7

I am looking for a comprehensive record of secure coding practices in C. Since I haven't found such a list existing here already, we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc.

NB: Besides coding practices, secure libraries that defend against these kinds of attacks are worth mentioning too.

LE: As seen in this question, Secure C++ coding practices, but for C only.

Shinnok
  • Since you are looking for secure coding practices, does this imply that the planned system does not yet exist? If so, perhaps it would be worthwhile to investigate a larger solution space, and include also programming languages other than C. Reading your list of vulnerabilities, there are industrial-strength programming languages which by design prevent stack and heap based under/overflows, integer under/overflows, format string attacks, pointer related issues (google for SPARK, for example). – Schedler Jan 24 '11 at 11:15
  • The basic solution to security is to code with strict contracts, and then throw in a few extra layers of safety in case you accidentally break one of your contracts. :-) – R.. GitHub STOP HELPING ICE Jan 24 '11 at 16:28
  • Title is an oxymoron. Like Schedler said, you're using the wrong language. Also look into ATS. – L̲̳o̲̳̳n̲̳̳g̲̳̳p̲̳o̲̳̳k̲̳̳e̲̳̳ Jan 25 '11 at 14:43

2 Answers

10

The CERT C "de facto" standard is fairly well-known and addresses these issues to some extent:

SEI CERT C Coding Standard

There should be several static analyzers on the market that support CERT C.

Chris O
Lundin
3

Same answer: Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More

From the description:

Readers will learn:

  • How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems

  • How to properly SSL-enable applications

  • How to create secure channels for client-server communication without SSL

  • How to integrate Public Key Infrastructure (PKI) into applications

  • Best practices for using cryptography properly

  • Techniques and strategies for properly validating input to programs

  • How to launch programs securely

  • How to use file access mechanisms properly

  • Techniques for protecting applications from reverse engineering