Writing Secure Code for Windows Vista


Michael Howard

David LeBlanc

Microsoft

PUBLISHED BY
Microsoft Press
A Division of Microsoft Corporation
One Microsoft Way
Redmond, Washington 98052-6399

© 2007 by David LeBlanc and Michael Howard

ISBN: 9780735623934

All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher.

Library of Congress Control Number: 2007922582

1 2 3 4 5 6 7 8 9 QWT 2 1 0 9 8 7

Distributed in Canada by H.B. Fenn and Company Ltd.

A CIP catalogue record for this book is available from the British Library.

Microsoft Press books are available through booksellers and distributors worldwide. For further information about international editions, contact your local Microsoft Corporation office or contact Microsoft Press International directly at fax (425) 936-7329. Visit our Web site at www.microsoft.com/mspress. Send comments to mspinput@microsoft.com.

Microsoft, Microsoft Press, Active Directory, ActiveX, Authenticode, BitLocker, Hotmail, Internet Explorer, MSDN, Outlook, SQL Server, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows CardSpace, Windows Media, Windows NT, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Other product and company names mentioned herein may be the trademarks of their respective owners.

The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.

Acquisitions Editor: Ben Ryan
Developmental Editor: Devon Musgrave
Project Editor: Valerie Woolley

Editorial and Production Services: Carlisle Publishing Services

Body Part No. X13-62470

Dedication

For my mother and father. Thank you for encouraging me in my earliest geeky endeavors. For buying my first chemistry set, microscope and rock collection. But most of all, I can’t express how much I appreciate you getting me my very first computer.
– Michael

To my wife, Jennifer, who has put up with yet another book. To Mr. Pennington, our school librarian, who I set out to annoy by programming a noisy computer in his library – I’ve been hooked on programming since. To Floyd R. Hacker, who introduced me to Windows, and one fateful day took a huge pile of research data, pulled it into Excel and quite unknowingly set me along this path.
– David

About the Author


Michael Howard

Michael Howard is a senior security program manager in the Security Engineering team at Microsoft, and an architect of the security-related process improvements at the company. He is the co-author of many security books, mostly with David LeBlanc, including the award-winning Writing Secure Code, 19 Deadly Sins of Software Security, and The Security Development Lifecycle. He is an editor of IEEE Security and Privacy, and the series editor of the Microsoft Press Secure Software Development series.


David LeBlanc

David LeBlanc is a senior developer in the Microsoft Office Division's Trustworthy Computing team. In addition to writing code, he helps advise Office on security issues and how to implement the SDL. He has co-authored several security books, mostly with Michael Howard. David has worked in many aspects of the security industry, including anti-fraud for telephony companies, leading the development team for an award-winning network security assessment tool, and penetration testing for Microsoft's network security group, and he was a founding member of the Trustworthy Computing Initiative team. When not writing books, he'll be found somewhere in the Cascades on his horse.

Acknowledgments

We have now written four books together, and we are proud of every one. Writing books is never easy, but it’s made a lot easier when you have a great group of people helping you along the way. What sets this book apart from the others is the list of acknowledgments. It’s huge! In fact, the list is so big we have decided to break it up into groups! Every person listed below contributed something to this book, from code review to fact checking and from little ideas to making sure we covered critically important topics.

Secure Windows Initiative and SDL teams

David Ross, Nitin Kumar Goel, John Lambert, Steve Lipner, Andrew Roths, Neill Clift, Richard Johnson, Matt Thomlinson, Josh Lackey, Damian Hasse, and Robert Hensing.

Windows Core Security

Darren Canavor, Ben Nick, Anderson Quach, Yu Chen, Tolga Acar, David Cross, Steve Hiskey, Tomas Palmer, Peter Brundrett, Oded Ye Shekel, Art Baker, Niels Ferguson, Ari Medvinsky, Chris Corio, George Li, John Brezak, Kelvin Yiu, Dan Fritch, Jon Schwartz, Mike Lai, Eric Fitzgerald, Jeff Williams, Nate Lewis, Brian Brown, and Satyajit Nath.

Windows

Dave Cutler, Saji Abraham, Daniel Wang, Hunter Hudson, Gov Maharaj, Richard Ward, Walter VonKoch, Sean Lyndersay, Mike Sheldon, Sandeep Singhal, Henry Sanders, Neeraj Garg, Deepak Bansal, Ravi Rao, Stan Pennington, David Bennett, David Kennedy, Landy Wang, Chuck Reeves, Andy Harjanto, Kim Cameron, Mike B. Jones, Garrett Serack, Brent Schmaltz, Adrian Marinescu, Ramesh Chinta, Chittur Subbaraman, Christian Huitema, Eran Yariv, and Mahesh Mohan.

Internet Explorer

Marc Silbey, Rob Franco, Dean Hachamovitch, Jeremy Dallman, Zhenbin Xu, Eric Lawrence, Alex Kuang, Tariq Sharif, Joshua Allen, Venkat Kudallur, and Chris Wilson.

Microsoft Office

Alan Myrvold, Tom Gallagher, Lawrence Landauer, Hidetake Jo, and Mike Marcelais.

Developer Division

Mark Lacey

Microsoft Consulting

Aaron Margosis

Microsoft Press

Devon Musgrave, as usual, guided us seamlessly through the book-writing process, and thanks to Ben Ryan for agreeing to do the book. Valerie Woolley, our editor, was a dream to work with. One thing we both love about working with Microsoft Press is that the editors don’t try to force their style over our writing style. And we appreciate that!

And to anyone we missed: we’re sorry.

Michael Howard
David LeBlanc
Redmond, WA
March 2007


