Secure Coding in C and C++ 2nd Edition

Author: Robert C. Seacord
Publisher: Addison-Wesley
Pages: 600
ISBN: 978-0321822130
Audience: Experienced C/C++ Programmers
Rating: 4.5
Reviewer: Mike James

In C we need to keep the security of our code in mind all the time otherwise it can be compromised and form a route into the machine. This book aims to help you fix the problem before it starts.

Security is a bigger problem for lower level languages in that it is generally the programmer's responsibility to make sure that code is secure. C and C++ are particularly prone to programme-induced problems because both languages give you enough freedom to make really big mistakes. 

It is worth saying at this point that in this context "security" doesn't mean coding or encryption, but ways in which your code can contain vulnerabilities which can be exploited to take over the machine or to access data or resources that should be out of bounds. 

This book is an attempt to make C/C++ programmers more aware of just how vulnerable their code is. Most of the exploits are at the C level because its more direct approach to memory use. C++ is often put forward as the way of solving the problems because it packages the way memory is accessed in a way that makes it safer - as long as you stick to the rules. 




There are nine chapters in total and what they deal with is fairly obvious from their titles. 

Chapter 1. Running with Scissors - general look at security
Chapter 2. Strings
Chapter 3. Pointer Subterfuge
Chapter 4. Dynamic Memory Management
Chapter 5. Integer Security
Chapter 6. Formatted Output
Chapter 7. Concurrency
Chapter 8. File I/O
Chapter 9. Recommended Practices

Each chapter starts out by explaining the basic functioning of the language. For example in Chapter 2 you are first taught the basics of strings in C and this can be a bit boring if you already know the material. From this point the book moves on to consider how things can go wrong with string handling and how this can result in a memory overrun into the stack. Next the book provides general ideas about how a given vulnerability might be used by an attacker. For example a stack incursion can be used to inject code. The coverage is up-to-date enough to include reasonably recent ideas such as return oriented programming ROP. 

As the book goes on you will learn more and more about the inner workings of both C and the operating system. If you don't know what a stack or a heap is then you will by the end of Chapter 2. If you don't know how the C++ manages memory then you will by the end of Chapters 3 and 4.



Chapter 5 introduces the theory and practice of numerical representations an how using say a signed integer as an index can be used against you. Chapter 6 introduces you to the many possible flaws in formatting most of which should be well known. Chapter 7 deals with the less well known topic of how concurrency can be used against you . Most of the discussion however is just as applicable to writing good quality concurrent programs that don't suffer race hazards or deadlock. Chapter 8 looks at file systems, mostly Unix/Posix, and how to work with data in a secure way. The book closes with a look at best practices.

It is shocking that we need such attention to detail to ensure that our C, and to a lesser extent C++, programmers don't commit the sort of errors that have been in circulation for a very long time - but we do. It is also slightly sad that to find a book on the inner workings of things that deals with the material at a practical level we have to be dealing with security issues. It is also worth noting that the assembly language and systems examples are x86 oriented. 

This is a very good book and highly recommended as long as you mostly want to know about flaws that arise in C. It doesn't really cover the security implications of working in C++ without dropping down to write some pure C. 



Android Programming: The Big Nerd Ranch Guide (5e)

Authors: Bryan Sills, Brian Gardner, Brian Hardy and Kristin Marsicano
Publisher: Addison-Wesley
Pages: 688
ISBN: 978-0137645541
Print: 0137645546
Kindle: B09WLF84W7
Audience: Kotlin programmers
Rating: 4.5
Reviewer: Mike James  

The Big Nerd Ranch Guide to Android is bac [ ... ]

SQL Server Query Tuning and Optimization (Packt)

Author: Benjamin Nevarez
Publisher: Packt Publishing Pages: 446
ISBN: 9781803242620
Print: 1803242620
Kindle: B0B42SVBFY
Audience: Intermediate to advanced DBAs and developers
Rating: 4.7
Reviewer: Ian Stirk 

This book aims to give you the tools and knowledge to get peak performance from your que [ ... ]

More Reviews

Last Updated ( Saturday, 21 October 2017 )