Partager via

Security Stuff in Whidbey - The Safer CRT

  • Article

There has always been a very strong relationship with our team and the developer division (aka DevDiv), in part because they take some of our ideas and turn them into solutions that can be used by our developer customers. And I want to take an opportunity over the next few days to outline some of the excellent security stuff added to Whidbey, most of which you will see when beta 2 ships.

One of my favorites is a more up-to-date C runtime library, dubbed the Safer CRT. Let's face it, the CRT of 20 or so years ago has turned out to be a little, well, challenging to use from a security perspective. When David and I wrote Writing Secure Code we wrote an appendix describing "issues" with certain functions in Windows and the CRT. The CRT library folks, under the watchful eye of Martyn Lovell, decided to fix the "Appendix A Problem" and they did so with the Safer CRT.

Essentially, they have deprecated a whole bunch of old CRT functions (strcpy, strncpy, _itoa and so on) I don't know the final number of functions, but my guess is it's in the 100 ballpark, and replaced them with more secure versions. For example strcpy_s, _itoa_s and so on. By "more secure" I mean more consistant functions that help make it a little harder to shoot yourself in the foot.

One interesting addition is rand_s, which calls RtlGenRandom to create cryptographically secure random numbers, rather than rand's highly predictable numbers. I mentioned how you can call RtlGenRandom directly in a prior blog. Calling rand_s is a little different to calling rand, however:

#define _CRT_RAND_S
#include "stdlib.h"
...
unsigned int r = 0;
errno_t err = rand_s(&r);

Comments

  • Anonymous
    February 01, 2005
    I don’t know… all this Safer CRT is well worth indeed but from the other hand… Yeah, let’s make it the way even a dumb can use safely. And the dumb surely will. Technical workarounds instead of literacy and responsibility – there is something wrong with it. “Hey, these scalpels are so sharp and dangerous! Let’s make them nice and shiny and blunt so even a neighbor can use them safely while surgery on your kidney”

  • Anonymous
    February 01, 2005
    thats really good writing you should check out my weblog when you get a chance, and tell em if its as good as yours..k? well here ya go-http://katzthoughtz.bloghaqrbor.com
    thank you!!

  • Anonymous
    February 01, 2005
    I hate anaologies :)

    That said, I actually disagree, this is not about removing scalpels - it's about adding a safety net under the guy on the tightrope.

    Like I said, I hate analogies!

  • Anonymous
    February 02, 2005
    The comment has been removed

  • Anonymous
    February 02, 2005
    A few questions. First, is this, or will it become, standard? That is, are any of the Safer CRT functions in C99, or is there any chance they could get into "C 2k9"? Also, are there any functions that you've just dropped entirely? gets() doesn't need to be deprecated, it needs to be expunged.

    Second, what does "deprecated" mean? Do you get a warning if you try to compile/link code that calls sprintf()? Does a tooltip appear in Visual Studio?

    Finally, and this may be spurious since I guess this is limited to just one platform, but can't sizeof(int) ever change? (And why pull in stdlib.h with double quotes?) I would have expected:

    #define _CRT_RAND_S
    #include <stdlib.h>
    #include <stdint.h>
    ...
    uint32_t r = 0;
    errno_t err = rand_s(&r);

    It sounds like these new functions will really facilitate writing secure code, and that's a great thing.

  • Anonymous
    February 03, 2005
    We have put forward the Safer CRT spec to ISO, here's the email we rcvd Apr04:

    The Security New Work Item Proposal ballot at the SC22 level has passed.
    This means we can officially begin work on the Security TR, the ISO/IEC designation is "24731".

    'Deprecated' means you get a compiler warning.

  • Anonymous
    February 06, 2005
    Mike, you did not answer D. Conrad's question:

    (And why pull in stdlib.h with double quotes?) I would have expected:

    #define _CRT_RAND_S
    #include <stdlib.h>
    #include <stdint.h>

  • Anonymous
    February 08, 2005
    It's about time.

    I remember suggesting that the VC group do something similar to Bell Labs's LibSafe (at about the time that LibSafe was publicized).

    See <http://www.research.avayalabs.com/project/libsafe/>

    But I think they were preoccupied get VS2002 out.

    I can't wait to install Whidbey and VSTS.

  • Anonymous
    March 24, 2008
    In my previous blog I very briefly touched on the new C runtime library added to Whidbey. Take a look

  • Anonymous
    June 07, 2009
    PingBack from http://greenteafatburner.info/story.php?id=4717

  • Anonymous
    June 08, 2009
    PingBack from http://toenailfungusite.info/story.php?id=3371

  • Anonymous
    June 16, 2009
    PingBack from http://topalternativedating.info/story.php?id=5573