Buffer Overruns: Other resources

The following excerpt is from Chapter 1 of "The 19 Deadly Sins of Software Security" written by Michael Howard, David LeBlanc and John Viega. Click for the complete book excerpt series or visit McGraw-Hill to purchase the book.

Other resources Writing Secure Code, Second Edition by Michael Howard and David C. LeBlanc (Microsoft Press, 2002), Chapter 5, "Public Enemy #1: Buffer Overruns" "Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows Server 2003" by David Litchfield "Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP" by David Litchfield "Blind Exploitation of Stack Overflow Vulnerabilities" by Peter Winter-Smith "Creating Arbitrary Shellcode In Unicode Expanded Strings: The 'Venetian' Exploit" by Chris Anley "Smashing The Stack For Fun And Profit" by Aleph1 (Elias Levy) "The Tao of Windows Buffer Overflow" by Dildog Microsoft Security Bulletin MS04-011/Security Update for Microsoft Windows (835732) Microsoft Application Compatibility Analyzer Using the Strsafe.h Functions More Secure Buffer Function Calls: AUTOMATICALLY! Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries "strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation" by Todd C. Miller and Theo de Raadt GCC extension for protecting applications from stack-smashing attacks PaX OpenBSD Security Static Source Code Analysis Tools for C Summary Do carefully check your buffer accesses by using safe string and buffer handling functions. Do use compiler-based defenses such as /GS and ProPolice. Do use operating-system-level buffer overrun defenses such as DEP and PaX. Do understand what data the attacker controls, and manage that data safely in your code. Do not think that compiler and OS defenses are sufficient -- they are not; they are simply extra defenses. Do not create new code that uses unsafe functions. Consider updating your C/C++ compiler since the compiler authors add more defenses to the generated code. Consider removing unsafe functions from old code over time. Consider using C++ string and container classes rather than low-level C string functions. Click for the book excerpt series or visit McGraw-Hill to purchase the book.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Office management New Enterprise Desktop e-zine Microsoft wraps Office SP2 with better doc support Combining folder redirection with roaming profiles Microsoft Office Project Server 2007: New features and some that have been retired What's hot in Windows security? New Microsoft Office Security Guide Free HTML editor makes intranet updates a breeze Use email to alert you that malware has infected your system SecureZip improves encryption for file-based applications Office 2007: A look at its security features Secure settings for shared files Microsoft Internet Explorer management Four Internet Explorer 8 group policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 Phishing filter: Step 2 General security configuration: Step 1 Windows Vista and IE7: Step 5 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Protection against international domain names, URL handling: Step 3 IE8 brings focus to cross-browser compatibility and Web standards Cross-site Scripting 102: How to defend against cross-site scripting

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary ActiveX  (SearchEnterpriseDesktop.com) ActiveX control  (SearchEnterpriseDesktop.com) Internet Explorer  (SearchEnterpriseDesktop.com) Internet Explorer Administration Kit  (SearchEnterpriseDesktop.com) tabbed browsing  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary