C Secure Coding Standard: 98 rules for developing a secure, reliable and robust system (2nd edition of the original book) -- Interactive Publishing Network


This article is a pre-sale recommendation for a computing title: C Secure Coding Standard: 98 rules for developing a secure, reliable and robust system (2nd edition of the original book)


Partial table of contents

Translator's Preface
Preface
About the Contributors
Chapter 1 Preprocessor (PRE)
1.1 PRE30-C. Do not create a universal character name through concatenation
1.2 PRE31-C. Avoid side effects in arguments to unsafe macros
1.3 PRE32-C. Do not use preprocessor directives in invocations of function-like macros
Chapter 2 Declarations and Initialization (DCL)
2.1 DCL30-C. Declare objects with appropriate storage durations
2.2 DCL31-C. Declare identifiers before using them
2.3 DCL36-C. Do not declare an identifier with conflicting linkage classifications
2.4 DCL37-C. Do not declare or define a reserved identifier
2.5 DCL38-C. Use the correct syntax when declaring a flexible array member
2.6 DCL39-C. Avoid information leakage in structure padding
2.7 DCL40-C. Do not create incompatible declarations of the same function or object
2.8 DCL41-C. Do not declare variables inside a switch statement before the first case label
Chapter 3 Expressions (EXP)
3.1 EXP30-C. Do not depend on the order of evaluation for side effects
3.2 EXP32-C. Do not access a volatile object through a nonvolatile reference
3.3 EXP33-C. Do not read uninitialized memory
3.4 EXP34-C. Do not dereference null pointers
3.5 EXP35-C. Do not modify objects with temporary lifetime
3.6 EXP36-C. Do not cast pointers into more strictly aligned pointer types
3.7 EXP37-C. Call functions with the correct number and type of arguments
3.8 EXP39-C. Do not access a variable through a pointer of an incompatible type
3.9 EXP40-C. Do not modify constant objects
3.10 EXP42-C. Do not compare padding data
3.11 EXP43-C. Avoid undefined behavior when using restrict-qualified pointers
3.12 EXP44-C. Do not rely on side effects in operands to sizeof, _Alignof, or _Generic
3.13 EXP45-C. Do not perform assignments in selection statements


Translator's Preface

Among all the programming languages one could list, few can match the stature of C. With good portability and cross-platform support, as well as highly efficient low-level processing, C has become the cornerstone of the most popular modern operating system platforms and one of the most popular languages in education, research and software development.
C's flexible type conversions, its closeness to the underlying machine, and the efficiency of its generated code have long made it a favorite of system software developers, but these features are a double-edged sword. As software systems grow more complex, small flaws in the code are increasingly exposed and lead to serious security problems. Many components of UNIX, Windows and other mainstream operating systems are written in C, and attackers tirelessly search for these vulnerabilities, which poses a serious threat to the security of computer systems worldwide.
In this situation, it is imperative for the IT industry to develop a rigorous secure coding standard that prevents security vulnerabilities from being exploited. Many large development organizations have developed their own secure coding standards, and the International Organization for Standardization has also revised the C language standard, placing more stringent requirements on C implementations and thereby providing a basis for secure coding.
This coding standard is the industry's most extensive compilation of programming guidelines. It closely follows each edition of the C language standard and breaks down the undefined behavior, unspecified behavior, and other conditions that can lead to exploitable security vulnerabilities into rules and recommendations for secure coding. Each rule and recommendation is illustrated with realistic compliant and noncompliant code examples. This book is the 2nd edition of the standard, adds support for the latest C11 standard, and is an indispensable reference for all technical staff interested in C software development.
The book is extremely rich in content. As the authors say, even the international C standard contains many ambiguities; the book's examples and explanatory text lift the layers of fog and help readers understand many programming practices that are not obviously wrong but can cause serious problems. During translation we also came to appreciate that the standard's provisions quoted in the book contain many things that look right but are not, and that they may only become clear after carefully working through the book's code snippets. We have tried to reproduce faithfully the basic principles the original book sets out and hope it will genuinely help readers. Because of the limits of our ability, mistakes are unavoidable, and we welcome criticism and corrections from readers.
The translation of this book was mainly completed by Yao June, Xu Feng, Chen Zhiyong, Zhiling, Fang Yi, White Dragon, Lin Yao-chen, Chen Xia, Ningyi, Wu Yue and others who contributed to the translation work. We offer heartfelt thanks to editor Sekitoshi and the other editorial staff of the Machinery Industry Press for their hard work.


Preface (excerpt)

This book provides rules for coding in the C language. The goal of these rules is to develop secure, reliable, and robust systems, for example by eliminating undefined behavior that could lead to unexpected program behavior and exploitable vulnerabilities. Following the coding rules defined by this standard is a necessary (but not sufficient) condition for ensuring the security, reliability, and robustness of software systems developed in C. Secure and robust design is also necessary, and security-critical systems often impose stricter requirements than the coding standard does, such as requiring that all memory be statically allocated. However, applying this coding standard will result in high-quality systems that are reliable, robust, and resilient to attack.
Each rule consists of a title, a description, and noncompliant and compliant code examples. The title is a concise description of the rule, but is sometimes not precise enough. The description presents the normative requirements of the rule. A noncompliant code example is a code example that violates the rule. A compliant solution shows equivalent code that does not violate the rule or any other rule in the coding standard.
Coding standards that are well documented and enforceable are essential elements of coding in C. Coding standards encourage programmers to follow a uniform set of rules determined by the needs of the project and the organization, rather than simply using whatever approach is familiar to the programmer. Once established, these standards can be used as criteria for evaluating source code (using manual or automated processes).
The CERT coding rules are widely adopted in industry. At Cisco's annual SecCon conference in October 2011, Cisco Systems announced the adoption of the CERT C Secure Coding Standard as the baseline programming standard for its product development. Recently, Oracle has integrated all of the CERT secure coding standards into its existing secure coding standards. Note that this is the latest step in a long-term collaboration: CERT and Oracle previously collaborated on The CERT Oracle Secure Coding Standard for Java (Addison-Wesley, 2011).



Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission.
