SEI CERT C Coding Standard

Space shortcuts

Page tree

Versions Compared

Old Version 335

changes.mady.by.user Robert Seacord

Saved on

compared with

New Version 336

changes.mady.by.user Carol J. Lallier

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

[Acton 2006] Acton, Mike. "Understanding Strict Aliasing,." CellPerformance, June 1, 2006.

Anchor
Apple 06
Apple 06

[Apple 2006] Apple, Inc. Secure Coding Guide, . May 2006.

Anchor
Austin Group 08
Austin Group 08

[Austin Group 2008] "Draft Standard for Information Technology—Portable Operating System Interface (POSIX®)—Draft Technical Standard: Base Specifications, Issue 7," IEEE Unapproved Draft Std P1003.1 D5.1. Prepared by the Austin Group. New York: Institute of Electrical & Electronics Engineers, Inc., May 2008.

Anchor
Banahan 03
Banahan 03

[Banahan 2003] Banahan, Mike. The C Book, . 2003.

Anchor
Barney 10
Barney 10

[Barney 2010] Barney, Blaise. "Mutex Variables,." POSIX Threads Programming, 2010.

Anchor
Becker 08
Becker 08

[Becker 2008] Becker, Pete. Working Draft, Standard for Programming Language C++. April 2008.

Anchor
Beebe 05
Beebe 05

[Beebe 2005] Beebe, Nelson H. F. Re: Remainder (%) operator Operator and GCC, 2005. AnchorBecker 08Becker 08 [Becker 2008] Becker, Pete. Working Draft, Standard for Programming Language C++, April 2008. 2005.

Anchor
Black 07
Black 07

[Black 2007] Black, Paul E. Black, Michael Kass, Michael, & Koo, Michael. Source Code Security Analysis Tool Functional Specification Version 1.0. Special Publication 500-268. Information Technology Laboratory (ITL), Software Diagnostics and Conformance Testing Division, May 2007. http://samate.nist.gov/docs/source_code_security_analysis_spec_SP500-268.pdf.

...

Anchor
CERT 06c
CERT 06c

[CERT 2006c] CERT/CC. Secure Coding web site website.

Anchor
Chen 02
Chen 02

[Chen 2002]  Chen, H., Wagner, D., & Dean, D. Setuid Demystified. USENIX Security Symposium, 2002.

Anchor
Corfield 93
Corfield 93

[Corfield 1993] Corfield, Sean A. "Making String Literals 'const',." November 1993.

Anchor
Coverity 07
Coverity 07

[Coverity 2007] Coverity Prevent User's Manual (3.3.0), . 2007.

Anchor
CVE
CVE

[CVE] Common Vulnerabilities and Exposures.

Anchor
CPPReference
CPPReference

[C++ Reference] Standard C Library, General C+, C+ Standard Template Library.

Anchor
Dewhurst 02
Dewhurst 02

[Dewhurst 2002] Dewhurst, Stephen C. C++ Gotchas: Avoiding Common Problems in Coding and Design. Boston: Addison-Wesley Professional, 2002.

...

Anchor
DHS 06
DHS 06

[DHS 2006] U.S. Department of Homeland Security. Build Security In. 2006.

Anchor
DISA 2008
DISA 2008

[DISA 2008] DISA. Application Security and Development Security Technical Implementation Guide, Version 2, Release 1, . July 2008.

Anchor
DOD 5220
DOD 5220

[DOD 5220] U.S. Department of Defense. DoD Standard 5220.22-M (Word document).

...

Anchor
Drepper 06
Drepper 06

[Drepper 2006] Drepper, Ulrich. Defensive Programming for Red Hat Enterprise Linux (and What To Do If Something Goes Wrong), . May 3, 2006.

Anchor
Dutta 03
Dutta 03

[Dutta 2003] Dutta, Shiv. Best practices Practices for programming Programming in C, . June 26, 2003.

Anchor
Eckel 07
Eckel 07

[Eckel 2007] Eckel, Bruce. Thinking in C++ Volume , Vol. 2, . January 25, 2007.

Anchor
ECTC 98
ECTC 98

[ECTC 1998] Embedded C++ Technical Committee. The Embedded C++ Programming Guide Lines, Version WP-GU-003. January 6, 1998.

Anchor
Eide and Regehr
Eide and Regehr

[Eide and Regehr] Eide, E., & Regehr, J. Volatiles are miscompiledAre Miscompiled, and what What to do Do about it, It. 2008.

Anchor
Finlay 03
Finlay 03

[Finlay 2003] Finlay, Ian A. CERT Advisory CA-2003-16, Buffer Overflow in Microsoft RPC. CERT/CC, July 2003.

...

Anchor
Flake 06
Flake 06

[Flake 2006] Flake, Halvar. "Attacks on uninitialized local variablesUninitialized Local Variables." Black Hat Federal, 2006.

Anchor
Fortify 06
Fortify 06

[Fortify 2006] Fortify Software Inc. Fortify Taxonomy: Software Security Errors, . 2006.

Anchor
FSF 05
FSF 05

[FSF 2005] Free Software Foundation. GCC online documentation, Online Documentation. 2005.

Anchor
Garfinkel 96
Garfinkel 96

[Garfinkel 1996] Garfinkel, Simson, & Spafford, Gene. Practical UNIX & Internet Security, 2nd Editioned. Sebastopol, CA: O'Reilly Media, April 1996 (ISBN 1-56592-148-8).

Anchor
GNU 10
GNU 10

[GNU 2010] GNU. Coding Standards, . GNU, 2010.

Anchor
GNU Pth
GNU Pth

[GNU Pth] Engelschall, Ralf S. GNU Portable Threads, 2006.

...

Anchor
Goodin 2009
Goodin 2009

[Goodin 2009] Dan Goodin. Clever attack exploits fully-patched Linux kernel The Register. Attack Exploits Fully-Patched Linux Kernel. The Register, July 2009.

Anchor
Gough 2005
Gough 2005

[Gough 2005] Gough, Brian J. An Introduction to GCC. Network Theory Ltd, Revised August 2005 (ISBN 0-9541617-9-3).

...

Anchor
Greenman 97
Greenman 97

[Greenman 1997] Greenman, David. Serious security bug Security Bug in wu-ftpd v2.4. BUGTRAQ Mailing List (bugtraq@securityfocus.com), January 2, 1997.

Anchor
Griffiths 06
Griffiths 06

[Griffiths 2006] Griffiths, Andrew. Clutching at strawsStraws: When you can shift the stack pointer, You Can Shift the Stack Pointer. 2006.

Anchor
Gutmann 96
Gutmann 96

[Gutmann 1996] Gutmann, Peter. Secure Deletion of Data from Magnetic and Solid-State Memory, . July 1996.

Anchor
Haddad 05
Haddad 05

[Haddad 2005] Haddad, Ibrahim. "Secure Coding in C and C++: An interview Interview with Robert Seacord, senior vulnerability analyst Senior Vulnerability Analyst at CERT." Linux World Magazine, November 2005.

...

Anchor
Hatton 03
Hatton 03

[Hatton 2003] Hatton, Les. EC-: A measurement based safer subset Measurement-Based Safer Subset of ISO C suitable for embedded system developmentSuitable for Embedded System Development. November 5, 2003.

Anchor
Henricson 92
Henricson 92

[Henricson 1992] Henricson, Mats, & Nyquist, Erik. Programming in C++, Rules and Recommendations. Ellemtel Telecommunication Systems Laboratories, 1992.

...

Anchor
IEC 60812 2006
IEC 60812 2006

[IEC 60812 2006] Analysis techniques Techniques for system reliability—Procedure for failure mode and effects analysis System Reliability—Procedure for Failure Mode and Effects Analysis (FMEA), 2nd ed. (IEC 60812). IEC, January 2006.

Anchor
IEC 61508 4
IEC 61508 4

[IEC 61508-4]  Functional safety Safety of electricalElectrical/electronic/programmable electronic safety-related systems—Part Electronic/Programmable Electronic Safety-Related Systems—Part 4: Definitions and abbreviations, 1998. AnchorIEEE Std 610.12 1990IEEE Std 610.12 1990 [IEEE Std 610.12 1990] IEEE Standard Glossary of Software Engineering Terminology, September 1990Abbreviations, 1998.

Anchor
IEEE 754 2006
IEEE 754 2006

[IEEE 754 2006] IEEE. Standard for Binary Floating-Point Arithmetic (IEEE 754-1985), 2006.

Anchor
IEEE Std 1003.1-2004
IEEE Std 1003.1-2004
Anchor

[IEEE Std 1003.1-2008IEEE Std 1003.1-2008 [IEEE Std 1003.1-2008, 2004] IEEE. The Open Group Base Specifications Issue 76, IEEE Std 1003.1, 2008 2004 Edition. See also ISO/IEC 9945-20082004 and #Open Group 200804.

Anchor
IEEE Std 1003.1
IEEE Std 1003.1
.
Anchor
IEEE Std 1003.1-20042008
IEEE Std 1003.1-20042008

[IEEE Std 1003.1, 2004-2008] IEEE. The Open Group Base Specifications Issue 67, IEEE Std 1003.1, 2004 2008 Edition. See also ISO/IEC 9945-20042008 and #Open Group 042008.

Anchor
IEEE 1003IEEE 1003
Anchor
ilja 06ilja 06
Std 610.12 1990
IEEE Std 610.12 1990

[IEEE Std 610.12 1990] IEEE Standard Glossary of Software Engineering Terminology. September 1990.

Anchor
IEEE 1003
IEEE 1003
Anchor
ilja 06
ilja 06

 [ilja 2006] ilja.  [ilja 2006] ilja. "readlink abuse." ilja's blog, . August 13, 2006.

Anchor
Intel 01
Intel 01

[Intel 2001] Intel Corp. _Floating-Point IEEE Filter for Microsoft* Windows* 2000 on the Intel® Itanium© Architecture_, . March 2001.

Anchor
Internet Society 00
Internet Society 00

[Internet Society 2000] The Internet Society. Internet Security Glossary (RFC 2828), . 2000.

Anchor
ISO/IEC 64610646-19912003
ISO/IEC 64610646-19912003

[ISO/IEC 64610646:19912003] ISO/IEC. Information technology: ISO 7-bit coded character set for information interchange Information Technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 646-199110646:2003). Geneva, Switzerland: International Organization for Standardization, 19912003.

Anchor
ISO/IEC 994510646-20082012
ISO/IEC 994510646-20082012

[ISO/IEC 9945IEC 10646:2008] 2012] Information technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 9945:2008 Information technology—Programming languages, their environments and system software interfaces—Portable Operating System Interface (POSIX®)10646:2012). Geneva, Switzerland: International Organization for Standardization, 2012.

Anchor
ISO/IEC 994514882-2003
ISO/IEC 994514882-2003

[ISO/IEC 994514882:2003] ISO/IEC 9945:2003 (including Technical Corrigendum 1), Information technology—Programming languages, their environments and system software interfaces—Portable Operating System Interface (POSIX®). AnchorISO/IEC 9899:1990ISO/IEC 9899:1990[ISO/IEC 9899:1990] ISO/IEC. Programming Languages—C (ISO/IEC 9899:1990. Programming Languages—C++, Second Edition (ISO/IEC 14882-2003). Geneva, Switzerland: International Organization for Standardization, 19902003.

Anchor
ISO/IEC 9899:199914882-2011
ISO/IEC 9899:1999
Anchor
ISO/IEC 9899:1999ISO/IEC 9899:1999
14882-2011

[ISO/IEC 989914882:19992011] ISO/IEC. Programming Information Technology—Programming Languages—C++, 2nd edThird Edition (ISO/IEC 9899:199914882-2011). Geneva, Switzerland: International Organization for Standardization, 19992011.

Anchor
ISO/IEC 9899-201103
ISO/IEC 9899-2011
Anchor
03

[ISO/IEC 9899:2011ISO/IEC 9899:2011 [ISO/IEC 9899:20112003] ISO/IEC. Programming Languages—C, 3rd ed (ISO/IEC 9899:2011) Rationale for International Standard—Programming Languages—C, Revision 5.10. Geneva, Switzerland: International Organization for Standardization, 2011April 2003.

Anchor
ISO/IEC 1064623360-1-20032006
ISO/IEC 1064623360-1-20032006

[ISO/IEC 1064623360-1:2003] Information technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 10646:2003)2006] Linux Standard Base (LSB) Core Specification 3.1—Part 1: Generic Specification. Geneva, Switzerland: International Organization for Standardization, 20032006.

Anchor
ISO/IEC 10646646-20121991
ISO/IEC 10646646-20121991

[ISO/IEC 10646IEC 646:2012] Information technology—Universal Multiple-Octet Coded Character Set (UCS) 1991] ISO/IEC. Information Technology: ISO 7-Bit Coded Character Set for Information Interchange (ISO/IEC 10646:2012646-1991). Geneva, Switzerland: International Organization for Standardization, 20121991.

Anchor
ISO/IEC 14882-20039899:1990
ISO/IEC 14882-20039899:1990

[ISO/IEC 148829899:20031990] ISO/IEC. Programming Languages—C ++, Second Edition(ISO/IEC 14882-20039899:1990). Geneva, Switzerland: International Organization for Standardization, 20031990.

Anchor
ISO/IEC 14882-20119899:1999
ISO/IEC 14882-2011
[
9899:1999
Anchor
ISO/IEC
14882
9899:
2011]
1999
ISO/IEC
. Information Technology—Programming Languages—C++, Third Edition
9899:1999

[ISO/IEC 9899:1999] ISO/IEC. Programming Languages—C, 2nd ed (ISO/IEC 14882-20119899:1999). Geneva, Switzerland: International Organization for Standardization, 20111999.

Anchor
ISO/IEC 233609899-1-20062011
ISO/IEC 23360-1-2006
[ISO/IEC 23360-1:2006] Linux Standard Base (LSB) core specification 3.1—Part 1: Generic specification
9899-2011
Anchor
ISO/IEC 039899:2011
ISO/IEC 039899:2011

[ISO/IEC 20039899:2011] ISO/IEC. Rationale for International Standard—Programming Languages—C, Revision 5.10 Programming Languages—C, 3rd ed (ISO/IEC 9899:2011). Geneva, Switzerland: International Organization for Standardization, April 20032011.

Anchor
ISO/IEC DTR 247329945-2003
ISO/IEC DTR 247329945-2003

[ISO/IEC DTR 247329945:2003] ISO/IEC JTC1 SC22 WG14 N1290. Extension for the programming language C to support decimal floating-point arithmetic, March 20089945:2003 (including Technical Corrigendum 1), Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®). Geneva, Switzerland: International Organization for Standardization, 2003.

Anchor
ISO/IEC JTC1/SC22/WG119945-2008
ISO/IEC JTC1/SC22/WG119945-2008

[ISO/IEC JTC1/SC22/WG119945:2008] ISO/IEC . Binding Techniques (ISO/IEC JTC1/SC22/WG11), 20079945:2008 Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®). Geneva, Switzerland: International Organization for Standardization, 2008.

Anchor
ISO/IEC PDTR 24731-2-2007DTR 24732
ISO/IEC PDTR 24731-2-2007DTR 24732

[ISO/IEC PDTR 24731-2] Extensions to the C Library—Part II: Dynamic Allocation Functions, August 2007. AnchorISO/IEC TR 24772-2010ISO/IEC TR 24772-2010 [ISO/IEC TR 24772:2010] ISO/IEC TR 24772:2010. Information Technology—Programming LanguagesGuidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use, October 2010DTR 24732] ISO/IEC JTC1 SC22 WG14 N1290. Extension for the Programming Language C to Support Decimal Floating-Point Arithmetic. Geneva, Switzerland: International Organization for Standardization, March 2008.

Anchor
ISO/IEC TR 24772-2013JTC1/SC22/WG11
ISO/IEC TR 24772-2013JTC1/SC22/WG11

[ISO/IEC TR 24772:2013JTC1/SC22/WG11] ISO/IEC TR 24772:2013. Information technology -- Programming languages -- Guidance to avoiding vulnerabilities in programming languages through language selection and use.  March 2013. Binding Techniques (ISO/IEC JTC1/SC22/WG11). Geneva, Switzerland: International Organization for Standardization, 2007.

Anchor
ISO/IEC TR 24731-1-2007
ISO/IEC TR 24731-1-2007

[ISO/IEC TR 24731-1:2007] ISO/IEC TR 24731. Extensions to the C Library—Part I: Bounds-checking interfacesChecking Interfaces. Geneva, Switzerland: International Organization for Standardization, April 2006.

Anchor
ISO/IEC TR PDTR 24731-2-20102007
ISO/IEC TR PDTR 24731-2-20102007

[ISO/IEC TR PDTR 24731-2:2010] ISO/IEC TR 24731. Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva Geneva, Switzerland: International Organization for Standardization, April 2010August 2007.

Anchor
ISO/IEC TS 17961TR 24731-2-2010
ISO/IEC TS 17961TR 24731-2-2010

[ISO/IEC TS 17961] ISO/IEC TS 17961 Draft. Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules, 2012TR 24731-2:2010] ISO/IEC TR 24731. Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva, Switzerland: International Organization for Standardization, April 2010.

Anchor
ISO/IEC
WG14 N1173
TR 24772-2010
ISO/IEC
WG14 N1173
TR 24772-2010

[ISO/IEC TR 24772:2010] ISO/IEC TR 24772:2010. Information Technology—Programming LanguagesGuidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use, Geneva, Switzerland: International Organization for Standardization, October 2010.

Anchor
ISO/IEC TR 24772-2013
ISO/IEC TR 24772-2013

[ISO/IEC TR 24772:2013] ISO/IEC TR 24772:2013. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use.  Geneva, Switzerland: International Organization for Standardization, March 2013.

Anchor
ISO/IEC TS 17961
ISO/IEC TS 17961

[ISO/IEC TS 17961] ISO/IEC TS 17961 Draft. Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules. 2012.

Anchor
ISO/IEC WG14 N1173
ISO/IEC WG14 N1173

[ISO/IEC WG14 N1173] Rationale for TR 24731 Extensions to the C Library—Part I: Bounds-Checking Interfaces. http: WG14 N1173] Rationale for TR 24731 Extensions to the C Library—Part I: Bounds-checking interfaces. http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1173.pdf.

Anchor
Jack 07
Jack 07

[Jack 2007] Jack, Barnaby. Vector Rewrite Attack, . May 2007.

Anchor
Jones 04
Jones 04

[Jones 2004] Jones, Nigel. Learn a new trick New Trick with the offsetof() macroMacro. Embedded Systems Programming, March 2004.

Anchor
Jones 08
Jones 08

[Jones 2008] Jones, Derek M. The New C Standard: An economic Economic and cultural commentaryCultural Commentary. Knowledge Software Ltd., 2008.

...

[Jones 2010] Jones, Larry. (2010). WG14 N1539 Committee Draft ISO/IEC 9899:201x. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1539.pdf.

Anchor
Keaton 09
Keaton 09

[Keaton 2009] Keaton, David Keaton, Plum, Thomas Plum, Seacord, Robert C. Seacord, Svoboda, David Svoboda, Volkovitsky, Alex Volkovitsky, & Wilson, Timothy Wilson. As-if Infinitely Ranged Integer Model. CMU/SEI-2009-TN-023. July , 2009.

Anchor
Keil 08
Keil 08

[Keil 2008] Keil, an ARM Company. "Floating Point Support." RealView Libraries and Floating Point Support Guide, 2008.

Anchor
Kennaway 00
Kennaway 00

[Kennaway 2000] Kennaway, Kris. Re: /tmp topic, . December 2000.

Anchor
Kernighan 88
Kernighan 88

[Kernighan 1988] Kernighan , Brian W., & Ritchie, Dennis M. The C Programming Language, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 1988.

Anchor
Kettle 02
Kettle 02

[Kettlewell 2002] Kettlewell, Richard. C Language Gotchas, . February 2002.

Anchor
Kettle 03
Kettle 03

[Kettlewell 2003] Kettlewell, Richard. Inline Functions In in C, . March 2003.

Anchor
Kirch-Prinz 02
Kirch-Prinz 02

[Kirch-Prinz 2002] Kirch-Prinz, Ulla & Prinz, Peter. C Pocket Reference. Sebastopol, CA: O'Reilly, November 2002 (ISBN: 0-596-00436-2).

Anchor
Klarer 04
Klarer 04

[Klarer 2004] Klarer, R., Maddock, J., Dawes, B. & Hinnant, H. "Proposal to Add Static Assertions to the Core Language (Revision 3)." ISO C++ committee paper ISO/IEC JTC1/SC22/WG21/N1720, October 2004. Available at http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2004/n1720.html.

Anchor
Klein 02
Klein 02

[Klein 2002] Klein, Jack. Bullet Proof Integer Input Using strtol(), . 2002.

Anchor
Koenig 89
Koenig 89

[Koenig 1989] Koenig, Andrew. C Traps and Pitfalls. Addison-Wesley Professional, January 1, 1989.

Anchor
Kuhn 06
Kuhn 06

[Kuhn 2006] Kuhn, Markus. UTF-8 and Unicode FAQ for Unix/Linux, . 2006.

Anchor
Lai 06
Lai 06

[Lai 2006] Lai, Ray. "Reading Between between the Lines." OpenBSD Journal, October 2006.

...

[Linux 2008] Linux Programmer's Manual, . October 2008.

Anchor
Lions 96
Lions 96

[Lions 1996] Lions, J. L. ARIANE 5 Flight 501 Failure Report. Paris, France: European Space Agency (ESA) & National Center for Space Study (CNES) Inquiry Board, July 1996.

...

[Lipson 2000] Lipson, Howard & Fisher, David. "Survivability: A New Technical and Business Perspective on Security," 33–39. Proceedings of the 1999 New Security Paradigms Workshop. Caledon Hills, Ontario, Canada, Sept. 22–24, 1999. New York: Association for Computing Machinery, 2000.

...

Anchor
Lipson 2009
Lipson 2009

[Liu 2009] Likai Liu. Making NULL-pointer reference legal, Life of a Computer Science Student, . January, 2009.

Anchor
Lockheed Martin 05
Lockheed Martin 05

[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001 Rev C., December 2005.

Anchor
Loosemore 07
Loosemore 07

[Loosemore 2007] Loosemore, Sandra, Stallman, Richard M., McGrath, Roland, Oram, Andrew, & Drepper, Ulrich. The GNU C Library Reference Manual, Edition 0.11, . September 2007.

Anchor
McCluskey 01
McCluskey 01

[McCluskey 2001] Fexible array members Array Members and designators Designators in C9X. ;login:, July 2001, Volume 26, Number 4, p. 4 (July 2001): 29–32.

Anchor
Mell 07
Mell 07

[Mell 2007] P. Mell, Scarfone, K. Scarfone, & Romanosky, and S. Romanosky, "A Complete Guide to the Common Vulnerability Scoring System Version 2.0." , FIRST, June 2007.

Anchor
mercy 06
mercy 06

[mercy] mercy. Exploiting Uninitialized Data, . January 2006.

Anchor
Meyers 2004
Meyers 2004

[Meyers 2004] Randy Meyers. Limited size_t WG14 N1080. September , 2004.

Anchor
Microsoft 03
Microsoft 03

[Microsoft 2003] Microsoft Security Bulletin MS03-026, "Buffer Overrun In RPC Interface Could Allow Code Execution (823980),." September 2003.

Anchor
Microsoft 07
Microsoft 07

[Microsoft 2007] C Language Reference, 2007.

Anchor
Miller 99
Miller 99

[Miller 1999] Miller, Todd C. Miller and Theo , & de Raadt, Theo. strlcpy and strlcat - Consistentstrlcat—Consistent, Safe, String Copy and Concatenation. In Proceedings of the FREENIX Track, 1999 USENIX Annual Technical Conference, June 6–11, 1999, Monterey, California, USA. Berkeley, CA: USENIX Association, 1999.

Anchor
Miller 04
Miller 04

[Miller 2004] Miller, Mark C., Reus, James F., Matzke, Robb P., Koziol, Quincey A., & Cheng, Albert P. "Smart Libraries: Best SQE Practices for Libraries with an Emphasis on Scientific Computing." In Proceedings of the Nuclear Explosives Code Developer's Conference. Livermore, CA: Lawrence Livermore National Laboratory, December 2004.

Anchor
MISRA 04
MISRA 04

[MISRA 2004] MISRA Limited(Motor Industry Software Reliability Association). MISRA C: 2004 Guidelines for the Use of the C Language in Critical Systems. WarwickshireNuneaton, UK: MIRA Limited, October 2004 (ISBN 095241564X).

Anchor
MISRA 08
MISRA 08

[MISRA 2008] MIRA LimitedMISRA. MISRA C++: 2008 Guidelines for the Use of the C++ Language in Critical Systems. Nuneaton, UK: MIRA, 2008 (ISBN 978-906400-03-3 ([paperback)], ISBN 978-906400-04-0 ([PDF]), June 2008.

Anchor
MIT 04
MIT 04

[MIT 2004] MIT (Massachusetts Institute of Technology). "MIT krb5 Security Advisory 2004-002 (," 2004. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt), 2004.

Anchor
MIT 05
MIT 05

[MIT 2005] MIT. "MIT krb5 Security Advisory 2005-003, 2005. http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt.

Anchor
MITRE
MITRE

[MITRE] MITRE. Common Weakness Enumeration, Version 1.8, . February 2010.

Anchor
MITRE 07
MITRE 07

[MITRE 2007] MITRE. Common Weakness Enumeration, Draft 9, . April 2008.

Anchor
MKS
MKS

[MKS] MKS, Inc. MKS Reference Pages.

Anchor
MSDN
MSDN

[MSDN] Microsoft Developer Network.

Anchor
Murenin 07
Murenin 07

[Murenin 2007] Murenin, Constantine A. cnst: 10-yearYear-old pointer-arithmetic bug Old Pointer-Arithmetic Bug in make(1) is now gone, thanks Is Now Gone, Thanks to malloc.conf and some debuggingSome Debugging. LiveJournal, June 2007.

Anchor
NAI 98
NAI 98

[NAI 1998] Network Associates, Inc. Bugtraq: Network Associates Inc. Advisory (OpenBSD), . 1998.

Anchor
NASA-GB-1740.13
NASA-GB-1740.13

[NASA-GB-1740.13] NASA Glenn Research Center, Office of Safety Assurance Technologies. NASA Software Safety Guidebook (NASA-GB-1740.13).

Anchor
NIST 06
NIST 06

[NIST 2006] NIST. SAMATE Reference Dataset, . 2006.

Anchor
OpenBSD
OpenBSD

[OpenBSD] Berkley Software Design, Inc. Manual Pages, . June 2008.

Anchor
POSIX.1-2008
POSIX.1-2008
Anchor
IEEE Std 1003.1-2008
IEEE Std 1003.1-2008
Anchor
ISO/IEC 9945:2008
ISO/IEC 9945:2008
Anchor
Open Group 08
Open Group 08

...

Anchor
Open Group 97a
Open Group 97a

[Open Group 1997a] The Open Group. The Single UNIX® Specification, Version 2, . 1997.

Anchor
Open Group 97b
Open Group 97b

[Open Group 1997b] The Open Group. Go Solo 2—The Authorized Guide to Version 2 of the Single UNIX Specification, . May 1997.

Anchor
POSIX.1-2004
POSIX.1-2004
Anchor
IEEE Std 1003.1-2004
IEEE Std 1003.1-2004
Anchor
ISO/IEC 9945:2003
ISO/IEC 9945:2003
Anchor
Open Group 04
Open Group 04

...

Anchor
OpenMP
OpenMP

[OpenMP] http://openmp.org/wp/.

Anchor
OWASP Double Free
OWASP Double Free

[OWASP Double Free] Open Web Application Security Project, "Double Free."

...

Anchor
Plakosh 05
Plakosh 05

[Plakosh 2005] Plakosh, Dan. Consistent Memory Management Conventions, . 2005.

Anchor
Plum 85
Plum 85

[Plum 1985] Plum, Thomas. Reliable Data Structures in C. Kamuela, HI: Plum Hall, Inc., 1985 (ISBN 0-911537-04-X).

...

Anchor
Plum 08
Plum 08

[Plum 2008] Plum, Thomas. Static Assertions. June , 2008. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1330.pdf

Anchor
Plum 12
Plum 12

[Plum 2012] Plum, Thomas. C Finally Gets a New Standard. Dr. Dobb's, 2012.

Anchor
Redwine 06
Redwine 06

[Redwine 2006] Redwine, Samuel T., Jr., ed. Secure Software Assurance: A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software Version 1.1. U.S. Department of Homeland Security, September 2006. See Software Assurance Common Body of Knowledge on Build Security In.

...

Anchor
RUS-CERT
RUS-CERT

[RUS-CERT] RUS-CERT Advisory 2002-08:02, "Flaw in calloc and similar routines," 2002. AnchorSaltzer 74Saltzer 74 [Saltzer 1974] Saltzer, J. H. Protection and the Control of Information Sharing in Multics. Communications of the ACM 17, 7 (July 1974): 388–402. AnchorSaltzer 75Saltzer 75 [Saltzer 1975] Saltzer, J. H., & Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63, 9 (September 1975): 1278–1308Similar Routines." 2002.

Anchor
Saks 99
Saks 99

[Saks 1999] Saks, Dan. "const T vs.T const." Embedded Systems Programming, February 1999, pp. 13–16.

...

Anchor
Saks 07b
Saks 07b

[Saks 2007b] Saks, Dan. Bail, return, jump, or . . . throw?. Embedded Systems Design, March 2007.

Anchor
Saks 08
Saks 08

[Saks 2008] Saks, Dan. Bail, return, jump, or . . . throw?. Embedded Systems Design, March 2007. AnchorSaks 08Saks 08 [Saks 2008] Saks, Dan, & Dewhurst, Stephen C. "Sooner Rather Than Later: Static Programming Techniques for C++" (presentation, March 2008), & Dewhurst, Stephen C. "Sooner Rather Than Later: Static Programming Techniques for C++" (presentation). March 2008.

Anchor
Saltzer 74
Saltzer 74

[Saltzer 1974] Saltzer, J. H. Protection and the Control of Information Sharing in Multics. Communications of the ACM 17, 7 (July 1974): 388–402.

Anchor
Saltzer 75
Saltzer 75

[Saltzer 1975] Saltzer, J. H., & Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63, 9 (September 1975): 1278–1308.

Anchor
Schwarz 05
Schwarz 05

[Schwarz 2005] Schwarz, B., Wagner, Hao Chen, Morrison, D., West, G., Lin, J., & Tu, J. Wei. "Model checking an entire Linux distribution for security violations." Proceedings of the 21st Annual Computer Security Applications Conference, December 2005 (ISSN 1063-9527; ISBN 0-7695-2461-3).

Anchor
Seacord 03
Seacord 03

[Seacord 2003] Seacord, Robert C., Plakosh, Daniel, & Lewis, Grace A. Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices. Boston: Addison-Wesley, February 2003.

Anchor
Seacord 05
Seacord 05
Anchor
Seacord 05a
Seacord 05a
Anchor
Seacord 2005a
Seacord 2005a

[Seacord 2005a] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005. See http://www.cert.org/books/secure-coding for news and errata.

Anchor
Seacord 05b
Seacord 05b

[Seacord 2005b] Seacord, Robert C. "Managed String Library for C, C/C++." Users Journal, 23, 10 (October 2005): 30–34.

Anchor
Seacord 05c
Seacord 05c

[Seacord 2005c] Seacord, Robert C. Variadic Functions: How they contribute to security vulnerabilities and how to fix themThey Contribute to Security Vulnerabilities and How to Fix Them. Linux World Magazine, November 2005.

Anchor
Secunia
Secunia

[Secunia] Secunia Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability,." 2004.

Anchor
SecurityFocus 07
SecurityFocus 07

[SecurityFocus 2007] SecurityFocus. "Linux Kernel Floating Point Exception Handler Local Denial of Service Vulnerability,." 2001.

Anchor
SecuriTeam 07
SecuriTeam 07

[SecuriTeam 2007] SecuriTeam. "Microsoft Visual C++ 8.0 Standard Library Time Functions Invalid Assertion DoS (Problem 3000),." February 13, 2007.

Anchor
Sloss 04
Sloss 04

[Sloss 2004] Sloss, Andrew, Symes, Dominic, & Wright, Chris. ARM System Developer's Guide. San Francisco:Elsevier/Morgan Kauffman, 2004 (ISBN-10: 1558608745; ISBN-13: 978-1558608740).

...

Anchor
StackOvflw 09
StackOvflw 09

[StackOvflw 2009] "Should I return TRUE / FALSE values from a C function?" StackOverflow.com User Questions. , March 15, 2010.

Anchor
Steele 77
Steele 77

[Steele 1977] Steele, G. L. "Arithmetic shifting considered harmful." SIGPLAN Not. 12, 11 (November 1977), 61-69: 61–69.

Anchor
Stevens 05
Stevens 05

[Stevens 2005] Stevens, W. Richard. Advanced Programming in the UNIX Environment. Boston: Addison-Wesley, 1995 (ISBN 032152594-9).

...

Anchor
Summit 05
Summit 05

[Summit 2005] Summit, Steve. comp.lang.c Frequently Asked Questions, . 2005.

Anchor
Sun
Sun

[Sun] Sun Security Bulletin #00122, . 1993.

Anchor
Sun 05
Sun 05

[Sun 2005] C User's Guide. 819-3688-10. Sun Microsystems, 2005.

Anchor
Sutter 04
Sutter 04

[Sutter 2004] Sutter, Herb, & Alexandrescu, Andrei. C++ Coding Standards: 101 Rules, Guidelines, and Best Practices. Boston: Addison-Wesley Professional, 2004 (ISBN 0321113586).

Anchor
Tsafrir 08
Tsafrir 08

[Tsafrir 2008] Tsafrir, Dan, Da Silva, Dilma, & Wagner, David. The Murky Issue of Changing Process Identity: Revising "Setuid Demystified." USENIX, June 2008, pages 55-66pp. 55–66

Anchor
Unicode 06
Unicode 06

[Unicode 2006] The Unicode Consortium. The Unicode Standard, Version 5.0, 5th ed. Boston: Addison-Wesley Professional, 2006 (ISBN: 0321480910).

Anchor
Unicode 12
Unicode 12

...

Anchor
van de Voort 07
van de Voort 07

[van de Voort 2007] van de Voort, Marco. Development Tutorial (a.k.a Build FAQ), . January 29, 2007.

Anchor
Vanegue 2010
Vanegue 2010

[Vanegue 2010] Vanegue, Julien. Automated vulnerability analysis Vulnerability Analysis of zero-sized head allocationsZero-Sized Head Allocations. Hackito Ergo Sum (HES'10) Conference, Paris, April 10, 2010.

Anchor
van Sprundel06
van Sprundel06

[van Sprundel 2006] van Sprundel, Ilja. Unusualbugs, . 2006.

Anchor
Viega 01
Viega 01

[Viega 2001] Viega, John. Protecting Sensitive Data in Memory, . February 2001.

Anchor
Viega 03
Viega 03

[Viega 2003] Viega, John, & Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003 (ISBN 0-596-00394-3).

...

Anchor
VU#159523
VU#159523

[VU#159523] Giobbi, Ryan. Vulnerability Note VU#159523, Adobe Flash Player integer overflow vulnerability, Integer Overflow Vulnerability. April 2008.

Anchor
VU#162289
VU#162289

[VU#162289] Dougherty, Chad. Vulnerability Note VU#162289, gcc silently discards some wraparound checks, GCC Silently Discards Some Wraparound Checks. April 2008.

Anchor
VU196240
VU196240

[VU#196240] Taschner, Chris & Manion, Art. Vulnerability Note VU#196240, Sourcefire Snort DCE/RPC preprocessor does not properly reassemble fragmented packets, Preprocessor Does Not Properly Reassemble Fragmented Packets. 2007.

Anchor
VU286468
VU286468

[VU#286468] Burch, Hal. Vulnerability Note VU#286468, Ettercap contains a format string error Contains a Format String Error in the "curses_msg()" function, Function. 2007.

Anchor
VU439395
VU439395

[VU#439395] Lipson, Howard. Vulnerability Note VU#439395, Apache web server performs case sensitive filtering Web Server Performs Case Sensitive Filtering on Mac OS X HFS+ case insensitive filesystem,Case Insensitive Filesystem. 2001.

Anchor
VU551436
VU551436

[VU#551436] Giobbi, Ryan. Vulnerability Note VU#551436, Mozilla Firefox SVG viewer vulnerable to buffer overflow,Viewer Vulnerable to Buffer Overflow. 2007.

Anchor
VU568148
VU568148

[VU#568148] Finlay, Ian A. & Morda, Damon G. Vulnerability Note VU#568148, Microsoft Windows RPC vulnerable to buffer overflow, Vulnerable to Buffer Overflow. 2003.

Anchor
VU623332
VU623332

[VU#623332] Mead, Robert. Vulnerability Note VU#623332, MIT Kerberos 5 contains double free vulnerability Contains Double-Free Vulnerability in "krb5_recvauth()" function,Function. 2005.

Anchor
VU649732
VU649732

[VU#649732] Gennari, Jeff. Vulnerability Note VU#649732, Samba AFS ACL Mapping VFS Plug-In Format String Vulnerability,. 2007.

Anchor
VU654390
VU654390

[VU#654390] Rafail, Jason A. Vulnerability Note VU#654390, ISC DHCP contains Contains C Includes that define That Define vsnprintf() to vsprintf() creating potential buffer overflow conditions, Creating Potential Buffer Overflow Conditions. June 2004.

Anchor
VU743092
VU743092

[VU#743092] Rafail, Jason A. & Havrilla, Jeffrey S. Vulnerability Note VU#743092, realpath(3) function contains offFunction Contains Off-by-one buffer overflow,One Buffer Overflow. July 2003.

Anchor
VU834865
VU834865

[VU#834865] Gennari, Jeff. Vulnerability Note VU#834865, Sendmail signal Signal I/O race condition, Race Condition. March 2008.

Anchor
VU837857
VU837857

[VU#837857] Dougherty, Chad. Vulnerability Note VU#837857, SX.Org server fails to properly test for effective user ID, Server Fails to Properly Test for Effective User ID. August 2006.

Anchor
VU881872
VU881872

[VU#881872] Manion, Art & Taschner, Chris. Vulnerability Note VU#881872, Sun Solaris telnet authentication bypass vulnerability,Telnet Authentication Bypass Vulnerability. 2007.

Anchor
Walfridsson 03
Walfridsson 03

[Walfridsson 2003] Walfridsson, Krister. Aliasing, Pointer Casts and GCC 3.3, . August 2003.

Anchor
Wang 12
Wang 12

[Wang 2012] Wang, Xi. More Randomness or Less, . June 2012.

Anchor
Warren 02
Warren 02

[Warren 2002] Warren, Henry S. Hacker's Delight. Boston: Addison Wesley, 2002 (ISBN 0201914654).

Anchor
WG14/N1396
WG14/N1396

[WG14/N1396] Thomas, J., Tydeman, F. "Wide function return values." , September 2009.

Anchor
Wheeler 03
Wheeler 03

[Wheeler 2003] Wheeler, David. Secure Programming for Linux and Unix HOWTO, v3.010, . March 2003.

Anchor
Wheeler 04
Wheeler 04

[Wheeler 2004] Wheeler, David. Secure programmerProgrammer: Call components safelyComponents Safely. December 2004.

Anchor
Wojtczuk 08
Wojtczuk 08

[Wojtczuk 2008] Wojtczuk, Rafal. "Analyzing the Linux Kernel vmsplice Exploit." McAfee Avert Labs Blog, February 13, 2008.

Anchor
xorl 2009
xorl 2009

[xorl 2009] xorl. xorl %eax, %eax. 2009.

Anchor
Yergeau 98
Yergeau 98

[Yergeau 1998] Yergeau, F. RFC 2279 - UTF-8, a transformation format of ISO 10646, . January 1998.

Anchor
Zalewski 01
Zalewski 01

[Zalewski 2001] Zalewski, Michal. Delivering Signals for Fun and Profit: Understanding, exploiting Exploiting and preventing signal-handling related vulnerabilitiesPreventing Signal-Handling Related Vulnerabilities. Bindview Corporation, May 2001.

...