Secure Programming
RE: Are bad developer libraries the problem with M$ software? Nov 16 2002 01:00AM
Michael Howard (mikehow microsoft com) (2 replies)
"There is no such thing as dangerous functions, only dangerous
developers."*

"secure" functions are a complete crock - there is no such thing... There
are some functions that help you get things right, but they do not lead
to secure code... Anyone who thinks they can do away with the
"dangerous" functions and replace them with the "safe" 'n' versions (ie;
strcpy -> strncpy) is kidding themselves.

The issue is the DATA, not the code. Do you trust the data? You need to
determine at which point in the code is the data well-formed and
correct. The ONLY way to build secure code is to question the
assumptions about the trustworthiness of the data as it crosses
untrusted to trusted boundaries, not hunting down "insecure" functions.

Here's an example: wassup with this code?

#define MAXSTRLEN(x) (sizeof(x)/sizeof(x[0]))

if (bstrURL != NULL) {
    WCHAR szTmp[MAX_PATH];
    LPCWSTR szExtSrc;
    LPWSTR szExtDst;

    wcsncpy( szTmp, bstrURL, MAXSTRLEN(szTmp) );
    szTmp[MAXSTRLEN(szTmp)] = 0;

    szExtSrc = wcsrchr( bstrURL, '.' );
    szExtDst = wcsrchr( szTmp , '.' );

    if(szExtDst) {
        szExtDst[0] = 0;

        if(m_inst.m_fDesktop) {
            wcsncat( szTmp, L"__DESKTOP", MAXSTRLEN(szTmp) );
            wcsncat( szTmp, szExtSrc , MAXSTRLEN(szTmp) );

It's secure, right? 'coz I'm using the 'secure' 'n' versions!!!? No,
it's not.. I'll leave that as an exercise for the reader

* there is one function that is impossible to use securely -> gets() :-)

Cheers, Michael
Secure Windows Initiative
Writing Secure Code
http://www.microsoft.com/mspress/books/5612.asp

-----Original Message-----
From: phani (at) myrealbox (dot) com
Sent: Wednesday, November 13, 2002 9:38 PM
To: secprog (at) securityfocus (dot) com
Subject: Re: Are bad developer libraries the problem with M$ software?

On Thu, Nov 14, 2002 at 10:02:05AM +1100, Darren Reed wrote:
hi,
There is indeed a valid point that you have made. The compilers that
come with operating systems should provide the necessary fns for secure
programming and in this case M$ loses.
I also work on VC 6.0, and from what I have gathered, 7.0 (aka
.NET) has the necessary functions for sec programming, though I cannot
vouch for it. Maybe some1 on the list who is working/worked can throw
some light on this.
But the responsibility also falls on the developer too. If he/she
thinks that a particular fn is not available, maybe it can be developed
in-house for use by others.

cheers
phani

> Whilst trying to write some C code using Visual Studio 6, I came
> across this error:
>
> Linking...
> foo.obj : error LNK2001: unresolved external symbol _snprintf
> Debug/relay.exe : fatal error LNK1120: 1 unresolved externals
> Error executing link.exe.
>
> Ok, so 6 isn't the latest but it's not that old either and you will
> find snprintf in libc for Solaris 2.6 and later.
>
> It's hard to write secure applications when the interfaces available
> to developers don't provide what are considered to be standard and
> safe C library calls. I suppose you might consider this to be an
> indication that Microsoft at that point in time still hadn't managed
> to build a good set of safe building blocks for programmers so any
> wonder that their platform is still suffering.
>

[ reply ]
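
Added example, not part of the original post or of the book it cites: the defects in the wcsncpy/wcsncat fragment from the message above, listed in a comment, followed by one hardened form that checks the untrusted length once, before any copy. The helper name make_desktop_name, the COUNTOF macro and the sample inputs are assumptions made for illustration; standard wchar_t stands in for WCHAR.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Defects in the fragment quoted in the post:
 *  1. szTmp[MAXSTRLEN(szTmp)] = 0 writes one element past the array;
 *     the last valid index is MAXSTRLEN(szTmp) - 1.
 *  2. wcsncat's count is the maximum number of characters to append,
 *     not the size of the destination, so neither call is bounded.
 *  3. szExtSrc points into the untruncated bstrURL, so its length is
 *     still whatever the caller supplied.
 */
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))

/* Hypothetical helper: writes "<stem>__DESKTOP<ext>" into out (out_cch
 * elements). Returns 0 on success; -1 if there is no '.' or the result
 * would not fit. Nothing is silently truncated. */
int make_desktop_name(const wchar_t *url, wchar_t *out, size_t out_cch)
{
    static const wchar_t tag[] = L"__DESKTOP";
    const size_t tag_len = COUNTOF(tag) - 1;
    const wchar_t *ext;
    size_t stem_len, ext_len;
    if (url == NULL || out == NULL || out_cch == 0)
        return -1;
    out[0] = L'\0';
    ext = wcsrchr(url, L'.');
    if (ext == NULL)
        return -1;
    stem_len = (size_t)(ext - url);
    ext_len = wcslen(ext);

    /* Validate lengths before any copy; ordered so no subtraction wraps. */
    if (stem_len >= out_cch || tag_len >= out_cch - stem_len ||
        ext_len >= out_cch - stem_len - tag_len)
        return -1;
    wmemcpy(out, url, stem_len);
    wmemcpy(out + stem_len, tag, tag_len);
    wmemcpy(out + stem_len + tag_len, ext, ext_len + 1); /* incl. terminator */
    return 0;
}

int main(void)
{
    wchar_t buf[16]; /* constructed sample: small buffer to show rejection */
    printf("%d\n", make_desktop_name(L"a.htm", buf, COUNTOF(buf)));        /* fits */
    printf("%d\n", make_desktop_name(L"longname.htm", buf, COUNTOF(buf))); /* rejected */
    return 0;
}
```

Rejecting over-long input instead of truncating it keeps the decision about the data at the point where it crosses into the trusted code, which is the argument the message makes.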
RE: Are bad developer libraries the problem with M$ software? Nov 16 2002 07:03PM
Frank Knobbe (fknobbe knobbeits com) (3 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 07:36PM
Casper Dik (Casper Dik Sun COM) (1 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 11:10PM
Andrew Griffiths (andrewg d2 net au) (1 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 19 2002 03:25AM
Frank Knobbe (fknobbe knobbeits com) (3 replies)
Re: Are bad developer libraries the problem with M$ software? Mar 22 2003 09:56AM
Casper Dik (Casper Dik Sun COM)
Re: Are bad developer libraries the problem with M$ software? Nov 19 2002 10:57PM
Andrew Dalgleish (secprog andrewdalgleish dyndns org) (2 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 22 2002 03:31PM
Frank Knobbe (fknobbe knobbeits com)
Re: Are bad developer libraries the problem with M$ software? Nov 22 2002 07:11AM
Valdis Kletnieks vt edu
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 11:22PM
Andrew Griffiths (andrewg d2 net au)
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 06:54PM
John Viega (viega securesoftware com) (2 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 09:46PM
Frank Knobbe (fknobbe knobbeits com) (1 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 19 2002 09:31AM
Steffen Dettmer (steffen dett de) (1 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 22 2002 03:35PM
Tim van Erven (tripudium chello nl)
Re: Are bad developer libraries the problem with M$ software? Nov 18 2002 06:26PM
Götz Babin-Ebell (babinebell trustcenter de)
Re: Are bad developer libraries the problem with M$ software? Nov 16 2002 03:29PM
Alex Lambert (alambert webmaster com) (1 replies)
Re: Are bad developer libraries the problem with M$ software? Nov 17 2002 01:46AM
Glynn Clements (glynn clements virgin net)