C和C++安全编码 原书第2版 英文版PDF电子书下载

Chapter 1 Running with Scissors 1

1.1 Gauging the Threat 5

WhatIstheCost? 6

Who Is the Threat? 8

Software Security 11

1.2 Security Concepts 12

Security Policy 14

Security Flaws 14

Vulnerabilities 15

Exploits 16

Mitigations 17

1.3 C and C++ 17

A Brief History 19

What Is the Problem with C? 21

Legacy Code 24

Other Languages 25

1.4 Development Platforms 25

Operating Systems 26

Compilers 26

1.5 Summary 27

1.6 Further Reading 28

Chapter 2 Strings 29

2.1 Character Strings 29

StringDataType 30

UTF-8 32

Wide Strings 33

String Literals 34

Strings in C++ 36

Character Types 37

Sizing Strings 39

2.2 Common String Manipulation Errors 42

Improperly Bounded String Copies 42

Off-by-One Errors 47

Null-Termination Errors 48

String Truncation 49

String Errors without Functions 49

2.3 String Vulnerabilities and Exploits 50

Tainted Data 51

Security Flaw:IsPasswordOK 52

Buffer Overflows 53

Process Memory Organization 54

Stack Management 55

Stack Smashing 59

Code Injection 64

Arc Injection 69

Return-Oriented Programming 71

2.4 Mitigation Strategies for Strings 72

String Handling 73

C11 Annex K Bounds-Checking Interfaces 73

Dynamic Allocation Functions 76

C+++std::basic_string 80

Invalidating String Object References 81

Other Common Mistakes in basi c_stri ng Usage 83

2.5 String-Handling Functions 84

gets() 84

C99 84

C11 Annex K Bounds-Checking Interfaces:gets_s() 86

Dynamic Allocation Functions 87

strcpy() and strcat() 89

C99 89

strncpy() and strncat() 93

memcpy() and memmove() 100

strlen() 100

2.6 Runtime Protection Strategies 101

Detection and Recovery 101

Input Validation 102

Object Size Checking 102

Visual Studio Compiler-Generated Runtime Checks 106

Stack Canaries 108

Stack-Smashing Protector(ProPolice) 110

Operating System Strategies 111

Detection and Recovery 111

Nonexecutable Stacks 113

W^X 113

PaX 115

Future Directions 116

2.7 Notable Vulnerabilities 117

Remote Login 117

Kerberos 118

2.8 Summary 118

2.9 Further Reading 120

Chapter 3 Pointer Subterfuge 121

3.1 Data Locations 122

3.2 Function Pointers 123

3.3 Object Pointers 124

3.4 Modifying the Instruction Pointer 125

3.5 Global Offset Table 127

3.6 The.dtors Section 129

3.7 Virtual Pointers 131

3.8 The atexit() and on_exit() Functions 133

3.9 The longjmp() Function 134

3.10 Exception Handling 136

Structured Exception Handling 137

System Default Exception Handling 139

3.11 Mitigation Strategies 139

Stack Canaries 140

W^X 140

Encoding and Decoding Function Pointers 140

3.12 Summary 142

3.13 Further Reading 143

Chapter 4 Dynamic Memory Management 145

4.1 C Memory Management 146

C Standard Memory Management Functions 146

Alignment 147

alloca() and Variable-Length Arrays 149

4.2 Common C Memory Management Errors 151

Initialization Errors 151

Failing to Check Return Values 153

Dereferencing Null or Invalid Pointers 155

Referencing Freed Memory 156

Freeing Memory Multiple Times 157

Memory Leaks 158

Zero-Length Allocations 159

DR #400 161

4.3 C++ Dynamic Memory Management 162

Allocation Functions 164

Deallocation Functions 168

Garbage Collection 169

4.4 Common C+++ Memory Management Errors 172

Failing to Correctly Check for Allocation Failure 172

Improperly Paired Memory Management Functions 172

Freeing Memory Multiple Times 176

Deallocation Function Throws an Exception 179

4.5 Memory Managers 180

4.6 Doug Lea's Memory Allocator 182

Buffer Overflows on the Heap 185

4.7 Double-Free Vulnerabilities 191

Writing to Freed Memory 195

RtlHeap 196

Buffer Overflows(Redux) 204

4.8 Mitigation Strategies 212

Null Pointers 212

Consistent Memory Management Conventions 212

phkmalloc 213

Randomization 215

OpenBSD 215

The jemalloc Memory Manager 216

Static Analysis 217

Runtime Analysis Tools 218

4.9 Notable Vulnerabilities 222

CVS Buffer Overflow Vulnerability 222

Microsoft Data Access Components(MDAC) 223

CVS Server Double-Free 223

Vulnerabilities in MIT Kerberos 5 224

4.10 Summary 224

Chapter 5 Integer Security 225

5.1 Introduction to Integer Security 225

5.2 Integer Data Types 226

Unsigned Integer Types 227

Wraparound 229

Signed Integer Types 231

Signed Integer Ranges 235

Integer Overflow 237

Character Types 240

Data Models 241

Other Integer Types 241

5.3 Integer Conversions 246

Converting Integers 246

Integer Conversion Rank 246

Integer Promotions 247

Usual Arithmetic Conversions 249

Conversions from Unsigned Integer Types 250

Conversions from Signed Integer Types 253

Conversion Implications 256

5.4 Integer Operations 256

Assignment 258

Addition 260

Subtraction 267

Multiplication 269

Division and Remainder 274

Shifts 279

5.5 Integer Vulnerabilities 283

Vulnerabilities 283

Wraparound 283

Conversion and Truncation Errors 285

Nonexceptional Integer Logic Errors 287

5.6 Mitigation Strategies 288

Integer Type Selection 289

Abstract Data Types 291

Arbitrary-Precision Arithmetic 292

Range Checking 293

Precondition and Postcondition Testing 295

Secure Integer Libraries 297

Overflow Detection 299

Compiler-Generated Runtime Checks 300

Verifiably In-Range Operations 301

As-If Infinitely Ranged Integer Model 303

Testing and Analysis 304

5.7 Summary 307

Chapter 6 Formatted Output 309

6.1 Variadic Functions 310

6.2 Formatted Output Functions 313

Format Strings 314

GCC 318

Visual C+++ 318

6.3 Exploiting Formatted Output Functions 319

Buffer Overflow 320

Output Streams 321

Crashing a Program 321

Viewing Stack Content 322

Viewing Memory Content 324

Overwriting Memory 326

Internationalization 331

Wide-Character Format String Vulnerabilities 332

6.4 Stack Randomization 332

Defeating Stack Randomization 332

Writing Addresses in Two Words 334

Direct Argument Access 335

6.5 Mitigation Strategies 337

Exclude User Input from Format Strings 338

Dynamic Use of Static Content 338

Restricting Bytes Written 339

Cll Annex K Bounds-Checking Interfaces 340

iost ream versus stdio 341

Testing 342

Compiler Checks 342

Static Taint Analysis 343

Modifying the Variadic Function Implementation 344

Exec Shield 346

FormatGuard 346

Static Binary Analysis 347

6.6 Notable Vulnerabilities 348

Washington University FTP Daemon 348

CDE ToolTalk 348

Ettercap Version NG-0.7.2 349

6.7 Summary 349

6.8 Further Reading 351

Chapter 7 Concurrency 353

7.1 Multithreading 354

7.2 Parallelism 355

Data Parallelism 357

Task Parallelism 359

7.3 Performance Goals 359

Amdahl's Law 361

7.4 Common Errors 362

Race Conditions 362

Corrupted Values 364

Volatile Objects 365

7.5 Mitigation Strategies 368

Memory Model 368

Synchronization Primitives 371

Thread Role Analysis(Research) 380

Immutable Data Structures 383

Concurrent Code Properties 383

7.6 Mitigation Pitfalls 384

Deadlock 386

Prematurely Releasing a Lock 391

Contention 392

The ABA Problem 393

7.7 Notable Vulnerabilities 399

DoS Attacks in Multicore Dynamic Random-Access Memory(DRAM)Systems 399

Concurrency Vulnerabilities in System Call Wrappers 400

7.8 Summary 401

Chapter 8 File I/O 403

8.1 File I/O Basics 403

File Systems 404

Special Files 406

8.2 File I/O Interfaces 407

Data Streams 408

Opening and Closing Files 409

POSIX 410

File I/O in C+++ 412

8.3 Access Control 413

UNIX File Permissions 413

Process Privileges 415

Changing Privileges 417

Managing Privileges 422

Managing Permissions 428

8.4 File Identification 432

Directory Traversal 432

Equivalence Errors 435

Symbolic Links 437

Canonicalization 439

Hard Links 442

Device Files 445

File Attributes 448

8.5 Race Conditions 450

Time of Check,Time of Use(TOCTOU) 451

Create without Replace 453

Exclusive Access 456

Shared Directories 458

8.6 Mitigation Strategies 461

Closing the Race Window 462

Eliminating the Race Object 467

Controlling Access to the Race Object 469

Race Detection Tools 471

8.7 Summary 472

Chapter 9 Recommended Practices 473

9.1 The Security Development Lifecycle 474

TSP-Secure 477

Planning and Tracking 477

Quality Management 479

9.2 Security Training 480

9.3 Requirements 481

Secure Coding Standards 481

Security Quality Requirements Engineering 483

Use/Misuse Cases 485

9.4 Design 486

Secure Software Development Principles 488

Threat Modeling 493

Analyze Attack Surface 494

Vulnerabilities in Existing Code 495

Secure Wrappers 496

Input Validation 497

Trust Boundaries 498

Blacklisting 501

Whitelisting 502

Testing 503

9.5 Implementation 503

Compiler Security Features 503

As-If Infinitely Ranged(AIR)Integer Model 505

Safe-Secure C/C+++ 505

Static Analysis 506

Source Code Analysis Laboratory(SCALe) 510

Defense in Depth 511

9.6 Verification 512

Static Analysis 512

Penetration Testing 513

Fuzz Testing 513

Code Audits 515

Developer Guidelines and Checklists 516

Independent Security Review 516

Attack Surface Review 517

9.7 Summary 518

9.8 Further Reading 518

References 519

Acronyms 539

Index 545