Slide 2: Who Is This Guy?
- firstname.lastname@example.org
- Christian (imperfect in every possible way!)
- Microsoft employee for 20 years
- Always in security
- Worked on the Microsoft SDL since inception
Slide 3: Goals and Non-Goals
- I am not one for drawing analogies: "Security analogies are usually wrong"
- I use quotes from the Bible to compare/contrast software security
- "The Bible is correct, your code is not." :-)
Slide 4: If cars operated in an environment like the Internet, they would…
- Be driven by people with little regard for safe automobile operation.
- Have their windshields shot out every 60 secs.
- Once you have bullet-proof glass, the bad guys place nails at freeway off-ramps next to signs like "free coffee this way"
- and someone is always trying to steal your keys
- and pull out your sparkplugs
- and siphon your gas
- Talking of gas, you fill up at a Shell station, only to realize the gas really isn't gas, it's vegetable oil and sand
- Oh, that gas station isn't a Shell station; it certainly looked like one, but they took your credit card details anyway
- As this all goes on, you can't see the adversary
- And the adversaries are sharing new weapons with each other
Slide 5: The SDL
- A set of process changes that help improve software security
- Over 100 requirements and recommendations
- About 30 deal with memory corruption
- Removing banned APIs is one such requirement
Slide 6: What Are The Banned APIs?
- Mostly memory corruption APIs
- strcpy …
- strcat …
- strncpy …
- strncat …
- sprintf …
- gets …
Slide 12: How Do You Find Them?
- #include <banned.h>
- C4996 warnings
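banned.h works by having the compiler flag the banned names (the C4996 deprecation warning). The following is an added example, not banned.h itself and not Microsoft code: a small portable scanner that finds calls to the APIs listed on the previous slide in a piece of source text and returns them as findings, so the same idea can be run outside MSVC. The names scanForBannedCalls, Finding and the sample source are this example's own, and the sample is constructed, not taken from any real code base.

```cpp
// Added example: a minimal scanner for calls to banned C runtime APIs.
// It is not banned.h (which uses compiler deprecation pragmas to raise
// C4996 warnings); it is a stand-alone illustration of the same check.
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct Finding {
    int line;         // 1-based line number of the call
    std::string api;  // which banned API was called
};

// Names taken from the slide's list of banned APIs.
const std::vector<std::string> kBanned = {
    "strcpy", "strcat", "strncpy", "strncat", "sprintf", "gets"};

// Return every call to a banned API in `source`.
// `\b` stops "lstrcpy(" from matching, and requiring "(" after optional
// whitespace stops the safe replacement "strcpy_s(" from matching.
std::vector<Finding> scanForBannedCalls(const std::string& source) {
    std::string alternation;
    for (const auto& api : kBanned) {
        if (!alternation.empty()) alternation += "|";
        alternation += api;
    }
    const std::regex call("\\b(" + alternation + ")\\s*\\(");

    std::vector<Finding> findings;
    std::istringstream in(source);
    std::string text;
    int lineNo = 0;
    while (std::getline(in, text)) {
        ++lineNo;
        for (std::sregex_iterator it(text.begin(), text.end(), call), end;
             it != end; ++it) {
            findings.push_back({lineNo, (*it)[1].str()});
        }
    }
    return findings;
}

// Constructed sample input for the demonstration (hypothetical code).
const char* kSample =
    "#include <string.h>\n"
    "void f(char* dst, const char* src) {\n"
    "    strcpy(dst, src);          /* banned */\n"
    "    strcpy_s(dst, 32, src);    /* safe replacement, not flagged */\n"
    "    lstrcpy(dst, src);         /* different name, not flagged */\n"
    "    char line[64]; gets(line); /* banned */\n"
    "}\n";

int main() {
    for (const Finding& f : scanForBannedCalls(kSample)) {
        std::cout << "line " << f.line << ": banned call to " << f.api << "\n";
    }
    return 0;
}
```

Run on the constructed sample, the scanner reports line 3 (strcpy) and line 6 (gets) and stays quiet on the strcpy_s replacement; a real banned.h build does the same job at compile time, which is why the slide prefers the header over grep.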
Slide 13: The Replacements
- Don't use C++ as a glorified C! Use std::string
- Use strsafe.h
- Use strcpy_s etc.
Slide 14: Auto-replacement of Banned Functions
- If the compiler knows the destination buffer size at compile time, it can automatically generate secure code
- Add the following to auto-migrate functions to safe functions:
    #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)
- Before:
    char buf[32];
    strcpy(buf, src);
- After:
    char buf[32];
    strcpy_s(buf, 32, src);
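The slide's auto-replacement relies on the compiler deducing the size of a fixed-size destination array. The block below is an added example, not Microsoft CRT code and not strcpy_s itself: it shows the mechanism in portable C++ so it can be built with any compiler. A template overload deduces N from a char[N] argument and forwards to a bounded copy that refuses (and leaves an empty string) when the source does not fit, the behaviour the slide relies on when it says the generated code is secure. The names safeCopy, CopyResult, copyFits and copyRejected are this example's own.

```cpp
// Added example of the "compiler knows the destination size" mechanism.
// This is an illustration, not Microsoft's CRT implementation of strcpy_s.
#include <cstddef>
#include <cstring>
#include <iostream>

enum class CopyResult { Ok, DestinationTooSmall };

// Bounded copy with an explicit destination size. On failure the destination
// becomes an empty string instead of a partially written buffer, so callers
// never see a truncated, unterminated string.
CopyResult safeCopy(char* dst, std::size_t dstSize, const char* src) {
    if (dstSize == 0) return CopyResult::DestinationTooSmall;
    const std::size_t needed = std::strlen(src) + 1;  // include terminator
    if (needed > dstSize) {
        dst[0] = '\0';
        return CopyResult::DestinationTooSmall;
    }
    std::memcpy(dst, src, needed);
    return CopyResult::Ok;
}

// The overload the compiler picks for a fixed-size array: N is deduced at
// compile time, so the caller writes safeCopy(buf, src) with no length
// argument and still gets a bounded copy (the same idea as the CRT's C++
// overloads under _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES).
template <std::size_t N>
CopyResult safeCopy(char (&dst)[N], const char* src) {
    return safeCopy(dst, N, src);
}

// The slide's "after" shape: a 32-byte buffer and a source that fits.
bool copyFits() {
    char buf[32];
    return safeCopy(buf, "hello") == CopyResult::Ok &&
           std::strcmp(buf, "hello") == 0;
}

// The case strcpy would have turned into a stack overflow: the source is
// longer than the buffer, so the copy is refused and buf is left empty.
bool copyRejected() {
    char buf[8];
    const char* longSrc = "this string is longer than eight bytes";
    return safeCopy(buf, longSrc) == CopyResult::DestinationTooSmall &&
           buf[0] == '\0';
}

int main() {
    std::cout << "fits: " << copyFits() << ", rejected: " << copyRejected() << "\n";
    return 0;
}
```

The template only matches genuine arrays; a plain char* still has to go through the three-argument form with an explicit size, which is exactly the case the compiler cannot migrate automatically and the reason the slide's trick only covers buffers whose size is known at compile time.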
Slide 16: The Leap of Faith
- What about regressions?
- In ten years, I have seen only one regression at Microsoft
Slide 17: Effectiveness?
- Over 25% of MSRC memory corruption vulns did not affect newer products simply because we banned the API(s) in question and replaced them with a more secure version
- That's low-cost engineering at its best!
Slide 18: Pop Quiz
- What's in an 8oz glass of wine?
- What's in an 8oz glass of poison?
- What's in an 8oz glass of wine with a drop of poison?
Slide 19: Sin and Insecure Code
- Righteous Man + One Sin -> Sinful Man
- Well-Written Code + One Vulnerability -> Insecure System
Slide 20: All Sin is the Same…
- There is no "good" or "bad" sin, it's all sin in God's eyes.
- There is no "Security Bulletin" scale for sin:
  - Critical: Adultery, Murder
  - Important: Bearing False Witness
  - Moderate: Stealing
  - Low: Coveting
Slide 21: … but Insecure Code is not the Same
- An anonymously accessible remote code execution vulnerability that gives you root is *way* worse than a local information disclosure vuln accessible only by admins
  - Critical: Remote code execution
  - Important: Server DoS
  - Moderate: Temporary Server DoS
  - Low: Client DoS
Slide 22: Banned APIs
- We have banned over 120 APIs at Microsoft
- They are great examples of "one-line" sins
Slide 23: Removing Sin
- How do you remove sin? By replacing sin with something not sinful! Easy to say, very hard to do.
- How do you remove banned APIs? By replacing them with something less dangerous! Easy to say, easy to do.
- "And I know that nothing good lives in me, that is, in my sinful nature. I want to do what is right, but I can't." (Romans 7:18)
Slide 24: Removal takes a Leap of Faith
- Trust that God forgives your sins
- Trust that the banned API replacements don't introduce regressions!
- "Praise the Lord, … who forgives all your sins." (Psalm 103:3)
Slide 25: How Do You Remove Banned APIs?
- Admit you have banned APIs (admit you sin!)
- Do something about it (admit the Lord into your heart)
- Don't repeat!
Slide 26: Banned APIs and the Sin Within: Summary
- Admit you sin, in life and in code
- Do something about it: study Romans; remove banned APIs
- Put steps in place to help prevent sin and banned APIs: Think!! Use banned.h in all your C/C++ code