问题
I am looking for a comprehensive record of secure coding practices in C. Since i haven't found such a list existing here already we might as well make this into a community wiki, for further reference. I am looking for solutions to security issues like stack and heap based buffer overflows and underflows, integer overflows and underflows, format string attacks, null pointer dereferencing, heap/memory inspection attacks, etc..
NB: Besides coding practices, secure libraries that defend against these kind of attacks are worth mentioning too.
LE: As seen in this question Secure C++ coding practices but for C only.
回答1:
The CERT C "de facto" standard is fairly well-known and addresses these issues at some extent:
SEI CERT C Coding Standard
There should be several static analyzers on the market that supports CERT C.
回答2:
Same answer Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Input Validation & More
From the description:
Readers will learn:
How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems
How to properly SSL-enable applications
How to create secure channels for client-server communication without SSL
How to integrate Public Key Infrastructure (PKI) into applications Best practices for using cryptography properly Techniques and strategies for properly validating input to programs
How to launch programs securely
How to use file access mechanisms properly
- Techniques for protecting applications from reverse engineering
来源:https://stackoverflow.com/questions/4780873/secure-c-coding-practices