The Secure Coding Initiative at CERT has published several TRs recently. Sorry I've been slow in sending out updates to the list.
Please let me know if you have any questions about any of these reports or are interested in collaborating with CERT to advance these projects.

Thanks,
rCs

________________________________

Java Concurrency Guidelines
Fred Long, Dhruv Mohindra, Robert Seacord, & David Svoboda
CMU/SEI-2010-TR-015

An essential element of secure coding in the Java programming language is well-documented and enforceable coding standards. Coding standards encourage programmers to follow a uniform set of guidelines determined by the requirements of the project and organization, rather than by the programmer's familiarity or preference. Once established, these standards can be used as a metric to evaluate source code (using manual or automated processes). The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. The goal of these guidelines is to eliminate insecure coding practices and undefined behaviors that can lead to exploitable vulnerabilities. Applying this standard will lead to higher quality systems that are robust and more resistant to attack. This report documents the portion of those Java guidelines that are related to concurrency.

________________________________

keywords: Java, concurrency, software security, coding standard, coding guidelines
cover date: May 2010
distribution: unlimited
editor: Pennie Walters (p...@sei.cmu.edu)
www.sei.cmu.edu/library/abstracts/reports/10tr015.cfm

________________________________

As-If Infinitely Ranged Integer Model, Second Edition
Roger Dannenberg, Will Dormann, David Keaton, Thomas Plum, Robert C. Seacord, David Svoboda, Alex Volkovitsky, & Timothy Wilson
CMU/SEI-2010-TN-008

Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This report presents the as-if infinitely ranged (AIR) integer model that provides a largely automated mechanism for eliminating integer overflow and truncation and other integral exceptional conditions. The AIR integer model either produces a value equivalent to that obtained using infinitely ranged integers or results in a runtime-constraint violation. Instrumented fuzz testing of libraries that have been compiled using a prototype AIR integer compiler has been effective in discovering vulnerabilities in software with low false positive and false negative rates. Furthermore, the runtime overhead of the AIR integer model is low enough for typical applications to enable it in deployed systems for additional runtime protection.

________________________________

keywords: security, standardization, languages, verification, reliability, fuzz testing, software security, integral security, secure coding
cover date: April 2010
distribution: unlimited
editor: Pennie Walters (p...@sei.cmu.edu)
http://www.sei.cmu.edu/library/abstracts/reports/10tn008.cfm

________________________________

Specifications for Managed Strings, Second Edition
Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, & David Svoboda
CMU/SEI-2010-TR-018

This report describes a managed string library for the C programming language. Many software vulnerabilities in C programs result from the misuse of manipulation functions for standard C strings. Programming errors common to string-manipulation logic include buffer overflow, truncation errors, string termination errors, and improper data sanitization. The managed string library provides mechanisms to eliminate or mitigate these problems and improve system security. The CERT Program, which is part of the Carnegie Mellon Software Engineering Institute, provides a proof-of-concept implementation of the managed string library on its Secure Coding web pages.

________________________________

keywords: string library, software security, C programming, runtime-constraint handling
cover date: May 2010
distribution: unlimited
editor: Paul Ruggiero (pruggi...@sei.cmu.edu)
www.sei.cmu.edu/library/abstracts/reports/10tr018.cfm

Thanks,
rCs

----
Robert C. Seacord
Secure Coding Team Lead
CERT / Software Engineering Institute
Work: +1 412.268.7608
FAX: +1 412.268.6989
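The AIR report above describes the model's observable contract: an integer operation yields the value it would have with infinitely ranged integers, or it raises a runtime-constraint violation. The following is an added illustration (not CERT's prototype compiler or any code from the reports) that emulates that contract for a few operations with GCC/Clang checked-arithmetic builtins; the handler `air_runtime_constraint` and its record-only behaviour are assumptions for the demonstration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Number of runtime-constraint violations raised so far (observable by callers). */
static int violations = 0;

/* Hypothetical runtime-constraint handler. A deployed AIR build would abort,
 * log, or otherwise fail safely here; this one only records the event. */
static void air_runtime_constraint(const char *op) {
    violations++;
    fprintf(stderr, "AIR runtime-constraint violation: %s\n", op);
}

int air_violations(void) { return violations; }

/* Signed addition with AIR semantics: the exact (infinitely ranged) result when
 * it is representable, otherwise a runtime-constraint violation. The 0 returned
 * on violation is a placeholder, not a value the caller may trust. */
int air_add(int a, int b) {
    int r;
    if (__builtin_add_overflow(a, b, &r)) { air_runtime_constraint("int add"); return 0; }
    return r;   /* with wrapping arithmetic INT_MAX + 1 would silently become INT_MIN */
}

/* Narrowing conversion: truncation (value not representable in int) is one of
 * the "other integral exceptional conditions", not a silent wrap. */
int air_narrow(long long v) {
    if (v < INT_MIN || v > INT_MAX) { air_runtime_constraint("long long -> int"); return 0; }
    return (int)v;
}

/* Allocation-size computation, the classic place where a wrapped product
 * yields an undersized buffer; under AIR the overflow is reported instead. */
size_t air_alloc_size(size_t count, size_t elem) {
    size_t r;
    if (__builtin_mul_overflow(count, elem, &r)) { air_runtime_constraint("size_t mul"); return 0; }
    return r;
}

int main(void) {
    printf("1 + 2 = %d\n", air_add(1, 2));
    air_add(INT_MAX, 1);                 /* violation */
    air_narrow(1LL << 40);               /* violation */
    air_alloc_size((size_t)-1, 2);       /* violation */
    printf("violations raised: %d\n", air_violations());
    return 0;
}
```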
_______________________________________________
Secure Coding mailing list (SC-L) SC-L@securecoding.org
List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l
List charter available at - http://www.securecoding.org/list/charter.php
SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community.
Follow KRvW Associates on Twitter at: http://twitter.com/KRvW_Associates
_______________________________________________