security

Hardening C++ with Bjarne Stroustrup

An interview in Software Engineering Daily with Bjarne on the recent announcements by the NSA and the forthcoming CRA from the EU against the use of C++ based on security concerns.

Hardening C++ with Bjarne
Bjarne Stroustrup

From the interview:

Bjarne wishes for more support rather than calls to drop the use and teaching of C++ altogether. Especially in light of how much progress the C++ 17, 20 and 23 mean to the language but also how using the core guidelines and modern static analysis can reduce vulnerabilities considerably. 

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

At the moment, PVS-Studio is developing not only as a static analyzer searching for code quality defects (quality control solution) but also as a solution for searching for security and safety defects.

PVS-Studio 7.12 New Features for Finding Safety and Security Threats

by Nikolay Mironov, Paul Eremeev

From the article:

Well, to waste no time, let's point out the additions right away. So, here is what's new, safe, and cool in PVS-Studio:

  • New diagnostic groups OWASP ASVS and The AUTOSAR C++14 Coding Guidelines have been added to the analyzer. Previously, the compliance of PVS-Studio diagnostic rules with these standards was available only on our website. Now we have more than 50 new diagnostic rules!
  • Now the analyzer shows information about the compliance of the warnings with the SEI CERT Coding Standard. This information formerly was available only on the PVS-Studio website.
  • The interface of our plugins for Visual Studio, JetBrains Rider, and IntelliJ IDEA has been improved to ease the work with analyzer messages that have safety and security standards identifiers.
  • New diagnostic groups (OWASP, AUTOSAR) in PlogConverter are supported.
  • New diagnostics (OWASP, AUTOSAR) are supported in SonarQube at the tag level. We classified our diagnostic rules by OWASP Top 10.

Fuzzing beast with libFuzzer

A short blog post about my experience in fuzzing beast during my boost review

Fuzzing beast with libFuzzer

by Jens Weller

From the article:

During the weekend I wanted to take a closer look at beast, a http library proposed for boost. I planned to write an http client class, as thats something I'll need in some project later anyways. I've been looking at beast on and off for a few month now, and started by reviewing the documentation and examples to get a feel for the library it self.

PVS-Studio: searching software weaknesses

As we check Apache HTTP Server, we see bugs crawling everywhere across the code. But wait! These are not just bugs, but security weaknesses!

PVS-Studio: searching software weaknesses

by Andrey Karpov, Phillip Khandeliants

From the article:

PVS-Studio has always been able to detect a large number of various security defects (potential vulnerabilities) in the program code. However, historically, we positioned PVS-Studio as a tool to search for errors. We see a trend in the software development to look for vulnerabilities in the code, although it is just the same. It seems to us that it is high time to do the rebranding of our static analyzer PVS-Studio. We will start with Common Weakness Enumeration (CWE). This article provides a table that shows matches of PVS-Studio diagnostic warnings of with the classifier. The table will be gradually updated and changed, but we can already use the table to write articles about security defects detected in projects. We suppose it would attract more attention of the software security specialists.

Safe Clearing of Private Data

We often need to store private data in programs, for example passwords, secret keys, and their derivatives, and we usually need to clear their traces in the memory after using them so that a potential intruder can't gain access to these data. In this article we will discuss why you can't clear private data using memset() function.

Safe Clearing of Private Data

by Roman Fomichev

From the article:

So, both gcc and clang decided to optimize our code. Since the memory is freed after calling the memset() function, the compilers treat this call as irrelevant and delete it.