Secure Coding mailing list archives

recent technical reports from the CERT Secure Coding Initiative


From: Robert Seacord <rcs () cert org>
Date: Fri, 25 Jun 2010 11:20:17 -0400

The Secure Coding Initiative at CERT has published several TRs recently.  Sorry I've been slow in sending out updates 
to the list.

Please let me know if you have any questions about any of these reports or are interested in collaborating with CERT to 
advance these projects.

Thanks,
rCs

________________________________

Java Concurrency Guidelines

Fred Long, Dhruv Mohindra, Robert Seacord, & David Svoboda
CMU/SEI-2010-TR-015



An essential element of secure coding in the Java programming language is well-documented and enforceable coding 
standards. Coding standards encourage programmers to follow a uniform set of guidelines determined by the requirements 
of the project and organization, rather than by the programmer's familiarity or preference. Once established, these 
standards can be used as a metric to evaluate source code (using manual or automated processes).

The CERT Oracle Secure Coding Standard for Java provides guidelines for secure coding in the Java programming language. 
The goal of these guidelines is to eliminate insecure coding practices and undefined behaviors that can lead to 
exploitable vulnerabilities. Applying this standard will lead to higher quality systems that are robust and more 
resistant to attack.

This report documents the portion of those Java guidelines that are related to concurrency.

________________________________

keywords: Java, concurrency, software security, coding standard, coding guidelines

cover date: May 2010

distribution: unlimited

editor: Pennie Walters (pw () sei cmu edu)
http://www.sei.cmu.edu/library/abstracts/reports/10tr015.cfm
________________________________

As-If Infinitely Ranged Integer Model, Second Edition
Roger Dannenberg, Will Dormann, David Keaton, Thomas Plum, Robert C. Seacord, David Svoboda, Alex Volkovitsky, & 
Timothy Wilson

CMU/SEI-2010-TN-008



Integers represent a growing and underestimated source of vulnerabilities in C and C++ programs. This report presents 
the as-if infinitely ranged (AIR) integer model that provides a largely automated mechanism for eliminating integer 
overflow and truncation and other integral exceptional conditions. The AIR integer model either produces a value 
equivalent to that obtained using infinitely ranged integers or results in a runtime-constraint violation. Instrumented 
fuzz testing of libraries that have been compiled using a prototype AIR integer compiler has been effective in 
discovering vulnerabilities in software with low false positive and false negative rates.  Furthermore, the runtime 
overhead of the AIR integer model is low enough for typical applications to enable it in deployed systems for 
additional runtime protection.

________________________________

keywords: security, standardization, languages, verification, reliability, fuzz testing, software security, integral 
security, secure coding

cover date: April 2010

distribution: unlimited

editor: Pennie Walters (pw () sei cmu edu)
http://www.sei.cmu.edu/library/abstracts/reports/10tn008.cfm
________________________________

Specifications for Managed Strings, Second Edition
Hal Burch, Fred Long, Raunak Rungta, Robert C. Seacord, & David Svoboda

CMU/SEI-2010-TR-018



This report describes a managed string library for the C programming language. Many software vulnerabilities in C 
programs result from the misuse of manipulation functions for standard C strings. Programming errors common to 
string-manipulation logic include buffer overflow, truncation errors, string termination errors, and improper data 
sanitization. The managed string library provides mechanisms to eliminate or mitigate these problems and improve system 
security. The CERT Program, which is part of the Carnegie Mellon Software Engineering Institute, provides a 
proof-of-concept implementation of the managed string library on its Secure Coding web pages.

________________________________

keywords: string library, software security, C programming, runtime-constraint handling

cover date: May 2010

distribution: unlimited

editor: Paul Ruggiero (pruggiero () sei cmu edu)
http://www.sei.cmu.edu/library/abstracts/reports/10tr018.cfm

Thanks,
rCs

----
Robert C. Seacord
Secure Coding Team Lead
CERT / Software Engineering Institute
Work: +1 412.268.7608
FAX:    +1 412.268.6989