Coding Standards Development Series: What You Must Learn to Write Zero-Vulnerability Code

1. The array subscript should start from 0

  • This is a mistake programming rookies make, so I won't go into it here.

2. Parentheses must be used in macro text replacement

  • This is also a mistake programming rookies make, so I won't say more.

Everyone knows this one:

#define  S(x)  ((x)*(x))	// S(x) = x*x; the argument and the whole body are parenthesized
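Why each use of the macro argument needs its own parentheses, shown as an added example that is not code from the original post. The names `S_BODY_ONLY`, `S_FULL`, `square` and the helper functions are hypothetical. The last part shows what parentheses cannot fix: the argument is still evaluated twice.

```c
/* Only the whole body is parenthesized; the argument is not protected. */
#define S_BODY_ONLY(x)  (x*x)
/* Each use of the argument and the whole body are parenthesized. */
#define S_FULL(x)       ((x)*(x))

/* S_BODY_ONLY(a + 1) expands to (a + 1*a + 1), which is 2a + 1. */
int square_body_only(int a) { return S_BODY_ONLY(a + 1); }

/* S_FULL(a + 1) expands to ((a + 1)*(a + 1)). */
int square_full(int a) { return S_FULL(a + 1); }

/* Parentheses do not stop double evaluation: the macro pastes its argument
 * twice, so a function call passed to it runs twice. An inline function
 * evaluates its argument exactly once. */
static inline int square(int x) { return x * x; }

static int calls;                              /* how often next_value() ran */
static int next_value(void) { return ++calls + 2; }

int calls_via_function(void)
{
    calls = 0;
    (void)square(next_value());
    return calls;
}

int calls_via_macro(void)
{
    calls = 0;
    (void)S_FULL(next_value());
    return calls;
}
```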

3. Opened files must be closed

  • I once heard this from my supervisor. When the project he was responsible for was about to end, a comprehensive test was carried out, but strangely only the program he wrote failed. He ran various checks on 1500 lines of code for two weeks and did not find the abnormality!!!

  • Delays, compensation, time... Finally, he found the cause in a very small program. Some rookie programmer had opened the file but not closed it, so there was no permission to read it again.

  • Had a single line, fclose(masterFp);, been added, the project would not have been postponed for two weeks and no compensation would have been paid.

  • Details matter. After a file is opened it stays open for reading, so even if nothing is read from it, add a line of code to close it.

4. Don't ignore compiler warnings and errors

  1. Fatal error
  2. Warning error
  • A fatal error usually means that the program cannot run until the error is fixed. Occasionally a fatal error does not stop the program from running but causes problems while it runs, so make sure to find it during testing.
  • Warnings may cause no major problems, or no problems at all. But we still cannot take them lightly. When I was doing unit testing, I ignored some warnings and errors, and the system crashed when it finally went into operation. After various analyses, it was finally discovered that the storage location was off by one place and the files were in disarray, and in the end the entire system was paralyzed: a buffer overflow (data overflow).

5. Master and prevent runtime errors when coding

Errors that occur during program operation are called runtime errors, which are different from compilation errors and logic errors.

  • Compilation errors are mainly caused by syntax
  • Logic errors are mainly caused by design flaws in program logic or algorithms
  • Runtime errors are related to the runtime environment.

Here are two common runtime errors.

5.1 Stack overflow

  • Stack overflow occurs because the operating system limits the size of the stack, and each operating system sets that size differently.
  • Although some operating systems allow users to adjust the size of the stack, stack overflow may still occur when processing large amounts of data.
  • Stack overflow may occur when large arrays are used. A very large array occupies most of the stack space, leaving too little space for other automatic variables.
  • When using a recursive function, we must carefully check the recursion's termination condition to determine whether a stack overflow can occur.
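A recursion-depth guard for the last point above, as an added example that is not code from the original post: a recursive parenthesis scanner that rejects input nested deeper than a fixed limit instead of recursing until the stack overflows. `MAX_DEPTH`, `scan` and `nesting_depth` are hypothetical names, and the limit of 256 is an assumed value.

```c
#include <stddef.h>

#define MAX_DEPTH 256   /* assumed limit; size it for the smallest stack you target */

/* Scan a sequence of balanced groups starting at s[*pos].
 * Returns the deepest nesting level seen, or -1 if the input is
 * unbalanced or nests deeper than MAX_DEPTH. */
static int scan(const char *s, size_t *pos, int depth)
{
    int deepest = depth;
    while (s[*pos] == '(') {
        if (depth + 1 > MAX_DEPTH)
            return -1;                /* stop before the stack can overflow */
        (*pos)++;
        int inner = scan(s, pos, depth + 1);
        if (inner < 0 || s[*pos] != ')')
            return -1;                /* too deep, or missing ')' */
        (*pos)++;
        if (inner > deepest)
            deepest = inner;
    }
    return deepest;
}

/* Maximum nesting depth of a string made of '(' and ')', or -1 if it is
 * unbalanced, contains other characters, or exceeds MAX_DEPTH. */
int nesting_depth(const char *s)
{
    size_t pos = 0;
    int d = scan(s, &pos, 0);
    return (d >= 0 && s[pos] == '\0') ? d : -1;
}
```

The recursion never goes deeper than MAX_DEPTH + 1 frames, however long the input is.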

5.2 Divide by 0

In complex code, the divisor may accidentally be 0.

  • Suppose you write a program that processes input values, and the minimum input value of the program is 1. If the programmer forgets to specify this and the user enters 0 as the starting value of the calculation, an error will be triggered.
  • In control statements such as for and while, the variable (counter) that counts the number of loop iterations is used in a division with other variables. This will also trigger an error.

These errors are often hidden in complex logic and are difficult to spot. Programmers therefore need to carefully check all possible operating conditions of the program.
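The two cases above written as guarded C functions, as an added example that is not code from the original post; all function names are hypothetical. It goes one step beyond the text by also rejecting INT_MIN / -1, the other integer division that is undefined in C.

```c
#include <limits.h>
#include <stddef.h>

/* Divide a by b. Returns 0 and stores the quotient on success, -1 when the
 * division is undefined: b == 0, or INT_MIN / -1 (the result overflows int). */
int checked_div(int a, int b, int *out)
{
    if (b == 0)
        return -1;
    if (a == INT_MIN && b == -1)
        return -1;
    *out = a / b;
    return 0;
}

/* Case 1: an input whose minimum valid value is 1.
 * Reject 0 and negative values before the division is reached. */
int split_evenly(int total, int parts, int *share)
{
    if (parts < 1)
        return -1;
    return checked_div(total, parts, share);
}

/* Case 2: a loop counter used in a division. i starts at 0, so divide by the
 * number of items seen so far (i + 1), and refuse an empty array. */
int running_mean(const int *v, size_t n, int *mean)
{
    long long sum = 0;
    if (n == 0)
        return -1;
    for (size_t i = 0; i < n; i++) {
        sum += v[i];
        *mean = (int)(sum / (long long)(i + 1));
    }
    return 0;
}
```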

6. Declare large arrays with static variables

C language divides variables into the following categories according to their life cycle, scope of influence, and storage location:

Variable modifier   Variable name        Storage location
extern              External variable    Stored on the heap
static              Static variable      Stored on the heap
auto                Automatic variable   Stored on the stack
register            Register variable    Stored in CPU registers
  • To process large amounts of data, arrays are usually used.
int arr[100][100][100];         // stored in stack space
static int arr[100][100][100];  // stored in heap space
  • An array stored in heap space will not cause a stack overflow.

7. Reserve enough storage space

  • Suppose the user's input is stored as a string in an array. If the expected input length is 80 characters, reserve 2~3 times that much string storage space, or more, when defining the array.
char inputString[800];  // the reserved storage space is 10 times the input length
  • Some people say this wastes storage space. But in real work, once the input exceeds 80 characters, it directly causes program errors.
  • Therefore, we should check whether the length and content of the input string are within the valid range.
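One way to implement the length and content check, as an added example that is not code from the original post. `read_input`, `MAX_INPUT` and the status names are hypothetical, and the content rule (printable ASCII only) is an assumption. An oversized buffer alone does not bound the input, so an overlong line is rejected and discarded rather than truncated.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_INPUT 80    /* longest input the program accepts (the text's figure) */

enum input_status { INPUT_OK, INPUT_EOF, INPUT_TOO_LONG, INPUT_BAD_CHAR };

/* Read one line into buf, whose capacity cap must be at least MAX_INPUT + 2
 * (room for '\n' and '\0'). On any failure buf is left as an empty string. */
enum input_status read_input(FILE *in, char *buf, size_t cap)
{
    if (fgets(buf, (int)cap, in) == NULL)
        return INPUT_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';              /* complete line: strip the newline */
    } else if (!feof(in)) {
        int c;                          /* line did not fit: drain the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
        buf[0] = '\0';
        return INPUT_TOO_LONG;
    }
    if (len > MAX_INPUT) {              /* fits the buffer but exceeds the limit */
        buf[0] = '\0';
        return INPUT_TOO_LONG;
    }
    for (size_t i = 0; i < len; i++) {  /* content check: printable ASCII only */
        if (!isprint((unsigned char)buf[i])) {
            buf[0] = '\0';
            return INPUT_BAD_CHAR;
        }
    }
    return INPUT_OK;
}
```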

8. Pay attention to the emergent effects caused by information exchange

8.1 What does the term mean?

  • Information exchange between program units may trigger emergence.
  • Emergence refers to a property that can cause unexpected effects; it is a very common term in the research field of complex systems.
  • That is, when the program is running, unexpected bugs will occur, which may not be detected from the code...

8.2 How to prevent?

Carry out system-level comprehensive tests, such as:

  1. Call a system that contains 10 interconnected program units an integrated system, and perform the comprehensive test at this level first.
  2. Next, the system that integrates the entire software system is comprehensively tested at that level.
  3. Then apply it to the business, and conduct a rigorous comprehensive test again in the human-computer interaction stage.
  • Through these steps, emergent phenomena can be discovered and prevented to a certain extent, but this requires investing the same amount of resources in testing as in software development.

9. Summary

I also learned while writing. To be honest, I did learn a lot of coding rules. Slowly, I believe I can also write standard code. Come on!!!

Origin blog.csdn.net/weixin_43722052/article/details/110931286