Secure Coding in C and C++ 2nd Edition

Author: Robert C. Seacord
Publisher: Addison-Wesley
Pages: 600
ISBN: 978-0321822130
Print:0321822137
Kindle:B00C0OBZI0
Audience: Experienced C/C++ Programmers
Rating: 4.5
Reviewer: Mike James

In C we need to keep the security of our code in mind all the time otherwise it can be compromised and form a route into the machine. This book aims to help you fix the problem before it starts.

Security is a bigger problem for lower level languages in that it is generally the programmer's responsibility to make sure that code is secure. C and C++ are particularly prone to programme-induced problems because both languages give you enough freedom to make really big mistakes. 

It is worth saying at this point that in this context "security" doesn't mean coding or encryption, but ways in which your code can contain vulnerabilities which can be exploited to take over the machine or to access data or resources that should be out of bounds. 

This book is an attempt to make C/C++ programmers more aware of just how vulnerable their code is. Most of the exploits are at the C level because its more direct approach to memory use. C++ is often put forward as the way of solving the problems because it packages the way memory is accessed in a way that makes it safer - as long as you stick to the rules. 

 

Banner

 

There are nine chapters in total and what they deal with is fairly obvious from their titles. 

Chapter 1. Running with Scissors - general look at security
Chapter 2. Strings
Chapter 3. Pointer Subterfuge
Chapter 4. Dynamic Memory Management
Chapter 5. Integer Security
Chapter 6. Formatted Output
Chapter 7. Concurrency
Chapter 8. File I/O
Chapter 9. Recommended Practices

Each chapter starts out by explaining the basic functioning of the language. For example in Chapter 2 you are first taught the basics of strings in C and this can be a bit boring if you already know the material. From this point the book moves on to consider how things can go wrong with string handling and how this can result in a memory overrun into the stack. Next the book provides general ideas about how a given vulnerability might be used by an attacker. For example a stack incursion can be used to inject code. The coverage is up-to-date enough to include reasonably recent ideas such as return oriented programming ROP. 

As the book goes on you will learn more and more about the inner workings of both C and the operating system. If you don't know what a stack or a heap is then you will by the end of Chapter 2. If you don't know how the C++ manages memory then you will by the end of Chapters 3 and 4.

 

 

Chapter 5 introduces the theory and practice of numerical representations an how using say a signed integer as an index can be used against you. Chapter 6 introduces you to the many possible flaws in formatting most of which should be well known. Chapter 7 deals with the less well known topic of how concurrency can be used against you . Most of the discussion however is just as applicable to writing good quality concurrent programs that don't suffer race hazards or deadlock. Chapter 8 looks at file systems, mostly Unix/Posix, and how to work with data in a secure way. The book closes with a look at best practices.

It is shocking that we need such attention to detail to ensure that our C, and to a lesser extent C++, programmers don't commit the sort of errors that have been in circulation for a very long time - but we do. It is also slightly sad that to find a book on the inner workings of things that deals with the material at a practical level we have to be dealing with security issues. It is also worth noting that the assembly language and systems examples are x86 oriented. 

This is a very good book and highly recommended as long as you mostly want to know about flaws that arise in C. It doesn't really cover the security implications of working in C++ without dropping down to write some pure C. 

 

Banner


The Rust Programming Language, 2nd Ed

Author: Steve Klabnik and Carol Nichols
Publisher: No Starch Press
Date: June 2023
Pages: 560
ISBN: 978-1718503106
Print: 1718503105
Kindle: B0B7QTX8LL
Audience: Systems programmers
Rating: 4.8
Reviewer: Mike James

There's a new edition of what has become the standard text on Rust. Has it matured along with [ ... ]



T-SQL Fundamentals (Microsoft Press)

Author: Itzik Ben-Gan
Publisher: Microsoft Press
Pages: 608
ISBN: 978-0138102104
Print: 0138102104
Kindle: B0BTLBXF8V
Audience: T-SQL developers
Rating: 5
Reviewer: Kay Ewbank

Itzik Ben-Gan is a highly respected Microsoft Data Platform MVP, and the earlier editions of this book were already ver [ ... ]


More Reviews

Last Updated ( Saturday, 21 October 2017 )