AA. Bibliography
[Acton 2006] Acton, Mike. "Understanding Strict Aliasing." CellPerformance, June 1, 2006.
[Aho 1986] Aho, Alfred V.; Sethi, Ravi; & Ullman, Jeffrey D. Compilers: Principles, Techniques, and Tools (2nd ed.), 1986.
[Apiki 2006] Apiki, Steve. "Lock-Free Programming on AMD Multi-Core System." AMD Developer Central, 2006.
[Apple 2006] Apple, Inc. Secure Coding Guide. May 2006.
[Asgher 2000] Asgher, Sarmad. "Practical Lock-Free Buffers." Dr. Dobbs Go-Parallel, August 26, 2000.
[Bailey 2014] Bailey, Don A. Raising Lazarus—The 20 Year Old Bug that Went to Mars. 2014.
[Banahan 2003] Banahan, Mike. The C Book. 2003.
[Barney 2010] Barney, Blaise. "Mutex Variables." POSIX Threads Programming, 2010.
[Becker 2008] Becker, Pete. Working Draft, Standard for Programming Language C++. April 2008.
[Beebe 2005] Beebe, Nelson H. F. Re: Remainder (%) Operator and GCC. 2005.
[Black 2007] Black, Paul E.; Kass, Michael; & Koo, Michael. Source Code Security Analysis Tool Functional Specification Version 1.0. Special Publication 500-268. Information Technology Laboratory (ITL), Software Diagnostics and Conformance Testing Division, May 2007.
[Brainbell.com] Brainbell.com. Advice and Warnings for C Tutorials.
[Bryant 2003] Bryant, Randal E. & O'Hallaron, David. Computer Systems: A Programmer's Perspective. Upper Saddle River, NJ: Prentice Hall, 2003 (ISBN 0-13-034074-X).
[Burch 2006] Burch, Hal; Long, Fred; & Seacord, Robert C. Specifications for Managed Strings (CMU/SEI-2006-TR-006). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.
[Butenhof 1997] Butenhof, David R. Programming with POSIX® Threads. Boston: Addison-Wesley Professional, 1997 (ISBN 0-201-63392-2).
[C99 Rationale 2003] Rationale for International Standard—Programming Languages—C, Revision 5.10 (C99 Rationale), April 2003.
[Callaghan 1995] Callaghan, B.; Pawlowski, B.; & Staubach, P. IETF RFC 1813 NFS Version 3 Protocol Specification, June 1995.
[Cassidy 2014] Cassidy, Sean. existential type crisis: Diagnosis of the Heartbleed Bug [blog post]. April 2014.
[CERT 2006a] CERT/CC. CERT/CC Statistics 1988–2006.
[CERT 2006b] CERT/CC. US-CERT's Technical Cyber Security Alerts.
[CERT 2006c] CERT/CC. Secure Coding website.
[Chen 2002] Chen, H.; Wagner, D.; & Dean, D. Setuid Demystified. USENIX Security Symposium, 2002.
[Chess 2007] Chess, Brian & West, Jacob. Secure Programming with Static Analysis. Boston: Addison-Wesley, 2007.
[Corfield 1993] Corfield, Sean A. "Making String Literals 'const'." November 1993.
[Coverity 2007] Coverity Prevent User's Manual (3.3.0). 2007.
[CVE] Common Vulnerabilities and Exposures.
[C++ Reference] Standard C Library, General C++, C++ Standard Template Library.
[Dewhurst 2002] Dewhurst, Stephen C. C++ Gotchas: Avoiding Common Problems in Coding and Design. Boston: Addison-Wesley Professional, 2002.
[Dewhurst 2005] Dewhurst, Stephen C. C++ Common Knowledge: Essential Intermediate Programming. Boston: Addison-Wesley Professional, 2005.
[DHS 2006] U.S. Department of Homeland Security. Build Security In. 2006.
[DISA 2015] DISA. Application Security and Development Security Technical Implementation Guide, Version 3, Release 10. Accessed April 2015.
[DISA 2016] DISA. Application Security and Development Security Technical Implementation Guide, Version 4, Release 1. Accessed January 2017.
[DISA 2018] DISA. Application Security and Development Security Technical Implementation Guide, Version 4, Release 8. Accessed January 2019.
[DOD 5220] U.S. Department of Defense. DoD Standard 5220.22-M (Word document).
[Dowd 2006] Dowd, M.; McDonald, J.; & Schuh, J. The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities. Boston: Addison-Wesley, 2006.
[Drepper 2006] Drepper, Ulrich. Defensive Programming for Red Hat Enterprise Linux (and What To Do If Something Goes Wrong). May 3, 2006.
[Duff 1988] Duff, Tom. Tom Duff on Duff's Device. August 29, 1988.
[Dutta 2003] Dutta, Shiv. Best Practices for Programming in C. June 26, 2003.
[Eckel 2007] Eckel, Bruce. Thinking in C++, Vol. 2. January 25, 2007.
[ECTC 1998] Embedded C++ Technical Committee. The Embedded C++ Programming Guide Lines, Version WP-GU-003. January 6, 1998.
[Eide and Regehr] Eide, E. & Regehr, J. Volatiles Are Miscompiled, and What to Do about It. 2008.
[Feather 1997] Feather, Clive D. W. Solving the struct Hack Problem. JTC1/SC22/WG14 N791, 1997.
[Finlay 2003] Finlay, Ian A. CERT Advisory CA-2003-16, Buffer Overflow in Microsoft RPC. CERT/CC, July 2003.
[Fisher 1999] Fisher, David & Lipson, Howard. "Emergent Algorithms—A New Method for Enhancing Survivability in Unbounded Systems." Proceedings of the 32nd Annual Hawaii International Conference on System Sciences (HICSS-32). Maui, HI, January 5–8, 1999.
[Flake 2006] Flake, Halvar. "Attacks on Uninitialized Local Variables." Black Hat Federal, 2006.
[Fortify 2006] Fortify Software Inc. Fortify Taxonomy: Software Security Errors. 2006.
[Fomichev 2016] Fomichev, Roman. "Safe Clearing of Private Data." PVS-Studio Team, 2016.
[FSF 2005] Free Software Foundation. GCC Online Documentation. 2005.
[Garfinkel 1996] Garfinkel, Simson & Spafford, Gene. Practical UNIX & Internet Security, 2nd ed. Sebastopol, CA: O'Reilly Media, April 1996 (ISBN 1-56592-148-8).
[GCC Bugs] GCC Team. GCC Bugs. Free Software Foundation, Inc.
[GNU 2010] GNU. Coding Standards. GNU, 2010.
[GNU Pth] Engelschall, Ralf S. GNU Portable Threads, 2006.
[Goldberg 1991] Goldberg, David. What Every Computer Scientist Should Know about Floating-Point Arithmetic. Sun Microsystems, March 1991.
[Goodin 2009] Goodin, Dan. Clever Attack Exploits Fully-Patched Linux Kernel. The Register, July 2009.
[Gough 2005] Gough, Brian J. An Introduction to GCC. Network Theory Ltd., Revised August 2005 (ISBN 0-9541617-9-3).
[Graff 2003] Graff, Mark G. & Van Wyk, Kenneth R. Secure Coding: Principles and Practices. Cambridge, MA: O'Reilly, 2003 (ISBN 0596002424).
[Greenman 1997] Greenman, David. Serious Security Bug in wu-ftpd v2.4. BUGTRAQ Mailing List (bugtraq@securityfocus.com), January 2, 1997.
[Griffiths 2006] Griffiths, Andrew. Clutching at Straws: When You Can Shift the Stack Pointer. 2006.
[Gutmann 1996] Gutmann, Peter. Secure Deletion of Data from Magnetic and Solid-State Memory. July 1996.
[Haddad 2005] Haddad, Ibrahim. "Secure Coding in C and C++: An Interview with Robert Seacord, Senior Vulnerability Analyst at CERT." Linux World Magazine, November 2005.
[Hatton 1995] Hatton, Les. Safer C: Developing Software for High-Integrity and Safety-Critical Systems. New York: McGraw-Hill, 1995 (ISBN 0-07-707640-0).
[Hatton 2003] Hatton, Les. EC--: A Measurement-Based Safer Subset of ISO C Suitable for Embedded System Development. November 5, 2003.
[Henricson 1992] Henricson, Mats & Nyquist, Erik. Programming in C++, Rules and Recommendations. Ellemtel Telecommunication Systems Laboratories, 1992.
[Horton 1990] Horton, Mark R. Portable C Software. Upper Saddle River, NJ: Prentice-Hall, 1990 (ISBN 0-13-868050-7).
[Howard 2002] Howard, Michael & LeBlanc, David C. Writing Secure Code, 2nd ed. Redmond, WA: Microsoft Press, 2002.
[HP 2003] Hewlett-Packard Company. Tru64 UNIX: Protecting Your System against File Name Spoofing Attacks. Houston, TX: Hewlett-Packard Company, January 2003.
[IEC 60812 2006] IEC (International Electrotechnical Commission). Analysis Techniques for System Reliability—Procedure for Failure Mode and Effects Analysis (FMEA), 2nd ed. (IEC 60812). Geneva, Switzerland: IEC, 2006.
[IEC 61508-4] IEC. Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems—Part 4: Definitions and Abbreviations. Geneva, Switzerland: IEC, 1998.
[IEEE 754 2006] IEEE (Institute of Electrical and Electronics Engineers). Standard for Binary Floating-Point Arithmetic (IEEE 754-1985). New York: IEEE, 2006.
[IEEE Std 610.12 1990] IEEE. IEEE Standard Glossary of Software Engineering Terminology. 1990.
[IEEE Std 1003.1:2004] IEEE and The Open Group. The Open Group Base Specifications Issue 6 (IEEE Std 1003.1), 2004 Edition. (See also ISO/IEC 9945-2004 and Open Group 04.)
[IEEE Std 1003.1:2008] IEEE and The Open Group. The Open Group Base Specifications Issue 7 (IEEE Std 1003.1), 2008 Edition. (See also ISO/IEC 9945-2008 and Open Group 2008.)
[IEEE Std 1003.1:2024] IEEE and The Open Group. The Open Group Base Specifications Issue 8 (IEEE Std 1003.1), 2024 Edition.
[IEEE Std 1003.1:2013] IEEE and The Open Group. Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 7 (IEEE Std 1003.1, 2013 Edition). E-book: http://ieeexplore.ieee.org/servlet/opac?punumber=6506089.
[IEEE Std 1003.1:2024] IEEE and The Open Group. Standard for Information Technology—Portable Operating System Interface (POSIX®), Base Specifications, Issue 8 (IEEE Std 1003.1, 2024 Edition). E-book: https://ieeexplore.ieee.org/document/10555529.
[IETF: RFC 6520] Internet Engineering Task Force (IETF). Request for Comments 6520: Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) Heartbeat Extension. February 2012.
[ilja 2006] ilja. "readlink abuse." ilja's blog, August 13, 2006.
[Intel 2001] Intel Corp. Floating-Point IEEE Filter for Microsoft Windows 2000 on the Intel® Itanium® Architecture. March 2001.
[Internet Society 2000] The Internet Society. Internet Security Glossary (RFC 2828). 2000.
[ISO/IEC 10646:2003] ISO/IEC (International Organization for Standardization/International Electrotechnical Commission). Information Technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 10646:2003). Geneva, Switzerland: International Organization for Standardization, 2003.
[ISO/IEC 10646:2012] ISO/IEC. Information Technology—Universal Multiple-Octet Coded Character Set (UCS) (ISO/IEC 10646:2012). Geneva, Switzerland: ISO, 2012.
[ISO/IEC 11889-1:2009] ISO/IEC. Information Technology—Trusted Platform Module—Part 1: Overview (ISO/IEC 11889-1:2009). Geneva, Switzerland: ISO, 2009.
[ISO/IEC 14882:2003] ISO/IEC. Programming Languages—C++, Second Edition (ISO/IEC 14882-2003). Geneva, Switzerland: ISO, 2003.
[ISO/IEC 14882:2011] ISO/IEC. Information Technology—Programming Languages—C++, Third Edition (ISO/IEC 14882-2011). Geneva, Switzerland: ISO, 2011.
[ISO/IEC 23360-1:2006] ISO/IEC. Linux Standard Base (LSB) Core Specification 3.1—Part 1: Generic Specification. Geneva, Switzerland: ISO, 2006.
[ISO/IEC 646:1991] ISO/IEC. Information Technology: ISO 7-Bit Coded Character Set for Information Interchange (ISO/IEC 646-1991). Geneva, Switzerland: ISO, 1991.
[ISO/IEC 9899:1990] ISO/IEC. Programming Languages—C (ISO/IEC 9899:1990). Geneva, Switzerland: ISO, 1990.
[ISO/IEC 9899:1999] ISO/IEC. Programming Languages—C, 2nd ed. (ISO/IEC 9899:1999). Geneva, Switzerland: ISO, 1999.
[ISO/IEC 9899:2011] ISO/IEC. Programming Languages—C, 3rd ed. (ISO/IEC 9899:2011). Geneva, Switzerland: ISO, 2011.
[ISO/IEC 9899:2017] ISO/IEC. Programming Languages—C, 4th ed. (ISO/IEC 9899:2017). Geneva, Switzerland: ISO, 2017.
[ISO/IEC 9899:2024] ISO/IEC. Programming Languages—C, 5th ed. (ISO/IEC 9899:2024). Geneva, Switzerland: ISO, 2024.
[ISO/IEC 9945:2003] ISO/IEC. Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®) [including Technical Corrigendum 1] (ISO/IEC 9945:2003). Geneva, Switzerland: ISO, 2003.
[ISO/IEC/IEEE 24765:2010] ISO/IEC/IEEE. Systems and Software Engineering—Vocabulary (ISO/IEC/IEEE 24765:2010). Geneva, Switzerland: ISO, 2010.
[ISO/IEC/IEEE 9945:2008] ISO/IEC/IEEE. Information Technology—Programming Languages, Their Environments and System Software Interfaces—Portable Operating System Interface (POSIX®) (ISO/IEC/IEEE 9945:2008). Geneva, Switzerland: ISO, 2008.
[ISO/IEC DTR 24732] ISO/IEC JTC1 SC22 WG14 N1290. Extension for the Programming Language C to Support Decimal Floating-Point Arithmetic. Geneva, Switzerland: ISO, March 2008.
[ISO/IEC JTC1/SC22/WG11] ISO/IEC. Binding Techniques (ISO/IEC JTC1/SC22/WG11). Geneva, Switzerland: ISO, 2007.
[ISO/IEC JTC1/SC22/WG14] ISO/IEC. Solving the Struct Hack Problem (ISO/IEC JTC1/SC22/WG14 N791). Geneva, Switzerland: ISO, 1997.
[ISO/IEC TR 24731-1:2007] ISO/IEC TR 24731. Extensions to the C Library—Part I: Bounds-Checking Interfaces. Geneva, Switzerland: ISO, April 2006.
[ISO/IEC PDTR 24731-2] Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva, Switzerland: ISO, August 2007.
[ISO/IEC TR 24731-2:2010] ISO/IEC TR 24731. Extensions to the C Library—Part II: Dynamic Allocation Functions. Geneva, Switzerland: ISO, April 2010.
[ISO/IEC TR 24772:2010] ISO/IEC TR 24772:2010. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use. Geneva, Switzerland: ISO, October 2010.
[ISO/IEC TR 24772:2013] ISO/IEC TR 24772:2013. Information Technology—Programming Languages—Guidance to Avoiding Vulnerabilities in Programming Languages through Language Selection and Use. Geneva, Switzerland: ISO, March 2013.
[ISO/IEC TS 17961] ISO/IEC TS 17961. Information Technology—Programming Languages, Their Environments and System Software Interfaces—C Secure Coding Rules. Geneva, Switzerland: ISO, 2012.
[ISO/IEC WG14 N1173] ISO/IEC. Rationale for TR 24731 Extensions to the C Library—Part I: Bounds-Checking Interfaces.
[Jack 2007] Jack, Barnaby. Vector Rewrite Attack: Exploitable NULL Pointer Vulnerabilities on ARM and XScale Architectures. CanSecWest 2007, Vancouver, BC, Canada, April 2007.
[Jones 2004] Jones, Nigel. Learn a New Trick with the offsetof() Macro. Embedded Systems Programming, March 2004.
[Jones 2008] Jones, Derek M. The New C Standard: An Economic and Cultural Commentary. Knowledge Software Ltd., 2008.
[Jones 2010] Jones, Larry. WG14 N1539 Committee Draft ISO/IEC 9899:201x. 2010.
[Juric n.d.] Juric, Zeljko, et al. TIGCC Documentation, Latest Development Version (TIGCC/TIGCCLIB CVS): C Language Keywords. n.d.
[Keaton 2009] Keaton, David; Plum, Thomas; Seacord, Robert C.; Svoboda, David; Volkovitsky, Alex; & Wilson, Timothy. As-if Infinitely Ranged Integer Model. CMU/SEI-2009-TN-023. July 2009.
[Keil 2008] Keil, an ARM Company. "Floating Point Support." RealView Libraries and Floating Point Support Guide, 2008.
[Kennaway 2000] Kennaway, Kris. Re: /tmp topic. December 2000.
[Kernighan 1988] Kernighan, Brian W. & Ritchie, Dennis M. The C Programming Language, 2nd ed. Englewood Cliffs, NJ: Prentice-Hall, 1988.
[Kettlewell 2002] Kettlewell, Richard. C Language Gotchas. February 2002.
[Kettlewell 2003] Kettlewell, Richard. Inline Functions in C. March 2003.
[Kirch-Prinz 2002] Kirch-Prinz, Ulla & Prinz, Peter. C Pocket Reference. Sebastopol, CA: O'Reilly, November 2002 (ISBN 0-596-00436-2).
[Klarer 2004] Klarer, R.; Maddock, J.; Dawes, B.; & Hinnant, H. "Proposal to Add Static Assertions to the Core Language (Revision 3)." ISO C++ committee paper ISO/IEC JTC1/SC22/WG21/N1720, October 2004.
[Klein 2002] Klein, Jack. Bullet Proof Integer Input Using strtol(). 2002.
[Koenig 1989] Koenig, Andrew. C Traps and Pitfalls. Addison-Wesley Professional, 1989.
[Kuhn 2006] Kuhn, Markus. UTF-8 and Unicode FAQ for Unix/Linux. 2006.
[Lai 2006] Lai, Ray. "Reading Between the Lines." OpenBSD Journal, October 2006.
[Lea 2000] Lea, Doug. Concurrent Programming in Java, 2nd ed. Boston: Addison-Wesley Professional, 2000.
[Lewis 2006] Lewis, Richard. "Security Considerations when Handling Sensitive Data." Posted on the Application Security by Richard Lewis blog, October 2006.
[Linux 2008] Linux Programmer's Manual. October 2008.
[Lions 1996] Lions, J. L. ARIANE 5 Flight 501 Failure Report. Paris, France: European Space Agency (ESA) & National Center for Space Study (CNES) Inquiry Board, July 1996.
[Lipson 2000] Lipson, Howard & Fisher, David. "Survivability: A New Technical and Business Perspective on Security," 33–39. Proceedings of the 1999 New Security Paradigms Workshop, Caledon Hills, Ontario, Canada, Sept. 22–24, 1999. New York: Association for Computing Machinery, 2000.
[Lipson 2006] Lipson, Howard. Evolutionary Systems Design: Recognizing Changes in Security and Survivability Risks (CMU/SEI-2006-TN-027). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2006.
[Liu 2009] Liu, Likai. Making NULL-Pointer Reference Legal. Life of a Computer Science Student, January 2009.
[Lockheed Martin 2005] Lockheed Martin. Joint Strike Fighter Air Vehicle C++ Coding Standards for the System Development and Demonstration Program. Document Number 2RDU00001 Rev C., December 2005.
[Loosemore 2007] Loosemore, Sandra; Stallman, Richard M.; McGrath, Roland; Oram, Andrew; & Drepper, Ulrich. The GNU C Library Reference Manual, Edition 0.11. September 2007.
[McCluskey 2001] McCluskey, Glen. Flexible Array Members and Designators in C9X. ;login: 26, 4 (July 2001): 29–32.
[Mell 2007] Mell, Peter; Scarfone, Karen; & Romanesky, Sasha. "A Complete Guide to the Common Vulnerability Scoring System Version 2.0." FIRST, June 2007.
[Mercy 2006] Mercy. Exploiting Uninitialized Data. January 2006.
[Myers 2001] Meyers, Randy. The New C: X Macros. Dr. Dobbs, May 1, 2001.
[Meyers 2004] Meyers, Randy. Limited size_t, WG14 N1080. September 2004.
[Michael 2004] Michael, M. M. "Hazard Pointers: Safe Memory Reclamation for Lock-Free Objects." IEEE Transactions on Parallel and Distributed Systems 15, 8 (2004).
[Microsoft 2003] Microsoft Security Bulletin MS03-026, "Buffer Overrun In RPC Interface Could Allow Code Execution (823980)." September 2003.
[Microsoft 2007] Microsoft. C Language Reference, 2007.
[Miller 2007] Miller, Damien. "Security Measures in OpenSSH," white paper. OpenSSH Project, 2007.
[Miller 1999] Miller, Todd C. & de Raadt, Theo. strlcpy and strlcat—Consistent, Safe, String Copy and Concatenation. In Proceedings of the FREENIX Track, 1999 USENIX Annual Technical Conference, June 6–11, 1999, Monterey, California, USA. Berkeley, CA: USENIX Association, 1999.
[Miller 2004] Miller, Mark C.; Reus, James F.; Matzke, Robb P.; Koziol, Quincey A.; & Cheng, Albert P. "Smart Libraries: Best SQE Practices for Libraries with an Emphasis on Scientific Computing." In Proceedings of the Nuclear Explosives Code Developer's Conference. Livermore, CA: Lawrence Livermore National Laboratory, December 2004.
[MISRA 2004] MISRA (Motor Industry Software Reliability Association). MISRA C:2004 Guidelines for the Use of the C Language in Critical Systems. Nuneaton, UK: MIRA, 2004 (ISBN 095241564X).
[MISRA 2008] MISRA. MISRA C++:2008 Guidelines for the Use of the C++ Language in Critical Systems. Nuneaton, UK: MIRA, 2008 (ISBN 978-906400-03-3 [paperback], ISBN 978-906400-04-0 [PDF]).
[MISRA C:2012] MISRA. MISRA C3: Guidelines for the Use of the C Language in Critical Systems 2012. Nuneaton, UK: MIRA, 2012 (ISBN 978-1-906400-10-1).
[MIT 2004] MIT (Massachusetts Institute of Technology). "MIT krb5 Security Advisory 2004-002," 2004.
[MIT 2005] MIT. "MIT krb5 Security Advisory 2005-003," 2005.
[MITRE] MITRE. Common Weakness Enumeration, Version 1.8. February 2010.
[MITRE 2007] MITRE. Common Weakness Enumeration, Draft 9. April 2008.
[MKS] MKS, Inc. MKS Reference Pages.
[MSDN] Microsoft Developer Network.
[Murenin 2007] Murenin, Constantine A. cnst: 10-Year-Old Pointer-Arithmetic Bug in make(1) Is Now Gone, Thanks to malloc.conf and Some Debugging. LiveJournal, June 2007.
[NASA-GB-1740.13] NASA Glenn Research Center, Office of Safety Assurance Technologies. NASA Software Safety Guidebook (NASA-GB-1740.13).
[NAI 1998] Network Associates, Inc. Bugtraq: Network Associates Inc. Advisory (OpenBSD). 1998.
[NIST 2006] NIST. SAMATE Reference Dataset. 2006.
[OpenBSD] Berkeley Software Design, Inc. Manual Pages. June 2008.
[Open Group 1997a] The Open Group. The Single UNIX® Specification, Version 2. 1997.
[Open Group 1997b] The Open Group. Go Solo 2—The Authorized Guide to Version 2 of the Single UNIX Specification. May 1997.
[Open Group 2004] The Open Group. The Open Group Base Specifications Issue 6, IEEE Std 1003.1, 2004 Edition. 2004. (See also IEEE Std 1003.1-2004.)
[Open Group 2008] The Open Group. The Open Group Base Specifications Issue 7, IEEE Std 1003.1, 2008 Edition. 2008. (See also IEEE Std 1003.1-2008.)
[OpenMP] The OpenMP API® Specification for Parallel Programming.
[OWASP Double Free] Open Web Application Security Project. "Double Free."
[OWASP Freed Memory] Open Web Application Security Project. "Using Freed Memory."
[Pethia 2003] Pethia, Richard D. "Viruses and Worms: What Can We Do About Them?" September 10, 2003.
[Pfaff 2004] Pfaff, Ken Thompson. "Casting (time_t)(-1)." Google Groups comp.lang.c, March 2, 2004.
[Pike 1993] Pike, Rob & Thompson, Ken. "Hello World." Proceedings of the USENIX Winter 1993 Technical Conference, San Diego, CA, January 25–29, 1993, pp. 43–50.
[Plakosh 2005] Plakosh, Dan. "Consistent Memory Management Conventions." Build Security In, 2005.
[Plum 1985] Plum, Thomas. Reliable Data Structures in C. Kamuela, HI: Plum Hall, Inc., 1985 (ISBN 0-911537-04-X).
[Plum 1989] Plum, Thomas & Saks, Dan. C Programming Guidelines, 2nd ed. Kamuela, HI: Plum Hall, 1989 (ISBN 0911537074).
[Plum 1991] Plum, Thomas. C++ Programming. Kamuela, HI: Plum Hall, 1991 (ISBN 0911537104).
[Plum 2008] Plum, Thomas. "Static Assertions." June 2008.
[Plum 2012] Plum, Thomas. C Finally Gets a New Standard. Dr. Dobb's, 2012.
[Redwine 2006] Redwine, Samuel T., Jr., ed. Secure Software Assurance: A Guide to the Common Body of Knowledge to Produce, Acquire, and Sustain Secure Software, Version 1.1. U.S. Department of Homeland Security, September 2006. (See Software Assurance Common Body of Knowledge on Build Security In.)
[Roelker 2004] Roelker, Daniel. "HTTP IDS Evasions Revisited." September 2004.
[RUS-CERT] RUS-CERT Advisory 2002-08:02, "Flaw in calloc and Similar Routines." 2002.
[Saks 1999] Saks, Dan. "const T vs. T const." Embedded Systems Programming, February 1999, pp. 13–16.
[Saks 2000] Saks, Dan. "Numeric Literals." Embedded Systems Programming, September 2000.
[Saks 2001a] Saks, Dan. "Symbolic Constants." Embedded Systems Design, November 2001.
[Saks 2001b] Saks, Dan. "Enumeration Constants vs. Constant Objects." Embedded Systems Design, November 2001.
[Saks 2002] Saks, Dan. "Symbolic Constant Expressions." Embedded Systems Design, February 2002.
[Saks 2005] Saks, Dan. "Catching Errors Early with Compile-Time Assertions." Embedded Systems Design, June 2005.
[Saks 2007a] Saks, Dan. "Sequence Points." Embedded Systems Design, July 1, 2002.
[Saks 2007b] Saks, Dan. "Bail, Return, Jump, or . . . Throw?" Embedded Systems Design, March 2007.
[Saks 2007c] Saks, Dan. "Standard C's Pointer Difference Type." Embedded Systems Design, October 2007.
[Saks 2008] Saks, Dan & Dewhurst, Stephen C. "Sooner Rather Than Later: Static Programming Techniques for C++" (presentation). March 2008.
[Saltzer 1974] Saltzer, J. H. "Protection and the Control of Information Sharing in Multics." Communications of the ACM 17, 7 (July 1974): 388–402.
[Saltzer 1975] Saltzer, J. H. & Schroeder, M. D. "The Protection of Information in Computer Systems." Proceedings of the IEEE 63, 9 (September 1975): 1278–1308.
[Schwarz 2005] Schwarz, B.; Wagner, Hao Chen; Morrison, D.; West, G.; Lin, J.; & Tu, J. Wei. "Model Checking an Entire Linux Distribution for Security Violations." Proceedings of the 21st Annual Computer Security Applications Conference, December 2005 (ISSN 1063-9527; ISBN 0-7695-2461-3).
[Seacord 2003] Seacord, Robert C.; Plakosh, Daniel; & Lewis, Grace A. Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices. Boston: Addison-Wesley, 2003.
[Seacord 2005a] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2005. (See http://www.cert.org/books/secure-coding for news and errata.)
[Seacord 2005b] Seacord, Robert C. "Managed String Library for C." C/C++ Users Journal 23, 10 (October 2005): 30–34.
[Seacord 2005c] Seacord, Robert C. "Variadic Functions: How They Contribute to Security Vulnerabilities and How to Fix Them." Linux World Magazine, November 2005.
[Seacord 2013a] Seacord, Robert C. "C Secure Coding Rules: Past, Present, and Future." InformIT, June 26, 2013.
[Seacord 2013b] Seacord, Robert C. Secure Coding in C and C++. Boston: Addison-Wesley, 2013. (See http://www.cert.org/books/secure-coding for news and errata.)
[Secunia] Secunia Advisory SA10635, "HP-UX calloc Buffer Size Miscalculation Vulnerability." 2004.
[SecurityFocus 2007] SecurityFocus. "Linux Kernel Floating Point Exception Handler Local Denial of Service Vulnerability." 2001.
[SecuriTeam 2007] SecuriTeam. "Microsoft Visual C++ 8.0 Standard Library Time Functions Invalid Assertion DoS (Problem 3000)." February 13, 2007.
[Sloss 2004] Sloss, Andrew; Symes, Dominic; & Wright, Chris. ARM System Developer's Guide. San Francisco: Elsevier/Morgan Kaufmann, 2004 (ISBN-10: 1558608745; ISBN-13: 978-1558608740).
[Spinellis 2006] Spinellis, Diomidis. Code Quality: The Open Source Perspective. Boston: Addison-Wesley, 2006.
[StackOvflw 2009] StackOverflow.com. "Should I return TRUE / FALSE values from a C function?" User Questions, March 15, 2010.
[Steele 1977] Steele, G. L. "Arithmetic Shifting Considered Harmful." SIGPLAN Notices 12, 11 (November 1977): 61–69.
[Stevens 2005] Stevens, W. Richard. Advanced Programming in the UNIX Environment. Boston: Addison-Wesley, 1995 (ISBN 032152594-9).
[Summit 1995] Summit, Steve. C Programming FAQs: Frequently Asked Questions. Boston: Addison-Wesley, 1995 (ISBN 0201845199).
[Summit 2005] Summit, Steve. comp.lang.c Frequently Asked Questions. 2005.
[Sun 1993] Sun Microsystems. Sun Security Bulletin #00122, 1993.
[Sun 2005] Sun Microsystems. C User's Guide. 819-3688-10. Sun Microsystems, 2005.
[Sutter 2004] Sutter, Herb & Alexandrescu, Andrei. C++ Coding Standards: 101 Rules, Guidelines, and Best Practices. Boston: Addison-Wesley Professional, 2004 (ISBN 0321113586).
[Tsafrir 2008] Tsafrir, Dan; Da Silva, Dilma; & Wagner, David. The Murky Issue of Changing Process Identity: Revising "Setuid Demystified." USENIX, June 2008, pp. 55–66.
[Unicode 2006] The Unicode Consortium. The Unicode Standard, Version 5.0, 5th ed. Boston: Addison-Wesley Professional, 2006 (ISBN 0321480910).
[Unicode 2012] The Unicode Consortium. The Unicode Standard, Version 6.2.
[UNIX 1992] UNIX System Laboratories. System V Interface Definition, 3rd ed. Wokingham, MA: Addison-Wesley, 1992.
[van de Voort 2007] van de Voort, Marco. Development Tutorial (a.k.a. Build FAQ). January 29, 2007.
[Vanegue 2010] Vanegue, Julien. Automated Vulnerability Analysis of Zero-Sized Heap Allocations. Hackito Ergo Sum (HES'10) Conference, Paris, April 10, 2010.
[van Sprundel 2006] van Sprundel, Ilja. Unusual Bugs. 2006.
[Viega 2001] Viega, John. Protecting Sensitive Data in Memory. February 2001.
[Viega 2003] Viega, John & Messier, Matt. Secure Programming Cookbook for C and C++: Recipes for Cryptography, Authentication, Networking, Input Validation & More. Sebastopol, CA: O'Reilly, 2003 (ISBN 0-596-00394-3).
[Viega 2005] Viega, John. CLASP Reference Guide, Volume 1.1. Secure Software, 2005.
[VU#159523] Giobbi, Ryan. Vulnerability Note VU#159523, Adobe Flash Player Integer Overflow Vulnerability. April 2008.
[VU#162289] Dougherty, Chad. Vulnerability Note VU#162289, GCC Silently Discards Some Wraparound Checks. April 2008.
[VU#196240] Taschner, Chris & Manion, Art. Vulnerability Note VU#196240, Sourcefire Snort DCE/RPC Preprocessor Does Not Properly Reassemble Fragmented Packets. 2007.
[VU#286468] Burch, Hal. Vulnerability Note VU#286468, Ettercap Contains a Format String Error in the "curses_msg()" Function. 2007.
[VU#439395] Lipson, Howard. Vulnerability Note VU#439395, Apache Web Server Performs Case Sensitive Filtering on Mac OS X HFS+ Case Insensitive Filesystem. 2001.
[VU#551436] Giobbi, Ryan. Vulnerability Note VU#551436, Mozilla Firefox SVG Viewer Vulnerable to Buffer Overflow. 2007.
[VU#568148] Finlay, Ian A. & Morda, Damon G. Vulnerability Note VU#568148, Microsoft Windows RPC Vulnerable to Buffer Overflow. 2003.
[VU#623332] Mead, Robert. Vulnerability Note VU#623332, MIT Kerberos 5 Contains Double-Free Vulnerability in "krb5_recvauth()" Function. 2005.
[VU#649732] Gennari, Jeff. Vulnerability Note VU#649732, Samba AFS ACL Mapping VFS Plug-In Format String Vulnerability. 2007.
[VU#654390] Rafail, Jason A. Vulnerability Note VU#654390, ISC DHCP Contains C Includes That Define vsnprintf() to vsprintf() Creating Potential Buffer Overflow Conditions. June 2004.
[VU#720951] Dorman, Will. Vulnerability Note VU#720951, OpenSSL TLS Heartbeat Extension Read Overflow Discloses Sensitive Information. April 2014.
[VU#743092] Rafail, Jason A. & Havrilla, Jeffrey S. Vulnerability Note VU#743092, realpath(3) Function Contains Off-by-One Buffer Overflow. July 2003.
[VU#834865] Gennari, Jeff. Vulnerability Note VU#834865, Sendmail Signal I/O Race Condition. March 2008.
[VU#837857] Dougherty, Chad. Vulnerability Note VU#837857, X.Org Server Fails to Properly Test for Effective User ID. August 2006.
[VU#881872] Manion, Art & Taschner, Chris. Vulnerability Note VU#881872, Sun Solaris Telnet Authentication Bypass Vulnerability. 2007.
[VU#925211] Dougherty, Chad. Vulnerability Note VU#925211, "Debian and Ubuntu OpenSSL Packages Contain a Predictable Random Number Generator." June 2008.
[Walfridsson 2003] Walfridsson, Krister. Aliasing, Pointer Casts and GCC 3.3. August 2003.
[Walls 2006] Walls, Douglas. How to Use the restrict Qualifier in C. Sun ONE Tools Group, Sun Microsystems, March 2006.
[Wang 2012] Wang, Xi. More Randomness or Less. June 2012.
[Warren 2002] Warren, Henry S. Hacker's Delight. Boston: Addison-Wesley, 2002 (ISBN 0201914654).
[WG14/N1396] Thomas, J. & Tydeman, F. "Wide Function Return Values." September 2009.
[Wheeler 2003] Wheeler, David. Secure Programming for Linux and Unix HOWTO, v3.010. March 2003.
[Wheeler 2004] Wheeler, David. Secure Programmer: Call Components Safely. December 2004.
[Wojtczuk 2008] Wojtczuk, Rafal. "Analyzing the Linux Kernel vmsplice Exploit." McAfee Avert Labs Blog, February 13, 2008.
[xorl 2009] xorl. xorl %eax, %eax. 2009.
[Yergeau 1998] Yergeau, F. RFC 2279: UTF-8, a Transformation Format of ISO 10646. January 1998.
[Zadegan 2009] Zadegan, B. "A Lesson on Infinite Loops." WinJade (formerly AeroXperience), January 2009.
[Zalewski 2001] Zalewski, Michal. Delivering Signals for Fun and Profit: Understanding, Exploiting and Preventing Signal-Handling Related Vulnerabilities. Bindview Corporation, May 2001.