[Acton 2006] Acton, Mike. "Understanding Strict Aliasing." CellPerformance, June 1, 2006.
[Aho 1986] Aho, Alfred V.; Sethi, Ravi; Ullman, Jeffrey D. "Compilers: Principles, Techniques, and Tools" (2nd ed.), 1986.
[Apiki 2006] Apiki, Steve. "Lock-Free Programming on AMD Multi-Core System." AMD Developer Central, 2006.
...
[Asgher 2000] Asgher, Sarmad. "Practical Lock-Free Buffers." Dr. Dobbs Go-Parallel, August 26, 2000.
[Austin Group 2008] "Draft Standard for Information Technology—Portable Operating System Interface (POSIX®)—Draft Technical Standard: Base Specifications, Issue 7," IEEE Unapproved Draft Std P1003.1 D5.1. Prepared by the Austin Group. New York: Institute of Electrical & Electronics Engineers, Inc., May 2008.
[Bailey 2014] Bailey, Don A. Raising Lazarus—The 20 Year Old Bug that Went to Mars. 2014.
[Banahan 2003] Banahan, Mike. The C Book. 2003.
...
[Black 2007] Black, Paul E.; Kass, Michael; & Koo, Michael. Source Code Security Analysis Tool Functional Specification Version 1.0. Special Publication 500-268. Information Technology Laboratory (ITL), Software Diagnostics and Conformance Testing Division, May 2007. http://samate.nist.gov/docs/source_code_security_analysis_spec_SP500-268.pdf.
[Brainbell.com] Brainbell.com. Advice and Warnings for C Tutorials.
[Bryant 2003] Bryant, Randal E., & O'Halloran, David. Computer Systems: A Programmer's Perspective. Upper Saddle River, NJ: Prentice Hall, 2003 (ISBN 0-13-034074-X).
[Burch 2006] Burch, Hal; Long, Fred; & Seacord, Robert C. Specifications for Managed Strings (CMU/SEI-2006-TR-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.
[Butenhof 1997] Butenhof, David R. Programming with POSIX® Threads. Boston: Addison-Wesley Professional, 1997 (ISBN 0-201-63392-2).
[C99 Rationale 2003] Rationale for International Standard—Programming Languages—C, Revision 5.10 (C99 Rationale), April 2003.
[Callaghan 1995] Callaghan, B.; Pawlowski, B.; & Staubach, P. IETF RFC 1813 NFS Version 3 Protocol Specification, June 1995.
[Cassidy 2014] Cassidy, Sean. existential type crisis: Diagnosis of the Heartbleed Bug [blog post]. April 2014.
[CERT 2006a] CERT/CC. CERT/CC Statistics 1988–2006.
...
[Chen 2002] Chen, H.; Wagner, D.; & Dean, D. Setuid Demystified. USENIX Security Symposium, 2002.
...
[DHS 2006] U.S. Department of Homeland Security. Build Security In. 2006.
[DISA 2015] DISA. Application Security and Development Security Technical Implementation Guide, Version 3, Release 10. Accessed April 2015.
[DISA 2016] DISA. Application Security and Development Security Technical Implementation Guide, Version 4, Release 1. Accessed January 2017.
[DISA 2018] DISA. Application Security and Development Security Technical Implementation Guide, Version 4, Release 8. Accessed January 2019.
[DOD 5220] U.S. Department of Defense. DoD Standard 5220.22-M (Word document).
[Dowd 2006] Dowd, M.; McDonald, J.; & Schuh, J. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston: Addison-Wesley, 2006. See http://taossa.com for updates and errata.
[Drepper 2006] Drepper, Ulrich. Defensive Programming for Red Hat Enterprise Linux (and What To Do If Something Goes Wrong). May 3, 2006.
[Duff 1988] Duff, Tom. Tom Duff on Duff's Device. August 29, 1988.
[Dutta 2003] Dutta, Shiv. Best Practices for Programming in C. June 26, 2003.
...
[Eide and Regehr] Eide, E., & Regehr, J. Volatiles Are Miscompiled, and What to Do about It. 2008.
[Feather 1997] Feather, Clive D. W. Solving the struct Hack Problem. JTC1/SC22/WG14 N791. (1997).
[Finlay 2003] Finlay, Ian A. CERT Advisory CA-2003-16, Buffer Overflow in Microsoft RPC. CERT/CC, July 2003.
[Fisher 1999] Fisher, David, & Lipson, Howard. "Emergent Algorithms—A New Method for Enhancing Survivability in Unbounded Systems." Proceedings of the 32nd Annual Hawaii International Conference on System Sciences (HICSS-32). Maui, HI, January 5–8, 1999.
...
[Fortify 2006] Fortify Software Inc. Fortify Taxonomy: Software Security Errors. 2006.
[Fomichev 2016] Fomichev, Roman. "Safe Clearing of Private Data." PVS-Studio Team, 2016.
[FSF 2005] Free Software Foundation. GCC Online Documentation. 2005.
[Garfinkel 1996] Garfinkel, Simson, & Spafford, Gene. Practical UNIX & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly Media, April 1996 (ISBN 1-56592-148-8).
[GCC Bugs] GCC Team. GCC Bugs. Free Software Foundation, Inc.
[GNU 2010] GNU. Coding Standards. GNU, 2010.
...
[Goodin 2009] Goodin, Dan. Clever Attack Exploits Fully-Patched Linux Kernel. The Register, July 2009.
[Gough 2005] Gough, Brian J. An Introduction to GCC. Network Theory Ltd., Revised August 2005 (ISBN 0-9541617-9-3).
[Graff 2003] Graff, Mark G., & Van Wyk, Kenneth R. Secure Coding: Principles and Practices. Cambridge, MA: O'Reilly, 2003 (ISBN 0596002424).
...
[Griffiths 2006] Griffiths, Andrew. Clutching at Straws: When You Can Shift the Stack Pointer. 2006.
[Gutmann 1996] Gutmann, Peter. Secure Deletion of Data from Magnetic and Solid-State Memory. July 1996.
[Haddad 2005] Haddad, Ibrahim. "Secure Coding in C and C++: An Interview with Robert Seacord, Senior Vulnerability Analyst at CERT." Linux World Magazine, November 2005.
...
[Henricson 1992] Henricson, Mats, & Nyquist, Erik. Programming in C++, Rules and Recommendations. Ellemtel Telecommunication Systems Laboratories, 1992.
...
[Howard 2002] Howard, Michael, & LeBlanc, David C. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002.
[HP 2003] Hewlett-Packard Company. Tru64 UNIX: Protecting Your System against File Name Spoofing Attacks. Houston, TX: Hewlett-Packard Company, January 2003.
[IEC 60812 2006] IEC (International Electrotechnical Commission). Analysis Techniques for System Reliability—Procedure for Failure Mode and Effects Analysis (FMEA), 2nd ed. (IEC 60812). Geneva, Switzerland: IEC, January 2006.
[IEC 61508-4] IEC. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems—Part 4: Definitions and Abbreviations. Geneva, Switzerland: IEC, 1998.
[IEEE 754 2006] IEEE (Institute of Electrical and Electronics Engineers). Standard for Binary Floating-Point Arithmetic (IEEE 754-1985). New York: IEEE, 2006.
[IEEE Std 610.12 1990] IEEE. IEEE Standard Glossary of Software Engineering Terminology. September 1990.
[IEEE Std 1003.1:2004] IEEE and The Open Group. The Open Group Base Specifications Issue 6 (IEEE Std 1003.1), 2004 Edition. (See also ISO/IEC 9945-2004 and Open Group 2004.)
[IEEE Std 1003.1:2008] IEEE and The Open Group. The Open Group Base Specifications Issue 7 (IEEE Std 1003.1), 2008 Edition. (See also ISO/IEC 9945-2008 and Open Group 2008.)
[IEEE Std 1003.1:2024] IEEE and The Open Group. The Open Group Base Specifications Issue 8 (IEEE Std 1003.1), 2024 Edition.
[IEEE Std 1003.1:2013] IEEE and The Open Group. Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 (IEEE Std 1003.1, 2013 Edition). E-book: http://ieeexplore.ieee.org/servlet/opac?punumber=6506089.
[IEEE Std 1003.1:2024] IEEE and The Open Group. Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 8 (IEEE Std 1003.1, 2024 Edition). E-book: https://ieeexplore.ieee.org/document/10555529.
[IETF RFC 6520] Internet Engineering Task Force (IETF). Request for Comments 6520: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension. February 2012.
[ilja 2006] ilja. "readlink abuse." ilja's blog. August 13, 2006.
[Intel 2001] Intel Corp. Floating-Point IEEE Filter for Microsoft Windows 2000 on the Intel® Itanium® Architecture. March 2001.
[Internet Society 2000] The Internet Society. Internet Security Glossary (RFC 2828). 2000.
[ISO/IEC 10646:2003] ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). Information Technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 10646:2003). Geneva, Switzerland: International Organization for Standardization, 2003.
[ISO/IEC 10646:2012] ISO/IEC. Information technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 10646:2012). Geneva, Switzerland: ISO, 2012.
[ISO/IEC 11889-1:2009] ISO/IEC. Information Technology—Trusted Platform Module—Part 1: Overview (ISO/IEC 11889-1:2009). Geneva, Switzerland: ISO, 2009.
[ISO/IEC 14882:2003] ISO/IEC. Programming Languages—C++, Second Edition (ISO/IEC 14882-2003). Geneva, Switzerland: ISO, 2003.
[ISO/IEC 14882:2011] ISO/IEC. Information Technology—Programming Languages—C++, Third Edition (ISO/IEC 14882-2011). Geneva, Switzerland: ISO, 2011.
[ISO/IEC 23360-1:2006] ISO/IEC. Linux Standard Base (LSB) Core Specification 3.1—Part 1: Generic Specification. Geneva, Switzerland: ISO, 2006.
[ISO/IEC 646:1991] ISO/IEC. Information Technology: ISO 7-Bit Coded Character Set for Information Interchange (ISO/IEC 646-1991). Geneva, Switzerland: ISO, 1991.
[ISO/IEC 9899:1990] ISO/IEC. Programming Languages—C (ISO/IEC 9899:1990). Geneva, Switzerland: ISO, 1990.
[ISO/IEC 9899:1999] ISO/IEC. Programming Languages—C, 2nd ed (ISO/IEC 9899:1999). Geneva, Switzerland: ISO, 1999.
[ISO/IEC 9899:2011] ISO/IEC. Programming Languages—C, 3rd ed (ISO/IEC 9899:2011). Geneva, Switzerland: ISO, 2011.
[ISO/IEC 9899:2017] ISO/IEC. Programming Languages—C, 4th ed (ISO/IEC 9899:2017). Geneva, Switzerland: ISO, 2017.
[ISO/IEC 9899:2024] ISO/IEC. Programming Languages—C, 5th ed (ISO/IEC 9899:2024). Geneva, Switzerland: ISO, 2024.
[ISO/IEC 9945:2003] ISO/IEC. Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®) [including Technical Corrigendum 1] (ISO/IEC 9945:2003). Geneva, Switzerland: ISO, 2003.
[ISO/IEC/IEEE 24765:2010] ISO/IEC/IEEE. Systems and Software Engineering—Vocabulary (ISO/IEC/IEEE 24765:2010). Geneva, Switzerland: ISO, 2010.
[ISO/IEC/IEEE 9945:2008] ISO/IEC/IEEE. Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®) (ISO/IEC/IEEE 9945:2008). Geneva, Switzerland: ISO, 2008.
[ISO/IEC DTR 24732] ISO/IEC JTC1 SC22 WG14 N1290. Extension for the Programming Language C to Support Decimal Floating-Point Arithmetic. Geneva, Switzerland: ISO, March 2008.
[ISO/IEC JTC1/SC22/WG11] ISO/IEC. Binding Techniques (ISO/IEC JTC1/SC22/WG11). Geneva, Switzerland: ISO, 2007.
[ISO/IEC JTC1/SC22/WG14] ISO/IEC. Solving the Struct Hack Problem (ISO/IEC JTC1/SC22/WG14 N791). Geneva, Switzerland: ISO, 1997.
[ISO/IEC TR 24731-1:2007] ISO/IEC TR 24731. Extensions to the C Library—Part I: Bounds-Checking Interfaces. Geneva, Switzerland: ISO, April 2006.
[ISO/IEC PDTR 24731-2] Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva, Switzerland: ISO, August 2007.
[ISO/IEC TR 24731-2:2010] ISO/IEC TR 24731. Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva, Switzerland: ISO, April 2010.
[ISO/IEC TR 24772:2010] ISO/IEC TR 24772:2010. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use. Geneva, Switzerland: ISO, October 2010.
[ISO/IEC TR 24772:2013] ISO/IEC TR 24772:2013. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use. Geneva, Switzerland: ISO, March 2013.
[ISO/IEC TS 17961] ISO/IEC TS 17961 Draft. Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules. Geneva, Switzerland: ISO, 2012.
[ISO/IEC WG14 N1173] ISO/IEC. Rationale for TR 24731 Extensions to the C Library—Part I: Bounds-Checking Interfaces. http://www.open-std.org/JTC1/SC22/WG14/www/docs/n1173.pdf.
[Jack 2007] Jack, Barnaby. Vector Rewrite Attack. May 2007.
...
[Jones 2010] Jones, Larry. (2010). WG14 N1539 Committee Draft ISO/IEC 9899:201x. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1539.pdf
[Juric n.d.] Juric, Zeljko, et al. (n.d.). TIGCC Documentation, Latest Development Version (TIGCC/TIGCCLIB CVS): C Language Keywords.
[Keaton 2009] Keaton, David; Plum, Thomas; Seacord, Robert C.; Svoboda, David; Volkovitsky, Alex; & Wilson, Timothy. As-if Infinitely Ranged Integer Model. CMU/SEI-2009-TN-023. July 2009.
...
[Kernighan 1988] Kernighan, Brian W., & Ritchie, Dennis M. The C Programming Language, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 1988.
...
[Klarer 2004] Klarer, R.; Maddock, J.; Dawes, B.; & Hinnant, H. "Proposal to Add Static Assertions to the Core Language (Revision 3)." ISO C++ committee paper ISO/IEC JTC1/SC22/WG21/N1720, October 2004. http://www.open-std.org/jtc1/sc22/wg21/docs/papers/2004/n1720.html.
[Klein 2002] Klein, Jack. Bullet Proof Integer Input Using strtol(). 2002.
...
[Lai 2006] Lai, Ray. "Reading Between the Lines." OpenBSD Journal, October 2006.
[Lea 2000] Lea, Doug. Concurrent Programming in Java, 2nd ed. Boston: Addison-Wesley Professional, 2000.
[Lewis 2006] Lewis, Richard. "Security Considerations when Handling Sensitive Data." Posted on the Application Security by Richard Lewis blog, October 2006.
...
[Lipson 2006] Lipson, Howard. Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks (CMU/SEI-2006-TN-027). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.
[Liu 2009] Liu, Likai. Making NULL-pointer reference legal. Life of a Computer Science Student, January 2009.
[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001 Rev C., December 2005.
[Loosemore 2007] Loosemore, Sandra; Stallman, Richard M.; McGrath, Roland; Oram, Andrew; & Drepper, Ulrich. The GNU C Library Reference Manual, Edition 0.11. September 2007.
[McCluskey 2001] McCluskey, Glen. Flexible Array Members and Designators in C9X. ;login:, 26, 4 (July 2001): 29–32.
[Mell 2007] Mell, Peter; Scarfone, Karen; & Romanosky, Sasha. "A Complete Guide to the Common Vulnerability Scoring System Version 2.0." FIRST, June 2007.
[Mercy 2006] Mercy. Exploiting Uninitialized Data. January 2006.
[Meyers 2004] Meyers, Randy. Limited size_t WG14 N1080. September 2004.
[Michael 2004] Michael, M. M. "Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects." IEEE Transactions on Parallel and Distributed Systems, 15, 8 (2004).
...
[Microsoft 2007] Microsoft. C Language Reference, 2007.
...
[Miller 1999] Miller, Todd C., & de Raadt, Theo. strlcpy and strlcat—Consistent, Safe, String Copy and Concatenation. In Proceedings of the FREENIX Track, 1999 USENIX Annual Technical Conference, June 6–11, 1999, Monterey, California, USA. Berkeley, CA: USENIX Association, 1999.
[Miller 2004] Miller, Mark C.; Reus, James F.; Matzke, Robb P.; Koziol, Quincey A.; & Cheng, Albert P. "Smart Libraries: Best SQE Practices for Libraries with an Emphasis on Scientific Computing." In Proceedings of the Nuclear Explosives Code Developer's Conference. Livermore, CA: Lawrence Livermore National Laboratory, December 2004.
...
[MISRA C:2012] MISRA (Motor Industry Software Reliability Association). MISRA C3: Guidelines for the Use of the C Language in Critical Systems 2012. Nuneaton, UK: MIRA, 2012. ISBN 978-1-906400-10-1.
[MIT 2004] MIT (Massachusetts Institute of Technology). "MIT krb5 Security Advisory 2004-002," 2004. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt.
[MIT 2005] MIT. "MIT krb5 Security Advisory 2005-003," 2005. http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2005-003-recvauth.txt.
[MITRE] MITRE. Common Weakness Enumeration, Version 1.8. February 2010.
...
[Open Group 2004] The Open Group. The Open Group Base Specifications Issue 6, IEEE Std 1003.1, 2004 Edition. 2004. (See also IEEE Std 1003.1-2004.)
[Open Group 2008] The Open Group. The Open Group Base Specifications Issue 7, IEEE Std 1003.1, 2008 Edition. 2008. (See also IEEE Std 1003.1-2008.)
[OpenMP] The OpenMP API® Specification for Parallel Programming.
...
[Pethia 2003] Pethia, Richard D. "Viruses and Worms: What Can We Do About Them?" September 10, 2003.
[Pfaff 2004] Pfaff, Ken Thompson. "Casting (time_t)(-1)." Google Groups comp.lang.c, March 2, 2004.
[Pike 1993] Pike, Rob, & Thompson, Ken. "Hello World." Proceedings of the USENIX Winter 1993 Technical Conference, San Diego, CA, January 25–29, 1993, pp. 43–50.
...
[Plum 1989] Plum, Thomas, & Saks, Dan. C Programming Guidelines, 2nd ed. Kamuela, HI: Plum Hall, 1989 (ISBN 0911537074).
...
[Plum 2008] Plum, Thomas. "Static Assertions." June 2008. http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1330.pdf
[Plum 2012] Plum, Thomas. C Finally Gets a New Standard. Dr. Dobb's, 2012.
[Redwine 2006] Redwine, Samuel T., Jr., ed. Secure Software Assurance: A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software Version 1.1. U.S. Department of Homeland Security, September 2006. (See Software Assurance Common Body of Knowledge on Build Security In.)
[Roelker 2004] Roelker, Daniel. "HTTP IDS Evasions Revisited." September 2004.
...
[Saks 2000] Saks, Dan. "Numeric Literals." Embedded Systems Programming, September 2000.
[Saks 2001a] Saks, Dan. "Symbolic Constants." Embedded Systems Design, November 2001.
[Saks 2001b] Saks, Dan. "Enumeration Constants vs. Constant Objects." Embedded Systems Design, November 2001.
...
[Saks 2007a] Saks, Dan. "Sequence Points." Embedded Systems Design, July 1, 2002.
[Saks 2007b] Saks, Dan. "Bail, Return, Jump, or . . . Throw?" Embedded Systems Design, March 2007.
[Saks 2007c] Saks, Dan. "Standard C's Pointer Difference Type." Embedded Systems Design, October 2007.
[Saks 2008] Saks, Dan, & Dewhurst, Stephen C. "Sooner Rather Than Later: Static Programming Techniques for C++" (presentation). March 2008.
[Saltzer 1974] Saltzer, J. H. "Protection and the Control of Information Sharing in Multics." Communications of the ACM 17, 7 (July 1974): 388–402.
[Saltzer 1975] Saltzer, J. H., & Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63, 9 (September 1975): 1278–1308.
[Schwarz 2005] Schwarz, B.; Chen, Hao; Wagner, D.; Morrison, G.; West, J.; Lin, J.; & Tu, Wei. "Model Checking an Entire Linux Distribution for Security Violations." Proceedings of the 21st Annual Computer Security Applications Conference, December 2005 (ISSN 1063-9527; ISBN 0-7695-2461-3).
[Seacord 2003] Seacord, Robert C.; Plakosh, Daniel; & Lewis, Grace A. Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices. Boston: Addison-Wesley, 2003.
[Seacord 2005a] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005. (See http://www.cert.org/books/secure-coding for news and errata.)
[Seacord 2005b] Seacord, Robert C. "Managed String Library for C." C/C++ Users Journal, 23, 10 (October 2005): 30–34.
[Seacord 2005c] Seacord, Robert C. "Variadic Functions: How They Contribute to Security Vulnerabilities and How to Fix Them." Linux World Magazine, November 2005.
[Seacord 2013a] Seacord, Robert C. "C Secure Coding Rules: Past, Present, and Future." InformIT, June 26, 2013.
[Seacord 2013b] Seacord, Robert C. Secure Coding in C and C++, 2nd ed. Boston: Addison-Wesley, 2013. (See http://www.cert.org/books/secure-coding for news and errata.)
[Secunia] Secunia Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability." 2004.
...
[Sloss 2004] Sloss, Andrew; Symes, Dominic; & Wright, Chris. ARM System Developer's Guide. San Francisco: Elsevier/Morgan Kaufmann, 2004 (ISBN-10: 1558608745; ISBN-13: 978-1558608740).
...
[StackOvflw 2009] StackOverflow.com. "Should I return TRUE / FALSE values from a C function?" StackOverflow.com User Questions, March 15, 2010.
...
[Summit 2005] Summit, Steve. comp.lang.c Frequently Asked Questions. 2005.
[Sun 1993] Sun Microsystems. Sun Security Bulletin #00122. 1993.
[Sun 2005] Sun Microsystems. C User's Guide. 819-3688-10. Sun Microsystems, 2005.
[Sutter 2004] Sutter, Herb, & Alexandrescu, Andrei. C++ Coding Standards: 101 Rules, Guidelines, and Best Practices. Boston: Addison-Wesley Professional, 2004 (ISBN 0321113586).
[Tsafrir 2008] Tsafrir, Dan; Da Silva, Dilma; & Wagner, David. The Murky Issue of Changing Process Identity: Revising "Setuid Demystified." USENIX, June 2008, pp. 55–66.
...
[Unicode 2012] The Unicode Consortium. The Unicode Standard, Version 6.2.
[UNIX 1992] UNIX System Laboratories. System V Interface Definition, 3rd ed. Wokingham, MA: Addison-Wesley, 1992.
[van de Voort 2007] van de Voort, Marco. Development Tutorial (a.k.a. Build FAQ). January 29, 2007.
...
[van Sprundel 2006] van Sprundel, Ilja. Unusual bugs. 2006.
[Viega 2001] Viega, John. Protecting Sensitive Data in Memory. February 2001.
[Viega 2003] Viega, John, & Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003 (ISBN 0-596-00394-3).
...
[VU#654390] Rafail, Jason A. Vulnerability Note VU#654390, ISC DHCP Contains C Includes That Define vsnprintf() to vsprintf() Creating Potential Buffer Overflow Conditions. June 2004.
[VU#720951] Dormann, Will. Vulnerability Note VU#720951, OpenSSL TLS Heartbeat Extension Read Overflow Discloses Sensitive Information. April 2014.
[VU#743092] Rafail, Jason A., & Havrilla, Jeffrey S. Vulnerability Note VU#743092, realpath(3) Function Contains Off-by-One Buffer Overflow. July 2003.
...
[VU#881872] Manion, Art, & Taschner, Chris. Vulnerability Note VU#881872, Sun Solaris Telnet Authentication Bypass Vulnerability. 2007.
[VU#925211] Dougherty, Chad. Vulnerability Note VU#925211, "Debian and Ubuntu OpenSSL Packages Contain a Predictable Random Number Generator." June 2008.
[Walfridsson 2003] Walfridsson, Krister. Aliasing, Pointer Casts and GCC 3.3. August 2003.
[Walls 2006] Walls, Douglas. How to Use the restrict Qualifier in C. Sun ONE Tools Group, Sun Microsystems, March 2006.
[Wang 2012] Wang, Xi. More Randomness or Less. June 2012.
...
[WG14/N1396] Thomas, J., & Tydeman, F. "Wide function return values." September 2009.
...
[Zalewski 2001] Zalewski, Michal. Delivering Signals for Fun and Profit: Understanding, Exploiting and Preventing Signal-Handling Related Vulnerabilities. Bindview Corporation, May 2001.
...