Secure C coding practices

Asked 24/1, 2011 at 10:20 Answered 24/1, 2011 at 12:2

I am looking for a comprehensive record of secure coding practices in C. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc..

NB: Besides coding practices, secure libraries that defend against these kind of attacks are worth mentioning too.

LE: As seen in this question Secure C++ coding practices but for C only.

Cleland answered 24/1, 2011 at 10:20 Comment(3)

Since you are looking for secure coding practices, does this imply that the planned system does not yet exist? If so, perhaps it would be worthwhile to investigate a larger solution space, and include also programming languages other than C. Reading your list of vulnerabilities, there are industrial-strength programming languages which by design prevent stack and heap based under/overflows, integer under/overflows, format string attacks, pointer related issues (google for SPARK, for example). – Gratification 24/1, 2011 at 11:15

The basic solution to security is to code with strict contracts, and then throw in a few extra layers of safety in case you accidentally break one of your contracts. :-) – Fess 24/1, 2011 at 16:28

Title is an oxymoron. Like Schedler said, you're using the wrong language. Also look into ATS. – Gurule 25/1, 2011 at 14:43

The CERT C "de facto" standard is fairly well-known and addresses these issues at some extent:

SEI CERT C Coding Standard

There should be several static analyzers on the market that supports CERT C.

Fidelia answered 24/1, 2011 at 12:2 Comment(0)

Same answer Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

From the description:

Readers will learn:

How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems
How to properly SSL-enable applications
How to create secure channels for client-server communication without SSL
How to integrate Public Key Infrastructure (PKI) into applications Best practices for using cryptography properly Techniques and strategies for properly validating input to programs
How to launch programs securely
How to use file access mechanisms properly
Techniques for protecting applications from reverse engineering

Magnetite answered 24/1, 2011 at 10:22 Comment(3)

Sounds like a book by somebody misusing the word "security" to mean "privacy/encryption". – Fess 24/1, 2011 at 16:27

"How to launch programs securely" rofl. proof that modern OS are garbage, you can't do anything without it being a security issue – Gurule 25/1, 2011 at 14:41

"Techniques for protecting applications from reverse engineering" This will just make your program insecure, especially when it's in C....... common sense people? – Gurule 25/1, 2011 at 14:42

Recommended topics

Hot tags