C/C++
    banned APIs, 2, 8–9
    compiler and linkage options, 11
    exception handling, 67–68
    heap defense functions, 57
    pointers, 3–4, 172, 173–175
    SAL annotation, 2, 3–8
    service writing in, 96
    static analysis, 9–10
    string buffers, 3
    token access, 15–16
    TPM writing, 178–180
    unmanaged, 3, 11
C runtime (CRT) functions, 3
C runtime headers, 8
C runtime library, and ASLR, 52
C# programming
    credential/consent prompts, 25
    TPM queries, 177
C4966 warning, 8
C6387 warning, 7
calc.exe, 129
cacls tool, 101
callbacks, 117
callees (implementations), 3
callers (clients), 3
Cameron, Kim, 159
canonicalization functions, 130–131
CAPICOM, 148, 157
CardSpace. See Windows CardSpace and Information Cards
cbcount, 8
cchcount, 8
CDP (Certificate Revocation List Distribution Point), 145
CertEnroll, 148
CertGetCertificateChain, 146–147, 148
certificate common name (CN), 155
certificate events, viewing, 147
Certificate Revocation List (CRL) revocation checks, 145–147
Certificate Revocation List Distribution Point (CDP), 145
certificate verification, 145–146
    server, 153
    SSL/TLS, 155
certificates, root, 148
certutil -url tool, 147
ChangeServiceConfig2, 103
Channel9, 156
characters, counting, 8
_checkReturn, 7
checksum, 9
cipher suites, 144–145
ciphers, Internet Explorer 7, 133
classes, sample code for, 63–64
cl.exe, 5
clients (callers), 3
clients, authenticating, 117, 152. See also authentication and authorization
clients, impersonating, 106
    RPC/COM, 227
    sockets, 117
CNG (Cryptography API: Next Generation), 135
    add-ins, 137–138
    algorithms, new, 139–140
    crypto-agility, 137–138
    FIPS and, 142–143
    missing element, 144
    use of, 140–142
CoCreateInstance, 85, 91
code, third-party, 58
“Code Analysis for C/C++ Warnings” (MSDN), 10
code quality, 1–11
Code Red worm, 55
code security, 1–11
code signing, importance of, 44, 169
COM client/server configuration
    elevation, 26
    RPC, 117
COM components, COM Elevation Moniker, starting, 25–26
COM Elevation Moniker, 25
COM Elevation Moniker, The (MSDN), 26
COM interfaces
    ATL and, 165
    cURL and IUri interface, 131
    deprecated crypto features, 148
    RSS, 82
COM objects, 25–26
    credential providers, 159
    deprecated, crypto features, 148
    parental controls, 165
    problems with, privilege reduction, 102–103
Comer, Douglas E., 78
commands
    icacls, 38
    mklink, 45
Common Criteria requirements, 143
    security events, 172
communication, with desktop. See desktop, communication with
compatibility, backward, 9
compilers, 4–5
    /analyze, 5, 7, 9
    and banned APIs, 8
    /GS, 11. See also /GS
    JIT, 127
    warnings, 9–10
connections, port, and firewalls, 91–92
connectivity, determining, 81
ConnectivityChanged, 81
ConnectNamedPipe, 113, 115
console 0, sharing of, 110
consolidated URL parser (cURL), 130–131, 133
const, 5
constant source strings, 8
constants, string, 137
control handlers, and services, 98–99
ControlKey, 114
controls, adding, 123
ConvertStringSidToSid, 36
cookies
    /GS, 64–67
    safeSEH, 68
CreateFileMapping, 112
    error (“Global\\objectname”), 43
CreateNamedPipe, 113
CreatePipeDacl, 102, 118
CreateProcessAsUser, 107
CreateRestrictedToken, 102–103
CreateService, 98, 117–118
CreateWellKnownSid, 160
Credential Manager, 44
Credential Prompt box, 18
Credential Provider model, 159
credentials, user, prompting for, 24–25, 169–171
credentials management, access to, 44
CredUIPromptForCredentials, deprecated, 169
CredUIPromptForWindowsCredentials, 169–171
CRL (Certificate Revocation List) revocation checks, 145–147
CRT (C runtime) functions, 3
CryptAcquireContext, 141
crypto-agility, 9, 136–137
    in CNG, 137–139
cryptographic algorithms, 9, 136–137
Cryptographic API 1.0 (CAPI 1.0), 135–136
Cryptographic API 2.0 (CAPI 2.0), 135–136
cryptographic enhancements, 135–136
    auditing, improved, 143
    CNG algorithms, new, 139–140
    CNG crypto-agility, 137–138
    CNG and FIPS, 142–143
    CNG “something missing,” 144
    CNG use, 140–142
    crypto-agility, 136–137
    deprecated features, 148
    kernel mode and user mode support, 136
    root certificates, 148
    SSL/TLS, 144–147
cryptographic interfaces, user-mode, supported, 135–136
cryptography, banned, 3
    list of, 9
    removing from codebase, 9
Cryptography API: Next Generation (CNG). See CNG (Cryptography API: Next Generation)
cURL (consolidated URL parser), 130–131, 133
Cutler, David, 60