Michael Howard mikehowmicrosoftcom Who Is This Guy mikehowmicrosoftcom Christian imperfect in every possible way Microsoft employee for 20 years Always in security Worked on the Microsoft SDL since inception ID: 464022
Download Presentation The PPT/PDF document "Banned APIs and Sin Within!" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Banned APIs and Sin Within!
Michael Howard
mikehow@microsoft.comSlide2
Who Is This Guy?
mikehow@microsoft.com
Christian (imperfect in every possible way!)
Microsoft employee for 20 yearsAlways in securityWorked on the Microsoft SDL since inceptionSlide3
Goals and Non-Goals
I am not one for drawing analogies
“Security Analogies are usually Wrong”
http://blogs.msdn.com/b/michael_howard/archive/2006/03/09/547575.aspxI use quotes from the Bible to compare/contrast software security“The Bible is correct, your code is not.” :-)Slide4
If cars operated in an environment like the Internet, they would…
Be driven by people with little regard for safe automobile operation.
Have their windshields shot out every 60
secs.Once you have bullet-proof glass, the bad guys place nails at freeway off-ramps next to signs like, “free coffee this way”
and someone is always trying to steal your keys and pull out your sparkplugs and siphon your gasTalking of gas, you fill up at a Shell station, only to realize the gas really isn’t gas, it’s vegetable oil and sandOh, that gas station isn’t a Shell station, it certainly looked like one, but they took your credit card details anyway
As this all goes on, you can’t see the adversaryAnd the adversaries are sharing new weapons with each otherSlide5
The SDL
A set of process changes that help improve software security
Over 100 requirements and recommendations
About 30 deal with memory corruptionRemoving banned APIs is one such requirementSlide6
What Are The Banned APIs?
Mostly memory corruption APIs
strcpy
…strcat …strncpy …
strncat …sprintf …gets …Slide7
Banned APIs
strcpy
,
strcpyA, strcpyW
, wcscpy, _tcscpy, _mbscpy, StrCpy,
StrCpyA, StrCpyW
, lstrcpy, lstrcpyA, lstrcpyW
, _tccpy, _mbccpy
strcat, strcatA, strcatW, wcscat
, _tcscat, _mbscat, StrCat, StrCatA
, StrCatW, lstrcat, lstrcatA, lstrcatW
, StrCatBuff, StrCatBuffA, StrCatBuffW, StrCatChainW
, _
tccat
, _
mbccat
strncpy
,
wcsncpy
, _
tcsncpy
, _
mbsncpy, _mbsnbcpy, StrCpyN, StrCpyNA, StrCpyNW, StrNCpy, strcpynA, StrNCpyA, StrNCpyW, lstrcpyn, lstrcpynA, lstrcpynWstrncat, wcsncat, _tcsncat, _mbsncat, _mbsnbcat, StrCatN, StrCatNA, StrCatNW, StrNCat, StrNCatA, StrNCatW, lstrncat, lstrcatnA, lstrcatnW, lstrcatnCharToOem, CharToOemA, CharToOemW, OemToChar, OemToCharA, OemToCharW, CharToOemBuffA, CharToOemBuffW
wnsprintf
,
wnsprintfA
,
wnsprintfW
,
sprintfW
,
sprintfA
,
wsprintf
,
wsprintfW
,
wsprintfA
,
sprintf
,
swprintf
, _
stprintf
, _
snwprintf
, _
snprintf
, _
sntprintf
,
wvsprintf
,
wvsprintfA
,
wvsprintfW
,
vsprintf
, _
vstprintf
,
vswprintf
, _
vsnprintf
, _
vsnwprintf
, _
vsntprintf
,
wvnsprintf
,
wvnsprintfA
,
wvnsprintfW
strtok
, _
tcstok
,
wcstok
, _
mbstok
makepath
, _
tmakepath
, _
makepath
, _
wmakepath
, _
splitpath
, _
tsplitpath
, _
wsplitpath
scanf
,
wscanf
, _
tscanf
,
sscanf
,
swscanf
, _
stscanf
,
snscanf
,
snwscanf
, _
sntscanf
_
itoa
, _
itow
, _i64toa, _i64tow, _ui64toa, _ui64tot, _ui64tow, _
ultoa
, _
ultot
, _
ultow
gets, _
getts
, _
gettws
IsBadWritePtr
,
IsBadHugeWritePtr
,
IsBadReadPtr
,
IsBadHugeReadPtr
,
IsBadCodePtr
,
IsBadStringPtr
memcpySlide8
CONFIGRET
ResDesToNtResource(
IN PCVOID
ResourceData,
IN RESOURCEID ResourceType,
IN ULONG ResourceLen, IN PCM_PARTIAL_RESOURCE_DESCRIPTOR pResDes,
IN ULONG ulTag )
{ case ResType_ClassSpecific: {
PCS_RESOURCE pCsData = (PCS_RESOURCE)ResourceData
; LPBYTE ptr = NULL; ptr = (LPBYTE)((LPBYTE)pResDes +
sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR)); memcpy(ptr,
pCsData->CS_Header.CSD_Signature +
pCsData->CS_Header.CSD_LegacyDataOffset,
pCsData->CS_Header.CSD_LegacyDataSize
);
PnP MS05-039
ZotobSlide9
#define SSL2_MAX_CHALLENGE_LEN 32
typedef struct _Ssl2_Client_Hello {
DWORD dwVer;
DWORD cCipherSpecs;
DWORD cbSessionID;
DWORD cbChallenge;
UCHAR SessionID[SSL3_SESSION_ID_LEN];
UCHAR Challenge[SSL2_MAX_CHALLENGE_LEN];
Ssl2_Cipher_Kind CipherSpecs[MAX_UNI_CIPHERS]; } Ssl2_Client_Hello, * PSsl2_Client_Hello;
SP_STATUS Pct1SrvHandleUniHello(..., PSsl2_Client_Hello
pHello,...) { Pct1_Client_Hello ClientHello;
... CopyMemory( ClientHello.Challenge,
pHello->Challenge,
pHello->cbChallenge
);
PCT SChannel MS04-011Slide10
NNTP MS05-030
Last Updated 20060103
HRESULT
CNewsStore
::OnResponse(LPNNTPRESPONSE
pResponse) {
... if (pResponse
->state == NS_LIST) hr = _
HandleListResponse(pResponse, FALSE)
...}HRESULT CNewsStore
::_HandleListResponse(LPNNTPRESPONSE pResp
, BOOL fNew) { LPSTR psz
,
pszCount
;
int
nSize
;
char
szGroupName
[CCHMAX_FOLDER_NAME]; LPNNTPLIST pnl = &pResp->rList; for (DWORD i = 0; i < pnl->cLines; i++, m_op.dwProgress++) { psz = pnl->rgszLines[i]; while (*psz && !
IsSpace
(
psz
))
psz
=
CharNext
(
psz
);
nSize = (int)(psz - pnl->rgszLines[i]); if (nSize >= CCHMAX_FOLDER_NAME) nSize = CCHMAX_FOLDER_NAME - 1; CopyMemory(szGroupName, pnl->rgszLines[i], nSize);Slide11
LSASS MS04-011
VOID DsRolepDebugDumpRoutine(
IN DWORD DebugFlag,
IN LPWSTR
Format,
va_list
arglist ) {
#define DsRolepDebugDumpRoutine_BUFFERSIZE 1024
WCHAR OutputBuffer[DsRolepDebugDumpRoutine_BUFFERSIZE]; ... length += (ULONG) wvsprintfW(&OutputBuffer[length],
Format,
arglist);
...}
SasserSlide12
How Do you Find Them?
#include <
banned.h
>C4996 warningsSlide13
The Replacements
Don’t use C++ as a glorified C!
Use
std::stringUse strsafe.hUse strcpy_s
etcSlide14
Auto-replacement of Banned Functions
If the compiler knows the destination buffer size at compile time, it can
automatically
generate secure codeAdd the following to auto-migrate functions to
safe functions#define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)
char buf
[32];s
trcpy(buf,src
);
char buf[32];
strcpy_s(buf,src,32);Slide15
But Isn’t C dead?
http://www.tiobe.com/index.php/content/paperinfo/tpci/index.htmlSlide16
The Leap of Faith
What about regressions?
In ten years, I have seen only one regression at MicrosoftSlide17
Effectiveness?
Over 25% of MSRC memory corruption
vulns
did not affect newer products simply because we banned the API(s) in question and replaced them with a more secure versionThat’s low cost engineering at its best!Slide18
Pop Quiz
What’s in an 8oz glass of wine?
What’s in an 8oz glass of poison?
What’s in an 8oz glass of wine with a drop of poison?Slide19
Sin and Insecure Code
Righteous Man
+ One Sin
Sinful Man
Well-Written Code
+ One Vulnerability
Insecure SystemSlide20
All Sin is the Same …
There is no “good” or “bad” sin, it’s all sin in God’s eyes.
There is no “Security Bulletin” scale for sin
Critical:
Adultery, Murder
Important:
Bearing False WitnessModerate:
StealingLow: CovetingSlide21
… but insecure Code is not the Same
An anonymously accessible remote code execution vulnerability that gives you root is *way* worse than a local information disclosure
vuln
accessibly only by admins
Critical:
Remote code execution
Important: Server DoS
Moderate: Temporary Server DoSLow:
Client DoSSlide22
Banned APIs
We have banned over 120 APIs at Microsoft
They are great examples of “One-line” SinsSlide23
Removing Sin
How do you remove Sin?
By replacing Sin with something not Sinful!
Easy to say, very hard to do.
And I know that nothing good lives in me, that is, in my sinful nature. I want to do what is right, but I can't.Romans 7:18
How do you remove banned APIs?
By replacing them with something less dangerous!
Easy to say, easy to do.Slide24
Removal takes a Leap of Faith
Trust that God forgives your Sins
Trust that
the banned API replacements don’t introduce regressions!
Praise the Lord, …
who forgives all your sins.
Psalm 103:3Slide25
How Do you Remove Banned APIs?
Admit you have banned APIs (admit you sin!)
Do something about it (admit the Lord into your heart)
Don’t repeat!Slide26
Banned APIs and the Sin Within
Summary
Admit you sin
In life and in codeDo something about it Study Romans
Remove Banned APIsPut steps in place to help prevent Sin and banned APIsThink!!Use banned.h in all your C/C++ codeSlide27
Questions!?