How To Program in C
If you must program in C, here are a few references I’ve collected from the twitterverse. It should keep you busy for the next few… years. And even then this only covers the basics. You’ll need to do more research on concurrency, signals, testing and some other topics in security.
How to C in 2016
How to C in 2016 by Matt Stancliff is the article I wish I wrote when I was in my prime C programming days and wish I had when I was starting out.
How to C in 2016: https://t.co/zETGzqm4ut
— Matt Stancliff (@mattsta) January 7, 2016
Update: Matt as also written a guide on const
rules So You Think You Can const as well.
A Critique
A critique of “How to C in 2016” by Matt adds or corrects a lot of details. I believe most of which has been integrated in the original document.
2/2 A response to "How to C 2016" by Keith Thompson cc @mattsta https://t.co/r0kjgkMcWG #c99 #cpp
— Gaetan Juvin (@gtnjuvin) January 15, 2016
And another critique
Some notes C in 2016 by Robert Graham and David Maynor of Errata Security is more higher level criticism and worth reading.
Thoughts from @ErrataRob on How to C in 2016: https://t.co/V45ugSsyVP
— David Moore (@grajagandev) January 17, 2016
Modern Memory Safety: C/C++ Vulnerability Discovery, Exploitation, Hardening
From the README
This repo contains the slides for a training course originally developed in 2012. It has been delivered to many students since its creation. It's sold out at the Black Hat USA conference several years in a row. The content has gone through many iterations based on feedback from those classes. The original training focused mainly on browser vulnerability discovery and exploitation. This latest version still focuses on that but also covers more topics such as custom memory allocators, hardening concepts, and exploitation at a high level.
The full PDF covers both C and C++ (even more things to remember).
Note from Rich Felker
Rich Felker is the author of an excellent libc implementation musl.
In C, you always have to check return values for functions that can fail. This is not hard. Other langs have other mechanisms eg exceptions.
— Rich Felker (@RichFelker) March 3, 2016
Notes from CopperheadOS
CopperheadOS is a “A hardened open-source operating system based on Android”. They also drop tweets on how-to C.
For brownie points, use -fsanitize=unsigned-integer-overflow too and mark the rare cases where overflow is intended using no_sanitize.
— CopperheadOS (@CopperheadOS) March 17, 2016
Final Thoughts
Wow! You read all that? Here’s a final thought:
Behold the power of open source in a Speaker Series featuring @adrianco of @BatteryVentures https://t.co/tITNtdZghJ pic.twitter.com/8IcYEea7Zo
— Heavybit (@heavybit) March 3, 2016