Secure Programming in C/C++
Links from the class materials and other supplemental information, grouped by chapter:
Class files for labs
Chapter 1: Introduction
Chapter 2: Secure C/C++ Programming
Links from the text:
Chapter 3: Security and the software development life cycle
Links from the text:
- NIST SP 800-64
- FIPS 199: Standards for Security Categorization of Federal Information and Information Systems
- Secure Software Development Life Cycle Processes by Noopur Davis
- The emperor's old clothes by Charles Antony Richard Hoare
- Misuse and Abuse Cases: Getting Past the Positive by Paco Hope and Gary McGraw
- WEP insecurity
- The TI transponder cracking
- Info about the TCP design issues and security
- "The Code Red Worm" by Hal Berghel, Communications of the ACM, vol 44, no 12, December, 2001
- CERT Vulnerability Note VU#684820
- SMS DoS attack info
- Lecture notes for Introduction to Security---Fall '05 by Steve Bellovin
- CERT Secure Coding Standards
- Validating C and C++ for Safety and Security: A structured approach to manual code review
- Nimda information from "All public hospitals in Gothenburg Sweden crippled by Nimda" by Peter Hakanson, Forum on Risks to the Public in Computers and Related Systems, ACM Committee on Computers and Public Policy, vol 21, no 67, October, 2001
- Morris worm information
- Inside the Slammer worm by Moore et al.
- Misplaced Trust: Kerberos 4 Session Keys in Proceedings of the 1997 Symposium on Network and Distributed System Security
- CERT Vulnerability Note VU#623217
- "A Trend Analysis of Exploitations" by Hilary K. Browne, John McHugh, William A. Arbaugh, and William L. Fithen, University of Maryland CS department technical report CS-TR-4200 and UMIACS-TR-2000-76
- "Windows of Vulnerability: A Case Study Analysis" by William A. Arbaugh, William L. Fithen, and John McHugh, in IEEE Computer Volume: 33, Number: 12, Pages: 52-59
Chapter 4: Integer operations
Links from the text:
Chapter 5: Buffer overflow introduction
Links from the text:
Chapter 6: Stack overflows
Links from the text:
Additional links, not from the course text, or, software needed for the chapter:
"Applying 'design by contract'" by Meyer, B., from IEEE Computer v 25 n 10, pp 40-51.
Chapter 7: Heap and other data segment overflows
Links from the text:
Chapter 8: Pointer issues
Links from the text:
Chapter 9: Buffer overflow avoidance and mitigation
Links from the text:
Additional links, not from the course text, or, software needed for the chapter:
diehard-1.0.2-linux.tar.gz
diehard-1.0.2.zip (source code)
Chapter 10: Format string errors
Links from the text:
Additional links, not from the course text, or, software needed for the chapter:
pscan-1.2-1.fc4.i386.rpm
rats-2.1-win32.zip
rats-2.1.tar.gz
Chapter 11: Tips and techniques
Links from the text:
Additional links, not from the course text, or, software needed for the chapter:
flawfinder-1.27-1.noarch.rpm
flawfinder-1.27-1.src.rpm
flawfinder-1.27.tar.gz
rats-2.1-win32.zip
rats-2.1.tar.gz
splint-3.1.1.src.tgz
These are local copies.
Chapter 12: Process issues
Links from the text:
Additional links, not from the course text, or, software needed for the chapter:
RazorSignals.pdf (Local copy)
sendmail.8.13.3.tar.gz (Local copy)
Chapter 13: Filesystem Security Issues
Links from the text:
SkillBridge Training
Examples from the class notes (or,
all as one file).
Selected Solutions from the class notes (no
looking until you have solved the problems!). Note that all solutions
are in an appendix of your course book.
All solutions in a compressed tar file.
Evaluation form (if needed)