Buffer Overruns: Other resources

The following excerpt is from Chapter 1 of "The 19 Deadly Sins of Software Security" written by Michael Howard, David LeBlanc and John Viega. Click for the complete book excerpt series or visit McGraw-Hill to purchase the book.

Other resources Writing Secure Code, Second Edition by Michael Howard and David C. LeBlanc (Microsoft Press, 2002), Chapter 5, "Public Enemy #1: Buffer Overruns" "Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows Server 2003" by David Litchfield "Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP" by David Litchfield "Blind Exploitation of Stack Overflow Vulnerabilities" by Peter Winter-Smith "Creating Arbitrary Shellcode In Unicode Expanded Strings: The 'Venetian' Exploit" by Chris Anley "Smashing The Stack For Fun And Profit" by Aleph1 (Elias Levy) "The Tao of Windows Buffer Overflow" by Dildog Microsoft Security Bulletin MS04-011/Security Update for Microsoft Windows (835732) Microsoft Application Compatibility Analyzer Using the Strsafe.h Functions More Secure Buffer Function Calls: AUTOMATICALLY! Repel Attacks on Your Code with the Visual Studio 2005 Safe C and C++ Libraries "strlcpy and strlcat -- Consistent, Safe, String Copy and Concatenation" by Todd C. Miller and Theo de Raadt GCC extension for protecting applications from stack-smashing attacks PaX OpenBSD Security Static Source Code Analysis Tools for C Summary Do carefully check your buffer accesses by using safe string and buffer handling functions. Do use compiler-based defenses such as /GS and ProPolice. Do use operating-system-level buffer overrun defenses such as DEP and PaX. Do understand what data the attacker controls, and manage that data safely in your code. Do not think that compiler and OS defenses are sufficient -- they are not; they are simply extra defenses. Do not create new code that uses unsafe functions. Consider updating your C/C++ compiler since the compiler authors add more defenses to the generated code. Consider removing unsafe functions from old code over time. Consider using C++ string and container classes rather than low-level C string functions. Click for the book excerpt series or visit McGraw-Hill to purchase the book.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Microsoft Office Suite Should you switch to the Office 2007 file format? Microsoft Office 2010: At a glance Microsoft Office 2010 ready for testing New Enterprise Desktop e-zine Microsoft wraps Office SP2 with better doc support Combining folder redirection with roaming profiles Microsoft releases infrastructure updates for server products Microsoft Office Project Server 2007: New features and some that have been retired What's hot in Windows security? New Microsoft Office Security Guide Free HTML editor makes intranet updates a breeze Microsoft Internet Explorer (IE) Admins can wear many hats using Netcat Patching third-party browsers adds more work in Windows shops Four Internet Explorer 8 Group Policy security settings Safe enterprise Web browsing: Five tips in five minutes Top client security tips of 2006 General security configuration: Step 1 Protection against international domain names, URL handling: Step 3 ActiveX opt-ins, information bar and cross-domain protection: Step 4 Windows Vista and IE7: Step 5 Phishing filter: Step 2

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary system tray  (SearchEnterpriseDesktop.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary