![Page 2: Banned APIs and Sin Within! Michael Howard mikehow@microsoft.com](https://reader036.vdocuments.mx/reader036/viewer/2022062404/5519cb035503468b0c8b45c8/html5/thumbnails/2.jpg)
Who Is This Guy?
• mikehow@microsoft.com
• Christian (imperfect in every possible way!)
• Microsoft employee for 20 years
• Always in security
• Worked on the Microsoft SDL since inception
Goals and Non-Goals
• I am not one for drawing analogies
  – “Security Analogies are usually Wrong”
    http://blogs.msdn.com/b/michael_howard/archive/2006/03/09/547575.aspx
• I use quotes from the Bible to compare/contrast software security
• “The Bible is correct, your code is not.” :-)
If cars operated in an environment like the Internet, they would…
• Be driven by people with little regard for safe automobile operation.
• Have their windshields shot out every 60 secs.
• Once you have bullet-proof glass, the bad guys place nails at freeway off-ramps next to signs like, “free coffee this way”
  – and someone is always trying to steal your keys
  – and pull out your sparkplugs
  – and siphon your gas
• Talking of gas, you fill up at a Shell station, only to realize the gas really isn’t gas, it’s vegetable oil and sand
• Oh, that gas station isn’t a Shell station, it certainly looked like one, but they took your credit card details anyway
• As this all goes on, you can’t see the adversary
• And the adversaries are sharing new weapons with each other
The SDL
• A set of process changes that help improve software security
• Over 100 requirements and recommendations
• About 30 deal with memory corruption
• Removing banned APIs is one such requirement
What Are The Banned APIs?
• Mostly memory corruption APIs
  – strcpy …
  – strcat …
  – strncpy …
  – strncat …
  – sprintf …
  – gets …
Banned APIs
strcpy, strcpyA, strcpyW, wcscpy, _tcscpy, _mbscpy, StrCpy, StrCpyA, StrCpyW, lstrcpy, lstrcpyA, lstrcpyW, _tccpy, _mbccpy
strcat, strcatA, strcatW, wcscat, _tcscat, _mbscat, StrCat, StrCatA, StrCatW, lstrcat, lstrcatA, lstrcatW, StrCatBuff, StrCatBuffA, StrCatBuffW, StrCatChainW, _tccat, _mbccat
strncpy, wcsncpy, _tcsncpy, _mbsncpy, _mbsnbcpy, StrCpyN, StrCpyNA, StrCpyNW, StrNCpy, strcpynA, StrNCpyA, StrNCpyW, lstrcpyn, lstrcpynA, lstrcpynW
strncat, wcsncat, _tcsncat, _mbsncat, _mbsnbcat, StrCatN, StrCatNA, StrCatNW, StrNCat, StrNCatA, StrNCatW, lstrncat, lstrcatnA, lstrcatnW, lstrcatn
CharToOem, CharToOemA, CharToOemW, OemToChar, OemToCharA, OemToCharW, CharToOemBuffA, CharToOemBuffW
wnsprintf, wnsprintfA, wnsprintfW, sprintfW, sprintfA, wsprintf, wsprintfW, wsprintfA, sprintf, swprintf, _stprintf, _snwprintf, _snprintf, _sntprintf, wvsprintf, wvsprintfA, wvsprintfW, vsprintf, _vstprintf, vswprintf, _vsnprintf, _vsnwprintf, _vsntprintf, wvnsprintf, wvnsprintfA, wvnsprintfW
strtok, _tcstok, wcstok, _mbstok
makepath, _tmakepath, _makepath, _wmakepath, _splitpath, _tsplitpath, _wsplitpath
scanf, wscanf, _tscanf, sscanf, swscanf, _stscanf, snscanf, snwscanf, _sntscanf
_itoa, _itow, _i64toa, _i64tow, _ui64toa, _ui64tot, _ui64tow, _ultoa, _ultot, _ultow
gets, _getts, _gettws
IsBadWritePtr, IsBadHugeWritePtr, IsBadReadPtr, IsBadHugeReadPtr, IsBadCodePtr, IsBadStringPtr
memcpy
```c
CONFIGRET
ResDesToNtResource(
    IN PCVOID ResourceData,
    IN RESOURCEID ResourceType,
    IN ULONG ResourceLen,
    IN PCM_PARTIAL_RESOURCE_DESCRIPTOR pResDes,
    IN ULONG ulTag
    )
{
    // (the slide shows only this case of the switch)
    case ResType_ClassSpecific: {
        PCS_RESOURCE pCsData = (PCS_RESOURCE)ResourceData;
        LPBYTE ptr = NULL;
        ptr = (LPBYTE)((LPBYTE)pResDes + sizeof(CM_PARTIAL_RESOURCE_DESCRIPTOR));
        // banned memcpy: offset and length are taken from the resource data itself
        memcpy(ptr,
               pCsData->CS_Header.CSD_Signature + pCsData->CS_Header.CSD_LegacyDataOffset,
               pCsData->CS_Header.CSD_LegacyDataSize);
```
PnP MS05-039 (Zotob)
```c
#define SSL2_MAX_CHALLENGE_LEN 32

typedef struct _Ssl2_Client_Hello {
    DWORD dwVer;
    DWORD cCipherSpecs;
    DWORD cbSessionID;
    DWORD cbChallenge;                          // peer-supplied length
    UCHAR SessionID[SSL3_SESSION_ID_LEN];
    UCHAR Challenge[SSL2_MAX_CHALLENGE_LEN];    // fixed 32-byte buffer
    Ssl2_Cipher_Kind CipherSpecs[MAX_UNI_CIPHERS];
} Ssl2_Client_Hello, * PSsl2_Client_Hello;

SP_STATUS Pct1SrvHandleUniHello(..., PSsl2_Client_Hello pHello, ...) {
    Pct1_Client_Hello ClientHello;
    ...
    // banned CopyMemory: cbChallenge is never checked against SSL2_MAX_CHALLENGE_LEN
    CopyMemory(ClientHello.Challenge, pHello->Challenge, pHello->cbChallenge);
```
PCT SChannel MS04-011
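The PnP and PCT slides show the same one-line shape: a fixed-size destination, a length lifted straight from the peer's message, and a banned copy in between. This added example (not the slide deck's code and not Microsoft's) shows the check those handlers lacked, applied to the PCT hello. The struct field types and the values of SSL3_SESSION_ID_LEN and MAX_UNI_CIPHERS are assumptions; the sample hellos are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Layout mirrors the slide's Ssl2_Client_Hello; the two array sizes below are assumed.
#define SSL2_MAX_CHALLENGE_LEN 32
#define SSL3_SESSION_ID_LEN 32
#define MAX_UNI_CIPHERS 16

struct Ssl2_Client_Hello {
    uint32_t dwVer;
    uint32_t cCipherSpecs;
    uint32_t cbSessionID;
    uint32_t cbChallenge;                       // peer-supplied, must be validated
    uint8_t  SessionID[SSL3_SESSION_ID_LEN];
    uint8_t  Challenge[SSL2_MAX_CHALLENGE_LEN];
    uint32_t CipherSpecs[MAX_UNI_CIPHERS];
};

struct Pct1_Client_Hello {                      // hypothetical receiving struct
    uint8_t  Challenge[SSL2_MAX_CHALLENGE_LEN];
    uint32_t cbChallenge;
};

// Bounded copy: refuses when the caller-supplied length exceeds the destination
// capacity, instead of trusting it the way the slide's CopyMemory does.
bool copy_bounded(void* dst, size_t dst_cap, const void* src, size_t src_len) {
    if (src_len > dst_cap) return false;
    memcpy(dst, src, src_len);
    return true;
}

// Hardened counterpart of the copy in Pct1SrvHandleUniHello: cbChallenge is
// checked against the fixed-size destination before a single byte is written.
bool handle_uni_hello(const Ssl2_Client_Hello* hello, Pct1_Client_Hello* out) {
    if (!copy_bounded(out->Challenge, sizeof(out->Challenge),
                      hello->Challenge, hello->cbChallenge))
        return false;                           // reject the hello, buffer untouched
    out->cbChallenge = hello->cbChallenge;
    return true;
}

// Constructed sample hellos: one in range, one claiming far more than 32 bytes.
bool demo_accepts_valid_length() {
    Ssl2_Client_Hello h = {};
    h.cbChallenge = 16;
    memset(h.Challenge, 0x41, 16);
    Pct1_Client_Hello out = {};
    return handle_uni_hello(&h, &out) && out.Challenge[15] == 0x41;
}

bool demo_rejects_oversized_length() {
    Ssl2_Client_Hello h = {};
    h.cbChallenge = 0x1000;                     // larger than the 32-byte destination
    Pct1_Client_Hello out = {};
    return !handle_uni_hello(&h, &out);
}
```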
NNTP MS05-030
Last Updated 20060103
```c
HRESULT CNewsStore::OnResponse(LPNNTPRESPONSE pResponse) {
    ...
    if (pResponse->state == NS_LIST)
        hr = _HandleListResponse(pResponse, FALSE);
    ...
}

HRESULT CNewsStore::_HandleListResponse(LPNNTPRESPONSE pResp, BOOL fNew) {
    LPSTR psz, pszCount;
    int nSize;
    char szGroupName[CCHMAX_FOLDER_NAME];
    LPNNTPLIST pnl = &pResp->rList;
    for (DWORD i = 0; i < pnl->cLines; i++, m_op.dwProgress++) {
        psz = pnl->rgszLines[i];
        while (*psz && !IsSpace(psz))
            psz = CharNext(psz);
        nSize = (int)(psz - pnl->rgszLines[i]);
        if (nSize >= CCHMAX_FOLDER_NAME)
            nSize = CCHMAX_FOLDER_NAME - 1;
        CopyMemory(szGroupName, pnl->rgszLines[i], nSize);   // banned CopyMemory
```
LSASS MS04-011
```c
VOID
DsRolepDebugDumpRoutine(
    IN DWORD DebugFlag,
    IN LPWSTR Format,
    va_list arglist
    )
{
#define DsRolepDebugDumpRoutine_BUFFERSIZE 1024
    WCHAR OutputBuffer[DsRolepDebugDumpRoutine_BUFFERSIZE];
    ...
    // banned wvsprintfW: nothing bounds what it writes into the 1024-WCHAR buffer
    length += (ULONG) wvsprintfW(&OutputBuffer[length], Format, arglist);
    ...
}
```
Sasser
How Do you Find Them?
• #include <banned.h>
• C4996 warnings
The Replacements
• Don’t use C++ as a glorified C!
• Use std::string
• Use strsafe.h
• Use strcpy_s etc
Auto-replacement of Banned Functions
• If the compiler knows the destination buffer size at compile time, it can automatically generate secure code
• Add the following to auto-migrate functions to safe functions:
  #define _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES (1)

Before:
```c
char buf[32];
strcpy(buf, src);
```
After (what the call resolves to; strcpy_s takes the destination size as its second argument):
```c
char buf[32];
strcpy_s(buf, 32, src);
```
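The mechanism behind that auto-migration is plain C++ overloading, which is also why the macro only helps when the file is compiled as C++. This added example (not the CRT's code or the slide deck's) shows it with a hypothetical checked copy modelled on the documented strcpy_s contract: a template taking a reference to a char array deduces the array length at compile time, so the caller never passes the size by hand.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstring>

// Hypothetical checked copy modelled on the strcpy_s contract: never writes past
// dst_size, and on failure leaves dst empty and returns an errno value instead of
// silently truncating (silent truncation is why strncpy is on the banned list too).
int checked_strcpy(char* dst, size_t dst_size, const char* src) {
    if (dst == nullptr || dst_size == 0) return EINVAL;
    if (src == nullptr) { dst[0] = '\0'; return EINVAL; }
    size_t n = strlen(src);
    if (n >= dst_size) { dst[0] = '\0'; return ERANGE; }   // no room for the terminator
    memcpy(dst, src, n + 1);
    return 0;
}

// The overload trick behind _CRT_SECURE_CPP_OVERLOAD_STANDARD_NAMES: when the
// destination is a real array, N is deduced at compile time and forwarded as the size.
template <size_t N>
int checked_strcpy(char (&dst)[N], const char* src) {
    return checked_strcpy(dst, N, src);
}

// The slide's case: a 32-byte stack buffer, with the size supplied by the compiler.
int copy_into_32(const char* src) {
    char buf[32];
    return checked_strcpy(buf, src);   // deduces N == 32; a 32-char string is refused
}
```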
But Isn’t C dead?
http://www.tiobe.com/index.php/content/paperinfo/tpci/index.html
The Leap of Faith
• What about regressions?
• In ten years, I have seen only one regression at Microsoft
Effectiveness?
• Over 25% of MSRC memory corruption vulns did not affect newer products simply because we banned the API(s) in question and replaced them with a more secure version
• That’s low cost engineering at its best!
Pop Quiz
• What’s in an 8oz glass of wine?
• What’s in an 8oz glass of poison?
• What’s in an 8oz glass of wine with a drop of poison?
Sin and Insecure Code
Righteous Man + One Sin → Sinful Man
Well-Written Code + One Vulnerability → Insecure System
All Sin is the Same …
• There is no “good” or “bad” sin, it’s all sin in God’s eyes.
• There is no “Security Bulletin” scale for sin
  Critical: Adultery, Murder
  Important: Bearing False Witness
  Moderate: Stealing
  Low: Coveting
… but insecure Code is not the Same
• An anonymously accessible remote code execution vulnerability that gives you root is *way* worse than a local information disclosure vuln accessible only by admins
  Critical: Remote code execution
  Important: Server DoS
  Moderate: Temporary Server DoS
  Low: Client DoS
Banned APIs
• We have banned over 120 APIs at Microsoft
• They are great examples of “One-line” Sins
Removing Sin
• How do you remove Sin?
• By replacing Sin with something not Sinful!
• Easy to say, very hard to do.

“And I know that nothing good lives in me, that is, in my sinful nature. I want to do what is right, but I can't.” Romans 7:18

• How do you remove banned APIs?
• By replacing them with something less dangerous!
• Easy to say, easy to do.
Removal takes a Leap of Faith
• Trust that God forgives your Sins
• Trust that the banned API replacements don’t introduce regressions!

“Praise the Lord, … who forgives all your sins.” Psalm 103:3
How Do you Remove Banned APIs?
• Admit you have banned APIs (admit you sin!)
• Do something about it (admit the Lord into your heart)
• Don’t repeat!
Banned APIs and the Sin Within: Summary
• Admit you sin
  – In life and in code
• Do something about it
  – Study Romans
  – Remove Banned APIs
• Put steps in place to help prevent Sin and banned APIs
  – Think!!
  – Use banned.h in all your C/C++ code
Questions!?