xorl %eax, %eax

Book: Secure Coding in C and C++

with 5 comments

The first time I’d read this book was in 2006. Since I recently had to reference it somewhere, I decided to write a quick review after reading it at least three times since 2006. Here we are…

Title: Secure Coding in C and C++
Author: Robert C. Seacord

Chapter 1: Running with Scissors
Obviously this is the introduction chapter. Here the author discusses the various terms used in this book as well as some general security principles.

Chapter 2: Strings
Starting from basic concepts such as string characteristics in C and C++ up to more advanced issues like string vulnerabilities, the author moves to exploitation in a theoretical level by identifying some well known techniques. Then he moves to prevention and detection and ends up the chapter with some real world case studies including known vulnerabilities in Kerberos, Metamail etc.

Chapter 3: Pointer Subterfuge
This is a small but pretty neat chapter since it deals with pointer issues. All the essentials of both C pointers and C++ virtual pointer are explained and then the most common vulnerabilities. Also, you can find information for uses of atexit(), _exit(), .dtors, .got etc. in exploitation as well as mitigation strategies ranging from W^X, canaries etc.

Chapter 4: Dynamic Memory Management
Here, after discussing the basics of memory management and dynamic memory management the author moves to security subjects like vulnerabilities in specific implementations such as Dou Lea’s memory allocator, RtlHeap etc. He then presents the known mitigation strategies used in the various operating systems, commercial and free and ends up with some case studies like CVS buffer overflow, Microsoft Data Access Components etc.

Chapter 5: Integer Security
As you might have guessed, apart from the expected integer types, conversions, promotions etc. it deals with integer overflows, truncations, signedness issues etc. Like the previous chapters, mitigation strategies is the following section and the last one is some notable vulnerabilities including Windows DirectX MIDI library and BASH.

Chapter 6: Formatted Output
Clearly the format is the same. First you can learn about the fundamentals like ANSI C standard arguments, format strings etc. in both GCC and Visual C++ .NET and then move to vulnerabilities and their exploitation process. After the many mitigation strategies that have been developed through the years it concludes with some neat vulnerabilities like Washington University FTP Daemon and CDE ToolTalk.

Chapter 7: File I/O
All of the essential knowledge for file I/O security flaws and vulnerabilities can be found here. From usual TOCTOU to mutual exclusion, temporary files and file locking as well as mitigation strategies are discussed in this chapter.

Chapter 8: Recommended Practices
This is the final chapter and it deals with the countless security models, technologies and strategies that could be employed by a developer to secure his software. It’s a nice write-up and it includes almost all of the technologies that have been developed for such purposes.

In my opinion it’s an excellent book for academic environments for getting students introduced with the basic concepts of secure programming mainly in C despite that it contains some information on C++ security issues. After all, we shouldn’t forget that this book is used by Carnegie Mellon University as one of the textbooks in the SEI training class. However, don’t expect to find any information on latest topics since most of the content is about “classic” stuff that in some cases do not even apply in the nowadays systems.

Written by xorl

September 21, 2010 at 01:31

Posted in books

5 Responses

Subscribe to comments with RSS.

  1. Thank you ~ It is nice book ~


    September 21, 2010 at 07:08

  2. GTFO


    September 21, 2010 at 11:10

  3. Would you recommend a book that talks about the latest trends in secure coding? Something maybe not as outdated at this one.


    September 21, 2010 at 11:54

  4. @ret: OMG <3
    @Pluto: I'm not really aware of any "secure programming in C" book that it's up-to-day right now :(


    September 21, 2010 at 17:42

  5. https://www.securecoding.cert.org is regularly updated, hardly a book though. *shrug*


    September 21, 2010 at 21:48

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s