Banned APIs are Removed from the Codebase


The SDL requires that new C and C++ code should not use banned C runtime (CRT) or banned Windows base functions. Most of these banned functions deal with buffers at run time and are a common source of many buffer overruns. At Microsoft we simply ban a function if it is shown to lead to consistently insecure software. The Windows Vista team went one step beyond SDL by actively removing most instances of banned functions. We say most because in some cases there is no need to replace a function with a safer function if the source buffer is trusted. For example, the code below is utterly safe because the source string is a constant; there is no way the attacker can change this string short of patching the binary directly.

 const char *src = "Hello, World!";   // compile-time constant: 13 characters plus the terminator
 char dst[32];                        // 32-byte destination; 14 bytes fit comfortably
 strcpy(dst, src);                    // a banned API, but it cannot overrun dst here

A security purist would say this code should be changed to use a safer function call, but the realist would make no change because the code is safe. The purist wins the argument, however, as soon as the source string is localized: a translated string can easily grow past the 32 bytes allocated for dst, and the strcpy that was safe for the English text becomes a buffer overrun.
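The following is an added example, not code from the book: it puts the "safe because the source is constant" reasoning next to the localization case that breaks it, and replaces strcpy with a checked copy that fails closed. The function names checked_copy and fits, the DST_SIZE constant and the "localized" string are all constructed for illustration; checked_copy follows the contract of the strcpy_s replacement the compiler suggests (refuse and return an error code rather than write past the end of the buffer) but is written portably, because strcpy_s is not available on every compiler.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define DST_SIZE 32   /* size of the destination buffer in the book's snippet */

/* Checked replacement for strcpy (hypothetical helper, not a CRT function).
 * Returns 0 on success, EINVAL for bad arguments, ERANGE when src plus its
 * terminator would not fit. On ERANGE dst is left as an empty string so the
 * caller never sees an unterminated buffer. */
int checked_copy(char *dst, size_t dstsize, const char *src)
{
    if (dst == NULL || src == NULL || dstsize == 0)
        return EINVAL;

    size_t n = strlen(src);
    if (n >= dstsize) {          /* need n + 1 bytes for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);     /* copy the terminator too */
    return 0;
}

/* The realist's argument, written down: does src (with terminator) fit in dstsize bytes? */
int fits(size_t dstsize, const char *src)
{
    return strlen(src) < dstsize;
}

/* Constructed sample inputs: the book's English constant, and a made-up
 * localized form of the same message that has grown to 43 characters. */
static const char *msg_en = "Hello, World!";
static const char *msg_localized = "Bonjour et bienvenue dans le monde entier !";

int main(void)
{
    char dst[DST_SIZE];

    /* The book's "utterly safe" case: constant source known to fit. */
    strcpy(dst, msg_en);   /* banned API, but 14 bytes into 32 cannot overrun */
    printf("strcpy: %s\n", dst);

    /* The case where the purist wins: localization grew the constant past
     * the buffer. A plain strcpy here would write 12 bytes past the end of
     * dst; the checked copy refuses instead. */
    int rc = checked_copy(dst, sizeof dst, msg_localized);
    printf("checked_copy: rc=%d (%s)\n", rc, rc == 0 ? "copied" : "rejected, dst left empty");
    return 0;
}
```

The point is not that strcpy on a constant is wrong today, but that the "it fits" reasoning lives in the programmer's head, not in the code; a checked copy (or strcpy_s on MSVC) moves that check into the code so it survives a later change to the string.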

Tip 

If you decide not to replace a banned API with a safer alternative, you should add a comment to the code explaining why the API is not replaced. This will save time in the future when someone asks, “Why didn’t we replace this function?”

The list of banned APIs is not static; it evolves as bugs are found. That said, the list at Microsoft has not changed in several years. When we analyze security bugs, we note the offending function calls, if any; if the same function shows up in three or more security bugs, we ban it for new code. But we can only ban a function if a viable replacement exists.

The good news is that finding banned APIs is pretty much a no-brainer if you use Visual Studio 2005, because the banned CRT functions are marked deprecated. If your code uses one, the compiler emits a C4996 warning. Treat that warning as a build break (for example, with /we4996 or #pragma warning(error: 4996)) rather than silencing it by defining _CRT_SECURE_NO_DEPRECATE, which suppresses the warning across the whole project and hides exactly the calls you are trying to find:

 c:\code\test.cpp(101) : warning C4996: 'wcscpy': This function or variable may be unsafe. Consider using wcscpy_s instead.

The list of banned APIs as it stands is listed at http://msdn.microsoft.com/security.


Writing Secure Code for Windows Vista (Best Practices (Microsoft))
ISBN: 0735623937
Year: 2004
Pages: 122