S


SACL (system audit access check), enabling, 105

/SafeSEH, 3, 11

browser defenses, 133

buffer overrun protection, 67–72

SAL annotation, 3

buffers, 3–4

bug prevention, 2

C/C++ string buffers, 2, 3–8

example of, 4–5

in existing code, 7–8

macros, 5–7

syntaxes, 3

Salazar, Abby, persona, 17

Salazar, Toby, persona, 17

sal.h header file, 8

salts, and PIN protection, 154

Saltzer, Jerome H., 110

SAML (Security Assertion Markup Language), 156

SCdEnrl, 148

Schroeder, Michael D., 119

screen-scraper attacks, 158

script URLs, Internet Explorer 7, 132

scripting languages, 121

SDDL. See Security Descriptor Definition Language (SDDL)

secure socket extensions, 83–85

Secure Sockets Layer and Transport Layer Security (SSL/TLS). See SSL/TLS (Secure Sockets Layer and Transport Security Layer)

Security Assertion Markup Language (SAML), 156

security bugs.

See also bugs

browser-related, 121–122

buffer-related, 2

symlink-related, 45

security defenses, 163.

See also specific defenses

Security Descriptor Definition Language (SDDL), 37–38

integrity masks, 40

owner SIDs, 160–161

SIDs, 102

Security Development Lifecycle (SDL), 3, 8

Security Development Lifecycle, The (Howard and Lipner), 1

security event log, 163, 171–172

security ID (SID). See SIDs (security IDs)

security log, generating entries, 104

security models (integrity models), 40

security quality gate, 3

buffers and, 4

security quality requirements, 3–11

Security Support Provider Interface (SSPI), 84, 117

security token service (STS), 152

SendMessage, 24

Serpent encryption, 137, 138

server authentication, and phishing, 153

service accounts, 99–102

Service Configuration Manager (SCM) access configuration, 43

service control manager (SCM), 98

service principal name (SPN), 84

service providers, and Information Card, 152

service SIDs, 100–102

ServiceMain function, 98

ServiceRestricted, 108

services

desktop communication, 110–117

lessons, 117–118

network access control, 107–110

overview, 97–99

privilege reduction, 102–107

service accounts, 99–102

SeTakeOwnership, 161

/setintegritylevel argument, 38

SetMIC tool, and low-integrity testing, 37

SetSecurityDescriptorDacl, 118

SetServiceStatus, 98

SetSystemFileCacheSize, 107

SetThreadToken, 17

SetTokenInformation, failure of, 37

SHA-1, 136

SHA-2, 139

SHA512, 9

shared memory, 112

shatter attacks, 24, 110

shell codes, ease of obtaining, 61

ShellExecute function, 24–25

SHGetKnownFolderPath, 124

shield icon, 27

shims, no virtualization, 31

Shipworm, 78

SHLoadIndirectString, 90

SideBar, Windows, 181

SIDs (security IDs), 15, 17

deny, 19–20

integrity, 24

low-integrity, creating, 35–36

owner, and authentication/authorization, 159–161

and service accounts, 100–102

textual, creation of, 165

sign-in abandonment (drop-offs), reducing, 152

signing

Authenticode, 44

code, 44, 169

documents, 9

Information Card, 151

“Signing and Checking Code with Authenticode” (MSDN), 44

Simonyi, Charles, 8

simple message boxes, 112

SiteLock, 131

size_t argument, 6

Skape (aka Matt Miller), 60

Skywing (aka Ken Johnson), 60

smartcards, 152

sockets, 116–117

software, defects in, 49–50

sound files, 121

source buffers, 8

source strings, constant, 8

sources and sinks, 117

spoofing attacks, 158, 171

SpyNet, 169

spyware protection, 167–168

SSL2, 132–133

SSL3, 132–133

SSL/TLS (Secure Sockets Layer and Transport Security Layer), 135, 137, 144–145

CardSpace connection, 155

phishing attacks, 153, 155

revocation checking and OCSP, 145–147

Security Support Provider, 144

server authentication, 153

stack buffers, and stack protection, 50

stack diagram, sample, 66

stack randomization, 51, 54–55

Standard Annotation Language (SAL). See SAL annotation

standard user accounts, 13–14, 15

Standard User Analyzer tool, 42–44, 46

StartService, 118

static analysis, 3

strcat function, 11

strcpy function, 11, 173

string buffers, and SAL annotation, 3–8

string constants, 137

structured exception handlers (SEH), 67

“Structured Exception Handling” (MSDN), 67

Suite B requirements, 135, 137, 139, 144, 148

Sun Solaris operating system, and NX, 60

SvcName, 109

symbolic links (symlinks), 45

symlinks, 45

symmetric NATs, 80

syntax, SAL, 3

SysAllocString, 109

SysFreeString, 109

system ACL (SACL), and integrity level setting, 37

system audit access check (SACL), enabling, 105

system environment, manipulating, 105

system time, modifying, 45, 106

system-wide object warnings, 43

System.IdentityModel namespace, 157

System.InvalidOperationException, 143



Writing Secure Code for Windows Vista
Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
EAN: 2147483647
Year: 2004
Pages: 122

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net