Secure Coding in C/C++ Cheat Sheet

SECURE CODING IN C/C++

Your Cheat Sheet
Be proactive
Waiting for something bad to
happen before taking action is
a costly and dangerous
approach. Instead, aim to be
proactive by understanding
the most common
vulnerabilities and their
countermeasures. Taking this
course is an excellent rst step
towards achieving this goal.

Review your code

Errors are inevitable, but
they're also avoidable with a
Greetings
keen second pair of eyes. and welcome to your essential resource for secure coding in C
Frequent code reviews by and C++. The frightening possibility of a system crash at 30,000
team members well-versed in feet serves as a wake-up call—when you're coding in powerful
secure coding can be a strong
languages like C and C++, security should never be an
line of defense against
afterthought; it's paramount.
vulnerabilities.
With this guide, you'll have a concise yet comprehensive resource
Sharpen the saw right at your ngertips.
The world of security is ever-
evolving, so your learning
should be too. Stay in the loop Thank you
with the latest security updates
for investing your time to learn about secure coding in C/C++. I’m
and trends to keep your
honored you chose my course to be part of your educational
coding skills relevant.
journey. Feel free to share this guide and the course link with
others interested in upping their coding game.

1
fi
fi
Secure Coding in C/C++ Cheat Sheet

Principles of Secure C and C++ Programming

Minimizing Attack Surface Area

Reducing the attack surface area is vital in enhancing the security of software. Attack
surface area means the points in your code where an attacker may exploit vulnerabilities.
By minimizing this area, we can lower the chances of successful attacks. In other words, the
smaller the target, the harder it is to hit.

Input validation and sanitization, secure memory management, code reviews and testing and secure coding
practices can help you reduce the attack surface area of your code.

Least Privilege
The Principle of Least Privilege is a key concept in secure programming. It suggests only
granting the minimum necessary privileges required to do a speci c task. By limiting access
rights and privileges, the potential harm that can be caused by an attacker or compromised
component is greatly reduced.

Examples include limiting code permissions, controlling system calls, and restricting access
rights to the necessary minimum.

Fail-safe Defaults
The Principle of Fail-Safe Defaults suggests that access to resources and sensitive
operations must be denied by default. Access should only be granted explicitly with
permission.
To understand why this strategy is effective, consider the opposite scenario where access is
granted by default but turned off if certain conditions are met. In such a case, there is a higher
likelihood of overlooking critical conditions or failing to revoke access promptly, which can lead to potential
security breaches.

Defense in Depth
To secure your C and C++ applications, relying on a single security mechanism isn't enough.
A comprehensive approach is to use multiple layers of defense, known as "Defense in
Depth." By designing your system this way, attackers will have to overcome several security
measures, making it harder to compromise the system.

2
fi
 Secure Coding in C/C++ Cheat Sheet

Common Security Pitfalls in C and C++ Programming

⚠
1 Buffer Over ows ⚠
2 Risky Type Conversions

One of the most common Despite using a static type system,

security aws in C/C++ programs
are buffer over ows. A buffer
over ow occurs when a program
writes more data to a buffer than
it was designed to hold. Buffer
over ows can happen on the
stack, heap, or in a memory-mapped le.
C and C++ permit risky
operations, such as implicit
conversions and casting between
incompatible types.
🦄 Exploitability

🦄 Exploitability Misuse of these features can result in unde ned

Stack-based buffer over ows can be exploited to
overwrite the return address on the stack, enabling
an attacker to redirect the program ow to execute
their own malicious code.
Heap over ows occur in dynamically allocated
memory on the heap. Executing custom code is not
usually possible with a heap over ow, but an
attacker could still exploit this vulnerability by
overwriting the data used by the application.
💥 Stack over ow example
// Triggering a stack-based buffer overflow
char buffer[5];
strcpy(buffer, "overflow");
behavior, potentially crashing the app or causing
other unwanted side effects.
💥 Implicit type conversion example
In the following case, an implicit conversion
happens from a double type to an integer type,
leading to the loss of precision:
double x = 3.14;
int y = x;
✌ Solution
Be explicit in your code and avoid implicit
conversions to ensure type compatibility and
prevent unintended consequences.

✌ Solution 1 In this speci c case, by using the static_cast

operator, our code explicitly states that we perform
Use the safer strncpy() function to avoid buffer
a narrowing conversion on purpose.
over ows. Don’t forget to add the null terminator
because strncpy() won’t add it in case of over ow. // Explicit conversion from double to int
double a = 3.14;
strncpy(buffer, "overflow", sizeof(buffer) - 1); int b = static_cast<int>(a);
// add terminating 0
buffer[sizeof(buffer) - 1] = 0;

✌ Solution 2
Alternatively, you can use snprintf() to avoid buffer
over ows. This function will also add the null
terminator automatically.

// adds the terminating zero

// even in case of overflows
snprintf(buffer, sizeof(buffer), "%s",

3
fl
fl
fl
fl
fl
fl
fi
fl
fl
fl
fl
fl
fl
fi
fi
fl
 Secure Coding in C/C++ Cheat Sheet

Common Security Pitfalls in C and C++ Programming

⚠
3 Uncontrolled Format Strings ⚠
4 Improper Error Handling

When a program uses an
unchecked format string as an
argument to the printf() command
or similar functions, it can lead to
the problem known as uncontrolled
format string, a common issue that
can compromise security.
Failing to handle errors properly can leave your code
vulnerable to security risks and impact program
reliability. Ignoring errors, failing to check the return
values of functions that can fail, or exposing internal
system details or valuable information in
error messages are common
mistakes in error management.

🦄 Exploitability
An attacker could use format strings as arguments
for printf() to reveal sensitive information stored in
memory or execute arbitrary code.
💥 Uncontrolled format string example
The user_input string may include format speci ers
like %s or %d, printf() will try to use additional
arguments that aren't there, resulting in unde ned
behavior.
And using the %x and %s format speci ers will
cause printf() to print out values from the stack,
revealing sensitive information.
The %n speci er commands printf() to write the
number of characters successfully written so far to
an address pointed to by the corresponding
argument. As there's no corresponding argument,
printf() will write to whatever location is at the top of
the stack, leading to a potential security
vulnerability.
// user_input may contain format specifiers
printf(user_input);
✌ Solution
Using printf("%s", user_input) prevents any format
speci ers in user_input from being interpreted by
printf().
🦄 Exploitability
Subpar error handling might
jeopardize the stability of your
application, and revealing con dential data could
offer hints to would-be attackers. Resource leaks
could drain system capabilities and open the door to
possible denial-of-service risks.
💥 Ignored error example
In the following code, the return value of fopen() is
not checked. If the le fails to open, the subsequent
call to fscanf() will read data from an uninitialized or
incorrect le stream, leading to unde ned behavior:
char buffer[MAX_BUFFER_SIZE];
FILE *file = fopen("data.txt", "r");
fscanf(file, "%s", buffer);
cout << "First word: " << buffer << endl;
fclose(file);
✌ Solution
The improved code handles the failed le opening
scenario and logs the error:
char buffer[256];
FILE *file = fopen("data.txt", "r");
if (!file)
{
printf("Failed to open the file.\n");
return;
}

fscanf(file, "%s", buffer);

// format specifiers cout << "First word: " << buffer << endl;
printf("%s", user_input);
fclose(file);

4
fi
fi
fi
fi
fi
fi
fi
fi
fi
fi
Secure Coding in C/C++ Cheat Sheet

Common Security Pitfalls in C and C++ Programming

⚠
5 Race Conditions
A race condition occurs when two
or more threads compete to
access or modify shared data
simultaneously. This can cause
sporadic bugs and severe security
vulnerabilities. Paying close
attention to concurrency and
handling it with care is crucial to avoid such risks.
✌ Solution
Introduce a mutex and use std::lock_guard to lock
and unlock the mutex during the critical section. This
way we ensure that only one thread can access and
modify the counter variable at a time, preventing
data corruption caused by a race condition.
#include <iostream>
#include <thread>
#include <mutex>
using namespace std;

🦄 Exploitability int counter = 0;

mutex counterMutex;
Race conditions can cause data corruption,
void increment_counter()
potentially leading to incorrect program behavior {
and security vulnerabilities such as unauthorized lock_guard<mutex> lock(counterMutex);
++counter;
access to protected resources. }

int main()
💥 Race condition example {
thread t1(increment_counter);
In this example, both threads access and modify the thread t2(increment_counter);
counter variable simultaneously without proper t1.join();
synchronization. As a result, the integrity of the t2.join();
counter variable is compromised, potentially cout << "Counter value: " << counter << endl;
leading to incorrect program behavior and other
return 0;
issues. }

#include <iostream>
#include <thread>
using namespace std;

int counter = 0;

void increment_counter()
{
++counter;
}

int main()
{
thread t1(increment_counter);
thread t2(increment_counter);

t1.join();
t2.join();

cout << "Counter value: " << counter << endl;

return 0;
}

5
 Secure Coding in C/C++ Cheat Sheet

Common Security Pitfalls in C and C++ Programming

⚠
6 C/C++ Memory Management Mistakes
Unlike other languages, C and
C++ do not have automatic
garbage collection. Instead,
developers must manage
memory manually—a powerful
but also risky feature. Thus, it’s
the responsibility of the
programmer to. Failure to do so can result in
vulnerabilities such as memory leaks, buffer
over ows, and dangling pointers.
🦄 Exploitability
💥 Referencing freed memory
In this code snippet, we rst allocate memory to store
an integer and save the address of this memory block
in the variable value. Later, we free the allocated
memory using the free() function.
Later, we attempt to write the value 5 to the same
memory location that has already been freed. This
can cause unpredictable behavior and data
corruption, as the memory block may now be used
for other purposes by the system.
int *value = malloc(sizeof(int)); // use new int()
in C++

The side-effects of sloppy memory management free(value); // use operator delete in C++
// ... Perform some operations
can cause a wide range of problems with various // forget that value was freed and try to use it
degrees of severity, including: *value = 5;

• reduced system performance ✌ Solution

• denial-of-service attacks due to resource
exhaustion
• data corruption
• security vulnerabilities
💥 Null pointer dereference
A null pointer is a pointer that does not point to any
valid memory address. Dereferencing such a
pointer can lead to unde ned behavior and
crashes.
int *ptr = NULL; // use nullptr in C++
// ... Perform some operations
*ptr = 10; // this will cause a runtime error
✌ Solution
The simplest way to avoid dereferencing null
pointers is to check whether the pointer is null
before accessing its memory:
int *ptr = NULL; // use nullptr in C++
// ... Perform some operations
if(value != NULL) // use nullptr in C++
{
*value = 5;
}
Implementing defensive coding practices, such as
setting pointers to NULL can help reduce the risk of
accessing freed memory.
Accessing a NULL pointer will instantly trigger a
runtime error, which is far easier to debug and x
than unpredictable behavior resulting from
dereferencing a dangling pointer. This approach
turns a subtle bug into a blatant one, making it less
likely to go unnoticed and thereby improving your
application's overall security posture.
int *value = malloc(sizeof(int));
free(value); // use operator delete in C++
// Set value to NULL to make sure we don't use it
by mistake
value = NULL; // use nullptr in C++
// ... Perform some operations
*value = 5; // this will cause a runtime error
Accessing a NULL pointer will instantly trigger a
runtime error, which is far easier to debug and x
than unpredictable behavior resulting from
dereferencing a dangling pointer.

6
fl
fi
fi
fi
fi
Secure Coding in C/C++ Cheat Sheet

Wrapping Up

Consider these examples as just a snapshot of what you've already encountered in the course on Secure
Coding in C/C++.

If you found these insights valuable and want to revisit any topics or perhaps share them with your
network, the course is always there for you to go through again.

Feel free to share this guide and the course link with others interested in upping their coding game.

Thanks again for being a part of this learning journey with me. Take care and happy coding! 😊

Best regards,
Karoly Nyisztor