2013-12-28

safer C coding

9: news.cyb/dev.c/avoiding remote code execution:
leafsr:
. some C library functions are often used incorrectly,
and that consequently result in
remote code execution vulnerabilities:
strcpy, sprintf, memcpy, CopyMemory,
RtlCopyMemory, strcat, alloca
and many more Win32 specific stuff.
. much of the legacy software that is
still critical to many enterprises
contains code that calls these vulnerable library functions.
Despite modern memory protections
like ASLR and DEP
the vulnerabilities these functions introduce
are still exploitable under the right conditions .
 . here's the safe C library
– that implements strcpy_s and friends
as an open source library (MIT license).

19: news.cyb/dev.c/SAFECode updates secure dev guide:
.  pubs from safecode.org .
scmagazine:
The Software Assurance Forum for
Excellence in Code (SAFECode),
a nonprofit seeking to advance software assurance,
released an updated guidance document .
The free report includes verification methods and tools
that can be used to confirm whether
development teams have followed prescribed practices.