Re: Secure C programming



In article <20071230223029.f17f1c63.coolzone@xxxxx>, Rico Secada <coolzone@xxxxx> writes
Hi.

Doesn't there exist any complete texts on what to do and not do when
programming in C, from a security perspective?

No... In a word.

There are several general texts. For example Les Hatton's Safer C

Then there is https://www.securecoding.cert.org/confluence/display/seccode/CERT+Secure+Coding+Standards

Parts of it are based on MISRA-C:1998.

There is an ISO working group on Vulnerabilities looking at language vulnerabilities generically and specifically across a range of languages including C. It is intended that MISRA-C:2010 will also incorporate the relevant parts of OWG-V and cover C security as well as safety.

The work shows that there is a major overlap between safety-reliability and security. In fact we found that the two communities were often looking at the same problem with a different perspective.

Safety wants a robust and reliable system no matter what happens, i.e. random inputs and accidental problems etc., whereas security wants the same but assumes intentional and intelligent abuse of the system. In many cases it is the same problem, just worded differently.

The problem with C is there are two types of security threat: C language generic, and architecture-compiler specific.

So it depends on what you are developing on what architecture with which compiler.

--
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
\/\/\/\/\ Chris Hills Staffs England /\/\/\/\/
/\/\/ chris@xxxxxxxxxxxx www.phaedsys.org \/\/\
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
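An added illustration of the two threat categories named above and of the "same problem, worded differently" point; this is example code written for this page, not code from the poster or from any of the documents he cites. The wire format (one length byte followed by that many payload bytes), `MAX_PAYLOAD`, and the three sample inputs are constructed for the example.

```c
#include <limits.h>
#include <string.h>
/* Constructed wire format: one length byte, then that many payload bytes. */
#define MAX_PAYLOAD 64
/* Architecture/compiler-specific hazard: whether plain char is signed is
 * implementation-defined, so a length byte of 0xFF read through plain char
 * is 255 on one target and -1 on another. This reports what this target does. */
int length_byte_as_plain_char(unsigned char b)
{
    char c = (char)b;   /* implementation-defined result when b > CHAR_MAX */
    return (int)c;
}
/* Hardened parser: copies the payload into out and returns its length, or -1
 * on malformed input. The length is read as unsigned (never negative on any
 * target) and checked against both the remaining input and the destination
 * capacity before any copy; those checks are the language-generic part. */
int parse_record(const unsigned char *in, size_t in_len,
                 unsigned char *out, size_t out_cap)
{
    if (in == NULL || out == NULL || in_len < 1)
        return -1;
    size_t n = in[0];             /* 0..255 regardless of char signedness */
    if (n > in_len - 1)           /* record claims more bytes than are present */
        return -1;
    if (n > out_cap)              /* payload would overrun the destination */
        return -1;
    memcpy(out, in + 1, n);
    return (int)n;
}
/* Constructed inputs: a well-formed record, a record truncated in transit
 * (the safety view) and a record whose length byte was set to 0xFF on purpose
 * (the security view). The parser rejects the last two the same way. */
int demo_well_formed(void)
{
    unsigned char in[] = { 3, 'a', 'b', 'c' }, out[MAX_PAYLOAD];
    return parse_record(in, sizeof in, out, sizeof out);
}
int demo_truncated(void)
{
    unsigned char in[] = { 8, 'a', 'b' }, out[MAX_PAYLOAD];
    return parse_record(in, sizeof in, out, sizeof out);
}
int demo_oversized_length(void)
{
    unsigned char in[MAX_PAYLOAD + 1 + 200], out[MAX_PAYLOAD];
    memset(in, 'x', sizeof in);
    in[0] = 0xFF;                 /* 255 bytes are present, but out holds 64 */
    return parse_record(in, sizeof in, out, sizeof out);
}
```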