MSDN Magazine - March 2008 - (Page 107)

Protecting Your Code with Visual C++ Defenses

MICHAEL HOWARD

A lot of code is written in C and C++ and unfortunately a lot of this code has security vulnerabilities that many developers do not know about. Programs written in any language can have vulnerabilities that leave their users open to attack, but it’s the C and C++ languages that have a special place in Internet history because so many security vulnerabilities are due to the very thing that makes these two programming languages so popular: the unbridled access to computer hardware and the performance that comes with it. When you read about security and C or C++ crops up, the words “buffer” and “overrun” are usually pretty close by because buffers are typically an example of direct access to memory. This kind of direct access is very powerful—and very, very dangerous.

There are a number of reasons for the many buffer overruns in production C and C++ code. The first I have already mentioned: the languages provide direct access to vulnerable memory. Second, developers make mistakes. And third, there are normally no defenses offered by compilers.

It is feasible to provide remedies for the first issue, but then C and C++ start to become different languages.

The reason for developers making mistakes could be partially addressed through education, but I really don’t see the educational institutions stepping up. Sure there is a place in industry for security education, too, but we are all part of the solution or part of the problem, and I would love to see colleges doing more to educate students about software security. You’re probably asking, “Why are educational institutions not attempting to teach this critically important subject?” To be honest, I have absolutely no idea. It’s kind of depressing, actually.

Finally, even with an excellent education, some security issues are complex enough that even well-educated engineers won’t catch everything. We humans are not perfect.

The issue about needing to build more defenses into compilers is something the Microsoft Visual C++ team has been working on and slowly improving over the years, with help from our security team. This column outlines some of the buffer overrun defenses available in Visual C++® 2005 and beyond. Note that some other compilers do offer defenses, but Visual C++ has two major advantages over the likes of gcc. First, all these defenses are in the toolset by default; there is no need to download some funky add-in. Second, the options are easy to use.

In no particular order, the defenses offered by the Visual C++ toolset are:

• Stack-based Buffer Overrun Detection (/GS)
• Safe Exception Handling (/SafeSEH)
• Data Execution Prevention (DEP) Compatibility (/NXCompat)
• Image Randomization (/DynamicBase)
• Automatic use of safer function calls
• C++ operator::new

Before I discuss each of these in detail I want to point out that these defenses do not compensate for insecure code. You should always strive to create the most secure code possible, and if you don’t know how to do that, then run right out and read some of the very good books available on the subject.

I also want to point out that these are all Security Development Lifecycle (SDL) requirements at Microsoft, which means that C and C++ code must use these options in order to ship. There are occasional exceptions, but they are relatively rare, so I won’t be going into detail about them here.

Finally, you must keep in mind this important point: it is possible, depending on the code in question, to circumvent these elaborate defenses. The more defenses used by the code, the harder they are to work around, but no defense is perfect. They are all speed bumps to reduce the chance an exploit will succeed. You have been warned!
The only variant is the use of safer function calls, which are real defenses and can remove vulnerabilities.

Let’s look at each defense in detail.

Stack-Based Buffer Overrun Detection (/GS)

Stack-based buffer overrun detection is the oldest and most well-known defense available in Visual C++. The goal of the /GS compiler flag is simple: reduce the chance that malicious code will execute correctly. The /GS option is on by default in Visual C++ 2003 and later, and it detects certain kinds of stack smash at run time. It goes about doing this by including a random number in a function’s stack just before the return address on the stack, and when the function returns, function epilogue code checks this value to make sure it has not changed. If the cookie, as it’s called, has changed, execution is halted. The function prologue code that sets the cookie looks like this:
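
Separately from the compiler-generated prologue the column refers to, the following is an added example (not the column's listing and not Visual C++ output): a C simulation of the cookie check described above, run against inputs that fit the buffer, clip the cookie, and reach the return address. The frame struct, the sim_ names and every constant are constructed for the illustration, and the frame is modeled as a struct rather than a real stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame, low address to high: local buffer, cookie, return address. */
enum { BUF_LEN = 16 };
struct sim_frame {
    unsigned char buf[BUF_LEN]; /* local buffer the function writes into */
    uint32_t cookie;            /* value stored by the prologue */
    uint32_t ret_addr;          /* saved return address */
};

/* Constructed constants; a real cookie is random, not a fixed literal. */
static const uint32_t sim_process_cookie = 0xB64E1F2Au;
static const uint32_t sim_caller = 0x00401000u;
static uint32_t sim_last_ret_addr; /* return address the epilogue found */

enum sim_result { SIM_RETURN_OK = 0, SIM_HALTED = 1 };

static enum sim_result sim_call(const unsigned char *input, size_t len)
{
    struct sim_frame f;
    /* Prologue: place the cookie just before the return address. */
    memset(&f, 0, sizeof f);
    f.cookie = sim_process_cookie;
    f.ret_addr = sim_caller;
    /* Body, with the bug: the copy trusts len instead of BUF_LEN. The clamp
       to sizeof f only keeps the simulation inside its own object. */
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);
    /* Epilogue: check the cookie before the return address is used. */
    sim_last_ret_addr = f.ret_addr;
    return f.cookie == sim_process_cookie ? SIM_RETURN_OK : SIM_HALTED;
}

/* Feed len bytes of 'A' to the simulated function. */
static enum sim_result sim_fill(size_t len)
{
    unsigned char in[sizeof(struct sim_frame)];
    memset(in, 'A', sizeof in);
    return sim_call(in, len);
}

int main(void)
{
    size_t lens[] = { 16, 17, 24 }; /* fits, clips cookie, reaches ret_addr */
    for (size_t i = 0; i < 3; i++)
        printf("%zu bytes: %s\n", lens[i], sim_fill(lens[i]) ? "halted" : "returned");
    return 0;
}
```

A linear overrun has to cross the cookie before it reaches the return address, so the check fires even when only a single byte past the buffer was written.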