Over the years, we have learned a great deal about the practical aspects of securing software, but two lessons that really stand out for me are:
· You will never get the code perfect, so add defenses.
· Make securing software as easy as possible for designers, developers and testers.
Anyone following the SDL will realize that we spend a lot of time, research and effort adding defenses such as /GS, ASLR, NX and so on and then making them SDL requirements. Another SDL defensive requirement we added about two years ago is to add the following to the startup code, usually main(), in native C or C++ code:
BOOL f=HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0);
You can read more about this function and its security benefits in a blog post from February 2008.
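The following is an added example, not code from the original post, showing the call above placed where the SDL requirement wants it: at the very start of main(), before any allocation, with the return value checked rather than discarded. The helper enable_heap_termination and its three return codes are my own naming, not a Windows API; the mitigation itself is Windows-only, so on other platforms the helper simply reports that it is not applicable so the file still compiles there.

```c
/* Added example (not from the original post): enabling heap termination on
 * corruption at process start-up, as the SDL requirement describes.
 * Windows-only; the non-Windows branch only exists so the file compiles
 * elsewhere and reports that the mitigation is not applicable. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* Return values of enable_heap_termination (hypothetical helper, not a
 * Windows API). */
#define HEAP_TERM_ENABLED         1   /* call succeeded */
#define HEAP_TERM_FAILED          0   /* Windows refused; GetLastError() says why */
#define HEAP_TERM_NOT_APPLICABLE -1   /* not a Windows build */

int enable_heap_termination(void)
{
#ifdef _WIN32
    /* NULL applies the setting to every heap in the process, and once it is
     * on it cannot be turned off again. Call it first thing in main(), before
     * any allocation or other initialisation, so no heap block is ever
     * created while the check is still off. */
    if (!HeapSetInformation(NULL, HeapEnableTerminationOnCorruption, NULL, 0)) {
        fprintf(stderr, "HeapSetInformation failed: error %lu\n",
                (unsigned long)GetLastError());
        return HEAP_TERM_FAILED;
    }
    return HEAP_TERM_ENABLED;
#else
    return HEAP_TERM_NOT_APPLICABLE;
#endif
}

/* Ordinary program logic that uses the heap. With the mitigation on, any
 * corruption the heap manager detects in blocks like this one ends the
 * process immediately instead of raising a catchable exception that an
 * attacker might steer. */
size_t copy_and_measure(const char *src)
{
    size_t len = strlen(src);
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return 0;
    memcpy(buf, src, len + 1);
    size_t out = strlen(buf);
    free(buf);
    return out;
}

int main(void)
{
    int status = enable_heap_termination();
    if (status == HEAP_TERM_FAILED) {
        /* The SDL treats the mitigation as mandatory, so refusing to run
         * when it cannot be enabled is the conservative choice. */
        return 1;
    }
    printf("heap termination on corruption: %s\n",
           status == HEAP_TERM_ENABLED ? "enabled" : "not applicable");
    printf("copied %zu bytes\n", copy_and_measure("hello"));
    return 0;
}
```

The point of checking the return value is that a silently ignored failure leaves the process running without the defense; the one-line form in the post is fine once you know the platform supports it, but a wrapper like this makes the outcome visible in logs.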
The problem with adding this code is you have to churn your code! Obviously, it’s not a big deal in this case, as the code diff is only one line long.
Even though I’m a huge fan of defenses like this, we’re always looking for ways to make life as easy as possible for developers, and often that means changing the way we generate code or adding defenses to Windows.
Now back to the subject of this post! Something we have added to VC++ 2010 beta 2 is an automatic call to HeapSetInformation() for all unmanaged C and C++ applications. I love this for two reasons: it’s a great defense that makes it harder for an attacker to successfully exploit a heap-based buffer overrun in your code, and it’s frictionless because there is nothing the developer needs to do other than compile the code with VC++ 2010 beta 2 or later!
Later in the year I’ll write about some other defenses in VC++ 2010.