
About David LeBlanc's Web Log

This blog is about whatever security topics come to mind, and may occasionally wander off into other areas, like arcane C++ tricks. I'll primarily cover techniques to achieve more secure code, how to use some of the more interesting facets of the Windows operating system, and sometimes my thoughts about the general state of Internet security.

  • David LeBlanc's Web Log

    How to cause a regression

    • 2 Comments
    This one isn't really security related, except that we security people often want to get rid of old stuff because it's sometimes easier to disable it than to make it really robust. If only a few people use it, good attack surface reduction practices tell...
  • David LeBlanc's Web Log

    Being Part of the Solution

    • 2 Comments
    One of the comments to my last post asked how someone could be part of the solution, as opposed to part of the problem. Here are some thoughts on the issue, based on my experiences of being one of the people finding problems from outside, and one of the...
  • David LeBlanc's Web Log

    Even More Cool Integer Tricks

    • 2 Comments
    OK, so this is just utterly geeky, and would really only come in handy if you're writing something like SafeInt – How to tell if a numeric template type is a bool at compile time: isBool = ((T)1 == (T)2) if type T is a bool, then this is true...
  • David LeBlanc's Web Log

    More Fun with Integers

    • 2 Comments
    Just a quick note this morning to share something I found while finishing up SafeInt 3.0. This is something more helpful with 64-bit porting than with general security, though it does have some security side effects. Warning - heavy C++ programming geek...
  • David LeBlanc's Web Log

    What's still exploitable?

    • 2 Comments
    OK, just throwing this out, hoping for some interesting comments - if you have NX, ASLR, and SafeSEH, what's still exploitable? Please note I'm absolutely, positively NOT NOT NOT saying that stuff compiled with all this is unbreakable or any such silliness...
  • David LeBlanc's Web Log

    More on Exception Handlers

    • 2 Comments
    Sitting here at "Blue Hat" watching David Maynor present – pretty cool working for a company that can host its own security conference just to educate employees… A comment just came in that was a good question, and deserves a detailed answer – Arkon...
  • David LeBlanc's Web Log

    Checking Password Complexity

    • 2 Comments
    Michael put some sample code into WSC2 that showed people how to check passwords using the NetValidatePasswordPolicy API. It's a very flexible API, and it's meant to handle situations where an app maintains its own password database, like SQL Server....
  • David LeBlanc's Web Log

    Blog Comment Spam is Really, Really, Really Annoying

    • 2 Comments
    I keep getting spam from some bunch of (expletives deleted) as comments to the blog. It's all: Nice. Interesting. Cool! With some bogus URL they're trying to get people to click on, from weird pseudo-Greek names mostly ending in 'os'. They...
  • David LeBlanc's Web Log

    On the Other Hand…

    • 2 Comments
    In my previous post on threat models, I pointed out situations where TM's are either a complete waste of time, or maybe we've got bigger problems than design issues. To add a little balance and reinforce one of the points I was trying to make, let's look...
  • David LeBlanc's Web Log

    DREAD and the PHB

    • 1 Comment
    Sometimes when I present about secure programming practices, I emphasize education for PM's, testers, and devs, for obvious reasons. Then there's the hard part – educating management. You really have to be able to do that – you need to spend time on security...
  • David LeBlanc's Web Log

    Writing Secure Code 3

    • 1 Comment
    It seems like every time I've gone out in public recently, I've been asked when we were going to update Writing Secure Code 2. I've been seeing comments about it along the lines of "Good, but dated." Ouch. It has been a while – we published WSC2 in 2002...
  • David LeBlanc's Web Log

    More on Sandboxing – Network Implications

    • 1 Comment
    Larry Osterman's post (er, rant) (found here - http://blogs.msdn.com/larryosterman/archive/2007/11/02/chris-pirillo-s-annoyed-by-the-windows-firewall-prompt.aspx ) about someone's gripe with Firefox and the firewall caused me to remember to add to the...
  • David LeBlanc's Web Log

    Safebool

    • 1 Comment
    My last post triggered a couple of responses and a URL I thought would be good to not get lost in the comments. Check out http://www.artima.com/cppsource/safebool.html . As I was saying a couple of posts ago, the right tool is usually situational....
  • David LeBlanc's Web Log

    Process Tokens and Default DACLs

    • 1 Comment
    I ran up on something the other day that isn't very well documented in one place. When you're dealing with restricted tokens, and in a few other limited scenarios, the default DACL on the process token becomes important. We can look at the default DACL...
  • David LeBlanc's Web Log

    Practical Windows Sandboxing – Part 1

    • 1 Comment
    I've written more than once about how interesting restricted tokens are – the earliest article was on Mark Edward's Windows Security web site. Unless it's been taken down recently, the article and source code are still there. In the nearly 8 years since...
  • David LeBlanc's Web Log

    Logon ID SIDs

    • 1 Comment
    I've mentioned logon ID SIDs a couple of times, but they're fairly arcane. I first ran into them when I was exploring just what was in a process token, and a group SID came up that I wasn't familiar with. Here's how a SID is defined: typedef struct...
  • David LeBlanc's Web Log

    Is it a Read, Write or Execute AV?

    • 1 Comment
    I didn't find this documented in the Visual Studio documentation, but it is in the latest Windows SDK. In case anyone was interested, and would like to be able to tell from inside an app whether an AV was triggered by NX, this will do it:   DWORD...
  • David LeBlanc's Web Log

    Don’t Forget the Document Password!

    • 1 Comment
    Some interesting tid-bits from the password crackers: http://www.lostpassword.com/office.htm Word 2007 and Excel 2007 use an industry-strength AES encryption algorithm that makes password search speed slow: 20-100 passwords per second on an average...
  • David LeBlanc's Web Log

    Implementation vs. Design Defects

    • 1 Comment
    I got a comment to my last post that's worth following up on: Can you comment on what percentage of defects you all are finding are implementation vs. design defects? It's pretty clear that older code that doesn't have buffer overflows isn't going...
  • David LeBlanc's Web Log

    How we know which file formats are used

    • 1 Comment
    A reader wrote to ask me how it is that we know what file formats are being opened by users. I can assure you that neither the Bavarian Illuminati, UFOs nor 3-letter agencies flying black helicopters have anything at all to do with this. We're also not...
  • David LeBlanc's Web Log

    Use of ASLR, NX, etc

    • 1 Comment
    Found a really great post by David Maynor here. He points out that various counter-measures aren't always used by apps other than Windows. I would have commented directly to his blog, but didn't feel like signing up, so I'll make some comments here...
  • David LeBlanc's Web Log

    Visual C++ Defenses and 64-bit

    • 1 Comment
    Michael Howard just published a good article here on how Visual C++ features can help protect your app. I go into a fair bit more detail on these in our most recent book, "Writing Secure Code for Windows Vista" (WSCV) if you're curious. Something Michael...
  • David LeBlanc's Web Log

    Templatized Min/Max Solved!

    • 1 Comment
    I had some time to think about the overall problem, and had originally thought of a functional approach, like so: template <typename R, typename T, typename U> R Max(T t, U u); This has all the information we need to check for truncation on...
  • David LeBlanc's Web Log

    SafeInt 3 on CodePlex!

    • 1 Comment
    I have finally found a stable place to keep SafeInt. It can now be found at http://www.codeplex.com/SafeInt . In terms of the code, this is exactly the same stuff as we're using internally. This version is documented a little better than the master copy...
  • David LeBlanc's Web Log

    MS-OFFCRYPTO, W7 Engineering blog, etc

    • 1 Comment
    We have a new version of MS-OFFCRYPTO out. The big change is that how CryptDeriveKey was documented on MSDN was incorrect, we copied it, which made our document also incorrect. As it turns out, CryptDeriveKey always uses the same code path for AES as...
Page 3 of 4 (94 items)