Secure Programming Cookbook for C and C++,9780596003944

Secure Programming Cookbook for C and C++

by
ISBN13: 9780596003944
ISBN10: 0596003943
Format: Paperback
Pub. Date: 2003-07-01
Publisher(s): Oreilly & Associates Inc
  • Free Shipping Icon

    This Item Qualifies for Free Shipping!*

    *Excludes marketplace orders.

List Price: $78.74

Rent Textbook

Select for Price
Add to Cart
There was a problem. Please try again later.

Digital

Rent Digital Options
Online:1825 Days access
Downloadable:Lifetime Access
$71.99
$71.99
Add to Cart

New Textbook

We're Sorry
Sold Out

Used Textbook

We're Sorry
Sold Out

Buy from our Marketplace starting at $5.50

How Marketplace Works:

  • This item is offered by an independent seller and not shipped from our warehouse
  • Item details like edition and cover design may differ from our description; see seller's comments before ordering.
  • Sellers much confirm and ship within two business days; otherwise, the order will be cancelled and refunded.
  • Marketplace purchases cannot be returned to eCampus.com. Contact the seller directly for inquiries; if no response within two days, contact customer service.
  • Additional shipping costs apply to Marketplace purchases. Review shipping costs at checkout.

Summary

Password sniffing, spoofing, buffer overflows, and denial of service: these are only a few of the attacks on today's computer systems and networks. At the root of this epidemic is poorly written, poorly tested, and insecure code that puts everyone at risk. Clearly, today's developers need help figuring out how to write code that attackers won't be able to exploit. But writing such code is surprisingly difficult. Secure Programming Cookbook for C and C++ is an important new resource for developers serious about writing secure code. It contains a wealth of solutions to problems faced by those who care about the security of their applications. It covers a wide range of topics, including safe initialization, access control, input validation, symmetric and public key cryptography, cryptographic hashes and MACs, authentication and key exchange, PKI, random numbers, and anti-tampering. The rich set of code samples provided in the book's more than 200 recipes will help programmers secure the C and C++ programs they write for both Unixreg; (including Linuxreg;) and Windowsreg; environments. Readers will learn: How to avoid common programming errors, such as buffer overflows, race conditions, and format string problems How to properly SSL-enable applications How to create secure channels for client-server communication without SSL How to integrate Public Key Infrastructure (PKI) into applications Best practices for using cryptography properly Techniques and strategies for properly validating input to programs How to launch programs securely How to use file access mechanisms properly Techniques for protecting applications from reverse engineering The book's web site supplements the book by providing a place to post new recipes, including those written in additional languages like Perl, Java, and Python. Monthly prizes will reward the best recipes submitted by readers. Secure Programming Cookbook for C and C++ is destined to become an essential part of any developer's library, a code companion developers will turn to again and again as they seek to protect their systems from attackers and reduce the risks they face in today's dangerous world.

Author Biography

John Viega, Founder and Chief Scientist of Secure Software (www.securesoftware.com), is a well-known security expert, and coauthor of Building Secure Software (Addison-Wesley) and Network Security with OpenSSL (O'Reilly). John is responsible for numerous software security tools, and is the original author of Mailman, the GNU mailing list manager. He holds a B.A. and M.S. in Computer Science from the University of Virginia. Mr. Viega is also an Adjunct Professor of Computer Science at Virginia Tech (Blacksburg, VA) and a Senior Policy Researcher at the Cyberspace Policy Institute, and he serves on the Technical Advisory Board for the Open Web Applications Security Project. He also founded a Washington, D.C. area security interest group that conducts monthly lectures presented by leading experts in the field. He is the author or coauthor of nearly 80 technical publications, including numerous refereed research papers and trade articles.

Matt Messier, Director of Engineering at Secure Software, is a security authority who has been programming for nearly two decades. Besides coauthoring Network Security with OpenSSL, Matt coauthored the Safe C String Library, RATS, and EGADS, an Entropy Gathering and Distribution System used for securely seeding pseudo-random number generators. Prior to joining Secure Software, Matt worked for IBM and Lotus, on source and assembly level debugging techniques, and operating system concepts.

Table of Contents

Forewordp. xiii
Prefacep. xvii
Safe Initializationp. 1
Sanitizing the Environmentp. 1
Restricting Privileges on Windowsp. 7
Dropping Privileges in setuid Programsp. 16
Limiting Risk with Privilege Separationp. 20
Managing File Descriptors Safelyp. 23
Creating a Child Process Securelyp. 26
Executing External Programs Securelyp. 28
Executing External Programs Securelyp. 33
Disabling Memory Dumps in the Event of a Crashp. 35
Access Controlp. 38
Understanding the Unix Access Control Modelp. 38
Understanding the Windows Access Control Modelp. 41
Determining Whether a User Has Access to a File on Unixp. 43
Determining Whether a Directory Is Securep. 45
Erasing Files Securelyp. 47
Accessing File Information Securelyp. 53
Restricting Access Permissions for New Files on Unixp. 55
Locking Filesp. 57
Synchronizing Resource Access Across Processes on Unixp. 60
Synchronizing Resource Access Across Processes on Windowsp. 63
Creating Files for Temporary Usep. 65
Restricting Filesystem Access on Unixp. 68
Restricting Filesystem and Network Access on FreeBSDp. 69
Input Validationp. 71
Understanding Basic Data Validation Techniquesp. 71
Preventing Attacks on Formatting Functionsp. 75
Preventing Buffer Overflowsp. 78
Using the SafeStr Libraryp. 85
Preventing Integer Coercion and Wrap-Around Problemsp. 88
Using Environment Variables Securelyp. 92
Validating Filenames and Pathsp. 97
Evaluating URL Encodingsp. 99
Validating Email Addressesp. 101
Preventing Cross-Site Scriptingp. 103
Preventing SQL Injection Attacksp. 107
Detecting Illegal UTF-8 Charactersp. 110
Preventing File Descriptor Overflows When Using select()p. 112
Symmetric Cryptography Fundamentalsp. 116
Representing Keys for Use in Cryptographic Algorithmsp. 117
Generating Random Symmetric Keysp. 119
Representing Binary Keys (or Other Raw Data) as Hexadecimalp. 120
Turning ASCII Hex Keys (or Other ASCII Hex Data) into Binaryp. 121
Performing Base64 Encodingp. 123
Performing Base64 Decodingp. 125
Representing Keys (or Other Binary Data) as English Textp. 128
Converting Text Keys to Binary Keysp. 130
Using Salts, Nonces, and Initialization Vectorsp. 133
Deriving Symmetric Keys from a Passwordp. 136
Algorithmically Generating Symmetric Keys from One Base Secretp. 141
Encrypting in a Single Reduced Character Setp. 146
Managing Key Material Securelyp. 149
Timing Cryptographic Primitivesp. 150
Symmetric Encryptionp. 155
Deciding Whether to Use Multiple Encryption Algorithmsp. 155
Figuring Out Which Encryption Algorithm Is Bestp. 156
Selecting an Appropriate Key Lengthp. 160
Selecting a Cipher Modep. 162
Using a Raw Block Cipherp. 171
Using a Generic CBC Mode Implementationp. 175
Using a Generic CFB Mode Implementationp. 186
Using a Generic OFB Mode Implementationp. 192
Using a Generic CTR Mode Implementationp. 197
Using CWC Modep. 202
Manually Adding and Checking Cipher Paddingp. 205
Precomputing Keystream in OFB, CTR, CCM, or CWC Modes (or with Stream Ciphers)p. 207
Parallelizing Encryption and Decryption in Modes That Allow It (Without Breaking Compatibility)p. 208
Parallelizing Encryption and Decryption in Arbitrary Modes (Breaking Compatibility)p. 212
Performing File or Disk Encryptionp. 213
Using a High-Level, Error-Resistant Encryption and Decryption APIp. 217
Performing Block Cipher Setup (for CBC, CFB, OFB, and ECB Modes) in OpenSSLp. 221
Using Variable Key-Length Ciphers in OpenSSLp. 226
Disabling Cipher Padding in OpenSSL in CBC Modep. 227
Performing Additional Cipher Setup in OpenSSLp. 228
Querying Cipher Configuration Properties in OpenSSLp. 229
Performing Low-Level Encryption and Decryption with OpenSSLp. 230
Setting Up and Using RC4p. 233
Using One-Time Padsp. 236
Using Symmetric Encryption with Microsoft's CryptoAPIp. 237
Creating a CryptoAPI Key Object from Raw Key Datap. 244
Extracting Raw Key Data from a CryptoAPI Key Objectp. 246
Hashes and Message Authenticationp. 249
Understanding the Basics of Hashes and MACsp. 249
Deciding Whether to Support Multiple Message Digests or MACsp. 253
Choosing a Cryptographic Hash Algorithmp. 254
Choosing a Message Authentication Codep. 258
Incrementally Hasing Datap. 262
Hashing a Single Stringp. 267
Using a Cryptographic Hashp. 269
Using a Nonce to Protect Against Birthday Attacksp. 270
Checking Message Integrityp. 274
Using HMACp. 276
Using OMAC (a Simple Block Cipher-Based MAC)p. 280
Using HMAC or OMAC with a Noncep. 285
Using a MAC That's Reasonably Fast in Software and Hardwarep. 286
Using a MAC That's Optimized for Software Speedp. 287
Constructing a Hash Function from a Block Cipherp. 291
Using a Block Cipher to Build a Full-Strength Hash Functionp. 294
Using Smaller MAC Tagsp. 298
Making Encryption and Message Integrity Work Togetherp. 298
Making Your Own MACp. 300
Encrypting with a Hash Functionp. 301
Securely Authenticating a MAC (Thwarting Capture Replay Attacks)p. 303
Parallelizing MACsp. 304
Public Key Cryptographyp. 307
Determining When to Use Public Key Cryptographyp. 309
Selecting a Public Key Algorithmp. 311
Selecting Public Key Sizesp. 312
Manipulating Big Numbersp. 315
Generating a Prime Number (Testing for Primality)p. 323
Generating an RSA Key Pairp. 327
Disentangling the Public and Private Keys in OpenSSLp. 329
Converting Binary Strings to Integers for Use with RSAp. 330
Converting Integers into Binary Strings for Use with RSAp. 331
Performing Raw Encryption with an RSA Public Keyp. 332
Performing Raw Decryption Using an RSA Private Keyp. 336
Signing Data Using an RSA Private Keyp. 338
Verifying Signed Data Using an RSA Public Keyp. 340
Securely Signing and Encrypting with RSAp. 343
Using the Digital Signature Algorithm (DSA)p. 347
Representing Public Keys and Certificates in Binary (DER Encoding)p. 352
Representing Keys and Certificates in Plaintext (PEM Encoding)p. 355
Authentication and Key Exchangep. 362
Choosing an Authentication Methodp. 362
Getting User and Group Information on Unixp. 372
Getting User and Group Information on Windowsp. 375
Restricting Access Based on Hostname or IP Addressp. 379
Generating Random Passwords and Passphrasesp. 387
Testing the Strength of Passwordsp. 391
Prompting for a Passwordp. 392
Throttling Failed Authentication Attemptsp. 398
Performing Password-Based Authentication with crypt()p. 400
Performing Password-Based Authentication with MD5-MCFp. 402
Performing Password-Based Authentication with PBKDF2p. 408
Authenticating with PAMp. 411
Authenticating with Kerberosp. 414
Authenticating with HTTP Cookiesp. 419
Performing Password-Based Authentication and Key Exchangep. 422
Performing Authenticated Key Exchange Using RSAp. 429
Using Basic Diffie-Hellman Key Agreementp. 432
Using Diffie-Hellman and DSA Togetherp. 436
Minimizing the Window of Vulnerability When Authenticating Without a PKIp. 438
Providing Forward Secrecy in a Symmetric Systemp. 444
Ensuring Forward Secrecy in a Public Key Systemp. 445
Confirming Requests via Emailp. 447
Networkingp. 454
Creating an SSL Clientp. 455
Creating an SSL Serverp. 457
Using Session Caching to Make SSL Servers More Efficientp. 460
Securing Web Communication on Windows Using the WinInet APIp. 463
Enabling SSL without Modifying Source Codep. 468
Using Kerberos Encryptionp. 470
Performing Interprocess Communication Using Socketsp. 475
Performing Authentication with Unix Domain Socketsp. 482
Performing Session ID Managementp. 486
Securing Database Connectionsp. 487
Using a Virtual Private Network to Secure Network Connectionsp. 490
Building an Authenticated Secure Channel Without SSLp. 491
Public Key Infrastructurep. 502
Understanding Public Key Infrastructure (PKI)p. 502
Obtaining a Certificatep. 513
Using Root Certificatesp. 519
Understanding X.509 Certificate Verification Methodologyp. 522
Performing X.509 Certificate Verification with OpenSSLp. 525
Performing X.509 Certificate Verification with CryptoAPIp. 530
Verifying an SSL Peer's Certificatep. 535
Adding Hostname Checking to Certificate Verificationp. 539
Using a Whitelist to Verify Certificatesp. 544
Obtaining Certificate Revocation Lists with OpenSSLp. 547
Obtaining CRLs with CryptoAPIp. 556
Checking Revocation Status via OCSP with OpenSSLp. 562
Random Numbersp. 568
Determining What Kind of Random Numbers to Usep. 568
Using a Generic API for Randomness and Entropyp. 573
Using the Standard Unix Randomness Infrastructurep. 575
Using the Standard Windows Randomness Infrastructurep. 580
Using an Application-Level Generatorp. 581
Reseeding a Pseudo-Random Number Generatorp. 591
Using an Entropy Gathering Daemon--Compatible Solutionp. 594
Getting Entropy or Pseudo-Randomness Using EGADSp. 599
Using the OpenSSL Random Number APIp. 603
Getting Random Integersp. 605
Getting a Random Integer in a Rangep. 606
Getting a Random Floating-Point Value with Uniform Distributionp. 608
Getting Floating-Point Values with Nonuniform Distributionsp. 609
Getting a Random Printable ASCII Stringp. 611
Shuffling Fairlyp. 612
Compressing Data with Entropy into a Fixed-Size Seedp. 613
Getting Entropy at Startupp. 614
Statistically Testing Random Numbersp. 615
Performing Entropy Estimation and Managementp. 621
Gathering Entropy from the Keyboardp. 630
Gathering Entropy from Mouse Events on Windowsp. 638
Gathering Entropy from Thread Timingsp. 643
Gathering Entropy from System Statep. 644
Anti-Tamperingp. 647
Understanding the Problem of Software Protectionp. 648
Detecting Modificationp. 653
Obfuscating Codep. 658
Performing Bit and Byte Obfuscationp. 664
Performing Constant Transforms on Variablesp. 667
Merging Scalar Variablesp. 667
Splitting Variablesp. 669
Disguising Boolean Valuesp. 670
Using Function Pointersp. 671
Restructuring Arraysp. 672
Hiding Stringsp. 678
Detecting Debuggersp. 681
Detecting Unix Debuggersp. 682
Detecting Windows Debuggersp. 685
Detecting SoftICEp. 685
Countering Disassemblyp. 688
Using Self-Modifying Codep. 693
Other Topicsp. 700
Performing Error Handlingp. 700
Erasing Data from Memory Securelyp. 704
Preventing Memory from Being Paged to Diskp. 707
Using Variable Arguments Properlyp. 709
Performing Proper Signal Handlingp. 712
Protecting against Shatter Attacks on Windowsp. 716
Guarding Against Spawning Too Many Threadsp. 718
Guarding Against Creating Too Many Network Socketsp. 724
Guarding Against Resource Starvation Attacks on Unixp. 727
Guarding Against Resource Starvation Attacks on Windowsp. 730
Following Best Practices for Audit Loggingp. 734
Indexp. 739
Table of Contents provided by Ingram. All Rights Reserved.

An electronic version of this book is available through VitalSource.

This book is viewable on PC, Mac, iPhone, iPad, iPod Touch, and most smartphones.

By purchasing, you will be able to view this book online, as well as download it, for the chosen number of days.

Digital License

You are licensing a digital product for a set duration. Durations are set forth in the product description, with "Lifetime" typically meaning five (5) years of online access and permanent download to a supported device. All licenses are non-transferable.

More details can be found here.

A downloadable version of this book is available through the eCampus Reader or compatible Adobe readers.

Applications are available on iOS, Android, PC, Mac, and Windows Mobile platforms.

Please view the compatibility matrix prior to purchase.