C Language Background
This chapter deals extensively with specifics of the C language and uses terminology from the C standards. You shouldn't have to reference the standards to follow this material, but this chapter makes extensive use of the public final draft of the C99 standard (ISO/IEC 9899:1999), which you can find at www.open-std.org/jtc1/sc22/wg14/www/standards.
The C Rationale document that accompanies the draft standard is also useful. Interested readers should check out Peter Van der Linden's excellent book Expert C Programming (Prentice Hall, 1994) and the second edition of Kernighan and Ritchie's The C Programming Language (Prentice Hall, 1988). You might also be interested in purchasing the final version of the ISO standard or the older ANSI standard; both are sold through the ANSI organization's Web site (www.ansi.org).
Although this chapter incorporates a recent standard, the content is targeted toward the current mainstream use of C, specifically the ANSI C89/ISO 90 standards. Because low-level security details are being discussed, notes on any situations in which changes across versions of C are relevant have been added.
Occasionally, the terms "undefined behavior" and "implementation-defined behavior" are used when discussing the standards. Undefined behavior is erroneous behavior: conditions that aren't required to be handled by the compiler and, therefore, have unspecified results. Implementation-defined behavior is behavior that's up to the underlying implementation. It should be handled in a consistent and logical manner, and the method for handling it should be documented.
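The following C snippet is an added illustration, not code from the book, showing both categories side by side: the checked arithmetic helpers avoid the undefined cases (signed overflow, over-wide shift) by testing before the operation, while the last two functions exercise behaviour the standard leaves implementation-defined (right shift of a negative value, C99 6.5.7; out-of-range conversion to a signed type, C99 6.3.1.3). All function names are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Undefined behaviour: signed integer overflow. The test is written using
   only expressions that cannot themselves overflow, so the check is well
   defined and the overflowing addition is never performed. */
int add_checked(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return 0;           /* would overflow: report it instead of computing */
    *out = a + b;
    return 1;
}

/* Undefined behaviour: shift count >= width of the (promoted) left operand. */
int shift_left_checked(unsigned int v, unsigned int n, unsigned int *out)
{
    if (n >= (unsigned int)(sizeof v * CHAR_BIT))
        return 0;           /* e.g. 1u << 32 on a 32-bit int is undefined */
    *out = v << n;
    return 1;
}

/* Implementation-defined behaviour: legal, and the compiler must document
   its choice, but the result differs between implementations, so portable
   code must not depend on a particular value. Caller keeps n < width. */
int right_shift_negative(int v, int n) { return v >> n; }
signed char to_signed_char(int v) { return (signed char)v; }

int main(void)
{
    int r = 0;
    unsigned int u = 0;

    printf("add_checked(INT_MAX, 1): ok=%d\n", add_checked(INT_MAX, 1, &r));
    printf("add_checked(40, 2):      ok=%d", add_checked(40, 2, &r));
    printf(" r=%d\n", r);
    printf("shift_left_checked(1, 32): ok=%d\n", shift_left_checked(1u, 32u, &u));
    printf("-8 >> 1 = %d (implementation-defined)\n", right_shift_negative(-8, 1));
    printf("(signed char)200 = %d (implementation-defined)\n", to_signed_char(200));
    return 0;
}
```

Compile with warnings enabled (e.g. `-Wall -Wextra`) to see that the undefined cases are caught at the check, while the two implementation-defined results print whatever this compiler's documented choice is.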