Re: Secure C programming

On Mon, 31 Dec 2007 13:46:14 -0600, Golden California Girls wrote
(in article <_tKdnU3lvLCH2uTanZ2dnUVZ_vGinZ2d@xxxxxxxxxxxxxxxxxxxxx>):

Chris Thomasson wrote:
"Rico Secada" <coolzone@xxxxx> wrote in message
news:20071230223029.f17f1c63.coolzone@xxxxxxxx
Hi.

Doesn't there exist any complete texts on what to do and not do when
programming in C, from a security perspective?

Preferably with examples.

Don't program C if you don't know how to avoid common pitfalls; C gets a
bad rap sometimes. It's the fault of all the _lazy/crap_ programmers out
there which frequently create applications that do not even seem to have
any sense of where there buffer(s) begin, or _end_!!

Yikes! ;^(...

Think your finger is pointing in the wrong direction. Anyone who knows
humans
knows that an IQ of 100 is average. A person who designs something that they
know will be used by an average person but doesn't design it for use by such
a
person is the one who should have the fault heaped on them.

So you suggest that programming languages should be designed for use by
average people from the general population? Or the standard library as
well? I'm quite confident that it wasn't believed that the average
person off the street was the target audience for C when it was
designed originally, but dmr may see fit to confirm or deny it.

If that is the goal today, it would certainly explain some of the new
languages that have appeared more recently. ;-)

When the standard
library and strings were defined, security may not have been an issue. Bad
future prediction I will forgive. However I can't forgive the standards
people
for continuing to permit it. Depreciated should be enforced. Yes, break the
program or make them compile it under the old standard.

You are now referring to things like gets() and company?



--
Randy Howard (2reply remove FOOBAR)
"The power of accurate observation is called cynicism by those
who have not got it." - George Bernard Shaw





.

Relevant Pages

  • Re: Is C99 the final C? (some suggestions)
    ... The C standard specifies what is UB and what's not. ... If you have multithreading, they you have to lock and unlock ... > your heap, or use other strategies to make sure one thread isn't in the middle ... Having a different set of condoned operators at each programming ...
    (comp.lang.c)
  • Re: [Lit.] Buffer overruns
    ... > support the good practice of safe system design. ... Even I can agree with that as a vague principle." ... I then gave a quote from Edsger W. Dijkstra: "A Programming Language is ... programming languages and the integrity of systems built using them. ...
    (sci.crypt)
  • Re: Portability: Harmony between PC and microcontroller
    ... int is the natural integer type for the system. ... You are, perhaps unintentionally, paraphrasing the standard in a way ... One of the things that you might not realize is that the C programming ... In the real world, most embedded systems have more complex jobs to do, ...
    (comp.lang.c)
  • Re: Sequence points
    ... They have been in the Standard since the Standard first appeared in 1989, ... you still don't understand sequence points. ... in areas outside of programming. ... programmers are in fact unequal to the demands of assembler language, ...
    (comp.programming)
  • Re: Code Review - is this code shit
    ... Good even though it's not in the Holy Standard. ... That is the stupidest analogy for a programming language I've ever ... A fortiori a program or a language is none of these things. ... The original message has the space there. ...
    (comp.lang.c)