Welcome to MSDN Blogs Sign in | Join | Help

Michael Howard's Web Log

A Simple Software Security Guy at Microsoft!
List of useful security libraries

I was asked last week for a list of "drop-in-and-more-secure" replacements, created at Microsoft, for C/C++ functions and constructs.

So here's a list:

IntSafe (C safe integer arith library)

SafeInt (C++ safe integer arith template class)

Secure CRT (C runtime replacements for strcpy, strncpy etc etc)

StrSafe (C runtime replacements for strcpy, strncpy etc etc)

Posted: Monday, February 27, 2006 1:17 PM by michael_HOWARD
Filed under:

Comments

Kernel Mustard » Blog Archive » More security libraries said:

PingBack from http://kernelmustard.com/2006/02/27/more-security-libraries/
# February 27, 2006 4:57 PM

James said:

That SafeInt class template (not template class) has got to be the worst bit of C++ I've seen in a while. Didn't that guy read Effective C++ or myriad other things? There's got to be something unsafe about bypassing the short-circuit evaluation for logical operators. The author doesn't justify his suspect choices, so I'll assume he doesn't know what he's doing.
# February 28, 2006 6:29 AM

David LeBlanc said:

BTW, Michael should have posted the link to the 2.0 version of the class, which is a fair bit cleaner, and is also posted on MSDN.

There is something unsafe about bypassing short-circuit evaluation for logical operators. But if you're going to pass a SafeInt to something that needs a bool, you're going to end up with this. It is one of the design trade-offs, and this one was considered very early on. The only time this will really bite you is in the case of:

if(func() && func2())

where is isn't valid to call func2 unless func has succeeded. That's not a typical usage scenario for SafeInt, hence the design decision.

There's several hundred lines of documentation and comments in the class - perhaps I missed that point.

Funny you should mention Meyers' books - they're among my favorites, and Scott wrote me to let me know he really liked this class. If you take a look in the comments, you'll see where I made changes based on his input.
# March 27, 2006 2:33 PM

David LeBlanc said:

The newer version of SafeInt (2.0), and the associated article is at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dncode/html/secure05052005.asp, and a direct link to the code is http://msdn.microsoft.com/library/en-us/dncode/html/secure05052005_sample.txt

BTW, an easy work-around to ensure short circuiting works as you want is to write clean code like so:

Instead of:

if(SafeInt<int>(x) && SomeFunc())

write:

if(SafeInt<int>(x) != 0 && SomeFunc())

This is nicer, more readable code, and the != operator does return a bool, this the && operator then works exactly as you expect. Another work-around would be to do this:

if((bool)SafeInt<int>(x) && SomeFunc())

My personal opinion is that if you write code that depends on short-circuiting to work correctly without side-effects, you'll find that others will have a hard time maintaining your code.

YMMV.
# March 27, 2006 4:30 PM

Michael Howard's Web Log said:

A couple of people have asked about the relationship between /GS, SAL and ASLR in Windows Vista. Here’s...
# June 12, 2006 10:44 AM

Soci blog » Blog Archive » Az elm??lt h??t tanuls??gai said:

PingBack from http://soci.hu/blog/index.php/2006/07/03/az-elmult-het-tanulsagai/
# July 3, 2006 10:07 AM

Librerie sicure per C e C++ « Satius est supervacua scire said:

PingBack from http://manuel91.wordpress.com/2008/04/02/librerie-sicure-per-c-e-c/

# April 2, 2008 11:57 AM
New Comments to this post are disabled
Page view tracker