Secure Programming in C/C++

Links from the class materials and other supplemental information, grouped by chapter:

Class files for labs

Chapter 1: Introduction

Chapter 2: Secure C/C++ Programming

Links from the text:

• Secure Programming for Linux and Unix HOWTO
• Apple Mac OS X SLP Daemon Service Registration Local Buffer Overflow Vulnerability
• Michael Howard's blog
• Bruce Schneier's blog and Crypto-gram newsletter
• Dr. Dobb's Portal, Security section
• DeveloperWorks Technical Library
• the ACM online calendar

Chapter 3: Security and the software development life cycle

Links from the text:

• NIST SP 800-64
• Standards for Security Categorization of Federal Information and Information Systems is FIPS 199
• Secure Software Development Life Cycle Processes by Noopur Davis
• The emperor's old clothes by Charles Antony Richard Hoare
• Misuse and Abuse Cases: Getting Past the Positive by Paco Hope and Gary McGraw
• WEP insecurity
• The TI transponder cracking
• Info about the TCP design issues and security
• ``The Code Red Worm'' by Hal Berghel, Communications of the ACM, vol 44, no 12, December, 2001
• CERT Vulnerability Note VU#684820
• SMS DoS attack info
• Lecture notes for Introduction to Security---Fall '05 by Steve Bellovin
• CERT Secure Coding Standards
• Validating C and C++ for Safety and Security: A structured approach to manual code review
• Nimda information from ``All public hospitals in Gothenburg Sweden crippled by Nimda'' by Peter Hakanson, Forum on Risks to the Public in Computers and Related Systems, ACM Committee on Computers and Public Policy, vol 21, no 67, October, 2001
• Morris worm information
• Inside the Slammer worm by Moore et al.
• Misplaced Trust: Kerberos 4 Session Keys in Proceedings of the 1997 Symposium on Network and Distributed System Security
• CERT Vulnerability Note VU#623217
• ``A Trend Analysis of Exploitations'' by Hilary K. Browne, John McHugh, William A. Arbaugh, and William L. Fithen, University of Maryland CS department technical report CS-TR-4200 and UMIACS-TR-2000-76
• ``Windows of Vulnerability: A Case Study Analysis'' by William A. Arbaugh, William L. Fithen, and John McHugh, in IEEE Computer Volume: 33, Number: 12, Pages: 52--59

Chapter 4: Integer operations

Links from the text:

• CWE 189
• CWE 197
• CVE-2006-0145
• C99 standard
• The sshd bug
• Integer Handling with the C++ SafeInt Class
• CWE 190
• CWE 191
• The backwards-counting vote canvassing
• The one counterexample to closed-source election software that I am aware of
• The information about Microsoft delaying XP SP2
• image overflow code example
• Reviewing Code for Integer Manipulation Vulnerabilities, by Michael Howard
• Integer Handling with the C++ SafeInt Class by David LeBlanc
• An Overlooked Construct and an Integer Overflow Redux by Michael Howard
• Strsafe.h: Safer String Handling in C by Michael Howard
• GNU MP
• CERT® Advisory CA-2003-18 Integer Overflows in Microsoft Windows DirectX MIDI Library
• CERT® Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
• CERT® Advisory CA-2002-25 Integer Overflow In XDR Library
• Apple QuickTime contains an integer overflow in the ``QuickTime.qts'' extension
• Microsoft Windows LoadImage API vulnerable to integer overflow
• CWE 195
• CWE 196
• The Apache chunked encoding error
• One exploit for it
• CWE 127
• Open Source Vulnerability Database
• iDefense Security Advisory 09.23.06: FreeBSD i386_set_ldt Integer Signedness Vulnerability
• view the diffs of sys_machdep.c versions
• Integer overflow in OpenBSD kernel

Chapter 5: Buffer overflow introduction

Links from the text:

• CWE 124
• CWE 120
• information about buffer overflow history

Chapter 6: Stack overflows

Links from the text:

• Smashing The Stack For Fun And Profit
• CWE 124
• CWE 120
• Apache mod_rewrite contains off-by-one error in ldap scheme handling
• How to use assertions in C
• ASCII table

Additional links, not from the course text, or, software needed for the chapter:

Applying `design by contract' by Meyer, B., from IEEE Computer v 25 n 10, pp 40--51.

Chapter 7: Heap and other data segment overflows

Links from the text:

• ``Third Generation Exploitation'' by Halvar Flake
• ``Windows Heap Overflows'' by David Litchfield
• ``Reliable Windows Exploits'' by Matt Conover, Oded Horowitz
• CWE 124
• CWE 120
• The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows
• Microsoft IE wininet.dll Long Hostname Heap Corruption Code Execution
• Microsoft Windows ASN.1 Double Free Code Execution
• w00w00 on Heap Overflows
• Microsoft RPCSS DCOM Interface Long Filename Heap Corruption Vulnerability

Chapter 8: Pointer issues

Links from the text:

• Protecting against Pointer Subterfuge (Kinda!)
• GnuPG: remotely controllable function pointer
• C++ virtual destructors
• Virtual function entry at Wikipedia
• A description of the GOT
• Another description of the GOT
• How to hijack the Global Offset Table with pointers for root shells
• GOT/DTORS
• The article by Samy appears to have disappeared. An archive copy is here
• atexit in memory bugs
• w00w00 on Heap Overflows
• Exploit: Stack Overflows - Exploiting SEH on win32
• The gcc manual

Chapter 9: Buffer overflow avoidance and mitigation

Links from the text:

• CWE 242
• Library Solutions in C/C++
• Saying Goodbye to an Old Friend
• mib string library
• OpenBSD
• libsafe
• Parasoft Insure++
• Dmalloc
• Microsoft's application verifier
• A paper by Poul-Henning Kamp about PhkMalloc
• PhkMalloc
• Electric Fence
• Die Hard randomized heap
• Valgrind
• StackShield
• StackGuard
• The original Stackguard paper
• ProPolice (formerly SSP)
• Run-time Detection of Heap-based Overflows
• Defeating Windows XP SP2 Heap protection and DEP bypass
• A new way to bypass Windows heap protections
• Die Hard web site

Additional links, not from the course text, or, software needed for the chapter:

diehard-1.0.2-linux.tar.gz
diehard-1.0.2.zip (source code)

Chapter 10: Format string errors

Links from the text:

• CWE 134
• Exploiting Format String Vulnerabilities
• Format String Exploits
• RATS---Rough Auditing Tool for Security
• PScan
• Fedora RPM for PScan
• the RPM database
• Open Source Vulnerability Database
• Wikipedia entry for ASLR
• PaX documentation

Additional links, not from the course text, or, software needed for the chapter:

pscan-1.2-1.fc4.i386.rpm
rats-2.1-win32.zip
rats-2.1.tar.gz

Chapter 11: Tips and techniques

Links from the text:

• The CERT C++ Secure Coding Standard
• ``Failing Securely'', by Sean Barnum and Michael Gegick
• Mozilla Thunderbird Insecure SMTP Authentication Protocol Negotiation Weakness
• TCP Wrappers PARANOID Reverse DNS ACL Bypass
• CWE 20
• CWE 116
• Why C++ on .NET is good for security
• CVE-2006-0058
• CWE 391
• Strive for Logical Completeness
• gcc manual
• A more complete list of static code analysis tools
• Fortify
• Coverity
• RATS
• flawfinder
• valgrind
• Etnus TotalView
• Purify Plus

Additional links, not from the course text, or, software needed for the chapter:

flawfinder-1.27-1.noarch.rpm
flawfinder-1.27-1.src.rpm
flawfinder-1.27.tar.gz
rats-2.1-win32.zip
rats-2.1.tar.gz
splint-3.1.1.src.tgz
These are local copies.

Chapter 12: Process issues

Links from the text:

• CWE 226
• util-linux information leak
• ``Data Lifetime is a Systems Problem''
• MEM03-A. Clear sensitive information stored in dynamic memory prior to deallocation
• CWE 387
• CWE 364
• the article by Michal Zalewski about signal race conditions
• latest sendmail source

Additional links, not from the course text, or, software needed for the chapter:

RazorSignals.pdf (Local copy)
sendmail.8.13.3.tar.gz (Local copy)

Chapter 13: Filesystem Security Issues

Links from the text:

• Remembrance of Data Passed: A Study of Disk Sanitization Practices by Simson L. Garfinkel and Abhi Shelat
• Hard-Disk Risk by Simson Garfinkel
• CWE 200
• CWE 226
• CWE 367
• Craig Lowery, ``A Tour of TOCTTOUs''
• One way to detect and thereby avoid race conditions in /tmp
• [8lgm] SunOS passwd advisory
• iDefense MacOS X advisory
• Borisov et al., ``Fixing Races for Fun and Profit,'' 14th USENIX Security Symposium (2005)
• IE5 cross-site scripting exploit using temp file races
• RaceGuard, a Linux kernel modification that can detect race condition attacks on files/tmp
• CWE 378
• CWE 377
• ISS Advisory ``Multiple scripts temporary file overwrite'' (Sep 30, 2004)

SkillBridge Training

Examples from the class notes (or, all as one file).

Selected Solutions from the class notes (no looking until you have solved the problems!). Note that all solutions are in an appendix of your course book. All solutions in a compressed tar file.

Evaluation form (if needed)