Secure Coding in C and C++ 2nd Edition

Author: Robert C. Seacord
Publisher: Addison-Wesley
Pages: 600
ISBN: 978-0321822130
Audience: Experienced C/C++ Programmers
Rating: 4.5
Reviewer: Mike James

In C we need to keep the security of our code in mind all the time, otherwise it can be compromised and form a route into the machine. This book aims to help you fix the problem before it starts.

Security is a bigger problem for lower-level languages in that it is generally the programmer's responsibility to make sure that code is secure. C and C++ are particularly prone to programmer-induced problems because both languages give you enough freedom to make really big mistakes.

It is worth saying at this point that in this context "security" doesn't mean coding or encryption, but ways in which your code can contain vulnerabilities which can be exploited to take over the machine or to access data or resources that should be out of bounds. 

This book is an attempt to make C/C++ programmers more aware of just how vulnerable their code is. Most of the exploits are at the C level because of its more direct approach to memory use. C++ is often put forward as the way of solving the problems because it packages the way memory is accessed in a way that makes it safer - as long as you stick to the rules.

 


 

There are nine chapters in total and what they deal with is fairly obvious from their titles. 

Chapter 1. Running with Scissors - general look at security
Chapter 2. Strings
Chapter 3. Pointer Subterfuge
Chapter 4. Dynamic Memory Management
Chapter 5. Integer Security
Chapter 6. Formatted Output
Chapter 7. Concurrency
Chapter 8. File I/O
Chapter 9. Recommended Practices

Each chapter starts out by explaining the basic functioning of the language. For example, in Chapter 2 you are first taught the basics of strings in C, and this can be a bit boring if you already know the material. From this point the book moves on to consider how things can go wrong with string handling and how this can result in a memory overrun into the stack. Next the book provides general ideas about how a given vulnerability might be used by an attacker. For example, a stack incursion can be used to inject code. The coverage is up-to-date enough to include reasonably recent ideas such as return-oriented programming (ROP).

As the book goes on you will learn more and more about the inner workings of both C and the operating system. If you don't know what a stack or a heap is, then you will by the end of Chapter 2. If you don't know how C++ manages memory, then you will by the end of Chapters 3 and 4.

Chapter 5 introduces the theory and practice of numerical representations and how using, say, a signed integer as an index can be used against you. Chapter 6 introduces you to the many possible flaws in formatting, most of which should be well known. Chapter 7 deals with the less well-known topic of how concurrency can be used against you. Most of the discussion, however, is just as applicable to writing good-quality concurrent programs that don't suffer race hazards or deadlock. Chapter 8 looks at file systems, mostly Unix/POSIX, and how to work with data in a secure way. The book closes with a look at best practices.

It is shocking that we need such attention to detail to ensure that our C, and to a lesser extent C++, programmers don't commit the sort of errors that have been in circulation for a very long time - but we do. It is also slightly sad that to find a book on the inner workings of things that deals with the material at a practical level we have to be dealing with security issues. It is also worth noting that the assembly language and systems examples are x86 oriented. 

This is a very good book and highly recommended as long as you mostly want to know about flaws that arise in C. It doesn't really cover the security implications of working in C++ without dropping down to write some pure C. 

 

Last Updated ( Thursday, 19 June 2014 )
 
 

   