How To Program in C
If you must program in C, here are a few references I’ve collected from the twitterverse. It should keep you busy for the next few… years. And even then this only covers the basics. You’ll need to do more research on concurrency, signals, testing and some other topics in security.
How to C in 2016
How to C in 2016: https://t.co/zETGzqm4ut— Matt Stancliff (@mattsta) January 7, 2016
Update: Matt as also written a guide on
const rules So You Think You Can const as well.
A critique of “How to C in 2016” by Matt adds or corrects a lot of details. I believe most of which has been integrated in the original document.
And another critique
Modern Memory Safety: C/C++ Vulnerability Discovery, Exploitation, Hardening
From the README
This repo contains the slides for a training course originally developed in 2012. It has been delivered to many students since its creation. It's sold out at the Black Hat USA conference several years in a row. The content has gone through many iterations based on feedback from those classes. The original training focused mainly on browser vulnerability discovery and exploitation. This latest version still focuses on that but also covers more topics such as custom memory allocators, hardening concepts, and exploitation at a high level.
The full PDF covers both C and C++ (even more things to remember).
Note from Rich Felker
In C, you always have to check return values for functions that can fail. This is not hard. Other langs have other mechanisms eg exceptions.— Rich Felker (@RichFelker) March 3, 2016
Notes from CopperheadOS
CopperheadOS is a “A hardened open-source operating system based on Android”. They also drop tweets on how-to C.
For brownie points, use -fsanitize=unsigned-integer-overflow too and mark the rare cases where overflow is intended using no_sanitize.— CopperheadOS (@CopperheadOS) March 17, 2016
Wow! You read all that? Here’s a final thought: