Security Features in Microsoft Visual C++

Every developer makes mistakes. No matter how careful you are when writing code, you will introduce bugs. And any bug can become a security vulnerability when software runs in a connected environment or is used long past its initially planned lifespan. Code that isn't correct is insecure code. The Microsoft Visual C++ toolset offers numerous features that help you write secure, correct code, from before you start typing until after you've shipped it to your users. For more information on specific security features in the MSVC toolset, make sure you review Security Best Practices for C++.
Before you write any code

Secure code starts before you write your first line of code. The compiler toolset can't show you design defects that might lead to security exploits, but there are many resources in print and online that will help you think about potential exploits and how to design your code securely. For example, almost everyone who's been at Microsoft for a while has read Michael Howard and David LeBlanc's Writing Secure Code.

When you start writing code it's important that you use modern C++ constructs to manage and access resources. One of the best resources available is the C++ Core Guidelines, a set of tried-and-true guidelines, rules, and best practices about coding in C++. Coding practices recommended in the C++ Core Guidelines help you write simpler, more modern software. In doing so, you'll avoid common pitfalls such as integer overflow or buffer overruns, making your code more secure. And many of the C++ Core Guidelines are enforceable with a static analysis tool that's included with Visual C++.

When you're writing code

What can you do to help yourself when you're writing code? First, get all the value you can from built-in compiler diagnostics by setting your warning levels properly. Run code analysis after you build to let the compiler toolset dive into a deeper analysis of your code. And don't forget to do regular code reviews with your team!

Compiler Warnings

One of the most frequently used security features is compiler warnings. The MSVC compiler provides many switches that let you control which warnings you see in your code and whether they are kept as informational messages or cause your compile to fail. Some compiler warnings are off by default because they are emitted too frequently in legacy code and most users don't want to see them. But many of these warnings indicate real bugs in your program.
For example, your code may have a valid reason to compare an unsigned value to a negative number, but it could also be a bug. By enabling the off-by-default warnings you can catch potential errors. To learn more about how you can adjust build settings to allow the compiler to find as many bugs in your code as possible, see the documentation on the compiler's warning level options.

Static Code Analysis Security Features

We write frequently about C++ Code Analysis on this blog. We also keep you updated about the CppCoreCheck extension that checks your code for rules derived from the C++ Core Guidelines. But did you know that Microsoft has long considered PREfast, the engine at the core of our Code Analysis, a security tool? The tool was originally developed by a team that focused on software excellence and was later owned by the Secure Development Lifecycle team before making its way to the C++ team to be included with all versions of Visual Studio. We now have a number of Code Analysis tools built upon the PREfast engine, including our base set of /analyze rules, the ESPC Concurrency Checker (pdf) and the CppCoreCheckers. We are also looking for ways to help you integrate Code Analysis more deeply into your daily development routine.

As the name implies, code analysis does a deeper analysis of your code to find possible errors. While the compiler detects many potential errors in your code, code analysis looks through an entire function to determine whether there are code paths that could result in an error. We call this kind of analysis a "path-sensitive" analysis. While the compiler can do a lot of path-sensitive analysis, there are many cases it can't identify. For example, compiling this code with all compiler warnings turned on (/Wall) and analysis (/analyze) shows that the compiler can only find one of three potential bugs. The compiler misses one of these three errors and indirectly attributes another.
As the parse information available to the compiler improves, the analysis in the compiler will improve and you'll see more instances where diagnostics are duplicated between tools. In function one, code analysis tells us that we're using the bounds of the array as an index, causing C6. Both code analysis and the compiler pick up on the memory corruption, the former emitting C6. and the latter C4789. In function two we dereference a null pointer on one code path, causing C6. The compiler misses this error entirely. The compiler and code analysis both pick up on the error in function three: the compiler issues off-by-default warning C4. and code analysis issues C6001.

Code analysis also excels at finding code that doesn't do what you may think it does. One example is warning C6.; the example given in its documentation contains a potential buffer overrun. You can read more about using C++ Code Analysis both inside VS and from the command line on the Microsoft Docs site.

Code Reviews

Code reviews can seem like a lot of overhead, but they save time in the long run. Some teams do one-on-one code reviews, others send out all changes to a group of reviewers, some bring the team together every Friday to look over all the week's changes. It doesn't matter how you do code reviews: they will turn out to be one of the most valuable techniques you can use to improve the quality of your code. Find a process that works for your team and use it.

Additional Security Checks

The /sdl compiler switch enables additional warnings focused on security issues as defined by the Microsoft Secure Development Lifecycle process. The /sdl switch is in many ways an expansion of off-by-default warning C4.

CRT Secure Function Overloads

Security wasn't an important design point for the C library—normally code was written and run inside of an organization instead of being exposed to a worldwide network of computers. The C "string" has no metadata associated with it that records its length.
For example, functions that deal with strings, such as strcpy, must assume that the buffers supplied as parameters are an appropriate size for the requested operation. Several memory operations have similar limitations. Over ten years ago Microsoft introduced a set of overloads to these functions that validate their parameters for security. If you are still using C-style functions you should consider moving to C++, which offers more safety in its objects and abstractions. If you can't use C++, at least use the secure versions of the C runtime functions.

(NB: When we introduced this feature we incorrectly called the insecure C functions "deprecated". This only means that Microsoft does not recommend use of the insecure functions, instead recommending you use the secure overloads. We're aware that the term "deprecated" was used incorrectly.)

When you're testing your code

The compiler toolset offers many options that help you when you're testing your code. Most of these switches aren't intended to be shipped with your final, retail builds of your program. They're turned on for debug builds—either by default or opt-in—so that you can find more bugs during your testing.

CRT Debug Heap

The CRT Debug Heap is enabled when you compile your program in debug (non-release) mode. It finds common heap memory errors, including buffer overruns and leaks. The CRT Debug Heap will assert when it encounters any heap memory errors as you test your code.

Various debug routines are enabled when you define the . These checks find real logic errors in your program such as data loss, initialization issues, and stack frame checking. Runtime Checks are only intended for when you are actively testing your debug builds and are incompatible with optimizations. Because of these limitations they are off by default.

Checked Iterators

Checked iterators help ensure that your code doesn't accidentally overwrite the bounds of iterable containers in your code.
They can be used both in debug code (as debug iterators) and in release code (as checked iterators).

After your code is compiled

The Windows team provides tools that help validate that your compiled binaries are secure. You can find these tools in the Debugging Tools for Windows and the Windows SDK.

GFlags and PageHeap

The GFlags and PageHeap tools enable heap allocation monitoring for Windows. When using these tools, Windows reserves memory at the boundary of every allocation, which allows it to detect memory accesses outside of the allocated memory.

Application Verifier

Application Verifier is a dynamic verification tool that subjects your binary to a number of stresses and tests as you exercise the code and generates a report of potential vulnerabilities.

Runtime protection for released code

The MSVC code generator and linker provide several security features that continue to offer protection long after you've built and deployed your code. Because the code generator can see all of your code at once–as opposed to just one source file at a time–it can often detect errors and vulnerabilities that can't be found in an individual source file. And the code generator and linker work with the OS loader and runtime to provide even more security when your binary is loaded and executed in Windows.

Buffer Security Check

One of the oldest security features in the code generator is the Buffer Security Check, enabled by the /GS switch to the compiler. This feature is on by default as it protects against one of the most common security exploits. It creates a "security cookie" in functions that the compiler detects are vulnerable to buffer overruns.
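The listing the post compiled with /Wall and /analyze is not reproduced on this page. As an added illustration (my own code, not the post's), here are the three bug patterns it describes, each beside a corrected version; the C4789 and C6001 attributions follow the page's text, and all function and variable names are assumed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example (not the post's listing): the three bug patterns the post
 * describes, each beside a corrected version. Names are my own. */
enum { BUF_LEN = 8 };

/* Pattern 1: the array bound used as an index. Compiler (C4789 on the page)
 * and /analyze both report the write one past the end of buf. */
void fill_buffer_bug(void) {
    char buf[BUF_LEN];
    for (int i = 0; i < BUF_LEN; i++) buf[i] = 'a';
    buf[BUF_LEN] = '\0';   /* valid indexes are 0..BUF_LEN-1 */
}

/* Fixed: length validated, terminator on the last valid index. */
int fill_buffer_fixed(char *buf, size_t len) {
    if (buf == NULL || len == 0) return -1;
    for (size_t i = 0; i + 1 < len; i++) buf[i] = 'a';
    buf[len - 1] = '\0';
    return 0;
}

/* Pattern 2: null dereference on one path. The compiler does not follow
 * the NULL branch into strlen; path-sensitive analysis does. */
size_t label_len_bug(const char *label) {
    if (label == NULL) puts("no label");   /* logs, then falls through */
    return strlen(label);                  /* reached with label == NULL */
}

size_t label_len_fixed(const char *label) {
    return label == NULL ? 0 : strlen(label);   /* NULL path returns early */
}

/* Pattern 3: value set on two of three paths. The compiler's off-by-default
 * warning and /analyze (C6001 on the page) flag the uninitialized read. */
int parse_flag_bug(const char *s) {
    int value;                        /* no initializer */
    if (s[0] == 'y') value = 1;
    else if (s[0] == 'n') value = 0;
    return value;                     /* indeterminate for any other input */
}

int parse_flag_fixed(const char *s) {
    int value = -1;                   /* every path yields a definite value */
    if (s[0] == 'y') value = 1;
    else if (s[0] == 'n') value = 0;
    return value;
}
```

The `_bug` variants are there to be read and fed to the analyzer, not called; only their safe paths are exercised in the checks.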