SecureProgramming.com

Anti-Tampering

General / Miscellaneous

  • Problem: A change in API semantics that doesn't break the call by changing the signature can lead to insecurities when a developer tries to call one version of the API but gets a different version. This can be a problem when APIs are slightly different between platforms.

Input Validation

    Excerpts from Secure Programming Cookbook for C and C++
    by John Viega and Matt Messier:
  • Supplement to Recipe 1.1 beginning on page 6.
    Problem: You wish to harden the code in case an OS doesn't limit environment size.
  • Excerpt from Recipe 3.1 beginning on page 71.
    Problem: You have data coming into your application, and you would like to filter or reject data that might be malicious.
  • Supplement to Recipe 3.1 beginning on page 71.
    Problem: You have data coming into your application, and you would like to filter or reject data that may be malicious. The data may need to be decoded, truncated, and so on.
  • Excerpt from Recipe 3.3 beginning on page 78.
    Problem: C and C++ do not perform array-bounds checking, which turns out to be a security-critical issue, particularly in handling strings. The risks increase even more dramatically when user-controlled data is on the program stack (i.e., is a local variable).
  • Supplement to Recipe 3.6 beginning on page 92.
    Problem: You wish to harden the code in case an OS doesn't limit environment size.
  • Excerpt from Recipe 3.8 beginning on page 99.
    Problem: You need to decode a Uniform Resource Locator (URL).
  • Excerpt from Recipe 3.9 beginning on page 101.
    Problem: Your program accepts an email address as input, and you need to verify that the supplied address is valid.

  • Problem: Integer overflows can lead to allocating too little memory, which can often result in an exploitable buffer overflow.
  • Problem: When avoiding buffer overflows by truncating data, there is the possibility of introducing new problems. Additionally, one should watch out for situations where an attacker can truncate data in a way the program doesn't expect.
  • Problem: Your program accepts an email address as input, and you need to verify that the supplied address is valid.

Public Key Infrastructure

    Excerpts from Secure Programming Cookbook for C and C++
    by John Viega and Matt Messier:
  • Supplement to Recipe 10.11 beginning on page 556.
    Problem: Recipe 10.11 in the book "Secure Programming Cookbook for C and C++" showed an example of how to retrieve CRLs from a CA specified as a URL in the extension properties of an X.509 certificate. The code presented in the book used its own "search" function to find a cRLDistributionPoints extension in the certificate, and the Win32 WinInet functions to download the CRL from an HTTP or HTTPS location. Other types of URLs are possible as well, including LDAP and FTP; however, the code presented in the book does not support anything other than HTTP and HTTPS.

Random Numbers

  • Problem: Most shuffling algorithms people use aren't statistically fair. Fair ones tend to be subtle or complex. You want a shuffling algorithm that is fairly simple, unbiased, easy to demonstrate correct and programmatically verifiable.
  • Problem: You are using Python and would like to have a source of cryptographically secure pseudo-random numbers.

Symmetric Cryptography

    Excerpts from Secure Programming Cookbook for C and C++
    by John Viega and Matt Messier:
  • Supplement to Recipe 5.2 beginning on page 156.
    Problem: You're using a library providing symmetric encryption ciphers, and want to know if any of them are to be avoided.

  • Problem: You wish to use a block-based block cipher mode such as CBC (as opposed to a streaming mode), yet do not want to perform message padding.

