7

I am looking for a comprehensive record of secure coding practices in C. Since I haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc.

NB: Besides coding practices, secure libraries that defend against these kinds of attacks are worth mentioning too.

LE: As seen in this question Secure C++ coding practices but for C only.

3
  • 2
    Since you are looking for secure coding practices, does this imply that the planned system does not yet exist? If so, perhaps it would be worthwhile to investigate a larger solution space, and include also programming languages other than C. Reading your list of vulnerabilities, there are industrial-strength programming languages which by design prevent stack and heap based under/overflows, integer under/overflows, format string attacks, pointer related issues (google for SPARK, for example). Commented Jan 24, 2011 at 11:15
  • The basic solution to security is to code with strict contracts, and then throw in a few extra layers of safety in case you accidentally break one of your contracts. :-) Commented Jan 24, 2011 at 16:28
  • Title is an oxymoron. Like Schedler said, you're using the wrong language. Also look into ATS. Commented Jan 25, 2011 at 14:43

2 Answers

10

The CERT C "de facto" standard is fairly well-known and addresses these issues to some extent:

SEI CERT C Coding Standard

There should be several static analyzers on the market that support CERT C.


3

Same answer Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

From the description:

Readers will learn:

  • How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems

  • How to properly SSL-enable applications

  • How to create secure channels for client-server communication without SSL

  • How to integrate Public Key Infrastructure (PKI) into applications

  • Best practices for using cryptography properly

  • Techniques and strategies for properly validating input to programs

  • How to launch programs securely

  • How to use file access mechanisms properly

  • Techniques for protecting applications from reverse engineering

3 Comments

Sounds like a book by somebody misusing the word "security" to mean "privacy/encryption".
"How to launch programs securely" rofl. proof that modern OS are garbage, you can't do anything without it being a security issue
"Techniques for protecting applications from reverse engineering" This will just make your program insecure, especially when it's in C....... common sense people?
