Secure Programming Recipes

Secure Programming Recipes http://www.secureprogramming.com/?action=browse&feature=recipes Cookbook-style recipes for tackling programming problems securely. en-us 2010-09-03T13:28:33+00:00 Win32: Obtaining CRLs with CryptoAPI http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=24 Recipe 10.11 in the book "Secure Programming Cookbook for C and C++" showed an example of how to retrieve CRLs from a CA specified as a URL in the extension properties of an X.509 Ce... cRLDistributionPoints extension in the certificate, and the Win32 WinInet functions to download the CRL from an HTTP or HTTPS location. Other types of URLs are possible as well, including LDAP and FTP; however, the code presented in the book does not support anything other than HTTP and HTTPS.]]> Matt Messier Sascha Kiefer 2003-12-02T03:37:20+00:00 Another shuffling algorithm http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=23 Most shuffling algorithms people use aren't statistically fair. Fair ones tend to be subtle or complex. You want a shuffling algorithm that is fairly simple, unbiased, easy to demonstrate ... John Viega Bear Giles 2003-10-10T13:47:14+00:00 Using /dev/random from Python http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=20 You are using Python and would like to have a source of cryptographically secure psuedo-random numbers. John Viega John Viega 2003-09-24T05:44:54+00:00 Using Environment Variables Securely http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=16 You wish to harden the code in case an OS doesn't limit environment size. Matt Messier Matt Messier 2003-09-14T21:20:15+00:00 Sanitizing the Environment http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=15 You wish to harden the code in case an OS doesn't limit environment size. Matt Messier Matt Messier 2003-09-14T21:06:45+00:00 Avoiding malloc()/new-related integer overflows http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=14 Integer overflows can lead to allocating too little memory, which can often result in an exploitable buffer overflow. John Viega John Viega 2003-09-14T03:58:34+00:00 Using a CBC-like mode without padding in C and C++ (CTS mode) http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=13 You wish to use a block-based block cipher mode such as CBC (as opposed to a streaming mode), yet do not want to perform message padding. John Viega John Viega 2003-09-08T08:26:49+00:00 Another Input Validation Principle: Decode First http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=12 You have data coming into your application, and you would like to filter or reject data that may be malicious. The data may need to be decoded, truncated or so on. John Viega John Viega 2003-09-08T03:56:31+00:00 Truncating Data Carefully in C and C++ http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=11 When avoiding buffer overflows by truncating data, there is the possibility of introducing new problems. Additionally, one should watch out for situations where an attacker can truncate data ... John Viega John Viega 2003-09-08T03:28:45+00:00 Watching Out for API Differences (And Using *snprintf Properly in C) http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=10 A change in API semantics that doesn't break the call by changing the signature can lead to insecurities when a developer tries to call one version of the API but gets a different version. Th... John Viega John Viega 2003-09-07T22:21:45+00:00 Knowing Which Ciphers to Avoid http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=9 You're using a library providing symmetric encryption ciphers, and want to know if any of them are to be avoided. John Viega John Viega 2003-09-07T17:57:19+00:00 Detecting Whether the Current Process is Being ptrace()d (Linux Specific) http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=8 The linux tracing facility is the ptrace(2) system call. A program with sensitive internals may wish to change its behaviour if it is being traced. The problem is how to detect if a process ... ptrace(2) system call. A program with sensitive internals may wish to change its behaviour if it is being traced. The problem is how to detect if a process is being ptraced.]]> John Viega Dion Mendel 2003-09-07T13:16:03+00:00 Validating Email Addresses in JavaScript http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=7 Your program accepts an email address as input, and you need to verify that the supplied address is valid. Matt Messier Matt Messier 2003-09-05T12:57:07+00:00 Preventing Buffer Overflows http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=5 C and C++ do not perform array-bounds checking, which turns out to be a security-critical issue, particularly in handling strings. The risks increase even more dramatically when user-controlle... John Viega John Viega 2003-09-03T09:00:49+00:00 Understanding Basic Data Validation Techniques http://www.secureprogramming.com/?action=view&feature=recipes&recipeid=4 You have data coming into your application, and you would like to filter or reject data that might be malicious. John Viega John Viega 2003-09-03T08:30:17+00:00