and Analysis (ISSTA), Trento, Italy, July 12–16, 2010, pp. 1–38. New York: ACM Press, 2010.

[Graff 2003]
Graff, M. G. and K. R. van Wyk. Secure Coding Principles & Practices: Designing and Implementing Secure Applications. Sebastopol, CA: O'Reilly, 2003.

[Griffiths 2006]
Griffiths, A. 2006. "Clutching at Straws: When You Can Shift the Stack Pointer." Phrack 0x0b(0x3f), phile #0x0e of 0x14.

[Grossman 2005]
Grossman, D., M. Hicks, J. Trevor, and G. Morrisett. "Cyclone: A Type-safe Dialect of C." C/C++ Users Journal, 23(1): 6–13,2005.

[Hocevar 2007]
Hocevar, S. "Zzuf—Multiple Purpose Fuzzer". Presented at the Free and Open Source Software Developers' European Meeting (FOSDEM), Brussels, Belgium, 2007.

[Hoogstraten 2003]
Van Hoogstraten, J. SANS Malware FAQ: What Is W32/Blaster Worm? 2003.

[Horovitz 2002]
Horovitz, O. Big Loop Integer Protection. Phrack Vol. 0x0b, Issue 0x3c, Phile #0x09 of 0x10, 2002.

[Householder 2012a]
Householder, A. Well There's Your Problem: Isolating the Crash-Inducing Bits in a Fuzzed File (CMU/SEI-2012-TN-018). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012.

[Householder 2012b]
Householder, A. and J. Foote. Probability-Based Parameter Selection for Black-Box Fuzz Testing (CMU/SEI-2012-TN-019). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012.

[Howard 1997]
Howard, J. D. An Analysis of Security Incidents on the Internet 1989–1995. PhD Diss. Carnegie Mellon University, 1997.

[Howard 2002]
Howard, M. and D. C. LeBlanc. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002.

[Howard 2003a]
Howard, M. "An Overlooked Construct and an Integer Overflow Redux," 2003.

[Howard 2003b]
Howard, M., J. Pincus, and J. M., Wing. "Measuring Relative Attack Surfaces." In Proceedings of Workshop on Advanced Developments in Software and Systems Security, Taipei, Taiwan, December 5–7, 2003. 2003.

[Howard 2006]
Howard, M. and S. Lipner. The Security Development Lifecycle. Redmond, WA: Microsoft Press, 2006.

[Howard 2011]
Howard, M., M. Miller, J. Lambert, and M. Thomlinson. "Windows ISV Software Security Defenses." MSDN, 2011.

[huku 2012]
huku, argp. "The Art of Exploitation: Exploiting VLC, A jemalloc Case Study." Phrack, Vol. 0x0e, Issue 0x44, Phile #0x0d of 0x13, April 2012.

[Humphrey 2002]
Humphrey, W. S. Winning with Software: An Executive Strategy. Boston: Addison-Wesley, 2002.

[IBM 2004]
IBM. "Rational PurifyPlus," 2004.

[IBM 2012]
IBM. Writing Reentrant and Thread-Safe Code, 2012.

[IEEE Std 1003.1-2008]
IEEE Standard for Information Technology. Portable Operating System Interface (POSIX) Base Specifications," Issue 7, IEEE Std 1003.1-2008 (revision of IEEE Std 1003.1-2004), pp. c1–3826, December 1, 2008.

[Intel 2004]
Intel Corporation. IA-32 Intel® Architecture Software Developer's Manual, 2004.

[Intel 2010]
Intel Corporation. "Intel® 64 and IA-32 Architectures Software Developer's Manual, Instruction Set Reference, A-M, Volume 2A," 2010.

[Internet Society 2000]
The Internet Society. "Internet Security Glossary (RFC 2828)," 2000.

[Internet Society 2007]
Network Working Group, R. Shirey. "Internet Security Glossary (RFC 4949), Version 2 (Obsoletes: 2828)," August 2007.

[ISO/IEC 14882: 2011]
ISO/IEC (International Organization for Standardization, International Electrotechnical Commission). "Programming Languages—C++," 2011. (ISO/IEC 14882-1998).

[ISO/IEC 1998]
ISO/IEC. Programming Languages—C++ (ISO/IEC 14882-1998). Geneva, Switzerland: ISO/IEC, 1998.

[ISO/IEC 1999]
ISO/IEC. Programming Languages—C, 2nd ed. (INCITS/ISO/IEC 9899-1999). Geneva, Switzerland: ISO/IEC, 1999.

[ISO/IEC 2005]
ISO/IEC. "Extensions to the C Library—Part I," (ISO/IEC WDTR 24731). Geneva, Switzerland: ISO/IEC, 2005.

[ISO/IEC 2007]
ISO/IEC. Extensions to the C Library—Part I: Bounds-Checking Interfaces (ISO/IEC TR 24731-1: 2007). Geneva, Switzerland: ISO/IEC, 2007.

[ISO/IEC 9945: 2003]
ISO/IEC. "Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®)," (ISO/IEC 9945: 2003) (including Technical Corrigendum 1). Geneva, Switzerland: ISO/IEC, 2003.

[ISO/IEC TR 24731-2: 2010]
ISO/IEC. "Extensions to the C Library—Part II: Dynamic Allocation Functions," (ISO/IEC TR 24731-2). Geneva, Switzerland: ISO/IEC, 2010.

[ISO/IEC/IEEE 9945: 2009]
ISO/IEC/IEEE. "IEEE Standard for Information Technology—Portable Operating System Interface (POSIX®) Base Specifications," Issue 7. Geneva, Switzerland: ISO/IEC, 2009.

[Jack 2007]
Jack, B. Vector. "Rewrite Attack" (White Paper). Juniper Networks, May 2007.

[Johnson 1973]
Johnson, S. C. and B. W. Kernighan. The Programming Language B (Computing Science Technical Report No. 8). Murray Hill, NJ: Bell Labs, 1973.

[Jones 1997]
Jones, R. W. M. and P. H. J. Kelley. "Backwards-Compatible Bounds Checking for Arrays and Pointers in C Programs." In Proceedings of the Third International Workshop on Automatic Debugging (AADEBUG'97), Linkoping, Sweden, May 26–27, 1997, pp. 13–26. Linkoping, Sweden: Linkopings Universitet, 1997.

[Jones 2007]
Jones, M. T. "Anatomy of the Linux File System: A Layered Structure-Based Review," October 2007.

[Kaminsky2011]
Kaminsky, D. "Fuzzmarking: Towards Hard Security Metrics for Software Quality? March 2011.

[Kamp 1998]
Kamp, P. H. Malloc(3) Revisited. In Proceedings of 1998 USENIX Annual Technical Conference: Invited Talks and Freenix Track, New Orleans, LA, June 15–19, 1998, pp. 93–198. Berkeley, CA: USENIX Association, 1998.

[Kath 1993]
Kath, R. Managing Virtual Memory in Win32, 1993.

[Kernighan 1978]
Kernighan, B. W. and D. M. Ritchie. The C Programming Language. Englewood Cliffs, NJ: Prentice-Hall, 1978.

[Kernighan 1988]
Kernighan, B. W. and D. M. Ritchie. The C Programming Language, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 1988.

[Kerr 2004]
Kerr, K. "Putting Cyberterrorism into Context," 2004.

[Kirwan 2004]
Kirwan, M. "The Quest for Secure Code," 2004.

[Knuth 1997]
Knuth, D. E. Ch. 2, "Information Structures." In Art of Computer Programming, Vol. 1: Fundamental Algorithms, 3rd ed., pp. 438–442. Reading, MA: Addison-Wesley, 1997.

[Landwehr 2008]
Landwehr, C. "IARPA STONESOUP Proposers Day." IARPA, 2008.

[Lanza 2003]
Lanza, J. P. Multiple FTP Clients Contain Directory Traversal Vulnerabilities, March 14, 2003.

[LaRue 2012]
LaRue, M. and J. Lee. "Attack Surface Analyzer 1.0," (released August 2012).

[Leiserson 2008]
Leiserson, C. E., and I. B. Mirman. How to Survive the Multicore Software Revolution (or at Least Survive the Hype) [e-book]. Santa Clara, CA: Cilk Arts, 2008.

[Lemos 2004]
Lemos, R. "MSBlast Epidemic Far Larger than Believed," 2004.

[Linux 2008]
"Linux Programmer's Manual." October 2008.

[Lipner 2005]
Lipner, S., and M. Howard. The Trustworthy Computing Security Development Lifecycle. In Proceedings of 20th Annual Computer Security Applications Conference, Tucson, AZ, December 6–10, 2004, pp. 2–13. Los Alamitos, CA: IEEE Computer Society, 2004 (updated 2005).

[Litchfield 2003a]
Litchfield, D. Variations in Exploit Methods between Linux and Windows, 2003.

[Litchfield 2003b]
Litchfield, D. Defeating the Stack-Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server, 2003.

[Liu 2010]
Liu, V. Concurrency vs. Multi-Threading Blog, May 2010.

[Long 2011]
Long, F. The CERT Oracle Secure Coding Standard for Java, 2012.

[Manadhata 2010]
Manadhata, P. K. and J. M. Wing. "An Attack Surface Metric." IEEE Transactions on Software Engineering 36(1), 2010.

[McAndrews 2000]
McAndrews, D. The Team Software Process (TSP): An Overview and Preliminary Results of Using Disciplined Practices (CMU/SEI-2000-TR-015, ADA387260). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2000.

[McDermott 1999]
McDermott, J. and C. Fox. "Using Abuse Case Models for Security Requirements Analysis." In Proceedings 15th Annual Computer Security Applications Conference, Scottsdale, AZ, December 6–10, 1999, pp. 55–64. Los Alamitos, CA: IEEE Computer Society Press, 1999.

[McDermott 2001]
McDermott, J. Abuse-Case-Based Assurance Arguments. In Proceedings of the 17th Annual Computer Security Applications Conference, New Orleans, LA, December 10–14, 2001, pp. 366–374. Los Alamitos, CA: IEEE Computer Society Press, 2001.

[Mead 2010]
Mead, N. R., T. B. Hilburn, and R. C. Linger. Software Assurance Curriculum Project Volume II: Undergraduate Course Outlines, 2010. (CMU/SEI-2010-TR-019), 2010.

[Meier 2003]
Meier, J. D., A. Mackman, S. Vasireddy, R. Escamilla, and A. Murukan. Improving Web Application Security Threats and Countermeasures, 2003.

[Meyer 1988]
Meyer, B. Object-Oriented Software Construction. New York: Prentice-Hall, 1988.

[Meyers 1998]
Meyers, S. Effective C++: 50 Specific Ways to Improve Your Programs and Designs, 2nd ed. Reading, MA: Addison-Wesley, 1998.

[Michael 1996]
Michael, M. M. and M. L. Scott. "Simple, Fast, and Practical Non-Blocking and Blocking Concurrent Queue Algorithms." In Proceedings of 15th Annual ACM Symposium Principles of Distributed Computing, Philadelphia, PA, May 23–26, 1996, pp. 267–275, New York: ACM Press, 1996.

[Microsoft 2009]
Microsoft Corporation. Microsoft Security Research & Defense. "Safe Unlinking in the Kernal Pool," 2009.

[Microsoft 2010]
Microsoft Corporation. "Simplified Implementation of the Microsoft SDL," November 4, 2010.

[Microsoft 2011]
Microsoft Corporation. "Microsoft Secure Development Lifecycle (SDL) Process Guidance Version 5.1," June, 3, 2011.

[Microsoft 2012]
Microsoft Corporation. "Dev-Center Desktop, Introduction," 2012.

[MISRA 2005]
MISRA (Motor Industry Software Reliability Association). "MISRA-C: 2004: Guidelines for the Use of the C Language in Critical Systems." Nuneaton, UK: MIRA, 2005.

[Molnar 2009]
Molnar, D., X. C. Li, D. A. Wagner, and USENIX Association. "Dynamic Test Generation to Find Integer Bugs in x86 Binary Linux Programs," 2009.

[Morrow 2012]
Morrow, T., R. Seacord, J. Bergey, and P. Miller. Supporting the Use of CERT Secure Coding Standards in DoD Acquisitions (CMU/SEI-2012-TN-016). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2012.

[Moscibroda 2007]
Moscibroda, T. and O. Mutlu. "Memory Performance Attacks: Denial of Memory Service in Multi-Core Systems." In Proceedings of the 16th USENIX Security Symposium, Boston, MA, August 6–10, 2007, pp. 257–274, 2007.

[Nagarakatte 2009]
Nagarakatte, S., J. Zhao, M. M. K. Martin, and S. Zdancewic. "SoftBound: Highly Compatible and Complete Spatial Memory Safety for C." In Proceedings of ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI), Dublin, Ireland, June 15–21, 2009. New York: ACM Press, 2009.

[Nelson 1991]
Nelson, G. Systems Programming with Modula-3. EnglewoodCliffs, NJ: Prentice-Hall, 1991.

[Netzer 1990]
Netzer, R. and B. Miller. "On the Complexity of Event Ordering for Shared-Memory Parallel Program Executions." In Proceedings of the 1990 International Conference on Parallel Processing, Pennsylvania State University, University Park, PA, August 1–17, 1990, pp. 93–97. University Park: Pennsylvania State University Press, 1990.

[NIST 2002]
National Institute of Standards and Technology. "Software Errors Cost U.S. Economy $59.5 Billion Annually, (NIST 2002-10), 2002.

[Nowak 2004]
Nowak, T. "Functions for Microsoft Windows NT/2000," 2004.

[Okun 2009]
Okun, V., R. Gaucher, and P. E. Black, eds. Static Analysis Tool Exposition (SATE) 2008. (NIST Special Publication 500-279). Gaithersburg, MD: National Institute of Standards and Technology, 2009.

[Parasoft 2004]
Parasoft. "Automating C/C++ Application Testing with Parasoft Insure++ (Insure++ Technical Papers)," 2004.

[Pethia 2003a]
Pethia, R. D. "Cyber Security—Growing Risk from Growing Vulnerability." Testimony before the House Select Committee on Homeland Security Subcommittee on Cybersecurity, Science, and Research and Development. Hearing on Overview of the Cyber Problem—A Nation Dependent and Dealing with Risk, 2003.

[Pethia 2003b]
Pethia, R. D. "Viruses and Worms: What Can We Do about Them?" Testimony before the House Committee on Technology, Information Policy, Intergovernmental Relations and the Census. Hearing on Worm and Virus Defense: How Can We Protect the Nation's Computers From These Threats?, 2003.

[Pfenning 2004]
Pfenning, F. "Lectures Notes on Type Safety: Foundations of Programming Languages," Lecture 6, pp. 15–312. Carnegie Mellon University, 2004.

[Pincus 2002]
Pincus, J. "Infrastructure for Correctness Tools," (PowerPoint Presentation), 2002.

[Pincus 2004]
Pincus, J. and B. Baker. "Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns." IEEE Security & Privacy 2(4): 20–27, 2004.

[Plum 2005]
Plum, T. and D. M. Keaton. "Eliminating Buffer Overflows, Using the Compiler or a Standalone Tool." In Proceedings of the Workshop on Software Security Assurance Tools, Techniques, and Metrics, National Institute of Standards and Technology (NIST), Long Beach, CA, November 7–8, 2005.

[Plum 2008]
Plum, T. and A. Barjanki. "Encoding and Decoding Function Pointers," (SC22/WG14/N1332), 2008.

[Provos 2003a]
Provos, N., M. Friedl, and P. Honeyman. "Preventing Privilege Escalation." In Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 4–8, 2003, pp. 231–242. Berkeley, CA: USENIX Association, 2003.

[Provos 2003b]
Provos, N. "Improving Host Security with System Call Policies." In Proceedings of the 12th USENIX Security Symposium, Washington, DC, August 4–8, 2003, pp. 257–272. Berkeley, CA: USENIX Association, 2003.

[Purczynski 2002]
Purczynski, W. "GNU Fileutils—Recursive Directory Removal Race Condition (Bugtraq Archive)," 2002.

[Randazzo 2004]
Randazzo, M. R., M. Keeney, D. Cappelli, A. Moore, and E. Kowalski. Insider Threat Study: Illicit Cyber Activity in the Banking and Finance Sector, 2004.

[Rational 2003]
Rational Software Corporation. "Rational PurifyPlus, Rational Purify, Rational PureCoverage, Rational Quantify: Installing and Getting Started," Version: 2003.06.00, Part Number: 800-026184-000 (Product Manual), 2003.

[Reinders 2007]
James, R. Intel Threading Building Blocks. Sebastopol, CA: O'Reilly, 2007.

[Richards 1979]
Richards, M. and C. Whitby-Strevens. BCPL: The Language and Its Compiler. New York: Cambridge University Press, 1979.

[Richarte 2002]
Richarte, G. "Four Different Tricks to Bypass StackShield and StackGuard Protection," 2002.

[Richter 1999]
Richter, J. Programming Applications for Microsoft, 4th ed. Redmond, WA: Microsoft Press, 1999.

[Rivas 2001]
Rivas, J. M. B. "Overwriting the .dtors Section," 2001.

[rix 2000]
rix. "Smashing C++ Vptrs." Phrack, Vol. 0xa, Issue 0x38, 05.01.2000, 0x08[0x10], 2000.

[Rodrigues 2008]
Rodrigues, G. "Taming the OOM Killer." LWN.net, 2008.

[Ruwase 2004]
Ruwase, O. and M. S. Lam. "A Practical Dynamic Buffer Overflow Detector." In Proceedings of the 11th Annual Network and Distributed System Security Symposium, San Diego, CA, February 5–6 2004, pp. 159–169. Reston, VA: Internet Society, 2004.

[Saltzer 1974]
Saltzer, J. H. "Protection and the Control of Information Sharing in Multics." Communications of the ACM 17(7): 388–402, 1974.

[Saltzer 1975]
Saltzer, J. H. and M. D. Schroeder. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63(9): 1278–1308, 1975.

[Schneider 1999]
Schneider, F. B., ed., National Research Council, Committee on Information Systems Trustworthiness. Trust in Cyberspace. Washington, DC: National Academy Press, 1999.

[Schneier 2004]
Schneier, B. Secrets and Lies: Digital Security in a Networked World. Indianapolis, IN: Wiley, 2004.

[Scut 2001]
Scut/Team Teso. "Exploiting Format String Vulnerabilities," 2001.

[Seacord 2005a]
Seacord, R. C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005.

[Seacord 2005b]
Seacord, R. C. and A. Householder. A Structured Approach to Classifying Security Vulnerabilities (CMU/SEI-2005-TN-003). Software Engineering Institute, Carnegie Mellon University, 2005.

[Seacord 2005c]
Seacord, R. C. "Wide-Character Format String Vulnerabilities Strategies for Handling Format String Weaknesses." Dr. Dobb's Journal 30(12): 63–66, 2005.

[Seacord 2008]
Seacord, R. C. The CERT C Secure Coding Standard. Boston: Addison-Wesley, 2008.

[Seacord 2010]
Seacord, R., W. Dormann, J. McCurley, P. Miller, R. Stoddard, D. Svoboda, and J. Welch. Source Code Analysis Laboratory (SCALe) for Energy Delivery Systems (CMU/SEI-2010-TR-021). Software Engineering Institute, Carnegie Mellon University, 2010.

[Seacord 2012]
Seacord, R., et al. "ISO/IEC TS 17961 Draft. Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules," 2012.

[SEI 2012a]
Software Engineering Institute. Secure Coding Standards, 2012.

[SEI 2012b]
Software Engineering Institute. "CERT C++ Secure Coding Standard, 2012."

[SEI 2012c]
Software Engineering Institute. "CERT Perl Secure Coding Standard," 2012.

[SEI 2012d]
Software Engineering Institute. "CERT C Secure Coding Standard," 2012.

[Shacham 2007]
Shacham, H. (2007). "The Geometry of Innocent Flesh on the Bone: Return-Into-Libc Without Function Calls (on the x86)." In Proceedings of the 14th ACM Conference/Computer and Communications Security (CCS '07), Whistler, Canada, October 28–31, 2007. New York: ACM Press.

[Shankar 2001]
Shankar, U., K. Talwar, J. S. Foster, and D. Wagner. "Detecting Format String Vulnerabilities with Type Qualifiers." In Proceedings of the 10th USENIX Security Symposium, Washington, DC, August 13–17, 2001, pp. 201–218. Berkeley, CA: USENIX Association, 2001.

[Shannon 2011]
Shannon, G. E. "Statement of Gregory E. Shannon," Chief Scientist for Computer Emergency Readiness Team (Cert). In Examining the Homeland Security Impact of the Obama Administration's Cybersecurity Proposal. Hearing before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security. House of Representatives, One Hundred Twelfth Congress, First Session, Serial No. 112–33. June 24, 2011. Software Engineering Institute, Carnegie Mellon University, 2011.

[Sheridan 2012]
Sheridan, F. Deploying Static Analysis. Dr. Dobb's Journal, August 2012.

[Sindre 2000]
Sindre, G. and A. Opdahl. "Eliciting Security Requirements by Misuse Cases." In Proceedings of TOOLS Pacific 2000, Sydney, Australia, November 20–23, 2000, pp. 120–130. Los Alamitos, CA: IEEE Computer Society Press, 2000.

[Sindre 2002]
Sindre, G., S. Opdahl, and B. Brevik. "Generalization/Specialization as a Structuring Mechanism for Misuse Cases (CD-ROM)." In Proceedings of the Second Symposium on Requirements Engineering for Information Security (SREIS 2002), Raleigh, NC, October 16, 2002. Lafayette, IN: CERIAS, Purdue University, 2002.

[Sindre 2003]
Sindre, G., D. G. Firesmith, and A. L. Opdahl. "A Reuse-Based Approach to Determining Security Requirements." In Proceedings of the 9th International Workshop on Requirements Engineering: Foundation for Software Quality (REFSQ'03), Klagenfurt/Velden, Austria, June 16–17, 2003, pp. 127–136. Essen, Germany: Essener Informatik Beitrage, 2003.

[Sinha 2005]
Sinha, P. "A Memory-Efficient Doubly Linked List." Linux Journal 129: 38, 2005.

[Smashing 2005]
BSD Heap Smashing, 2005.

[Solar 2000]
Solar Designer. "JPEG COM Marker Processing Vulnerability in Netscape Browsers," 2000.

[Soo Hoo 2001]
Soo Hoo, K., J. W. Sudbury, and J. R. Jaquith. "Tangible ROI through Secure Software Engineering." Secure Business Quarterly 1(2): 1–3, 2001.

[Stein 2001]
Stein, L. D. Network Programming with Perl. Boston: Addison-Wesley, 2001.

[Stroustrup 1986]
Stroustrup, B. The C++ Programming Language. Reading, MA: Addison-Wesley, 1986.

[Stroustrup 1997]
Stroustrup, B. The C++ Programming Language, 3rd ed. Reading, MA: Addison-Wesley, 1997.

[Stroustrup 2012]
Stroustrup, B. C++11—The Recently Approved New ISO C++ Standard, 2012.

[Sutter 2005]
Sutter, H. and Alexandrescu, A. C++ Coding Standards: 101 Rules, Guidelines, and Best Practices. Boston: Addison-Wesley, 2005.

[Sutter 2008]
Sutter, H. Lock-Free Code: A False Sense of Security. Dr. Dobb's Journal, September 2008. Retrieved 9/25/2012.

[Swiderski 2004]
Swiderski, F. and W. Snyder. Threat Modeling. Redmond, WA: Microsoft Press, 2004.

[Taylor 2012]
Taylor, B., M. Bishop, D. Burley, S. Cooper, R. Dodge, and R. Seacord. "Teaching Secure Coding: Report From Summit on Education in Secure Software." In Proceedings of the 43rd ACM Technical Symposium on Computer Science Education (SIGCSE '12), Raleigh, NC, February 29–March 3, 2012, pp. 581–582, New York: ACM Press.

[Thinking 1990]
Thinking Machines Corporation. Getting Started in C. Cambridge, MA: Thinking Machines Corporation, 1990.

[Thomas 2002]
Thomas, D. "Cyber Terrorism and Critical Infrastructure Protection." Testimony Before the Committee on House Government Reform Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations. July 24, 2002.

[TIS 1995]
Tool Interface Standard Committee. "Tool Interface Standard (TIS) Executable and Linking Format (ELF) Specification, Version 1.2," 1995.

[Tsai 2001]
Tsai, T. and N. Singh. "Libsafe 2.0: Detection of Format String Vulnerability Exploits." White paper, Avaya Labs, February 6, 2001.

[Valgrind 2004]
Valgrind. "Valgrind Latest News," 2004.

[van de Ven 2004]
van de Ven, A. "New Security Enhancements in Red Hat Enterprise Linux v.3," update 3, 2004.

[Viega 2000]
Viega, J., J. T. Bloch, Y. Kohno, and G. McGraw. "ITS4: A Static Vulnerability Scanner for C and C++ Code." In Proceedings of the 16th Annual Computer Security Applications Conference (ACSAC'00), New Orleans, LA, December 11–15, 2000, pp. 257–267. Los Alamitos, CA: IEEE Computer Society Press, 2000.

[Viega 2002]
Viega, J. and G. McGraw. Building Secure Software: How to Avoid Security Problems the Right Way. Boston, MA: Addison-Wesley, 2002.

[Viega 2003]
Viega, J. and M. Messier. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003.

[Wagle 2003]
Wagle, P. and C. Cowan. "StackGuard: Simple Stack Smash Protection for GCC." In Proceedings of the GCC Developers Summit, Ottawa, Ontario, Canada, May 25–27, 2003, pp. 243–256.

[Wallnau 2002]
Wallnau, K. C., S. Hissam, and R. C. Seacord. Building Systems from Commercial Components. Boston: Addison-Wesley, 2002.

[Warren 2003]
Warren, Jr., H. S. Hacker's Delight. Boston: Addison-Wesley, 2003.

[Watson 2007]
Watson, R. N. M. "Xploiting Concurrency Vulnerabilities in System Call Wrappers." In Proceedings of 1st USENIX Workshop on Offensive Technologies, Boston, MA, August 6–10, 2007. Berkeley, CA: USENIX Association, 2007.

[Weaver 2004]
Weaver, N. and V. Paxson. "A Worst-Case Worm." The Third Annual Workshop on Economics and Information Security (WEIS04), Minneapolis, MN, May 13–14, 2004.

[Wheeler 2003]
Wheeler, D. "Secure Programming for Linux and Unix HOWTO—Creating Secure Software," 2003.

[Wheeler 2004]
Wheeler, D. A. "Secure Programmer: Countering Buffer Overflows," 2004.

[Wikipedia 2012a]
Wikipedia. "Amdahl's Law," 2012 (retrieved 9/25/2012).

[Wikipedia 2012b]
Wikipedia. "Concurrency (Computer Science)," 2012.

[Wikipedia 2012c]
Wikipedia. "Concurrent Computing," 2012.

[Wilander 2003]
Wilander, J. and M. Kamkar. "A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention." In Proceedings of the 10th Network and Distributed System Security Symposium, San Diego, California, February 6–7, 2003, pp. 149–162. Reston, VA: Internet Society, 2003.

[Wilson 2003]
Wilson, M. "Generalized String Manipulation: Access Shims and Type Tunneling." C/C++. Users Journal 21(8): 24–35, 2003.

[Wojtczuk 1998]
Wojtczuk, R. "Defeating Solar Designer Non-Executable Stack Patch (Bugtraq Archive)," 1998.

[Xie 2004]
Xie, N., N. R. Mead, P. Chen, M. Dean, L. Lopez, D. Ojoko-Adams, and H. Osman. SQUARE Project: Cost/Benefit Analysis Framework for Information Security Improvement Projects in Small Companies (CMU/SEI-2004-TN-045, ADA431118). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2004.

[Yu 2009]
Yu, F., T. Bultan, and O. H. Ibarra. "Symbolic String Verification: Combining String Analysis and Size Analysis." In Proceedings of the 15th International Conference on Tools and Algorithms for the Construction and Analysis of Systems: Held as Part of the Joint European Conferences on Theory and Practice of Software, York, UK, March 22–29, 2009. Series Lecture Notes in Computer Science. Berlin: Springer-Verlag, 2009.

Please contact us to submit your comments and corrections to the author.

           
Location Currently Reads Should Read
Ch. 1, p. 12 (last para) Therefore, software components cannot have vulnerabilities because they are not executable outside of the context of a program. However, it is worthwhile to manage security flows in components as vulnerabilities because these components may be reused by many programs.

Ch. 1, p. 25 (para. 3)

IA-32

x86-32

Ch. 2, p. 29 Dan Plakosh Daniel Plakosh
Ch. 2, p. 38 "MSC00-C. Compile cleanly at high warning levels" The CERT C Secure Coding Standard [Seacord 2008], "MSC00-C. Compile cleanly at high warning levels"
Ch. 2, p. 38 "STR04-C. Use plain char for characters in the basic character set" The CERT C Secure Coding Standard [Seacord 2008], "STR04-C. Use plain char for characters in the basic character set"
 Ch. 2, p. 39 "STR00-C. Represent characters using an appropriate type" The CERT C Secure Coding Standard [Seacord 2008], "STR00-C. Represent characters using an appropriate type"

Ch. 2, p. 42

Example 2.1 Reading from stdin()

Example 2.1 Reading from stdin

Ch. 2, p. 43 (para. 4)

Reading data from unbounded sources (such as stdin()) creates an interesting problem for a programmer

Reading data from unbounded sources (such as stdin) creates an interesting problem for a programmer.

Ch. 2, p. 46 (para. 4)

The extraction operation can be limited to a specified number of characters (thereby avoiding the possibility of an out-of-bound s write) if the field width inherited member (ios_base::width) is set to a value greater than 0. In this case, the extraction ends one character before the count of characters extracted reaches the value of field width, leaving space for the ending null character. After a call to this extraction operation, the value of the field width is reset to 0.

This paragraph is duplicative and should be removed.

 Ch. 2, p. 48

1 int main(void) (
2   char a[16];
3   char b[16];
4   char c[16];
5   strncpy(a, "0123456789abcdef", sizeof(a));0123456789abcdef",
6   strncpy(b, "0123456789abcdef",
7   strcpy(c, a);
8   /* ... */
9 )

01 int main(void) (
02  char a[16];
03  char b[16];
04  char c[16];
05  strncpy(a, "0123456789abcdef", sizeof(a));0123456789abcdef",
06  strncpy(b, "0123456789abcdef",
07  strcpy(c, a);
08  /* ... */
09   exit(EXIT_SUCCESS)
10
)

Ch. 2, p. 63 (Fig. 2.14)

Return Addr Caller —main 4 bytes) "W>*!" (return to line 6 was line 3)

Return Addr Caller —main (4 bytes) "j>∗!" (return to line 6 was line 3)

Ch. 2, p. 65 cd 50 cd 80
Ch. 2, p. 66 int $0x50 int $0x80
Ch. 2, p. 68 int $80 int $0x80
Ch. 2, p. 91 (Example 2.15)

Example 2.15 shows the Open Watcom implementation of the strcp_s() function. The runtime-constraint error checks are followed by comments.

Example 2.14 shows the Open Watcom implementation of the strcp_s() function. The runtime-constraint error checks are followed by comments.

Ch. 2, p. 92 However, the destination string is set to the  null string and a nonzero value is returned if either the source or destination  pointer is NULL or if the maximum length of the destination buffer is equal to  0 or greater than RSIZE_MAX.

The strcat_s() function returns 0 on success. A  runtime-constraint violation occurs if the source or destination string is a  null pointer, copying takes place between overlapping objects, the maximum  length of the destination buffer is equal to 0 or greater than RSIZE_MAX, the  destination string is not properly null-terminated, or there is insufficient  space remaining in the destination string to copy the source string.  If there is a runtime-constraint violation,  and the destination string is not a null pointer and the maximum length of the  destination buffer is equal to 0 or greater than RSIZE_MAX, then the  destination string is set to the null string.

Ch. 2, p. 115

memcpy_s(pBuff, 4096);

memcpy_s(pBuff, ...);

Ch. 3, p. 122 (list item 2)

2. For a loop limited by upper bound, a loop limited by Hi, or a loop limited by null terminator, the buffer must be at a lower memory address than the target function or object pointer. For a loop limited by lower bound or a loop limited by Lo, the buffer must be at a lower memory address than the target function or object pointer.

2. For a loop limited by upper bound, a loop limited by Hi, or a loop limited by null terminator, the buffer must be at a lower memory address than the target function or object pointer. For a loop limited by lower bound or a loop limited by Lo, the buffer must be at a higher memory address than the target function or object pointer.

Ch. 3, p. 128, fn 3

IA-32

x86-32

Ch. 3, p. 137 (last para)

EXCEPTION_HANDLER

EXCEPTION_REGISTRATION

Ch. 3, p. 139 (table 3.1)

ebp cbp

ebp of caller

Ch. 3, p. 141

However, this inverse relationship between encode_pointer and decode_pointer()

However, this inverse relationship between encode_pointer() and decode_pointer()

Ch. 4, p. 156 (para. 2)

A write from or read to

A write to or read from

Ch. 4, p. 158 (para. 3)

This technique might also be used to probe error recovery code for double-free vulnerabilities and other security flaws.

Delete sentence

Ch. 4, p. 183 (Fig. 4.4)

Size of last 4 bytes or prev (occur 3 times)

Size or last 4 bytes of foregoing

Ch. 4, p. 185 (para. 2)

There are, however, well-known techniques that are not difficult to adapt to exploit common programming flaws in dynamic memory management. Buffer overflows, for example, can be used to corrupt data structures used by the memory manager to execute arbitrary code. Both the unlink and frontlink techniques described in this section can be used for this purpose.

There are, however, well-known techniques that are not difficult to adapt to exploit common programming flaws in dynamic memory management. Buffer overflows, for example, can be used to corrupt data structures used by the memory manager to execute arbitrary code. Both the unlink technique and the frontlink technique described in the next section can be used for this purpose.

Ch. 4, p. 191 (para.2)

The most difficult part of this exploit is determining the size of the first chunk so that the boundary tag for the second argument can be precisely overwritten.

The most difficult part of this exploit is determining the size of the first chunk so that the boundary tag for the second chunk can be precisely overwritten.

Ch. 5, p. 227 (para. 5) C requires that unsigned integer types represent values using a pure binary system with no offset. This means that the value of the binary number is 
Ch. 5, p. 227 (para. 5)
 
C requires that unsigned integer types represent values using a pure binary system with no offset. This means that the value of the binary number is 
Ch. 5, p. 227 (para. 5)
 

Ch. 5, p. 227

printf("\xdc\xf5\x42\x01%08x.%08x.%08x%n");

Delete the two decimals:
  printf("\xdc\xf5\x42\x01%08x%08x%08x%n");

Ch. 5, p.  230 If you have counted 32,768 events, you probably do not expect the code  to act as if no events occurred after the next event is registered. If you have counted 32,767 events, you probably  do not expect the code to act as if no events occurred after the next event is  registered.

Ch. 5, p. 332 (para. 1)

Wide-character formatted output functions are susceptible to format string and buffer overflow vulnerabilities in a similar manner to narrow formatted output functions, even in the extraordinary case where Unicode strings are converted from ASCII.

Delete "extraordinary"

Ch. 5, p. 332 (para. 2)

For example, multibyte-character strings are terminated by a byte with all bits set to 0, called the null character, making it impossible to embed a null byte in the middle of a string.

For example, narrow strings are terminated by a byte with all bits set to 0, called the null character, making it impossible to embed a null byte in the middle of a string.

Ch. 5, p. 233 Starting from the rightmost bit int, the binary representation and increment i from 0 to N, the weight of each bit is 2i, except for the leftmost bit, whose weight is −2i. Starting from the rightmost bit in the binary representation and incrementing i from 0 to N, the weight of each bit is 2i, except for the leftmost bit, whose weight is −2i.

Ch. 5, p. 340

These security-enhanced functions include fprintf_s(), printf_s(), snprintf_s(), sprintf(), vfprintf_s(), vprintf_s(), vsnprintf_s(), vsprintf_s(), and their wide-character equivalents.

These security-enhanced functions include fprintf_s(), printf_s(), snprintf_s(), sprintf_s(), vfprintf_s(), vprintf_s(), vsnprintf_s(), vsprintf_s(), and their wide-character equivalents.

Ch. 5, p. 253

For example, for an implementation in which the width of int is greater than the width of short, the following code has implementation-defined behavior or may raise an implementation-defined signal:

For example, for an implementation in which the width of long int is greater than the width of signed char, the following code has implementation-defined behavior or may raise an implementation-defined signal:

Ch. 5, p. 253

The following code can be used, for example, to convert  from a signed int to a signed char:

The following code can be used, for example, to convert  from a signed long int to a signed char:

Ch.5, p. 255 If the value is negative, the resulting unsigned value is evaluated as a large signed integer. If the value is negative, the resulting unsigned value is evaluated as having a large positive integer.
Ch. 5, p. 255 Table 5.9, Row for "char to unsigned long" conversion, Method column:    

Sign-extend to unsigned long; convert long to unsigned  long

Table 5.9, Row for "char to unsigned long" conversion, Method column:

Sign-extend to long; convert long to unsigned  long

Ch. 5, p. 255

Table 5.9, From column in all four instances: char

Table 5.9, From column in all four instances: signed char

Ch. 5, p. 261

Consequently, the result of any integer operation can be represented in any type with a width greater than the width of the larger addend.

Consequently, the result of any integer addition can be represented in any type with a width greater than the width of the larger addend.

Ch. 5, p. 270 (para. 2)

Ch. 5, p. 270 (para. 2)
Ch. 5, p. 270 (para. 2)

Ch. 5, p. 270 (para. 2)
Ch. 5, p. 270 (para. 2)

Ch. 5, p. 281 E1/2E2but E1/2E2
Ch. 5, p. 282 Another way to mitigate buffer overflows in these situations is to use snprintf() in preference to sprintf(), which will truncate the string to the destination size. Another way to mitigate buffer overflows in these situations is to use snprintf() in preference to sprintf(), which will discard output characters beyond the n-1st character written to the array before appending a null character.
Ch. 5, p. 283 a left shift should be used only when bit manipulation is the goal a right shift should be used only when bit manipulation is the goal
Ch. 5, p. 287 cbBuf is used as the size on the call to memcpy() size is used as the size on the call to memcpy()

Ch. 5, p. 288 (para. 2)

table[pos] = value; is equivalent to (table + (pos * sizeof(int))) = value;

table[pos] = value; is equivalent to
*(int *)((char *)table + (pos * sizeof(int))) = value

Ch. 5, p. 299 However, without operator overriding, it is necessary to nest function calls to replace normal inline arithmetic operations. However, without operator overloading, it is necessary to nest function calls to replace normal inline arithmetic operations.

Ch. 6, p. 320

Example 6.5 Stretchable Buffer

Example 6.5 Buffer Expansion

Ch. 6, p. 342 (para. 2)

The only format string vulnerability that does require the argument pointer to be advanced is buffer expansion.

The only format string vulnerability that does require the argument pointer to be advanced is buffer expansion, as shown in Example 6.5.

Ch. 5, p. 359 For example, the average, minimum value, binary, or geometric mean of a dataset. . . . For example, the average, minimum value, binary or, and geometric mean of a dataset. . . .

Ch. 7, p. 365 (para. 1)

If the platform were to write a 16-bit short int, it might do so by writing first the upper 8 bits in one instruction and then the lower 8 bits in a second instruction. If two threads simultaneously perform a write to the same short int, it might receive the lower 8 bytes from one thread but the upper 8 bytes from the other thread.

If the platform were to write a 16-bit short int, it might do so by writing first the upper 8 bits in one instruction and then the lower 8 bits in a second instruction. If two threads simultaneously perform a write to the same short int, it might receive the lower 8 bits from one thread but the upper 8 bits from the other thread.

Ch. 7, p. 371 The specific order of the operations is irrelevant. Delete sentence.
Ch.  7, p. 386 (para. 3) Each thread must acquire both locks before accessing the value. If one thread acquires lock 0 first, and a second thread acquires lock 1, the program  will deadlock. Each thread must acquire all locks before accessing the value. If  thread 0, for example, has acquired a lock required by thread 1, and thread 1  has acquired a lock required by thread 0, the program will deadlock.

Ch. 8, p. 410 (para. 8)

The value of a file descriptor is from 0 to OPEN_MAX.

The value of a file descriptor is from 0 to {OPEN_MAX}-1.

Ch. 8, p. 415 (last para.)

The effective user ID (EUID) is the actual ID used when permissions are checked by the kernel, and it consequently determines the permissions for the process.

The effective user ID (EUID) is the actual ID used when privileges are checked by the kernel, and it consequently determines the privileges for the process.

Ch. 8, p. 416 (para. 4)

However, when the program executes, it executes with the permissions of the parent process.

However, when the program executes, it executes with the privileges of the parent process.

Ch. 8, p. 417, fig. 8.6

before

after

Ch. 8, p. 426 (last para.)

The setgroups() function sets the supplementary group IDs for the process. Only the superuser may use this function.

The setgroups() function is a privileged operation that sets the supplementary group IDs for the process.

Ch. 8, p. 427

Potential consequences include reading a privileged file (information disclosure), truncating a file, clobbering a file (that is, size always 0), appending to a file, or changing file permissions.

Potential consequences include reading a privileged file (information disclosure), truncating a file, appending to a file, or changing file permissions.

Ch. 8, p. 445, code line 3

(!S_ISREG(stbl.st_mode)) &&

(S_ISREG(stbl.st_mode)) &&

Ch. 8, p. 447 (para. 1)

Both the initial stat() and the O_NONBLOCK are needed. Dropping the stat() and just relying on O_NONBLOCK is insufficient.

Both the initial lstat() and the O_NONBLOCK are needed. Dropping the lstat() and just relying on O_NONBLOCK is insufficient

Ch. 8, p. 453 (para. 3)

To eliminate any potential race condition, both the test to determine if the file exists, and the open operation, must both be performed automatically.

To eliminate any potential race condition, both the test to determine if the file exists and the open operation must be performed atomically.

Ch. 8, p. 455 (para. 2)

Presumably the flawed thinking behind this code is that if a file can be opened for reading, it must exist.

Presumably the flawed thinking behind this code is that if a file can be opened for reading, it must not exist.

Ch. 8, p. 471 (para. 2)

This section surveys three categories of race condition tools, offering a brief representative examination of tools and some key characteristics.

Race conditions have been studied extensively, and a number of tools have been developed to detect race conditions in C and C++ programs. This section describes the use of both static and dynamic analysis to discover race conditions.

Ch. 8, p. 471 (para. 3)

The tool parses the source code (or, in some cases, the binary executable), sometimes relying on user-supplied search information and criteria.

The tool parses the source code (or, in some cases, the binary executable) to build an abstract syntax tree (AST) and other graphs, depending on the analysis being performed.

Ch. 9, p. 517 (para. 2)

Periodically measuring the attack surface allows developers to determine if the attack surface is growing or shrinking and, in the latter case, evaluate if this growth is necessary.

Periodically measuring the attack surface allows developers to determine if the attack surface is growing or shrinking and, in the former case, evaluate if this growth is necessary.