SECURE_CODING 概要 zz

最新推荐文章于 2024-08-12 22:17:57 发布
转载 最新推荐文章于 2024-08-12 22:17:57 发布 · 891 阅读 · 0
文章标签:

#buffer #string #function

本文总结了安全编程中的常见问题,特别是使用strcpy、sprintf、strcat等函数可能导致缓冲区溢出的风险,并提供了安全替代方案。

以下总结的内容来自于Coverity Prevent分析,SECURE_CODING 是Prevent中关于编码安全方面的一个检查器,是全球百万余开发人员从历史上的各种安全漏洞事件中总结出来的。

 

× [VERY RISKY]. Use of "strcpy" has been known to cause a buffer overflow when used incorrectly.  If the destination string of a strcpy() is not large enough then anything might happen. Use strncpy() instead

 

 

×[VERY RISKY]. Use of "sprintf" has been known to cause a buffer overflow when used incorrectly.  Because sprintf() assumes an arbitrarily long string, callers must be careful not to overflow the actual space of the destination. Use snprintf() instead, or correct precision specifiers.

 

×[VERY RISKY]. Use of "strcat" has been known to cause a buffer overflow when used incorrectly.  The destination of a strcat() call must have enough space to accept the source. Use strncat() instead.

 

×You should never use the gets() function because you cannot control the amount of data that is read.

 

From: http://www.51testing.com/?uid-10851-action-viewspace-itemid-106174

lychee007
关注
Secure.Coding.in.C.and.Cplusplus.2nd.Edition.0321822137.epub
07-20
Learn the Root Causes of Software Vulnerabilities and How to Avoid Them Commonly exploited software vulnerabilities are usually caused by avoidable software defects. Having analyzed tens of thousands of vulnerability reports since 1988, CERT has determined that a relatively small number of root causes account for most of the vulnerabilities. Secure Coding in C and C++, Second Edition, identifies and explains these root causes and shows the steps that can be taken to prevent exploitation. Moreover, this book encourages programmers to adopt security best practices and to develop a security mindset that can help protect software from tomorrow’s attacks, not just today’s. Drawing on the CERT’s reports and conclusions, Robert C. Seacord systematically identifies the program errors most likely to lead to security breaches, shows how they can be exploited, reviews the potential consequences, and presents secure alternatives. Coverage includes technical detail on how to Improve the overall security of any C or C++ application Thwart buffer overflows, stack-smashing, and return-oriented programming attacks that exploit insecure string manipulation logic Avoid vulnerabilities and security flaws resulting from the incorrect use of dynamic memory management functions Eliminate integer-related problems resulting from signed integer overflows, unsigned integer wrapping, and truncation errors Perform secure I/O, avoiding file system vulnerabilities Correctly use formatted output functions without introducing format-string vulnerabilities Avoid race conditions and other exploitable vulnerabilities while developing concurrent code The second edition features Updates for C11 and C++11 Significant revisions to chapters on strings, dynamic memory management, and integer security A new chapter on concurrency Access to the online secure coding course offered through Carnegie Mellon’s Open Learning Initiative (OLI) Secure Coding in C and C++, Second Edition, presents hundreds of examples of secure code, insecure code, and exploits, implemented for Windows and Linux. If you’re responsible for creating secure C or C++ software–or for keeping it safe–no other book offers you this much detailed, expert assistance. Table of Contents Chapter 1 Running with Scissors Chapter 2 Strings Chapter 3 Pointer Subterfuge Chapter 4 Dynamic Memory Management Chapter 5 Integer Security Chapter 6 Formatted Output Chapter 7 Concurrency Chapter 8 File I/O Chapter 9 Recommended Practices
Secure Network Coding for a P2P System
12-08
Network coding is a data transmission technique which allows intermediate nodes in a network to re-code data in transit. In contrast to traditional network communication where a node repeats incoming ...
Apple - Secure Coding Guide
AI工程化、开源分享、文档翻译、代码笔记
06-22 1678
一、安全编码指南简介 1、概览 黑客和攻击者 没有平台是免疫的 2、如何使用本文档 3、另见 二、安全漏洞的类型 1、缓冲区溢出 2、未经验证的输入 3、Race 条件 4、进程间通信 5、不安全的文件操作 6、访问控制问题 7、安全存储和加密 8、社会工程学 三、避免缓冲区溢出和下溢 1、堆栈溢出 2、堆溢出 3、字符串处理 4、计算缓冲区大小 5、避免整数溢出和下溢 6、检测缓冲区溢出 7、避免缓冲区下溢 8、可以提供帮助的安全功能 地址空间布局随机化 不可执行的堆栈和堆 调试堆损坏错误 其他影响安全性
CERT C/C++ Secure Coding Standard
yasi_xi的专栏
10-28 4027
CERT C Secure Coding Standard CERT C++ Secure Coding Standard
security 相关标准secure coding
cnbird's blog
12-20 1055
http://www.cert.org/secure-coding/scstandards.html http://cwe.mitre.org/top25/index.html
IOS安全编码指南 Secure Coding Guide -- 01 Introduction 上
静静燃烧的雪的专栏
06-05 1108
IOS安全编码指南 Secure Coding Guide -- 01 Introduction 上 Introduction to Secure Coding Guide     Secure coding is the practice of writing programs that are resistant to attack by maliciou
Apple Secure Coding Guide 2012
08-18
Secure coding is the practice of writing programs that are resistant to attack by malicious or mischievous people or programs. Secure coding helps protect a user’s data from theft or corruption. In ...
The CERT Oracle Secure Coding Standard for Java
01-21
《The CERT Oracle Secure Coding Standard for Java》是由Fred Long、Dhruv Mohindra、Robert C. Seacord、Dean F. Sutherland和David Svoboda编写的一本书籍。该书由Addison Wesley出版社出版于2011年,属于软件...
secure Secure Coding in C and C++.rar
03-22
Secure Coding in C and C++》是一本深入探讨C和C++编程中安全问题的专业书籍。该书聚焦于如何在这些语言中编写安全的代码,防止潜在的安全漏洞,如缓冲区溢出、类型错误、资源管理不当等。C和C++是底层编程的重要...
Top 10 Secure Coding Practices
我编程,我快乐
02-09 1564
Top 10 Secure Coding Practices  Validate input. Validate input from all untrusted data sources. Proper input validation can eliminate the vast majority of software vulnerabilities. Be suspicious
IOS开发NSSecureCoding
李小源的博客
02-04 665
NSSecureCoding 官方解释:A protocol that enables encoding and decoding in a manner that is robust against object substitution attacks. 一种协议,它以一种抗对象替换攻击的健壮方式实现编码和解码。 NSSecureCoding相对NSCoding来说对数据的处理添加了一定的安全性 存与取 NSData *data = [NSData dataWithContentsOf.
什么是安全编码,为什么它很重要?
软件行业技术文化交流。
07-31 801
通过遵循 OWASP 和 SEI CERT 等标准,您可以使您的软件对用户更安全,并避免因任何漏洞利用、黑客攻击或违规而导致的法律和财务复杂性。安全编码的重要性:幸运的是,通过遵循一些已经建立的安全编码标准,比如OWASP(开放网络应用安全项目)和SEI Cert(软件工程研究所的认证),可以缓解大多数常见的软件安全漏洞。如果您几乎没有安全编码的经验,那么使用他们的服务来确保源代码的安全性和健壮性将是一个好主意。此外,请查看他们的工具,该工具可以查找可能影响您项目的依赖关系和公开披露的漏洞。
数据治理:数据安全100个基本概念全解
fuyipingwml1976124的博客
01-15 2889
根据DAMA的定义,数据安全指定义、规划、开发、执行安全策略和规程,以提供对数据和信息资产的适当验证、授权、访问和审计。数据安全的目标有三个:启用对企业数据资产的适当访问,并防止不适当的访问理解并遵守所有有关隐私、保护和保密的法规和政策确保所有利益相关方的隐私和保密需求得到执行和审计在《数据治理:一文讲透数据安全》一文中,我对如何实施数据安全进行了相对宏观的介绍。本文将从微观入手,对104个数据安...
平台间函数差异与系统移植:snprintf/_snprintf
fibbery学习笔记
11-13 4183
  snprintf函数并不是标准c/c++中规定的函数,但是在许多编译器中,厂商提供了其实现的版本。在gcc中,该函数名称就snprintf,而在VC中称为_snprintf。  由于不是标准函数,没有一个统一的标准来规定该函数的行为,所以导致了各厂商间的实现版本可能会有差异。今天也的的确确看到了差异,因为这个小小的差异是我的程序无法正常的处理数据。  这个小小的差异发生在count参数。在VC
SecureCoding in C and C++(二)
最新发布
小心信科理化声
08-12 953
本篇文章从其他的角度来观察C++语言的一些小细节,甚至关于编译!
NSCoding和NSSecureCoding
weixin_34247299的博客
05-25 1391
NSCodingNSCoding is a protcol that you can implement on your data classes to support encoding and decoding your data into a data buffer, which can then be persisted to disk.如果想把自定义的对象持久化(存到硬盘),或者用于网络传...
man 3 printf
LongZh_CN的专栏
07-08 1721
PRINTF(3) Linux Programmer's Manual PRINTF(3) NAME        printf, fprintf, sprintf, snprintf, vprintf, vfprintf, vsprintf, vsnprintf - formatted output conversion SYNOPSIS
c语言读取字符串的函数时出错,fscanf_s 函数读取出错 C语言
weixin_28595749的博客
05-17 2926
满意答案sdjkgas2017.04.07采纳率:44%等级:12已帮助:8106人fscanf位于头文件中,函数原型为int fscanf(FILE*stream, constchar*format, [argument...]); 其功能为根据数据格式(format)从输入流(stream)中写入数据(argument);与fgets的差别在于:fscanf遇到空格和换行时结束,注意空...
man 3 printf fprintf sprintf
LongZh_CN的专栏
07-08 1270
NAME printf, fprintf, sprintf, snprintf, vprintf, vfprintf, vsprintf, vsnprintf - formatted output conversion   SYNOPSIS #include stdio.h> int printf(const char *format, ...);  int fprintf(FILE *
python 安装arithmetic_coding
12-03
要在Python中安装arithmetic_coding模块,首先需要使用pip或者conda等包管理工具来安装arithmetic_coding库。在命令行或终端中输入以下命令即可安装: 使用pip安装: ``` pip install arithmetic_coding ``` 使用...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值