April 19, 2004

Security Checks at Runtime and Compile Time

Microsoft has released an article on MSDN which demonstrates Visual C++ compiler and library features for helping developers increase the robustness and security of their applications.

Included in the article is information on using the following switches:

  • /GS - Buffer Security Check
  • /RTCs - Stack Frame Run-Time Error Checking
  • /RTCc - Detects Assignments that Resulted in Data Loss
  • /RTCu - Report Variable Use without Initialization

The sample application includes 6 tests to simulate some of the errors programmers may commit, or the results of malicious input to a program that is too trusting:

  1. Overwrite a buffer by running a loop too many times. Since only one buffer is defined, the overwrite affects the rest of the stack including the return address.
  2. Overwrite a buffer when another buffer is also on the stack.
  3. Underwrite a buffer.
  4. Use an uninitialized variable.
  5. Perform a cast that may lose information.
  6. Use an uninitialized variable in more complex ways.
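
Three of these error classes (tests 1, 4 and 5) are sketched below as an added example. It is not code from the MSDN article or its sample application, and all function names are hypothetical. Each defective pattern is described next to a checked form that avoids the error in source, rather than leaving it for the compiler's run-time checks to catch.

```c
/* Added example; function names are hypothetical, not from the MSDN sample. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 8

/* Test 1 pattern, never called here: the caller controls the loop bound, so
   count > BUF_LEN writes past buf. /GS and /RTCs catch this at run time. */
void fill_unchecked(size_t count) {
    volatile char buf[BUF_LEN];
    for (size_t i = 0; i < count; i++)
        buf[i] = 'A';
}

/* Checked form: refuse any count the destination cannot hold. */
int fill_checked(char *dst, size_t dst_len, size_t count) {
    if (dst == NULL || count > dst_len)
        return -1;
    memset(dst, 'A', count);
    return 0;
}

/* Test 5: storing an int in a char can drop the high bits, which /RTCc
   reports. Checked form: range-test before narrowing. */
int narrow_to_char(int value, signed char *out) {
    if (out == NULL || value < SCHAR_MIN || value > SCHAR_MAX)
        return -1;
    *out = (signed char)value;
    return 0;
}

/* Test 4: a local assigned on one branch only and then read is what /RTCu
   reports. Checked form: give it a defined value on every path. */
int pick(int flag) {
    int result = 0;
    if (flag)
        result = 42;
    return result;
}

int main(void) {
    char buf[BUF_LEN];
    signed char c = 0;
    printf("%d %d %d %d\n", fill_checked(buf, sizeof buf, 9),
           narrow_to_char(0x101, &c), pick(0), pick(1));
    return 0;
}
```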

If you are using a language that is not type-safe, like C++, and are using a newer MS compiler, you should really read about these options. Well actually, even if you aren't using C++ you will find the article interesting... you should read it anyway.

Happy reading!

Posted by SilverStr at April 19, 2004 04:35 PM