It’s no secret that some C runtime library routines are much more secure than other routines, simply based on what they're supposed to do. It’s also true that some bugs and vulnerabilities exist even in what appear to be safe routines.
Michael Howard, a Microsoft senior security engineer, recently outlined an ongoing project that intends to make C much safer. The first result of the project is strsafe.h, the Visual Studio .NET 2003 and Platform SDK string functions Microsoft introduced in 2002. (I'll provide more details about strsafe.h in a future column.)
Microsoft’s Visual C++ team is taking the steps I suggest that developers follow: The team is evaluating the security of C runtime library functions. However, they're going far beyond what individual developers could do; for instance, they've rewritten about 400 routines to make them more secure.
The new C functions will debut in Visual Studio 2005, and a few functions will improve older code simply by recompiling. But, as Howard wisely points out, it takes more than improved libraries to make most code secure; it also requires attention to using the most secure functions and practices.
The new compiler will have the old function names available, and some of the old functions will improve transparently. But you’ll need to make changes to old code or adjust compiler settings to get older code to compile because the new compiler will throw errors when it finds the older, insecure versions of functions for which Microsoft developed new alternatives. The Visual Studio 2005 compiler will show you what code you should consider changing, as well as take code that already conforms to best practices using the renamed functions and make it even more secure by fixing the problems inherent in the old libraries.
The new libraries are in the development and test stage, so some changes are inevitable. However, Howard cites interesting and important changes in his article—changes that I suspect will appear in similar or identical form in the final version, such as:
- Calloc gets more parameter checking and will keep the same function name.
- Strncat is a very troublesome function, and it gets a complete overhaul as strncat_s. There is also a new strncpy_s function, and in the new versions, both share a similar new signature:
—Return value: an error code (errno_t) rather than a pointer.
—First parameter: the destination buffer (char *).
—Second parameter: the total character count of the destination buffer (size_t).
—Third parameter: the source buffer (const char *).
—Fourth parameter: the total character count of the source buffer (size_t).
The new buffer counts eliminate “the need to keep an ongoing tally of the destination buffer count.” Both functions also “always null-terminate the string” and feature improved input parameter checking.
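To make that signature concrete, here is an added example that is not part of the original column and not Microsoft's code: two portable stand-ins (safe_strncpy and safe_strncat, names chosen for this illustration, plus a bounded_len helper) that follow the four-parameter shape listed above, return an error code instead of a pointer, and always leave the destination null-terminated. They illustrate the design rather than reproduce the Visual Studio 2005 implementations, and they compile with any C compiler:

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Length of s without scanning past max characters. */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Stand-in for the strncpy_s shape: (dest, total dest count, src, source
   count). Returns 0 on success, EINVAL for a bad argument, ERANGE when the
   data does not fit. On any failure dest becomes "" so it is always
   null-terminated rather than left half-written. */
int safe_strncpy(char *dest, size_t dest_count, const char *src, size_t src_count)
{
    if (dest == NULL || dest_count == 0)
        return EINVAL;
    if (src == NULL) { dest[0] = '\0'; return EINVAL; }
    size_t n = bounded_len(src, src_count);
    /* n characters plus the terminator must fit in dest_count */
    if (n >= dest_count) { dest[0] = '\0'; return ERANGE; }
    memcpy(dest, src, n);
    dest[n] = '\0';
    return 0;
}

/* Stand-in for the strncat_s shape. The caller passes the full size of dest
   on every call; classic strncat instead needs the remaining room,
   sizeof buf - strlen(buf) - 1, the running tally that is so easy to get wrong. */
int safe_strncat(char *dest, size_t dest_count, const char *src, size_t src_count)
{
    if (dest == NULL || dest_count == 0)
        return EINVAL;
    size_t used = bounded_len(dest, dest_count);
    /* reject a null source or a destination that is not yet terminated */
    if (src == NULL || used == dest_count) { dest[0] = '\0'; return EINVAL; }
    size_t n = bounded_len(src, src_count);
    if (n >= dest_count - used) { dest[0] = '\0'; return ERANGE; }
    memcpy(dest + used, src, n);
    dest[used + n] = '\0';
    return 0;
}
```

The overflow case is the one worth noticing: an append that would not fit is refused outright and the buffer is emptied, so no caller ever gets back an unterminated or partially written string.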
The new C++ will also include changes (fixes) to the Standard Template Library, which can currently produce buffer overruns when iterators are misused.
I think Microsoft is on the right track. Developers using C should give the upcoming Visual Studio 2005 a serious look because of these major changes to the runtime library. Microsoft has already presented its proposed changes to the standards committee. You can see a copy of the submission here. The 30-page document details changes to many of the standard function calls.
Today, C is a dinosaur, and we certainly wouldn’t be using it any longer if it weren’t so incredibly useful. C has long been in need of a major security overhaul and, at first glance, Microsoft seems to be taking a big step in the right direction. I can’t endorse Visual Studio 2005 yet because it isn’t finalized or available for testing. But the preliminary information indicates that the introduction of Visual Studio 2005 will make it a lot easier to develop secure apps.
John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.